Why The Public Directory Of Domain Names Is About To Vanish

The WHOIS service has run into the legal landmine of European data regulation and highlighted the weakness of consensus-based internet governance in the face of the law.

Until May 2018, anyone could look up the name and contact details for the owner of a domain name. The Internet Corporation for Assigned Names and Numbers (ICANN), the US-based private company that coordinates internet domains and IP addresses, required companies that register domain names to collect and publish personal data in the so-called WHOIS service.

While far from a household name, WHOIS was widely relied upon by law enforcement and intellectual property owners to investigate and combat online crime and abuse. At the same time, privacy advocates and regulators have raised concerns about the mandatory publication of every domain name holder’s name and contact details. These groups, each with their legitimate viewpoints, have been talking – sometimes shouting – past each other within ICANN for the past 20 years.

Then in May, the European General Data Protection Regulation (GDPR) arrived. The principles relevant to publication of WHOIS data were unchanged, but the GDPR’s big fines and long-arm jurisdiction captured the attention of the dominant US players within ICANN. Suddenly data protection became everyone’s problem, not just a quirky European wrinkle.

Despite warnings from several groups, the ICANN community as a whole failed to see the GDPR coming until a few months before GDPR took effect. There was a mad scramble to put in place a temporary policy that would be compliant with privacy laws.

On 25 May, the WHOIS 'went dark' – all personal data was removed. Since then, ICANN has sued one of its own registrars in Germany for refusing to collect certain WHOIS data items. ICANN has so far lost at first instance (both on an emergency application and full hearing), then on appeal, and has failed to obtain a reference to the Court of Justice of the EU. The German courts gave the status of ICANN’s consensus policies and contracts short shrift in the face of a European regulation.

In an effort to salvage a publicly accessible WHOIS service, ICANN has set up an emergency working group. The group is tasked to agree what, if any, registration data could still be collected and published on the WHOIS (company data? Non-EU data?), while a separate group is trying to agree rules to allow law enforcement and others access to non-public registration data. 

The emergency working group was due to make its interim recommendations by an ICANN meeting in Barcelona in October, but as the meeting approaches, there is no sign of consensus.

Any policymaker will recognize that there are some issues on which multiple stakeholders will have incompatible, but legitimate views. In such cases, someone neutral has to step in to frame a solution which can reasonably satisfy all interests, without one side ‘winning’.

This approach is absent by design from the ICANN multi-stakeholder process, where policies are formed through consensus in a bottom-up process, and ICANN the organization assumes a passive role. The current temporary policy was only possible because the ICANN board imposed it, in an unprecedented break from tradition.

So, what will happen next? As is often the case with ICANN, the organization and its multi-stakeholder process are facing an existential crisis. Unable to solve this thorny policy issue for 20 years, ICANN’s latest group is unlikely to find consensus in the following days.

ICANN has lost in the German courts and the European Data Protection Board views with skepticism ICANN's claims that the interest of 'third parties' can justify continued collection and publication of WHOIS data.

Most public registers (like Companies House or the Land Registry in the UK) are required by statute, giving legal cover for their processing of personal data. There is no equivalent in the ICANN world. ICANN has no ability to impose laws – it can only create 'consensus policies' which are reflected in contracts.

This may be a pragmatic way to achieve international implementation of policy, bypassing the dreary complexity of jurisdiction and international agreements. But consensus policies are informal instruments which, apparently, do not have the required status to offer protection or exemptions from the enforcement regimes of European regulations.

In recent years, intelligence agencies and law enforcement have consistently complained that the Internet is ‘going dark’. This narrative is partly hyperbole and partly accurate, reflecting uptake of end-to-end encrypted applications such as WhatsApp, Signal and Telegram, adverse legal decisions in relation to the collection of bulk data, and stronger encryption available at the transport layer, such as TLS 1.3.

The WHOIS represented a small but strategic jump-off point for investigations, allowing law enforcement to look for patterns, or identify lines of enquiry. While the ICANN community struggles to find a way forward, yet another tool for law enforcement has disappeared.

Chatham House:

Emily Taylor is Associate Fellow, International Security at Royal Institute of International Affairs
 