Whois data is “more important than ever before” as malicious actors seek to undermine democracy, according to a post on the DomainTools blog.
“2018 has been a tough year to be a domain name Whois record. For years Whois has been a favorite and uniquely effective tool of security researchers and law enforcement to battle cybercrime and cyberattacks, yet now that data will be kept under wraps to be metered out, if at all, under the watchful eye of domain name registrars whose strongest orientation in this matter is to their own legal certainty and the privacy of their customers. The situation DNS finds itself in is the unfortunate result of today’s privacy-centric global policy regimes.”
The introduction of the EU’s General Data Protection Regulation (GDPR) has meant it’s much more difficult to obtain the Whois data that was, for all but those domain names that utilised privacy protection, freely available, although it wasn’t always accurate, of course. DomainTools note that less than 25% of domain name registrants utilised privacy protection.
In their post DomainTools note that the “proponents of the anonymization of the internet are saying that ‘see, the sky is not falling, Whois didn’t really matter after all’. Except that it does matter. It matters a great deal to the very same people GDPR is designed to protect.”
DomainTools give a couple of examples of where they believe “security investigations or processes [have been] impaired by the current global inability to identify the people or organizations that register and use domain names on the internet.”
“Election meddling is a hot-button issue, it gets to a very closely held civil right in most democratic countries. So last week’s announcements by Microsoft, cybersecurity company FireEye, Facebook, and Google regarding US midterm election influence campaigns being run on social media and also via state-sponsored phishing attacks, was widely distributed, read and referenced.”
In one example, DomainTools note “FireEye’s confidence to name Iranian actors as the responsible party stems from ‘a combination of indicators, including site registration data’ as well as ‘Registrant emails from the sites “Liberty Front Press” and “Instituto Manquehue”’.
“Facebook builds on the FireEye research and through investigation of Facebook Accounts and Pages is ‘able to link this network to Iranian state media through publicly available website registration information, as well as the use of related IP Addresses and Facebook Pages sharing the same admins.’”
“Google’s blog post implicates the Islamic Republic of Iran Broadcasting (IRIB) by noting ‘Technical data associated to these actors is strongly linked to the official IRIB address space…domain ownership information about these actors is strongly linked to IRIB account information…(and) Account metadata and subscriber information associated with these actors is strongly linked to the corresponding information associated with the IRIB’”.
DomainTools concludes that “Whois data isn’t going to solve the world’s cyberattack problems all on its own, but these investigations, centering on an issue of global importance that threatens our very democracy, likely get severely impaired without it. And this is just the tip of the iceberg, a few uniquely important investigations among the hundreds of thousands of cyberattacks going on all day every day all over the globe by people and organizations that can now hide behind the anonymity inherent in today’s internet. It’s reasonable that domain names used for certain commercial or functional purposes should require transparent registration information. Whois is not a crime.”