The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) and The Anti-Phishing Working Group (APWG) have again collaborated to conduct a survey of cyber investigators and anti-abuse service providers to understand how ICANN’s application of the European Union’s General Data Protection Regulation (GDPR) has impacted on the distributed WHOIS service and anti-abuse work. The resulting report, published in June, discusses the effect of the Temporary Specification on anti-abuse actors’ access and usage of domain name registration information, which is central for various types of investigations.
From their analysis of over 270 survey responses, the report finds that respondents report that the changes to WHOIS access following ICANN’s implementation of the EU GDPR, the Temporary Specification for gTLD Registration Data (Temporary Specification, adopted in May 2018), continue to significantly impede cyber applications and forensic investigations, and thus cause harm or loss to victims of phishing, malware or other cyberattacks.
Specifically, as the report notes, the survey responses indicate the Temporary Specification has reduced the utility of public WHOIS data due to wide-ranging redactions, beyond what is legally required. It also introduces considerable delays, as investigators have to request access to redacted data on a case-by-case basis, often with unactionable results. Furthermore, with limited or no access to the data that had previously been obtained or derived from WHOIS data, some investigators struggle to identify perpetrators and put an end to criminal campaigns. The resulting delays and roadblocks are a boon to attackers and criminals, prolonging their windows of opportunity to cause harm during cybercrime activities such as phishing and ransomware distribution, or the dissemination of fake news and subversive political influence campaigns.
In summary, the report notes, the data paints a bleak picture of the current state of WHOIS. Many WHOIS users in law enforcement, public safety, and cybersecurity require timely and predictable access to accurate records. This is true not only for those attributing attacks but also for parties relying on bulk data analysis to map cybercriminal infrastructures or detect patterns of abuse. The survey responses corroborate, or are consistent with, other studies that have concluded that the changes to WHOIS have undermined cybersecurity and impeded cyber investigations generally. According to the respondents:
- The lack of WHOIS access increases the time it takes to address various types of abuse and leads to a higher volume of abusive domains and abuse more generally. Many cybercrimes rely on resources like domain names for a short time only, making quick response paramount when trying to reduce harm. While some security work requires no access, or only sporadic access, to redacted data, those trying to attribute malicious activity are impacted the most.
- The system to access redacted data appears to fail regularly. Wait times are too long, while requests are ignored, denied, or responded to with useless information.
- Dealing with ICANN compliance is a lengthy and inefficient process that too frequently results in no action.
In the report, M3AAWG and APWG observe that ICANN needs to address the following four issues:
1. Access to some relevant data like contact data of legal persons needs to be readily available while protecting natural persons’ privacy.
2. Both sporadic WHOIS users who make relatively few requests and bulk users who use data-driven approaches for blocklisting should be accommodated by ICANN.
3. ICANN should establish a functional system of registrant data access for accredited parties; such a system needs to be workable for cybersecurity professionals and law enforcement in terms of time delays and administrative burden, and should include strict privacy and security controls.
4. The survey responses indicate that the solutions currently discussed at ICANN would not meet the needs of law enforcement and cybersecurity actors in terms of timelines.
To download the report in full, click here [pdf].