ICANN, GDPR, and the WHOIS: A Users Survey - Three Years Later.

Principal Investigators: Laurin B Weissinger, DPhil, The Fletcher School and Computer Science, Tufts University

Dave Piscitello, Interisle Consulting Group
Bill Wilson, M3AAWG Senior Advisor


ICANN GDPR and WHOIS Users Survey A Joint Survey by M3AAWG and the APWG, June 2021

Table of Contents

Executive Summary ..... 3
The WHOIS and the Impact of the Temporary Specification ..... 5
  Introduction ..... 5
  Key Findings in Context ..... 6
Detailed Analysis ..... 8
  Introduction ..... 8
  Methodology ..... 8
  Demographics and Use of WHOIS ..... 9
  RDAP Use ..... 12
  Effects of the Temporary Specification on WHOIS Use for Abuse Mitigation ..... 14
  Disclosure of Redacted Data ..... 20
  Disclosure Systems under ICANN consideration ..... 25
  Complaints to ICANN ..... 25
Summary ..... 26


Executive Summary

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) and the Anti-Phishing Working Group (APWG) have again collaborated to conduct a survey of cyber investigators and anti-abuse service providers to understand how ICANN's application of the European Union's General Data Protection Regulation (GDPR) has impacted the distributed WHOIS service and anti-abuse work. In particular, we discuss the effect of the Temporary Specification on anti-abuse actors' access to and use of domain name registration information, which is central to various types of investigations.

At its core, the WHOIS is a protocol widely used for accessing data on the registered assignees of an Internet resource, in our case domain names. WHOIS services are available via multiple channels, e.g. Web-based tools, Port 43, and more recently RDAP.

From our analysis of over 270 survey responses, we find that respondents report that changes to WHOIS access following ICANN's implementation of the EU GDPR, the Temporary Specification for gTLD Registration Data[1] (Temporary Specification, adopted in May 2018), continue[2] to significantly impede cyber applications and forensic investigations and thus cause harm or loss to victims of phishing, malware or other cyber attacks.

Specifically, the survey responses indicate that the Temporary Specification has reduced the utility of public WHOIS data due to wide-ranging redactions,[3] beyond what is legally required. It also introduces considerable delays, as investigators have to request access to redacted data on a case-by-case basis, often with unactionable results. Furthermore, with limited or no access to the data that had previously been obtained or derived from WHOIS data, some investigators struggle to identify perpetrators and put an end to criminal campaigns. The resulting delays and roadblocks are a boon to attackers and criminals, prolonging their windows of opportunity to cause harm during cybercrime activities such as phishing and ransomware distribution, or the dissemination of fake news and subversive political influence campaigns.

M3AAWG and APWG observe that there are four issues that ICANN needs to address:

1. Access to some relevant data, such as the contact data of legal persons, needs to be readily available while protecting natural persons' privacy.

2. Both sporadic WHOIS users who make relatively few requests and bulk users who use data-driven approaches for blocklisting should be accommodated by ICANN.

3. ICANN should establish a functional system of registrant data access for accredited parties; such a system needs to be workable for cybersecurity professionals and law enforcement in terms of time delays and administrative burden, and should include strict privacy and security controls.

4. The survey responses indicate that the solutions currently discussed at ICANN would not meet the needs of law enforcement and cybersecurity actors in terms of timelines.

[1] Temporary Specification for gTLD Registration Data, https://resources/pages/gtld-registration-dataspecs-en

[2] See report 1 from 2018 for further information. See: https://WhoisSurvey2018-10

[3] The Temporary Specification allows for far-reaching redactions, beyond what the GDPR requires. An Interisle study concludes that contact data for 57% of all generic TLDs are now redacted, many times more than necessary. The Interisle study further notes that the registrants of 86.5% of all names cannot be ascertained due to redactions and the use of privacy and proxy services. See: http://ContactStudy2021.html


The WHOIS and the Impact of the Temporary Specification

Introduction

WHOIS records are a key resource used by cybersecurity experts, law enforcement agents, blocklist providers and others to attribute criminal activity, understand malware campaigns, flag malicious domains, and more. Users of the WHOIS use the system for different reasons, but two use cases seem worth highlighting.

Investigators might use the WHOIS to find information on specific names, for example when they identify a counterfeit shopfront, after receiving an abuse report, or to better understand or categorize traffic patterns. The majority of our respondents fall into this category, usually making fewer than 100 daily requests. Another use of the WHOIS involves the analysis of large amounts of WHOIS data to detect patterns of abuse, and to associate malicious domains with each other, as well as with malware, phishing, or spam campaigns:

Criminals regularly register large numbers of domains in bulk, often in batches of hundreds or thousands of names at the same time. When individual names used for their criminal schemes are blocked, detected, or otherwise "burned", the criminals swiftly switch to new, pre-registered names from their earlier bulk orders. While not all cybercrimes and attacks require large numbers of quickly replaceable names, this approach is common.

To respond to cybercriminals that leverage bulk buying and bulk resource use, investigators query WHOIS data constantly and at all times to detect patterns. Registrant as well as technical data can be used to identify sets of likely malicious domains based on their association with already known bad domains or known records: names, email addresses and telephone numbers are likely to be the same for domains used by the same criminal group or the same campaign, while bulk orders may also present extremely similar timestamps. When matches are found, domains can be analyzed or added to watchlists. If other criteria indicating abuse are satisfied, these defenders and blocklist providers might also add these names to a blocklist.

To fight crime and abuse, large datasets are particularly powerful: investigators and analysts can use them to map out and then dismantle criminal attack infrastructures, while bulk data enables blue teams to protect their networks. For this data-driven approach to work, however, high-volume, real-time access to WHOIS records is essentially required. Wait times, rate limiting, inconsistent responses, redacted data, and rotating fake information all increase response times and decrease data quality.

Since the Temporary Specification came into force in 2018, after years of inaction, redaction of registrant data has complicated the work of investigators working with large amounts of WHOIS data and of those who rely on WHOIS data to attribute attacks and understand criminal infrastructures. Partly, this is due to the fact that not only EU data subjects' data are now redacted, as legally required, but also data belonging to non-EU citizens and residents, as well as data pertaining to commercial entities, which are not protected under GDPR.
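The following is an added example, written for this page and not code from the report or from M3AAWG/APWG, that implements the pivoting described above on a handful of constructed WHOIS records. It expands a seed set of known-bad domains over shared, non-redacted registrant email and phone values (the strong signal), treats near-identical creation timestamps as weaker corroborating evidence that only earns a watchlist entry, and reports which records can no longer be pivoted on at all once their contact fields are redacted. The field names, the redaction marker strings, the 30-second window and all sample domains and contact values are assumptions for illustration.

```python
"""Pivot from known-bad domains to related registrations using WHOIS fields.

Added example; not code from the M3AAWG/APWG report. RECORDS below are
constructed sample data in an assumed, already-parsed record layout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Strings registrars substitute for personal data under the Temporary
# Specification (assumed markers). They must never be used as pivot keys,
# or every redacted domain would "match" every other redacted domain.
REDACTED_MARKERS = {"", "REDACTED FOR PRIVACY", "DATA REDACTED"}

# Constructed sample records (not real registrations).
RECORDS = [
    {"domain": "paypa1-secure-login.example", "email": "ops@mailer.example",
     "phone": "+1.5550100", "created": "2021-03-01T10:00:00"},
    {"domain": "paypa1-verify-account.example", "email": "ops@mailer.example",
     "phone": "+1.5550100", "created": "2021-03-01T10:00:04"},
    {"domain": "amaz0n-billing-update.example", "email": "REDACTED FOR PRIVACY",
     "phone": "REDACTED FOR PRIVACY", "created": "2021-03-01T10:00:09"},
    {"domain": "shop-fake-sneakers.example", "email": "REDACTED FOR PRIVACY",
     "phone": "+1.5550100", "created": "2021-02-20T08:30:00"},
    {"domain": "unrelated-bakery.example", "email": "REDACTED FOR PRIVACY",
     "phone": "REDACTED FOR PRIVACY", "created": "2021-03-01T10:00:11"},
    {"domain": "legit-corp-site.example", "email": "hostmaster@legitcorp.example",
     "phone": "+44.2079460000", "created": "2020-11-11T12:00:00"},
]

# Assumed starting point: one domain already confirmed as a phishing site.
SEEDS = {"paypa1-secure-login.example"}


def _ts(value):
    return datetime.fromisoformat(value)


def pivot_keys(record):
    """Yield (field, value) pairs usable for matching; redacted values are skipped."""
    for field in ("email", "phone"):
        value = record.get(field, "").strip()
        if value.upper() not in REDACTED_MARKERS:
            yield (field, value.lower())


def contact_pivot(records, seeds):
    """Transitively expand the seed set over shared non-redacted contact values.

    Returns {domain: reason} for every newly linked domain (seeds excluded).
    """
    by_key, by_domain = defaultdict(set), {}
    for r in records:
        by_domain[r["domain"]] = r
        for key in pivot_keys(r):
            by_key[key].add(r["domain"])
    found, frontier = {}, [d for d in seeds if d in by_domain]
    seen = set(frontier)
    while frontier:
        domain = frontier.pop()
        for key in pivot_keys(by_domain[domain]):
            for other in by_key[key]:
                if other not in seen:
                    seen.add(other)
                    frontier.append(other)
                    found[other] = f"shared {key[0]} with {domain}"
    return found


def timestamp_pivot(records, anchors, window=timedelta(seconds=30)):
    """Domains created within `window` of any anchor domain (anchors excluded).

    Bulk orders tend to carry near-identical creation times, but so may
    unrelated registrations made at the same moment, so this is weak evidence.
    """
    by_domain = {r["domain"]: r for r in records}
    anchor_times = [(a, _ts(by_domain[a]["created"])) for a in anchors if a in by_domain]
    found = {}
    for r in records:
        if r["domain"] in anchors:
            continue
        created = _ts(r["created"])
        for anchor, anchor_time in anchor_times:
            if abs(created - anchor_time) <= window:
                found[r["domain"]] = f"created within {int(window.total_seconds())}s of {anchor}"
                break
    return found


def triage(records, seeds, window=timedelta(seconds=30)):
    """Combine both pivots into a per-domain verdict: (label, reason).

    A shared contact value makes a blocklist candidate; a timestamp match
    alone only makes a watchlist entry pending further abuse indicators.
    """
    strong = contact_pivot(records, seeds)
    weak = timestamp_pivot(records, set(seeds) | set(strong), window)
    verdicts = {d: ("blocklist-candidate", why) for d, why in strong.items()}
    for d, why in weak.items():
        verdicts.setdefault(d, ("watchlist", why))
    return verdicts


def unpivotable(records):
    """Domains whose contact fields are all redacted: no contact pivot is possible."""
    return sorted(r["domain"] for r in records if not list(pivot_keys(r)))


if __name__ == "__main__":
    for domain, (label, why) in sorted(triage(RECORDS, SEEDS).items()):
        print(f"{label:20} {domain:32} {why}")
    print("no contact pivot possible:", unpivotable(RECORDS))
```

On the sample data the shop domain is linked to the seed through its phone number even though its email is redacted, while the two fully redacted domains registered seconds after the seed can only be watchlisted, and one of them (the bakery) is a false positive that contact data would have cleared: that is the loss of utility the redactions cause.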
