Europe's GDPR, Whois shakeup was supposed to trigger spam tsunami – so, er, where is it?
No catastrophe after hardline privacy rules kick in
Updated When new European privacy legislation forced internet registries and registrars to withhold the ownership details of internet domain names, a number of groups – including intellectual property lawyers and cybercrime experts – warned it would result in a jump in spam and online fraud.
"A lot of people who are using this data won’t be able to get access to it, and it's not going to be pretty," Rod Rasmussen, chairman of ICANN’s Security and Stability Advisory Committee, noted earlier this year.
"Once things start going dark it will have a cascading effect. Email deliverability is going to be one issue, and the amount of spam that shows up in peoples’ inboxes will be climbing rapidly because a lot of anti-spam technologies rely on Whois for their algorithms."
A Europol cybercrime representative weighed in, warning about "security gaps" if there isn't an accreditation system that gives people ready access to the hidden data. IBM security VP Caleb Barlow said Whois was "the big tool" that everyone was using to limit both spam and cybercriminals and "all of that's going away" with the change to a limited Whois.
These views were also referenced and reinforced by others. The Intellectual Property Constituency of DNS overseer ICANN – which runs the Whois system – for example wrote a letter [PDF] addressed to European data regulators that argued:
"Precluding efficient searchability of WHOIS data will place significant burdens on efforts to perform routine enforcement investigations and slow down much needed enforcement in an ever increasingly abusive Internet environment."
And so, three months into GDPR and with the loss of public Whois data, what has actually happened? Have we been hit with a tidal wave of spam? Are cybercrime experts running at full tilt in an effort to head off an explosion of phishing and malware?
Nope. In fact, nothing has happened.
Spam, spam, spam, spam
Researchers at Recorded Future have been tracking spam through Cisco's Talos reporting system and have concluded that GDPR has had zero impact on online problems. In fact, spam has dropped slightly since the new law was introduced and new registrations of domain names that are often associated with spam have actually fallen. The doomsayers are looking increasingly like fearmongers with an agenda.
"Prior to the implementation of the GDPR, many researchers feared that an increase in spam would be an unintended consequence of the law because security researchers would no longer be able to use Whois information to track new domain registrations and identify potentially bad domains," the authors note. "As a result, spammers could run wild with no way to identify and stop them."
But it hasn't happened.
There may be many reasons for that. But a big one is that the much-vaunted value of Whois data has long been questioned, in large part because the genuinely nefarious domains also use fake information: fake name, fake address, fake telephone numbers.
For a decade, security consultants, IP lawyers and the like have argued that even inaccurate data is useful – because cybercriminals are lazy and tend to reuse the same fake information, giving them the ability to find other domains that may be associated with a scammer.
But the truth is that no one has ever provided any real evidence that that's the case or that access to fake data has had a measurable impact. When ICANN formally asked the German courts to impose a temporary injunction against a registrar that refused to collect full Whois data, the courts repeatedly noted that the organization had simply failed to provide a compelling argument as to why this data was important and explicitly agreed with the registrar's argument that it wasn't really needed.
It is all too possible that those who insist that Whois data is critical to their crime-fighting efforts have been confusing activity with end results.
Money, money, money
There is also an element of self-enrichment. Some of those insisting on being given access make significant revenue from selling their services to others – such as chasing down people with domain names that contain trademarked terms. It will be interesting to see what the next report of the Anti-Phishing Working Group comes up with. Its report covering the first full quarter of GDPR isn’t expected until February 2019 – six months from now.
Aside from the wave of spam not appearing, there is another source that suggests the change to a private Whois may not actually be that big a deal: none less than the World Intellectual Property Organization (WIPO).
WIPO has produced an FAQ over the process that people use to seize control of a domain name – the Uniform Dispute Resolution Process (UDRP) – in the light of GDPR and Whois changes. And it has pretty much said, through gritted teeth, that everything will continue on as normal.
"How can a trademark owner submit a UDRP complaint if the publicly-available Whois data does not provide the domain name registrant’s identity and contact details?" reads one question.
It then admits: "If a UDRP complaint contains all available registrant information – e.g., where the respondent identified in the complaint matches the publicly-identified registrant in the registrar's Whois database such as 'Name Redacted' – then such a complaint would be accepted by WIPO for processing and compliance review."
It also notes that – as a UDRP provider – it is granted full access to Whois data and has no reason to believe that will ever change since, under the GDPR, it clearly fits the "performance of a contract" criteria to be granted an exception.
Seems to be working
In other words, the GDPR actually does the job it was designed to do: stopping access to private data from people who have no good reason to access it, and reinforcing formal processes for accessing that data.
If trademark holders, for example, want to find out who is behind a specific domain name, one of the ways they can do that is to lodge a formal UDRP complaint. But, of course, that costs money and will have to meet specific criteria to be accepted.
As for how things are going at ICANN's special working group, which is supposed to be coming up with a solution to Whois but which pretty much everyone already acknowledges is never going to succeed in reaching agreement: word is that the same groups that have prevented the service from being updated for 20 years are still in denial over the fact that it will have to actually change this time.
Apparently Facebook is currently the worst offender, with the social network represented by two former ICANN policy staff that oversaw the countless failed previous efforts to update the service.
One member of the group summed up progress on social media by using a current meme of the show American Chopper where two main characters simply yell at one another. In this case, the meme covers the circular argument that access to Whois should be written into the ICANN contract, even though it clearly breaks GDPR, under the logic that if it is in the contract it is then covered by the "performance of a contract" exclusion.
Which pretty much sums up the level of reason and logic that exists – and has always existed – around the Whois service.
Meanwhile, the rest of the world continues on, oblivious and feeling no ill effects from the loss of Whois data. ®
Updated to correct: An earlier version of this article incorrectly noted that Rod Rasmussen was chief technology officer of internet security company IID. We are happy to clarify that Rasmussen retired from the role 18 months ago. We regret the error.