As cybersecurity professionals, we can expect the implementation of the European GDPR or General Data Protection Regulations to have many unintended effects on day to day operations of Internet services. One of the most concerning consequences of GDPR is the WHOIS data.
Often termed the “Information Super Highway”, the Internet facilitates the flow of information from individual to individual and company to company. And as with any highway, you need a start and a destination. For companies to exchange information with anyone, they need to register a domain – an Internet identity for the business. This can be seen in e-mail and website addresses, allowing interested parties to connect with people and services in the company.
The registration of such a domain and its underlying components requires names, addresses, email addresses and telephone numbers of people responsible for registering and maintaining these services.
A global body called ICANN (Internet Corporation for Assigned Names and Numbers) maintains this directory. However, from the 25th of May, they will have to hide this information or face stiff penalties. ICANN does not expect an alternative solution to be implemented before December 2018.
GDPR is a sensible law and exists for good reasons. Protecting this personal information is positive, but it has consequences. Until now, the information in the ICANN directory has been publicly available, which has been a benefit for cybersecurity professionals. They use it to trace cyber criminals and cyber vandals. The change means that cybersecurity professionals will have to look for alternative methods. The benefit of the ICANN directory was that it enabled the finding of patterns and similarities in multiple cyber campaigns. Cyber defence specialists had access to contact information of companies that were inadvertently being used as distribution points for attacks, or others that could help mitigate attacks by identifying potential targets.
Without access to this information, it becomes much more difficult to combat cybercriminal activities. Until ICANN provides a working solution, spammers, hackers and other cyber miscreants will be able to work with far more anonymity than before.
In conclusion, it is important to find a balance between providing access to essential crime fighting information, and respecting the privacy of registrants. The unintended impact of hiding such data may be the first negative consequence of GDPR.