
GDPR and WHOIS Compliance

By David Tremont posted 04-27-2018 08:50

  


 

Well, it appears ICANN has run into a snag on being compliant with GDPR. Let me explain what this means and how it is going to affect our ability to identify domains.

For starters, the U.S.-based ICANN only started its compliance efforts late last year. (I thought we were getting a late start, who knew.) For those of you who do not know what WHOIS is: in its current form, it makes publicly available the information of anyone who registers a web domain. What is WHOIS data used for?

ICANN, under pressure to comply with the regulation, had asked for a moratorium so that it could better prepare for the WHOIS service changes, but the request was turned down by the Article 29 Working Party, or WP29. This is a body of representatives from the EU member states' data protection authorities which oversees privacy regulations, including GDPR, for ICANN as well as many other organizations to ensure compliance.

Below is just a portion of the WHOIS information when I entered an IP Address of 23.23.193.242:

# If you see inaccuracies in the results, please report at https://www.arin.net/public/whoisinaccuracy/index.xhtml
https://whois.arin.net/rest/nets;q=23.23.193.242?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2

NetRange:       23.20.0.0 - 23.23.255.255

CIDR:           23.20.0.0/14
NetName:        AMAZON-EC2-USEAST-10
NetHandle:      NET-23-20-0-0-1
Parent:         NET23 (NET-23-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS16509
Organization:   Amazon.com, Inc. (AMAZO-4)
RegDate:        2011-09-19
Updated:        2014-09-03
OrgName:        Amazon.com, Inc.
OrgId:          AMAZO-4
Address:        Amazon Web Services, Inc.
Address:        P.O. Box 81226
City:           Seattle
StateProv:      WA
PostalCode:     98108-1226
Country:        US
RegDate:        2005-09-29
Updated:        2017-01-28
Ref:            https://whois.arin.net/rest/org/AMAZO-4
OrgTechHandle: ANO24-ARIN
OrgTechName:   Amazon EC2 Network Operations
OrgTechPhone:  +1-206-266-4064
OrgTechEmail:  amzn-noc-contact@amazon.com
OrgTechRef:    https://whois.arin.net/rest/poc/ANO24-ARIN

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName:   Amazon EC2 Abuse
OrgAbusePhone:  +1-206-266-4064
OrgAbuseEmail:  abuse@amazonaws.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/AEA8-ARIN 

OrgNOCHandle: AANO1-ARIN
OrgNOCName:   Amazon AWS Network Operations
OrgNOCPhone:  +1-206-266-4064
OrgNOCEmail:  amzn-noc-contact@amazon.com
OrgNOCRef:    https://whois.arin.net/rest/poc/AANO1-ARIN

As you can see, it is a wealth of information for determining who or what organization is utilizing a particular domain and whom to contact when you identify a possible threat. I use this religiously when I need to perform specific firewall blocks from bad actors.

Now we have given you a brief overview of WHOIS and the information it provides us, but I bet you are asking, or maybe not, how does this affect me in the United States?

Anyone in security who is responsible for day-to-day operations and has to stop threats in real time needs this service to determine where these threat vectors are possibly originating. It is also used to investigate illicit businesses and to protect intellectual property.

An example of this would be if my threat alerts are telling me I am currently under a DDoS attack from a specific IP address. I may be able to perform a WHOIS search on the IP address, and it will give me the domain and the IP addresses it uses, along with the address of the entity and, more specifically, the ISP or domain holder, so that I can call and report the abuse. The ISP would then investigate and hopefully stop the offender from further attacks.
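As an added example (not part of the original post), the lookup workflow described above can be scripted: the Python below parses ARIN-style output like the record shown earlier, checks that the record's CIDR actually covers the alerting IP, and pulls out the abuse contact. The function names and the `reportable` flag are assumptions made for this illustration; missing contact fields come back as `None`.

```python
import ipaddress
import re

# Trimmed copy of the ARIN output shown above, embedded so the example runs offline.
SAMPLE = """\
# If you see inaccuracies in the results, please report at
NetRange:       23.20.0.0 - 23.23.255.255
CIDR:           23.20.0.0/14
NetName:        AMAZON-EC2-USEAST-10
OriginAS:       AS16509
OrgName:        Amazon.com, Inc.
RegDate:        2011-09-19
RegDate:        2005-09-29
OrgAbuseEmail:  abuse@amazonaws.com
OrgAbusePhone:  +1-206-266-4064
"""

FIELD = re.compile(r"^([A-Za-z]+):\s+(\S.*)$")  # "Key:   value"; skips comments and bare URLs

def parse_whois(text):
    """Collect every value per key; keys such as RegDate and Address repeat."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2).strip())
    return fields

def abuse_summary(text, ip):
    """Summarise who to contact about `ip`; missing fields come back as None."""
    f = parse_whois(text)
    first = lambda key: f.get(key, [None])[0]
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(c.strip())
            for value in f.get("CIDR", []) for c in value.split(",")]
    summary = {
        "ip": ip,
        "in_range": any(addr in n for n in nets),  # does the record really cover this IP?
        "org": first("OrgName"),
        "asn": first("OriginAS"),
        "abuse_email": first("OrgAbuseEmail"),
        "abuse_phone": first("OrgAbusePhone"),
    }
    # Only treat the record as actionable if it covers the IP and names a contact.
    summary["reportable"] = summary["in_range"] and summary["abuse_email"] is not None
    return summary

if __name__ == "__main__":
    print(abuse_summary(SAMPLE, "23.23.193.242"))
```

A record that no longer carries contact fields yields `reportable: False`, which is the case to watch for if registries start withholding data.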

Now, the example above is often not so cut and dried, especially if it is a bot generating traffic from an unsuspecting home computer, but it gives us a little more ammunition in our security toolboxes to mitigate threats we have identified. There is also a way to maintain privacy: most registrars offer a paid service to keep your information private. All you have to do is go to your domain registrar and, with a click, make your contact information private, for a subscription fee of course.

After reading a plethora of articles on this issue, we are basically at a point where registrars and registries are likely to implement their own limitations on accessing WHOIS data according to their interpretation of the regulation. To make matters worse for ICANN and its contracted registrars, the US Government has advised ICANN it wants to continue to provide access to registrants' data and would be up for imposing legislation. In all likelihood, if we want to perform a WHOIS on an EU business or possible bad actor, we may not get the information needed to act on a specific issue with that entity. What I wonder is, is this setting up ICANN to pay an exorbitant amount of fines for each published domain register in the EU? Only time will tell where this is going to flesh out, but all of these things aside, ICANN knew this was coming, and being late to the game could in fact open a whole can of worms, as the EU is not budging from its May 25th deadline. ICANN and GDPR.

