David Goldstein - Could the EU's GDPR Lead to More Scam and Spam Emails?


    The European Union’s General Data Protection Regulation (GDPR) came into effect on 25 May, and it has had a major impact not just on European ccTLDs but on all gTLDs and many ccTLDs around the world. European ccTLDs were belatedly rolling out updates to their policies to deal with GDPR, but ICANN took until the week before its implementation to work out how to deal with it, a delay that affects not only all gTLD registries but also Registrars.

    Security researchers who rely on the WHOIS data collected when domain names are registered face losing access to that information, as does almost everyone else, and the end result may well be more spam and scam emails.

    To deal with the changes for gTLDs, which include .com, .berlin and .xyz among hundreds more, ICANN announced a “temporary specification”, the final version of which was published just 7 days before the GDPR came into effect.

    The temporary specification requires Registry Operators and Registrars to continue collecting all WHOIS information for gTLDs. However, when conducting WHOIS queries the data returned will only be “Thin” data, which includes only technical data sufficient to identify the sponsoring Registrar, status of the registration, and creation and expiration dates for each registration, but not personal data.

    For third parties with legitimate interests in gaining access to the non-public data held by the Registry Operator or Registrar, there are still ways to access that data. Queries can be made through the sponsoring Registrar and they are obligated to respond in a reasonable time. If a response is not received, ICANN will have a complaint mechanism available. If it is thought individual parties are not complying with their obligations under these temporary specifications or their agreements with ICANN, ICANN’s Contractual Compliance Department can be contacted to file a complaint.

    There are fears that this lack of WHOIS information being made available to law enforcement bodies in a timely manner will give cybercriminals a leg up, allowing them time before their identity is discovered and their domain names are taken down. While law enforcement bodies can apply for access, this process will take time, meaning a delay in approval and access.

    “If you don’t have an accreditation system by 25 May then there’s no means for cybersecurity folks to get access to this information,” Gregory Mounier, head of outreach at EUROPOL’s European Cybercrime Center and member of ICANN’s Public Safety Working Group, told KrebsOnSecurity. “Let’s say you’re monitoring a botnet and have 10.000 domains connected to that and you want to find information about them in the WHOIS records, you won’t be able to do that anymore. It probably won’t be implemented before December 2018 or January 2019, and that may mean security gaps for many months.”