When U.S., European and Canadian law enforcement officials claimed success last year in largely obliterating militant group Islamic State’s online propaganda network following a two-year operation, it was a public database of domain names that partly helped.
In an effort to crack down on websites, blogs, and Twitter accounts that relayed IS propaganda whenever there was an attack, authorities used the internet’s WHOIS database to identify about 400 domains hosting the content and registered by IS supporters, resulting in a number of arrests.
But the same work would be much more difficult to do today, according to a European law enforcement official, due to Europe’s strict new data privacy rules, the General Data Protection Regulation, which entered into force last May.
The WHOIS directory, which previously displayed both technical and personal data related to registered domain names, has been redacted to scrub out names, email addresses and other personal information due to Europe’s privacy law.
“Since May 2018, we have more and more cases of investigations that are just dropped or severely delayed because we can’t have direct access to WHOIS registration data information,” said Gregory Mounier, head of outreach and internet governance at Europol’s cybercrime center. “Overall you can say that the internet has become less safe because of an overly conservative interpretation of the GDPR by the ICANN community.”
The Internet Corporation for Assigned Names and Numbers, or ICANN, is the global internet oversight group. Last May it changed its rules with domain name registrars and registry operators around the world, requiring them to stop publishing personal information in WHOIS amid concern of GDPR-related fines. A similar system will remain in place until ICANN’s volunteer community, which includes technical, business, government and other stakeholders, agrees to a long-term solution.
The issue strikes at the heart of a long-running debate, with privacy advocates in one corner and government and law enforcement officials in the other, butting heads over the appropriate level of access authorities should have to data.
The U.S. and U.K. governments in recent years have both urged large tech giants to allow investigators access to encrypted services upon request. But privacy advocates have pushed back against such calls, saying it would also create backdoors for criminals and malign governments.
Law enforcement officials like Mounier say the importance placed on privacy and compliance in the case of WHOIS has complicated criminal investigations.
Officials and others can still request data directly from registrars but a major concern is that the process could tip off illegitimate registrars who have set up their businesses for malicious reasons.
Not everyone agrees. Registrars are cautious about requirements to handle customers’ personal information, out of concern they could run afoul of the EU’s GDPR rules, and get landed with a hefty fine.
WHOIS was “an all-you-can-eat buffet where you could download all the information yourself,” said James Bladel, vice president of global policy at domain registrar and web hosting company GoDaddy Inc. He said it’s “been converted to a process where access is more formal, transparent and controlled.”
Domain registrar Tucows Inc. said in February it’d received more than 21,000 data access requests since last May. More than 90% of the requests stemmed from commercial litigation interests, whereas less than 2% came from law enforcement -- none of which related to terrorism, the company said.
Due to the global impact of GDPR, the curtailed access to the database has drawn complaints outside of Europe.
In an April 4 letter addressed to the chair of ICANN’s board of directors, then U.S. Commerce Department telecom chief David Redl said “now it is time to deliberately and swiftly create a system that allows for third parties with legitimate interests, like law enforcement, IP rights holders and cybersecurity researchers to access non-public data critical to fulfilling their missions.”
Without that progress, “alternative solutions such as calls for domestic legislation will only intensify and be considered,” Redl said.
ICANN’s volunteer community is still working on a fix that keeps both its stakeholders and law enforcers happy. But for now, the new redacted system will remain in place until a long-term solution can be agreed.
“The beneficiaries of this system aren’t bearing any of the risk, it’s the folks making this available who are,” GoDaddy’s Bladel said.