Whois data is “more important than ever before” as malicious actors seek to undermine democracy, according to a post on the DomainTools blog.
“2018 has been a tough year to be a domain name Whois record. For years Whois has been a favorite and uniquely effective tool of security researchers and law enforcement to battle cybercrime and cyberattacks, yet now that data will be kept under wraps to be metered out, if at all, under the watchful eye of domain name registrars whose strongest orientation in this matter is to their own legal certainty and the privacy of their customers. The situation DNS finds itself in is the unfortunate result of today’s privacy-centric global policy regimes.”
The introduction of the EU’s General Data Protection Regulation (GDPR) has meant it’s much more difficult to obtain the Whois data that was, for all but those domain names that utilised privacy protection, freely available (though it wasn’t always accurate, of course). DomainTools note that less than 25% of domain name registrants utilised privacy protection.
In their post DomainTools note that the “proponents of the anonymization of the internet are saying that ‘see, the sky is not falling, Whois didn’t really matter after all’. Except that it does matter. It matters a great deal to the very same people GDPR is designed to protect.”
DomainTools give a couple of examples of where they believe “security investigations or processes [have been] impaired by the current global inability to identify the people or organizations that register and use domain names on the internet.”
“Election meddling is a hot-button issue; it gets to a very closely held civil right in most democratic countries. So last week’s announcements by Microsoft, cybersecurity company FireEye, Facebook, and Google regarding US midterm election influence campaigns being run on social media and also via state-sponsored phishing attacks were widely distributed, read and referenced.”
In one example, DomainTools note “FireEye’s confidence to name Iranian actors as the responsible party stems from ‘a combination of indicators, including site registration data’ as well as ‘Registrant emails from the sites “Liberty Front Press” and “Instituto Manquehue”’”.
“Facebook builds on the FireEye research and through investigation of Facebook Accounts and Pages is ‘able to link this network to Iranian state media through publicly available website registration information, as well as the use of related IP Addresses and Facebook Pages sharing the same admins.’”
“Google’s blog post implicates the Islamic Republic of Iran Broadcasting (IRIB) by noting ‘Technical data associated to these actors is strongly linked to the official IRIB address space…domain ownership information about these actors is strongly linked to IRIB account information…(and) Account metadata and subscriber information associated with these actors is strongly linked to the corresponding information associated with the IRIB’”.
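The three write-ups quoted above all rest on the same investigative move: linking domains to one another, and eventually to an organisation, through shared registration data and shared hosting. The following script is an added example written for this article; it is not code from DomainTools, FireEye, Facebook or Google. It parses simplified “Key: value” Whois records, extracts registrant e-mail, name server and resolved-IP pivots, and groups domains that share a pivot. Two caveats a practitioner would apply are built in: privacy-proxy e-mail addresses are ignored (thousands of unrelated domains share them), and name servers are excluded from linking by default (large DNS providers would link unrelated sites). All domain names, e-mail addresses and IP addresses are constructed for illustration and correspond to nothing real.

```python
"""Pivoting on domain registration data (added example, constructed data)."""
from collections import defaultdict
import re

# Constructed, simplified Whois-style records ("Key: value" lines, keys may repeat).
# Privacy-protected registrants show a proxy address, as they do in real Whois output.
WHOIS_RECORDS = {
    "news-site-a.test": "Registrant Email: editor@example-media.test\nName Server: NS1.EXAMPLE-HOST.TEST\nName Server: NS2.EXAMPLE-HOST.TEST\n",
    "news-site-b.test": "Registrant Email: editor@example-media.test\nName Server: NS1.OTHER-DNS.TEST\n",
    "news-site-c.test": "Registrant Email: contact@privacy-proxy.test\nName Server: NS1.EXAMPLE-HOST.TEST\n",
    "unrelated-shop.test": "Registrant Email: contact@privacy-proxy.test\nName Server: NS1.BIG-DNS.TEST\n",
    "unrelated-blog.test": "Registrant Email: contact@privacy-proxy.test\nName Server: NS1.BIG-DNS.TEST\n",
}

# Constructed A-record resolutions (in a real investigation this comes from passive DNS).
RESOLVED_IPS = {
    "news-site-a.test": ["192.0.2.10"],
    "news-site-b.test": ["192.0.2.11"],
    "news-site-c.test": ["192.0.2.11"],   # shares hosting with news-site-b
    "unrelated-shop.test": ["198.51.100.5"],
    "unrelated-blog.test": ["198.51.100.6"],
}

# Registrant addresses belonging to privacy/proxy services must not be used as links.
PRIVACY_PROXY_PATTERN = re.compile(r"privacy|proxy|whoisguard|redacted", re.I)


def parse_whois(text):
    """Parse 'Key: value' lines into a dict of lowercase key -> list of lowercase values."""
    fields = defaultdict(list)
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and value.strip():
            fields[key.strip().lower()].append(value.strip().lower())
    return dict(fields)


def pivot_keys(domain, parsed, resolved_ips):
    """Return the (kind, value) indicators that could link this domain to others."""
    keys = set()
    for email in parsed.get("registrant email", []):
        if not PRIVACY_PROXY_PATTERN.search(email):   # drop proxy addresses
            keys.add(("email", email))
    for ns in parsed.get("name server", []):
        keys.add(("ns", ns))
    for ip in resolved_ips.get(domain, []):
        keys.add(("ip", ip))
    return keys


def cluster_domains(records, resolved_ips, link_kinds=("email", "ip")):
    """Group domains that share at least one indicator of an allowed kind (union-find).

    Name servers are excluded by default because shared DNS providers link
    unrelated sites; pass link_kinds=("email", "ip", "ns") to include them.
    """
    parent = {d: d for d in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    by_key = defaultdict(list)
    for domain, text in records.items():
        for kind, value in pivot_keys(domain, parse_whois(text), resolved_ips):
            if kind in link_kinds:
                by_key[(kind, value)].append(domain)
    for domains in by_key.values():
        for other in domains[1:]:
            parent[find(other)] = find(domains[0])

    clusters = defaultdict(set)
    for d in records:
        clusters[find(d)].add(d)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])


if __name__ == "__main__":
    for cluster in cluster_domains(WHOIS_RECORDS, RESOLVED_IPS):
        print("linked:", ", ".join(cluster))
```

Run as-is, the three news sites fall into one cluster (a and b via the registrant e-mail, b and c via the shared IP) while the two privacy-protected, unrelated domains stay separate even though they share a proxy address and a DNS provider. Allowing name-server links merges the two unrelated domains, which is exactly the false positive the default setting avoids; this is also why, once registrant e-mail disappears from public Whois under GDPR, the remaining pivots (IP, name server) are both weaker and noisier.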
DomainTools concludes that “Whois data isn’t going to solve the world’s cyberattack problems all on its own, but these investigations, centering on an issue of global importance that threatens our very democracy, likely get severely impaired without it. And this is just the tip of the iceberg, a few uniquely important investigations among the hundreds of thousands of cyberattacks going on all day every day all over the globe by people and organizations that can now hide behind the anonymity inherent in today’s internet. It’s reasonable that domain names used for certain commercial or functional purposes should require transparent registration information. Whois is not a crime.”