Security Experts:

Connect with us

Hi, what are you looking for?



Deleted WHOIS Data: An Unintended Consequence of GDPR

GDPR Will Impact the Availability of WHOIS Data to Security Researchers and Investigators

GDPR Will Impact the Availability of WHOIS Data to Security Researchers and Investigators

Unintended consequences. We see examples everywhere. From the mundane – the New Year’s resolution exercise regime that’s not vetted first with a medical professional and leads to injury. To the legendary – the 100 starlings introduced to the U.S. in 1890 by a Shakespeare aficionado, that have multiplied exponentially and now wreak havoc on an ecosystem they were not naturally part of. To the ubiquitous – the development boom in prosperous cities and the fallout from congestion and lack of affordable housing.

As security professionals, next week we can expect to see another example of an unintended consequence when the General Data Protection Regulations (GDPR) goes into effect. There are actually a few unintended consequences from these new regulations, but one of the most concerning is the upcoming response that domain registrars are discussing through the global body the Internet Corporation for Assigned Names and Numbers (ICANN). As the name suggests, ICANN is responsible for maintaining the rules for WHOIS data – essentially, a telephone directory-like structure that contains detailed information on who signed up for a specific Internet domain, including their name, address, email address and telephone number. Such data is subject to the GDPR’s privacy requirements for protection. As a result, under current proposals, many of the businesses that register domains will remove key elements of information from the system. In effect, on May 25 the system will “go dark” until alternative preparations are made, which ICANN representatives expect won’t start being implemented until December 2018.  

GDPR is a sensible law that exists for very good reasons and, in fact, is an evolution of legislation currently in place. But in the quest to further protect the personal data and privacy of citizens of EU countries, we could be creating a riskier world. The problem is that WHOIS is routinely used by companies and individuals to fight computer fraud and other criminal activity on the Internet. This data often serves as a trail of breadcrumbs that leads security researchers to someone obtaining domains to launch global campaigns involving spam, malware and botnets. For example, the email address listed as the technical contact for one computer domain might be the same address used in a specific malware campaign. Or an address that is associated with the primary business contact could be consistent across several registrations. The directory is a useful tool to spot patterns, coordinate efforts and gain insight into who is likely to be responsible for malicious activity and even anticipate what their next expected behavior may be to get ahead of potential attacks. 

Without access to this critical resource, combatting criminal behavior on the Internet becomes much more difficult. To make matters worse, during the intervening months before an alternative solution for GDPR-compliant access is available, attackers will be able to exploit this new-found anonymity to their advantage. We may see an uptick in spam and, more generally, in criminal activity. As we alter our methods for data handling, we could be exposing the very individuals we are striving to protect, to additional risk.

However, there are ways to compensate for a lack of ready access to WHOIS data in the next several months. We need to remember that digital risks come from all kinds of adversaries and places beyond the boundary. Digital risks include cyber threats, data exposure, brand exposure, third-party risk, VIP exposure, physical threats and infrastructure exposure. Often these threats and risks span data sources and cannot be detected in full context by any single source, or even by multiple sources used in isolation. As I’ve discussed before, you need insight across the widest range of data sources possible to mitigate digital risk and better protect your organization. 

Those combating computer crime and fraud will benefit from further diversifying the methods for spotting criminal activity – it’s not just WHOIS data. For example, monitoring Pastebin and social media for mentions of your company, IP addresses and even industry can help you determine if you’ve been targeted for an attack or may be, so you can proactively strengthen defenses. Access to hacked remote server and remote desktop protocol (RDP) sites will allow you to look for mentions of your IP addresses. And monitoring the dark web can provide information on threat actor profiles to understand their motivation and gauge credibility.

Additionally, security experts are speaking up and pointing out how removal of this contact information makes our fight much harder. We need to encourage registrars that make computer domains available to revisit their proposed response. After all, it is up to them how they implement GDPR compliance measures. It is important to find an easy way to provide access while respecting the privacy of registrants. The unintended effect of removing WHOIS data entirely, is not a good outcome for consumers or the industry.

Despite our best intentions, change often brings unintended consequences. But by monitoring across the entire Internet for risks and sharing our perspectives, those of us responsible for fighting cybercrime can help mitigate these outcomes.

Written By

Click to comment

Expert Insights

Related Content


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...


Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...