Why Chicken Little Is Wrong
The General Data Protection Regulation (GDPR) goes into effect in a little over a month. To hear some tell it, this will result in a wave of criminal activity online, and it’s all because of WHOIS.
When you register a domain name, you have to give your registrar personal information – specifically, your full name, postal address, email address, and phone (and fax) numbers – and under its contract with ICANN (the non-profit that coordinates the domain name system) the registrar publishes that information in WHOIS. By default, WHOIS information is public – anyone can look up the information for any domain name at any time.
And that’s a problem, because the GDPR says that for any data subject – meaning essentially any individual in the European Union, regardless of citizenship – you can’t process that information, let alone publish it to the world, without a lawful basis, and for blanket publication the only realistic basis is the individual’s explicit consent. (Note that the GDPR does recognise other lawful bases that don’t require consent, but none of them stretches to publishing every registrant’s contact details to anyone who asks.)
So as of May 25th, WHOIS should go dark – at least the personal data in it. No more publication of domain name ownership information.
The issue with WHOIS going dark is that it torpedoes a technique used by researchers to identify fraudulent domain names.
See, the verification of WHOIS information is spotty – registrars rarely check it, so giving invalid information won’t cause a problem in the short term. And if you’re up to no good, you probably don’t want to give information that could be verified – but a fake identity holds up fine for the few days or weeks your malicious domain is likely to be active.
On the other hand, these bad actors are also generally lazy, so while they don’t use correct information, they do tend to use consistently incorrect information: the same made-up name, the same throwaway email address, the same phone number across dozens of domains. So researchers can pivot on those shared values to hunt down the bad actors or at least spot related domain names – until May 25, when that data goes away.
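To make the technique concrete, here is an added example (not code from the original post) of the kind of pivoting described above: WHOIS records are normalized field by field, values that belong to privacy proxies or are shared too widely are dropped, and domains that still share a registrant value are clustered together. The records, field names, proxy allowlist and thresholds are all constructed for illustration.

```python
"""Pivot on registrant fields shared across WHOIS records to find related domains.

All records below are constructed for this example; they are not real WHOIS
data. The field names and the proxy allowlist are assumptions, not a standard.
"""
import re
from collections import defaultdict

# Constructed sample: two domains reuse one bogus identity verbatim (modulo
# formatting), a third reuses only the phone number under a different name,
# one is an unrelated legitimate registration, two sit behind a privacy proxy.
RECORDS = [
    {"domain": "secure-login-update.example", "name": "John Smith",
     "email": "JSmith1234@mail.example", "phone": "+1.5551234567", "address": "123 Main St"},
    {"domain": "account-verify-now.example", "name": "john smith",
     "email": "jsmith1234@mail.example", "phone": "1-555-123-4567", "address": "123 main street"},
    {"domain": "paypa1-support.example", "name": "Jon Smyth",
     "email": "other@mail.example", "phone": "(555) 123 4567", "address": "PO Box 1"},
    {"domain": "bakery.example", "name": "Ana Lima",
     "email": "ana@bakery.example", "phone": "+351 21 000 0000", "address": "Rua A 1"},
    {"domain": "hidden1.example", "name": "Redacted for Privacy",
     "email": "proxy@privacyproxy.example", "phone": "+1.8005550000", "address": "PO Box 0"},
    {"domain": "hidden2.example", "name": "Redacted for Privacy",
     "email": "proxy@privacyproxy.example", "phone": "+1.8005550000", "address": "PO Box 0"},
]

# Values that many unrelated domains legitimately share (privacy proxies,
# registrar placeholders). Pivoting on them would join unrelated domains.
# Constructed allowlist; a real one is built from observed proxy providers.
PROXY_VALUES = {
    "name:redacted for privacy",
    "email:proxy@privacyproxy.example",
    "phone:8005550000",
    "address:po box 0",
}


def normalize(record):
    """Return the set of pivot keys for a record after normalizing each field."""
    keys = set()
    keys.add("name:" + " ".join(record["name"].lower().split()))
    keys.add("email:" + record["email"].strip().lower())
    digits = re.sub(r"\D", "", record["phone"])
    # Assumption for this sample: an 11-digit number starting with 1 is a
    # North American number with its country code; compare on the 10 digits.
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    keys.add("phone:" + digits)
    addr = re.sub(r"\bstreet\b", "st", record["address"].lower())
    keys.add("address:" + " ".join(addr.split()))
    return keys - PROXY_VALUES


def cluster(records, max_share=3):
    """Group domains that share at least one normalized pivot value.

    A value shared by more than `max_share` domains is treated as too generic
    to indicate a common operator and is not used for joining (tunable).
    """
    by_key = defaultdict(set)
    for r in records:
        for k in normalize(r):
            by_key[k].add(r["domain"])

    # Union-find over domains so that transitive links form one cluster.
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for domains in by_key.values():
        if len(domains) > max_share:
            continue
        domains = sorted(domains)
        for d in domains[1:]:
            parent[find(d)] = find(domains[0])

    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def related_to(records, seed):
    """Domains in the same cluster as a known-bad seed domain (seed excluded)."""
    for g in cluster(records):
        if seed in g:
            return [d for d in g if d != seed]
    return []


if __name__ == "__main__":
    for g in cluster(RECORDS):
        print(g)
    print(related_to(RECORDS, "secure-login-update.example"))
```

Two details matter in practice: the normalization step is what turns "consistently incorrect" into actually matching strings (the three phishing-style domains share one phone number written three different ways), and the proxy allowlist is what keeps the two privacy-protected domains from being joined merely because they use the same proxy service.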
And, according to the Chicken Littles of Infosec, doom and chaos shall rain from the heavens.
Now, I think they’re wrong twice over, both in their conclusion and also in the choice they’re implicitly making through this argument.
First of all, WHOIS information isn’t a silver bullet that magically reveals evildoers and stops them in their tracks. When researchers realized they could use this tool, malicious activity didn’t suddenly stop. The long-term trends haven’t even really been impacted by the use of this technique. Sure, it’s useful; I’ve used it myself, and I’m sure there are people out there who absolutely depend on it to do their work. I’m sure they’re unhappy to lose it.
And, well… suck it up, people. The one thing I can guarantee in the technology industry is that everything is temporary. If you absolutely depend on a technology, a technique, a source of data – you’d better have some alternative in the back of your mind, because there is no guarantee it’ll be there next week.
I admit I could be wrong. Maybe, somehow, hidden in the data, is proof that WHOIS analysis is actually essential to the survival of a usable internet, and by July we’ll all be buried in a tsunami of crime.
But I’m not losing sleep over the possibility, because, well… it’s absurd. It’s one method, one technique, that was never 100% effective to begin with, and one that probably would never have been adopted if security researchers had to weigh its privacy cost to everyone else against its benefit rather than justifying it on financial impact alone.
Which brings me to my second point, to me the more essential one.
Publicly-available WHOIS information is privacy abuse, should never have been a thing in the first place, and regardless of its utility for a given purpose, advocating for maintaining the status quo is anti-consumer and hostile to user privacy.
For these researchers to spot the fraudulent domains, they have to examine the data of every registered domain and flag the ones that look suspicious. Which means in order for their analysis to work, they need your information to be public too: fake data is only recognisable as an outlier against the mass of real data around it. Otherwise, there’s no way to spot the fake data they’re looking for.
Now, as things stand, doxxing someone online is a bad thing. Disclosing someone’s contact information can get them harassed, threatened, and even killed. People go to significant lengths to avoid having their information made public… but these researchers want everyone who owns a domain name to be doxxed for their convenience.
Now, they’ll argue that there are measures you can take, even with public WHOIS, and they’re right. I pay extra for every domain I own to have my information hidden behind my registrar. And before that, I was the proxy for a few people who were more vulnerable than I to online harassment and threats.
However, I am not willing to say that only people with the know-how or the resources or the willing partner should be allowed privacy on the Internet.
I am not willing to say that one tool, one technique, that’s useful in one form of analysis is a valid reason to ignore the harm done to privacy in the process.
Especially not just because the Chicken Littles say I should be afraid if we don’t.