The Security Skeptic

My  Interisle colleagues, together with Greg Aaron, have completed an in-depth analysis of the effects of ICANN policy for WHOIS, a public lookup service that has until recently made it possible to identify who registered and controls a domain name. 

The European Union’s General Data Protection Regulation (GDPR), adopted in May 2018, restricted the publication of personally identifiable data in WHOIS. In response, the Internet Corporation for Assigned Names and Numbers (ICANN) established a new policy, allowing registrars and registry operators to redact (withhold) personally identifiable data from publication in WHOIS. The implementation of this policy has been widely criticized, in particular, for failing to discriminate between legal entities and natural persons and for failing to scope the application of redaction to parties operating or residing in the EU's "jurisdiction". This over-redaction is alleged to interfere with parties who have legitimate reasons to contact domain owners (e.g., to notify a victim of a phishing attack) or who are investigating the thousands of domains used daily to perpetrate fraud (business email compromise), extortion (ransomware) or to foment political unrest (state sponsored election interference) or social uncertainty (anti-science rhetoric). 

In 2013, ICANN commissioned NORC/University of Chicago to conduct a WHOIS Registrant Identification Study  Despite the obvious benefit of having more recent data to inform policy, ICANN avoided studying the "demographics" of domain name registrations but instead allowed its community to  develop policy with no answers to the following relevant and compelling questions:

1. What percentage of gTLD domains have actual registrant data on record?
2. What percentage of gTLD domains are under privacy/proxy services, and which services?
3. What percentage of gTLD domains have contact data that is redacted/hidden under ICANN’s Temporary Specification?
4. What percentage of gTLD domains have redacted contact data but are not subject to GDPR? 
5. What percentages of gTLD registrants are natural versus legal persons? Of these, how many are inside versus outside the jurisdiction of the European Union?  What is the relative percentage of privacy/proxy use among legal persons?
6. What are the percentages for gTLD domains registered for malicious purposes (cybercrimes such as malware and phishing)?

We adopted the NORC methodology terms of reference and conducted our own study to answer these questions in our WHOIS Contact Data Availability and Registrant Classification Study, where we also compare the answers to 1-6 above to the state that existed in early 2018, before the GDPR and ICANN’s ill-advised took effect.

Some takeaways from the study:

ICANN’s GDPR-driven policy has resulted in the redaction of contact data for 57% of all generic Top-level Domain (gTLD) names.

ICANN’s policy has allowed registrars and registry operators to hide much more contact data than is required by the GDPR—perhaps five times as much.

Including “proxy-protected” domains, for which the identity of the domain owner is deliberately concealed, 86.5% of registrants can no longer be identified via WHOIS—up from 24% before the ICANN policy went into effect.

The implications of this ICANN policy change are profound: consumers can no longer use WHOIS to confirm the identities of parties they may want to transact with on the Internet, it is harder for law enforcement personnel and security professionals to identify criminals and cybercrime victims, and brand owners face greater challenges defending misuse of their intellectual property.

We hope that our study provides policy decision makers, regulators, and legislators with the bases to make more informed policy or if need be to impose regulatory obligations to (i) continue to offer GDPR privacy protections to intended parties but to (ii) cease the needless suppression of contact data that is needed to maintain a secure and interoperable Internet.