Investigative journalist Brian Krebs covers the onslaught of GDPR and how it will complicate his security research and that of others.
In an article titled “Security Trade-Offs in the New EU Privacy Law,” Mr. Krebs debunks a series of myths and misconceptions about GDPR and, in the process, rips ICANN a new hole.
[…] in a bid to help registrars comply with the GDPR, ICANN is moving forward on a plan to remove critical data elements from all public WHOIS records. Under the new system, registrars would collect all the same data points about their customers, yet limit how much of that information is made available via public WHOIS lookups.
The data to be redacted includes the name of the person who registered the domain, as well as their phone number, physical address and email address. The new rules would apply to all domain name registrars globally.
Brian Krebs describes how ICANN’s actions were minimal for the longest time, promising a lot and delivering essentially nothing, and all too late:
ICANN has proposed creating an “accreditation system” that would vet access to personal data in WHOIS records for several groups, including journalists, security researchers, and law enforcement officials, as well as intellectual property rights holders who routinely use WHOIS records to combat piracy and trademark abuse.
But at an ICANN meeting in San Juan, Puerto Rico last month, ICANN representatives conceded that a proposal for how such a vetting system might work probably would not be ready until December 2018. Assuming ICANN meets that deadline, it could be many months after that before the hundreds of domain registrars around the world take steps to adopt the new measures.
Krebs predicts that cybercrime will actually increase as a result of the upcoming GDPR implementation, which will redact important domain ownership information from the WHOIS records of domain names:
In a series of posts on Twitter, I predicted that the WHOIS changes coming with GDPR will likely result in a noticeable increase in cybercrime — particularly in the form of phishing and other types of spam.
The Krebs On Security article also addresses the claims made by a pro-GDPR article published by Georgia Tech’s Internet Governance Project and debunks its myths. For example:
Cyber criminals don’t use their real information in WHOIS registrations, so what’s the big deal if the data currently available in WHOIS records is no longer in the public domain after May 25?
I can point to dozens of stories printed here — and probably hundreds elsewhere — that clearly demonstrate otherwise. Whether or not cyber crooks do provide their real information is beside the point. ANY information they provide — and especially information that they re-use across multiple domains and cybercrime campaigns — is invaluable to both grouping cybercriminal operations and in ultimately identifying who’s responsible for these activities.
You can read additional information on GDPR from the legal perspective of Wiley Rein, and watch a 30-minute presentation by MarkMonitor.