The Unintended Consequences of GDPR

The General Data Protection Regulation (GDPR) governs the privacy and security of personal data collected from the European market, effective May, 2018. Outside of the European Union (EU) and the European Economic Area (EEA), it only applies to those processing personal data of EU/EEA subjects for the purposes of offering goods or services or monitoring subjects’ behavior in the EU/EEA, but the law has had a major impact worldwide. While the primary objective of GDPR is to increase the protection and privacy of individuals’ data, it has produced a host of unintended privacy consequences, including its effect on ICANN and the WHOIS database.

ICANN is a not-for-profit, public-benefit corporation serving to track and regulate Internet domain names and addresses (e.g. Availity.com). In order to reserve a domain name, a user must register it with an ICANN-accredited registrar, which is contractually obligated to provide ICANN with the registrant’s information. ICANN has historically published this information through its WHOIS database, an online, public white pages for domain holders.

In response to the GDPR regulations, ICANN approved temporary specifications on May 17, 2018 restricting access to registrant information on the WHOIS database. While ICANN is still collecting registrant data, it is no longer available to the public. Some believe these censorship measures are unnecessary to comply with the GDPR, which does not apply to domain names registered to U.S. registrants by U.S. registrars, nor does it apply to non-personal information. While the GDPR does state that “disclosure of even personal information can be warranted for matters such as consumer protection, public safety, law enforcement, enforcement of rights, cybersecurity, and combating fraud,” ICANN, like many other entities, has conservatively interpreted the law to avoid heavy fines associated with non-compliance.

Restriction of the WHOIS database has caused a number of problems for parties with legitimate interests in accessing domain registrant data, including law enforcement and trademark/intellectual property rights holders. In the name of GDPR compliance, ICANN has unintentionally given online infringers the anonymity they need to elude detection, posing a security threat to the very data GDPR aims to protect.

In October 2018, the Anti-Phishing Working Group (APWG) and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) released a joint survey, which found that ICANN’s temporary specifications “introduced delays to investigations and the reduced utility of public WHOIS data.” The survey also reported that “[t]he loss of timely and repeatable access to complete WHOIS data is impeding investigations of all kinds, [including] cybercrime activities such as phishing and ransomware…”

Organizations that store and transmit sensitive data such as protected health information (PHI), financial information, and personally identifiable information are especially at risk for these cybercrime activities. PHI is extremely valuable, making healthcare one of the top targets of cyber criminals. A 12-month analysis of ransomware, email fraud, and other healthcare threats conducted by Proofpoint, Inc. (a well-known security-as-a-service provider) found that nearly 1 in 5 emails purporting to be from a healthcare organization were fraudulent. This same study also found that typosquatting—registering a domain name that looks confusingly similar to a trusted domain name—was one of the primary methods used to target clinical staff, health consumers, and business associates.

ICANN is evaluating technical and legal solutions to the current problems posed by their response to GDPR, such as authentication that would allow law enforcement and trademark owners to access registration data for legitimate purposes. Additionally, ICANN is exploring legal options, including contributing to terms of use or codes of conduct to satisfy requirements under the GDPR.

In the meantime, law enforcement will have to use alternative means to track bad actors who are using domain name(s) for fraud, typosquatting, malware, phishing, and a host of other cybercrimes, and businesses must develop new measures to protect themselves from the heightened security risk posed by anonymous online domain ownership.