We are still feeling the effects of GDPR, but so far most of the impact has been positive as companies tighten up their security or face punishing fines in the event of a breach. However, that doesn’t mean that the legislation isn’t without its flaws, and in one area, Whois queries, it is weakening security.

This is according to Michael Jones, VP of product at DomainTools, a company that leverages insight into domain data to provide threat intelligence. For this, the widely used Whois is a vital tool for researchers.

For those unfamiliar, Whois is a protocol that allows anyone to query key details about a domain such as who has registered it and when. While it isn’t the only tool available to researchers of domain-related threats, it is a vital one.

However, its use has been compromised by the introduction of GDPR as the legislation blocks certain fields from being accessed. And while it still maintains some of the valuable data researchers rely on, this does impair its use.

“GDPR is only removing four fields from the Whois records around registrants: people who sign up for a domain,” says Jones.

“There's still plenty of information that's not affected, so things like your name servers and a lot of the other data, create dates and things like that. So there's still definitely a lot of good information inside of Whois, and you try to use other types of data beyond Whois type data to also fill the gaps where possible.

“But I do think that Whois, the way it's being impacted, will impact internet security overall though.”

Why domain data is a valuable security tool

Domain-related threat research is a key element of cybersecurity because many attackers rapidly cycle through domains as part of wider campaigns.

“It's like a Wild West out there. It's just so many different things going on,” says Jones.

“It's increasing in velocity in the amount of domain registrations and things that they're doing and how quickly they use a domain for one attack and then they switch over to something new.”

Being able to access data about registrants and other domain data available through Whois enables researchers to associate multiple domains used in a campaign to one attacker.

“You always have to stay out ahead of those guys and track them and try to provide some kind of proactive protection,” he says.

With some Whois fields now blocked, however, the ability to do this is reduced.

The impact on general internet users

While cybersecurity researchers are impacted, Jones anticipates that there will also be an effect on conventional internet user as it will reduce the ability of tools found in browsers such as Chrome to work effectively.

“I think that's going to impact not only the more advanced customers, but even everyday internet users that their security will start to degrade a bit because of this,” says Jones.

“So things like your browsers that do safe browsing or spam filtering, a lot of those solutions are powered by some of this data. And so they're going to degrade a bit in terms of their effectiveness.”

Maintaining security and privacy

While DomainTools, and particular its CEO Tim Chen, has been very vocal about this issue, Jones is keen to stress that the company isn’t looking to teardown GDPR.

“We definitely respect GDPR as a law and we also respect people's right to privacy. Those are very important,” he says. “But we also believe that we have a valid use case to use this data to help provide security on the internet.”

The solution, then, may come in the form of tiered access to Whois, which is currently being explored by ICANN, the non-profit organisation responsible for maintaining much of the internet’s underlying structure.

“We believe that we have a valid use case to use this data to help provide security on the internet.”

This would involve making Whois private to conventional users but allowing different levels of access to those with appropriate credentials. However, the precise details of how this would work are still being ironed out.

“Right now we're operating what's called the interim model, so ICANN published an interim model about a week before GDPR took hold,” says Jones.

“So there's a bit of time before we get to the next phase where they'll have this accreditation model and they'll be kind of some tiered access to the data that we used to be able to get. And we just want to continue to work with those communities and ensure that the whole security community is considered part of that accreditation model.”

Share this article