Fight Between ICANN and GDPR Reveals Flaws on Both Sides

The first cyberwar between the USA and the European Union has already begun. The nominal belligerents are the Internet Corporation for Assigned Names and Numbers (ICANN), a US nonprofit that plays an essential role in managing the internet, versus the authorities that will enforce the General Data Protection Regulation (GDPR), the EU’s latest attempt to turn the responsible management of personal data into a legal necessity. The privacy demands enshrined in GDPR will break the way ICANN currently manages WHOIS, a protocol that permits users to discover who is responsible for everything on the internet, and hence of great value to security researchers. But focusing on this detail may lead us to miss the bigger picture: ICANN and the GDPR are proxy combatants in a war that pitches the USA against the EU for mastery of the global internet. Whilst the current battleground is delineated by privacy and security considerations, the ultimate issue is who can impose rules on how the internet works.

An area of concern is that the privacy requirements of GDPR will obstruct the work of security researchers. The laissez-faire outsourced American approach epitomized by ICANN asks the people and companies who control internet resources to provide information about themselves, and this information is then liberally shared with anyone else who asks for it. Anonymity leads to abuse, so somebody needs to know who is pulling the strings behind the internet’s curtain. In contrast, the government-as-guardian model that lies at the heart of GDPR will prohibit the personal data of EU citizens being shared freely. As some of the people who control internet resources also happen to be individual EU citizens, ICANN’s approach to WHOIS will be illegal per EU law. This may seem a victory for privacy but it comes at a severe price. ICANN’s response to GDPR will necessarily reduce access to the data it previously supplied through WHOIS. The WHOIS resource is exploited by cybersecurity firms like RiskIQ, who reasonably observe:

We are on the brink of the most serious threat to the open and public Internet for decades. ICANN, under pressure from domain name registrars and EU data protection authorities, has proposed an “interim” plan that will hide critical information in WHOIS. Security, threat assessment, and anti-abuse professionals rely on this data to track down bad guys and keep the Internet as safe and secure as possible…

The ability to register domains anonymously is a massive problem for the security of the internet—attackers need to establish an infrastructure to originate their attack and set up servers to communicate with their malware. Often, they’ll register multiple domains at the beginning of an attack campaign for use during all phases of their operations. Security professionals rely on the WHOIS protocol to query for ownership information about a domain, IP address, or subnet. Without this data, it becomes significantly more difficult to rapidly take down phishing sites or compromised domains hosting malware—the vast majority of cybercriminal activities.

So this argument is not just simply about privacy versus security. It is also about privacy versus privacy. The privacy of the people who register web domains is being set against the privacy of individuals who are attacked by the criminals that phish for private information and use malware to collect it surreptitiously.

The inherent conflict should lend itself to mature and calm analysis of the ramifications of change; most of us want privacy and security, and are unwilling to completely sacrifice one for the other. Furthermore, criminals and other naughty people want our data, so weaknesses in security will likely be exploited by those who threaten our privacy. Sadly, these issues relate to the management of the internet, which is also home to many bone-headed propagandists. Some mock ICANN for asking to be exempt from GDPR for another year. They say ICANN had plenty of time to devise solutions. This partly misses the point, which is that ICANN does not primarily exist to serve the wishes of the EU’s government, and that trade conflicts between powers like the USA and EU may involve a lot of bluff and brinkmanship, before a compromise is finally sought. That ICANN’s requests have been rebuffed should be seen as illustration that the EU intends to flex its muscles, begging the question of whether they really could impose privacy standards if the US government chose to openly oppose them.

This point about where real power lies is overlooked by commentators too absorbed by trivial detail. If fake news has become a vital component of modern warfare, this first cyberwar between the US and EU illustrates that nations need not employ troll farms; they can rely upon volunteer troll militias to jump into the line of fire. For instance, the reliably imbecilic Kieren McCarthy of The Register tells us “Whois is dead as Europe hands DNS overlord ICANN its arse”. McCarthy refuses to acknowledge that GDPR compliance can prompt genuine security concerns. Saner voices like that of American security expert Brian Krebs have explained that GDPR is already having a negative impact on his research:

Many privacy activists involved in to the WHOIS debate have argued that other data related to domain and Internet address registrations — such as name servers, Internet (IP) addresses and registration dates — should also be considered private information. My chief concern if this belief becomes more widely held is that security companies might stop sharing such information for fear of violating the GDPR, thus hampering the important work of anti-abuse and security professionals.

This is hardly a theoretical concern. Last month I heard from a security firm based in the European Union regarding a new Internet of Things (IoT) botnet they’d discovered that was unusually complex and advanced. Their outreach piqued my curiosity because I had already been working with a researcher here in the United States who was investigating a similar-sounding IoT botnet, and I wanted to know if my source and the security company were looking at the same thing.

But when I asked the security firm to share a list of Internet addresses related to their discovery, they told me they could not do so because IP addresses could be considered private data — even after I assured them I did not intend to publish the data.

“According to many forums, IPs should be considered personal data as it enters the scope of ‘online identifiers’,” the researcher wrote in an email to KrebsOnSecurity, declining to answer questions about whether their concern was related to provisions in the GDPR specifically. “Either way, it’s IP addresses belonging to people with vulnerable/infected devices and sharing them may be perceived as bad practice on our end. We consider the list of IPs with infected victims to be private information at this point.”

Some might argue that we should not relying on people like Krebs to keep the internet secure. That is the gist of the argument implied by McCarthy when he praised the GDPR stance adopted by Nominet, the operator of the registry for .uk domains. Nominet will allow law enforcement agencies (LEAs) to have access to all their data, and anybody else will only see limited non-personal data that falls outside of the scope of GDPR. Clearly this complies with the requirements of EU law, but it makes us all increasingly reliant on the effectiveness of the LEAs. This concern is sidestepped by McCarthy by contrasting LEAs with other users of WHOIS data that he deems unworthy, such as intellectual property lawyers who use WHOIS to chase infringers of copyright. We should focus on the essential facts about LEAs rather than become embroiled in silly arguments about lawyers. Put simply, the LEAs who have been responsible for protecting people’s data have an abysmal track record. Their standard approach is to wait for the sky to fall on people’s heads, then spend the next two years struggling to arrive at the most mundane conclusions, whilst mostly relying on the organizations they are investigating to explain what they did wrong.

The repeated failure of European LEAs is the driving motivation behind GDPR. It is a simple fact that the EU’s previous data protection regime did not deliver as promised. This fact is no less true because it is routinely elided by European politicians and privacy campaigners who wanted to laud the data protection regime that GDPR will now overhaul. European politicians think they can resolve the weakness of LEAs by greatly increasing fines and by demanding every business employs a Chief Data Officer whose primary responsibility will be to act as a snitch for the LEAs. This is wishful thinking of the worst kind. If LEAs lack competence there is no reason to believe that thousands of newly-qualified Chief Data Officers will be of great help to them. The average Chief Data Officer is destined to become a bureaucrat whose chief skills will be pushing paper and covering their own backsides paper rather than managing IT systems or interrogating data. There will be millions of ways to distract data officers with minor infractions, so they never address the most serious endemic problems of their employers.

If this appraisal of European data managers and LEAs seems overly gloomy, then consider the following: the European Commission broke its original data protection laws from almost the day they were adopted, and over a decade elapsed before the EU’s highest court finally pointed this out. The EU failed comprehensively because it wanted to believe a fantasy about the ‘Safe Harbor’ they had agreed with US authorities, which supposedly guaranteed that US corporations and the US government would comply with EU data protection law. This fantasy should have been risible from the outset, but was made even more painfully obvious when whistleblower Edward Snowden explained how the US gathers data from all possible sources to spy on EU citizens, whether they be ordinary people or Angela Merkel. But even then there was not a single European LEA prepared to do their actual job, by taking legal action against the European Commission. Instead, it fell to a not-so-ordinary European citizen, Max Schrems, to first take the Irish Data Protection Commissioner to court, then pursue the case to the Court of Justice of the European Union (CJEU), where he won, and so wrecked the sham US-EU Safe Harbor for personal data.

Far from protecting citizens, the Irish Data Protection Commissioner wasted EUR2mn (USD2.5mn) resisting Schrems. And when it was shown that the US-EU Safe Harbor was unlawful, who was punished? Nobody. On the contrary, LEAs all acted as if no laws were being broken, even though the legal framework had so collapsed that it was no longer possible for many organizations to even pretend they were compliant with EU data protection law.

ICANN’s WHOIS is flawed in many respects, as is made obvious whenever I receive a string of calls from morons offering to design one of my websites, or scammers who are clearly recycling the data they obtained from the register. The purpose of the register is not to create a revenue opportunity for jackass Indian web developers who think they have the right to spam everybody listed, or to aid criminal schemers. The data supplied by ICANN may be abused in more serious ways too, though I cannot agree with dogmatists like McCarthy who assert it is wrong for intellectual property lawyers to use it as a resource to chase copyright infringers, because that would be tantamount to saying copyright laws should not be effectively upheld by anyone. Good people have used WHOIS data to shame and defeat scoundrels. A relevant example can be drawn from Commsrisk’s own history, when an anonymous contributor shared proof that the website of a fake revenue assurance forum was registered in the name of an Israeli software CEO.

This ICANN-GDPR conflict stems from the same issues that led to the US-EU Safe Harbor debacle. The EU wants to believe that the US government will comply with its wishes. They do this despite the fact that the US need not agree with the EU on every matter. This is especially problematic when managing a common global resource like the internet, which will ultimately be managed by common rules or else become unmanageable.

Though ICANN is not a part of the US government, it is natural that their actions should be informed by US law and practice before they seek to appease other nations. We could hardly imagine them redesigning WHOIS if the governments of Mauritius or Mongolia had adopted the equivalent of GDPR first. The EU has great power and influence, but not without limit. When it comes to GDPR, there are valid reasons for other countries to question why they should be subject to data protection rules that make tremendous promises to EU citizens, whilst being extraordinarily sketchy on some of the details about how to comply. For example, there is not a single person in Europe who really knows what it means to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” (article 32) or what is needed to comply with a dozen other abstract clauses written by lawyers to cover scenarios that nobody has thought concretely about. That is why GDPR is so poorly designed for the role of ICANN’s WHOIS. Threat intelligence expert Angela Gunn of BAE Systems distilled the essence of the problem when she said:

Europe’s led the world on data privacy protections for years, but the GDPR treats WHOIS as just another dataset, rather than as an integral part of how the net itself works. That’s incredibly short-sighted, especially when we’re asking internet users to be better informed about where their information comes from.

ICANN needs to reform WHOIS. Their approach has been too open to abuse. However, the changes they will now implement to comply with GDPR will likely hurt privacy more than if they did nothing. Whilst privacy advocates may want to applaud the EU’s proactive stance on privacy, undermining the use of WHOIS by independent security experts will only make it more likely that the privacy of countless people will be abused by criminals. Inadequate security will put more people at risk than a lax regime at ICANN ever will.

Contrary to the assertions made by the EU’s cheerleaders, the fundamental difficulty is that GDPR, and the EU’s general philosophy to data protection, is hostile to the idea that we live in a civil society where some people do good without being compelled by law or motivated by rewards issued by the state. This contrasts with the American philosophy, which has kept the management of the internet outside of the hands of government officials because they have a more optimistic view of civil society, and a more cynical view of governments. As such, the first cyberwar between the US and the EU has profoundly ideological roots. Dogmatists thrive when arguments become ideological. Pragmatists, however, should reflect on another of Angela Gunn’s observations about the conflict between GDPR and ICANN’s WHOIS:

Privacy and security belong together, but concealing WHOIS information offers a low return for privacy effort. Meanwhile, security researchers, investigators, other site admins, even ordinary citizens will pay dearly for the concealment. I expect pretty immediate blowback and eventually some sort of accommodation, but it looks like we all get to figure out those refinements the hard way. No rest for the GDPR-implementation-weary, right?

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.