As the world copes with repercussions of the Facebook/Cambridge Analytica scandal, the Internet continue its struggle to find the right balance between global interconnectivity and the right to privacy. The General Data Protection Regulation (GDPR), enacted by the European Union (EU), comes online at an apt and interesting time.
On May 25, GDPR will go live in the EU and is set to revolutionize data protection and privacy for individuals within the EU, while creating aftershocks to the rest of the world. GDPR was initially designed in 2016 to give EU residents greater control over their personal data and unify privacy regulations across EU member states. Two years later, the guidelines will finally be implemented, and many online services are scrambling to make sure they are prepared for the changes.
Hype surrounding the implementation of GDPR standards is justified, as it has far-reaching implications for businesses and governments alike. One consequence of GDPR is starting to receive media attention– the standard’s impending effect on WHOIS, a online database service offered by the nonprofit Internet Corporation for Assigned Names and Numbers (ICANN). Currently, WHOIS is not GDPR-compliant and will soon have to cease part or all of its functions, triggering a serious impact on cyber security practices, including merchant monitoring solutions who rely on its data.
Who is WHOIS?
WHOIS is a network of online databases that keeps record of registered domain owners and their contact information. Hosting providers, like GoDaddy, are required to collect the data from their users, including full name, email and physical addresses. This contact information is then vetted by ICANN, and if accurate, published to the WHOIS directory and available for public access.
WHOIS has been invaluable over the years to individuals, businesses, and governments because it links the quasi-anonymous world of the Web with real-world people and their attachment to the domains they own. It has been a critical resource for law enforcement, cybersecurity and risk professionals to find connections to illegal or illicit online activity. Notably, for merchant risk professionals, WHOIS enables the search of domain registration details (or IP addresses) to help make connections to other sites could be suspect of illegal or illicit activity.
The inherent value of the WHOIS tool is exactly what brings it into direct conflict with GDPR – because enabling anyone to search for and contact the registered domain owners is in direct conflict with the privacy guidelines outlined by GDPR.
What Is GDPR’s Direct Impact on WHOIS?
ICANN has been struggling to proactively rectify WHOIS functionality to meet GDPR standards. A recent ICANN paper proposes interim changes that could be made to WHOIS, to bring the service into compliance with GDPR, but these updates could take more than a year to implement.
Despite proposed interim changes and last-minute requests to keep parts of the service available once GDPR is enacted, the countdown to potential shutdown continues for WHOIS. ICANN made a recent statement expressing concern on the fate of the public database: “Without a moratorium on enforcement, WHOIS will become fragmented and we must take steps to mitigate this issue. As such, we are studying all available remedies, including legal action in Europe to clarify our ability to continue to properly coordinate this important global information resource.”
Why is ICANN challenging GDPR? For decades, WHOIS has been a primary resource for online security enforcement. Security professionals investigating phishing, malware, breaches and all types of cybercrime often start with WHOIS during their initial incident response. For example, investigators will start by contacting registered domain owners, who may be unaware that their site has been compromised.
Anti-piracy efforts also significantly rely on WHOIS. Entertainment industry groups like the IFPI, MPAA, the Copyright Alliance, and the RIAA are concerned that restricted access to WHOIS data may deal a serious blow to their ability to protect intellectual property rights.
How Is Your Merchant Risk Solution Affected by WHOIS?
Many merchant risk solutions are heavily reliant on WHOIS for merchant information that they can use to draw connections and perhaps detect or intercept illicit/illegal activity. For example, an email address used in two seemingly unrelated domains can give insights into hidden connections and underlying transactions.
Companies that require WHOIS to enable the discovery of these connections, will soon become unable to perform their risk evaluations as efficiently, once the WHOIS registry changes or goes offline altogether. With this amount of uncertainty around WHOIS – an essential database and primary resource for many merchant monitoring solutions – it is important to choose a solution that is not reliant on WHOIS, like EverCompliant’s Merchant View. MerchantView uses proprietary and automated, machine-learning technology to discover hidden connections across online entities. It has quickly become the leading platform for content compliance and Transaction Laundering detection and prevention.
If you are currently using a merchant monitoring solution, you should ask your provider: HOW IS WHOIS going to affect your service and the quality of your risk findings?