Cybersecurity experts have warned that the EU’s incoming general data protection regulation (GDPR) could conflict with a fundamental protocol which identifies internet users.
The GDPR enters into force in May, and will present sweeping changes to the ways in which data is processed online in Europe. However, certain aspects of the new data protection laws could protect the online anonymity of criminals.
Speaking to the Guardian, Raj Samani, chief scientist at internet security firm McAfee, warned that the new regulations could conflict with the WHOIS protocol, which is one of the oldest available tools for verifying the identities of internet users.
How does the WHOIS protocol work?
Established in the 1980s, WHOIS remains an industry standard internet security protocol for identifying users in cybersecurity situations, Samani explained: “As an industry, one of the first things we often do is use WHOIS data to determine whether something is likely malicious, or whether there’s an indicator of suspiciousness”.
The protocol allows anyone to look up the contact details of the owner of a domain name, and can be used to link criminal activity and misdeeds online to real, offline identities, making it an important port of call for investigators. On the other hand, WHOIS databases can also be mined by senders of spam emails and hackers, who can target users who have registered internet domains.
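The lookup described above is a very small protocol: a client opens a TCP connection to port 43 on a WHOIS server, sends the domain name followed by CRLF, and reads the free-text reply until the server closes the connection (RFC 3912). The following is an added illustration, not code from the article or from McAfee, of how an analyst would script that lookup and then do the first triage step Samani mentions: pull the registrant fields out of the reply and check domain age. The server name, the `SAMPLE_REPLY` text and the list of redaction placeholder strings are constructed for the example; the network function is included for completeness but only the parsing and age check run on the constructed reply below.

```python
import socket
from datetime import date
from typing import Dict, List, Optional, Tuple

WHOIS_PORT = 43  # RFC 3912 assigns WHOIS to TCP port 43


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Send one WHOIS query (query + CRLF) to `server` and return the raw reply text.

    The server closes the connection when the reply is complete, so we read until EOF.
    `server` is whatever WHOIS host applies to the TLD, e.g. the registry's own server;
    no real server is contacted by the offline part of this example.
    """
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    # Replies are nominally ASCII but registries vary; never let decoding abort triage.
    return b"".join(chunks).decode("utf-8", "replace")


def parse_whois(raw: str) -> Dict[str, str]:
    """Turn 'Key: Value' reply lines into a dict keyed by lower-cased field name.

    Comment lines (starting with %, # or >>>) are skipped; the first occurrence of a
    repeated key wins, which is adequate for registrant-level fields.
    """
    fields: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        if key and key not in fields:
            fields[key] = value.strip()
    return fields


# Constructed list of placeholder phrases registrars put in place of personal data;
# real replies vary, so treat this as a starting heuristic, not an exhaustive set.
REDACTION_MARKERS = ("redacted", "privacy", "please query the rdds")

REGISTRANT_FIELDS = (
    "registrant name",
    "registrant organization",
    "registrant email",
    "registrant country",
    "creation date",
    "registrar",
)


def is_redacted(value: str) -> bool:
    """True when a field is empty or carries a known privacy placeholder."""
    lowered = value.lower()
    return not lowered or any(marker in lowered for marker in REDACTION_MARKERS)


def registrant_summary(fields: Dict[str, str]) -> Tuple[Dict[str, Optional[str]], List[str]]:
    """Return the registrant fields an investigator cares about, plus the names of
    those that are missing or redacted so the analyst knows what WHOIS cannot tell them."""
    summary: Dict[str, Optional[str]] = {}
    redacted: List[str] = []
    for name in REGISTRANT_FIELDS:
        value = fields.get(name, "")
        if is_redacted(value):
            redacted.append(name)
        summary[name] = value or None
    return summary, redacted


def domain_age_days(fields: Dict[str, str], today: date) -> Optional[int]:
    """Days since the 'Creation Date' field, or None if absent or unparsable.

    Very young domains are a common indicator of suspiciousness; the date prefix is
    taken as YYYY-MM-DD, which covers both plain dates and the ISO-8601 timestamps
    most registries emit."""
    raw = fields.get("creation date", "")
    try:
        created = date.fromisoformat(raw[:10])
    except ValueError:
        return None
    return (today - created).days


# Constructed sample reply in the post-GDPR redacted style; not output from any real server.
SAMPLE_REPLY = """\
% Constructed sample reply for illustration only
Domain Name: example-sample.test
Registrar: Example Registrar, Inc.
Creation Date: 2018-03-01T10:15:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization:
Registrant Country: NL
Registrant Email: Please query the RDDS service of the Registrar of Record
>>> Last update of WHOIS database: 2018-05-25T00:00:00Z <<<
"""

if __name__ == "__main__":
    parsed = parse_whois(SAMPLE_REPLY)
    summary, redacted = registrant_summary(parsed)
    print(summary)
    print("redacted/missing:", redacted)
    print("age in days:", domain_age_days(parsed, date(2018, 5, 25)))
```

Run against a live server, `whois_query("whois.example-registry.test", "example.test")` (hypothetical host) would return the same kind of text that `SAMPLE_REPLY` stands in for; the value of the redaction check is that it makes explicit which identity fields the GDPR-driven changes have removed from the analyst's view, so that triage falls back on what is still available, such as registrar, country and domain age.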
Why is WHOIS under threat?
Because domain registrations are commercial contracts, those applying for them may now be entitled to privacy under the new regulations. Because the data held in a WHOIS database has been collected for the purpose of registering a domain, under the new regulations it cannot be used for a different purpose, including identifying the owner of the domain. This could put the legality of this internet security protocol at risk, or at least weaken its effectiveness for law enforcement.
The registry owner of the .amsterdam domain name has already argued the legal case that publishing the details of domain owners would be in violation of the GDPR legislation. In a letter issued by its lawyers, the Internet Corporation for Assigned Names and Numbers said: “Publishing all of the registrants’ data … is a clear breach of the EU Regulation 2016/679 (the General Data Protection Regulation) that will go into effect 25 May 2018 … in particular when the registrants are private citizens”.