Who is collected, disclosed and protected: CERT’s viewpoint

14 Nov 2018 12:30h - 13:30h

Event report

[Read more session reports and live updates from the 13th Internet Governance Forum]

This session centred on WHOIS databases and the impact on their operation by the adoption of the EU’s General Data Protection Regulation (GDPR). The meeting joined the Internet governance and law enforcement communities in a conversation around the concept of accountability of all users of WHOIS – those that input their information into the databases, and the third parties that request access.

Mr Paul Wilson, APNIC, pointed out that there are different sets of Internet resources – in the technical identifier sense, there are domain names and numbers. A register identifies who owns the Internet resource. Domain name registries are operated to certain standards, but as they are operated by registry organisations which are independent bodies, these standards are not necessarily one and the same. There are five Regional Internet Registries (RIR), which operate a registry of resources for a particular geographical region. A member of the public that wants to know who owns an IP address can find out at the appropriate registry. Wilson stressed that a multitude of critical resources is registered in a multitude of registries. WHOIS is a generic term for a simple protocol which is for the registry itself, WHOIS being the original Unix line command used to give the user an answer from a registry.

Ms Christine Hoepers, CERT.br, explained that a Computer Emergency Response Team (CERT) is a team of experts which responds to computer security incidents, coordinates the resolution, notifies the constituents, exchanges information with others, and assists constituents with the mitigation of the incident. The most important use of WHOIS for CERTs is to identify who owns a certain network – who is the administrator and who is responsible for abuse. The IP WHOIS database and Autonomous Systems Database is particularly important for CERTs, because CERTs know who to contact to clean the affected machine, or affected network and recover from a compromise. WHOIS is also important for organisations to be able to find their peers in other networks in order to exchange information and get help in solving an incident. Not being able to access WHOIS would severely impede the work of CERTs, as the WHOIS inquiry is the first step taken in their investigations.

Ms Becky Burr, ICANN, reminded the audience that now with GDPR, a lawful basis for processing data is needed. One of the lawful processes for processing data can be the public interest. Under GDPR, that public interest is typically laid down in European law or EU member state law. While ICANN is charged in its bylaws to operate in the public interest, it does not have the authority to create a public standard under GDPR. Burr stated that one approach to getting a consistent experience-for-users would be to recognise ICANN’s authority to develop standards in the public interest.

Mr Gregory Mounier, Head of Outreach, European Cybercrime Centre (EC3) – EUROPOL, pointed out that from the law enforcement perspective, WHOIS data is an essential element for transparency and accountability online. WHOIS gives law enforcement pointers, indications, and patterns which can potentially help identify who was the perpetrator of a cybercrime. He stressed that it is important that every actor involved in cybersecurity has access to information from WHOIS because timeliness in receiving information is of the essence. He noted that some EUROPOL investigations are still successful, because domains were registered before GDPR went into effect. It is hard to say how many investigations will be unsuccessful in the future due to the reduction of personal data in WHOIS.

Ms Farzaneh Badii, Non-commercial Stakeholder Group, ICANN, underscored that WHOIS is wrongly compared to traditional registries. WHOIS is a global registry and contains the personal and sensitive information of individuals. This information should be safeguarded from mining and abuses, with the knowledge of who is accessing what information from WHOIS. Registrants should be provided with due process, Badii suggested, and those who do use it need to be held accountable. WHOIS is a thirty year-old protocol, put into place when the Internet was not so up-scaled. The privacy of registrants in WHOIS should have been discussed sooner, and GDPR should not have been the trigger for the conversation.


By Andrijana Gavrilović