EU data protection law
WHOIS, one of the oldest tools on the internet for verifying real identities, at risk of being killed due to tough new GDPR regulations
Sweeping new European data protection regulations may have the accidental effect of protecting scammers and spammers by killing the WHOIS system used to link misdeeds online to real identities offline, security experts have warned.
The General Data Protection Regulation (GDPR), which comes into effect in May, contains a raft of measures intended to strengthen data protection for Europeans. But some of the new rights and responsibilities will conflict with decades-old technologies that have provided much-needed transparency on the internet, says Raj Samani, the chief scientist at cybersecurity firm McAfee.
The WHOIS protocol allows anyone to look up the contact details for the owner of a domain name, such as theguardian.com, google.com or parliament.uk. First standardised in the 1980s, it has become a key part of the toolkit for anyone trying to trace online wrongdoing back to its roots, a digital equivalent of Companies House or the Land Registry, Samani says.
“As an industry one of the first things we often do is use WHOIS data to determine whether something is likely malicious, or whether there’s an indicator of suspiciousness,” Samani explains. “It could be something as simple as ‘hey, look, this name is a name we find registered with other domains’, or ‘this metadata is used for other things’.”
But domain registrations are commercial contracts, meaning that those making a registration have a right to privacy that is hard to square with publishing contact details on the internet, as Sarah Wyld, a product manager at internet services company OpenSRS, wrote in November:
“It’s certainly difficult to argue that there’s a legal basis for openly sharing contact details of a domain’s owner, administrator, or technical contact in the public WHOIS record. And we can’t claim that it helps to accomplish the original purpose for which the information was collected (registering the domain). This means that the public WHOIS system as it exists today is incompatible with the principles of data privacy that the GDPR affirms.”
Read Full Article: The Guardian