Experts concerned that the GDPR could make it harder to catch online scammers
The new General Data Protection Regulation (GDPR) is due to come into effect in May. The purpose of these new regulations is to strengthen data protection for EU citizens, and provide them with greater rights and some much needed transparency.
However, there are fears among experts that these regulations could make it easier to scammers to operate online. Although the aim is to protect citizens, there have been warnings that the legislation could conflict with existing technology, and by eliminating the WHOIS system, it will become impossible to link online activity to individuals offline.
According to Raj Samani, the chief scientist at cybersecurity firm McAfee “As an industry one of the first things we often do is use WHOIS data to determine whether something is likely malicious, or whether there’s an indicator of suspiciousness. It could be something as simple as ‘hey, look, this name is a name we find registered with other domains’, or ‘this metadata is used for other things’.”
Samani also noted that the current WHOIS allows anyone to look up the contact details for the owner of a domain name, which is an important part of tracing any fraudulent online activity. The system is the online equivalent of companies house or the land registry, and without it, scammers will be able to keep their information private.
Sarah Wyld, a product manager at internet services company OpenSRS said that, as a domain registration is a commercial contract, under the new legislation owners will have the right to privacy just like the general public. However, some have argued that it’s unlikely to have a significant impact as law enforcers already have a range of security tools designed to catch online criminals.
She said “It’s certainly difficult to argue that there’s a legal basis for openly sharing contact details of a domain’s owner, administrator, or technical contact in the public WHOIS record. And we can’t claim that it helps to accomplish the original purpose for which the information was collected (registering the domain). This means that the public WHOIS system as it exists today is incompatible with the principles of data privacy that the GDPR affirms.”
However, Samani also pointed out that the WHOIS information can be useful to the public as well as to companies. “A friend of mine was buying a camera over Christmas, and what they did is they looked a the WHOIS information for this website and actually the website had only been registered for a couple of weeks. And it was clearly fake information that had been put in: it was registered under something like “Mickey Mouse”, something equally obvious.”
Tim Chen, the chief executive of analytical firm Domain Tools, agreed, saying that “it’s difficult to make broad statements about the interest of a ‘typical’ member of the public. Yes, members of the public who strongly favour their own privacy will likely look kindly on a change like this.”
“Other members of the public want their information to be in WHOIS so that anyone navigating to their website can know who they are dealing with. There are more thoughtful and effective ways to meet privacy concerns than simply redacting all the contact fields.”