A recent exchange on CircleID highlighted a critical need for data to inform the debate on the impact of ICANN's post-GDPR WHOIS policy that resulted in the redaction of domain name registrant contact data. A bit of background: in my original post, I made the point that domain name abuse had increased post-GDPR. A reader who works with a registrar (according to his bio) commented:
“Can you back up that statement with data? Our abuse desk has actually seen a reduction in abuse complaints.”
That question spurred an investigation by the data engineers at AppDetex to answer these questions:
Our goal was to assemble domain name abuse data from a market basket of very large consumer-focused brands who have looked for, found, and then attempted to mitigate abuse of the domain name system related to their own brands. The abuse encompassed a variety of categories ranging from innocuous to insidious and included malicious attacks that sought to defraud users or spread malware.
To understand the effect of GDPR, we examined the number of attempted mitigations of abuse and the success or failure of those mitigation attempts (compliance) in the quarter preceding, and then two quarters after the implementation of ICANN’s Temporary Specification for gTLD Registration Data and the resulting wholesale redaction of registrant contact data in registrars’ publicly available WHOIS databases.
We inspected both the number of cases of brand abuse that warranted mitigation as well as compliance for a few reasons. Abuse, if left unchecked and available to the public on the internet, can ensnare people who are lured into mistakenly giving up their credentials, transacting with those who have bad intent, downloading malware, or may fall victim to any other variety of crimes or misdemeanors.
After evaluating thousands of mitigations during the quarter before, and two quarters post-GDPR, we found an increase of nearly 15% in the number of attempted mitigations following the implementation of the Temporary Specification. More disturbing and indicative of harm, in the quarters following the implementation of the Temporary Specification, we found substantial decreases in successful mitigations (compliance). Two quarters after the implementation, that decrease in compliance totaled 38% (measured during the 30 days following an initial mitigation attempt and qualified as the removal of content or a drop or transfer of the domain name). This means that the life of abusive domains began to increase immediately after the implementation of the Temporary Specification, exposing billions of internet users to scams for much longer periods of time than before the implementation of the Temporary Specification.
This change followed a very stable period of successful enforcement and mitigation rates. Prior to the implementation of GDPR, those rates had remained relatively consistent, having leveled-off from the previous period of changes observed immediately after the launch and release of new generic top-level domains in the months following October 2013.
Another significant change in mitigation is that fewer domain name registrants and registrars are part of the solution. It’s now much more difficult to reach registrants due to both the wholesale redaction of registrant contact data and the lack of clarity over when that data should be revealed to those seeking to abate abuse. This means that ISPs are removing content at the behest of brands while, due to inaction by registrants and registrars, the abusive domain names remain registered and might again be used in malicious schemes.
Were these changes a result of the redaction of registrant contact information? Likely, as both brand rights holders and security professionals are finding it more difficult to pursue mitigation of abuse. In fact, MarkMonitor, in their blog, cited that it takes 12% more effort to abate abuse, and IBM X-Force cited huge drops in blocking of abusive domains as a result of GDPR.
Can we expect more of this? Again, it’s likely. The anonymity of the domain naming system as a result of GDPR-related redactions and the use of privacy and proxy services (as mentioned by Russ Pangborn in his recent blog) leave room for bad actors to act with impunity. To put it bluntly, it’s easy for criminals to be brazen when their identity is hidden, and they are not held accountable for their crimes.
The sad thing is that it’s not the brands or security professionals that suffer the brunt of the damage. It’s the poor souls who don’t know how to discern a good site from a bad site, the unlucky ones who mistakenly visit a site and have their credit card “skimmed”, and the rest of us who suffer any number of other insults to our well-being while ICANN policy makers debate the definition of abuse and the responsibilities of contracted parties in abating it.
Isn’t it time for the US and other local lawmakers to take up the cause of consumer protection in the domain name space and mandate a change for the better?