I’m at a press conference on how #GDPR is frustrating US law enforcement efforts online. DEA’s Jae Chung and DOJ’s Jason Gull speaking now. 
Gull: “WHOis is turning into WHOwas ... We have information on who owned a domain six months ago, or a year ago now. It’s like having an old phone book.”
Problematic for urgent requests to preserve data in investigations.
Problematic for urgent requests to preserve data in investigations.
Gull notes that WHOis was always problematic — full of false information and outdated information. He said about 1/4 of all entries were proxied through privacy services, but that many were very cooperative. Now the process of sending requests to preserve evidence is slower.
Chung notes that even when WHOis data was bogus, it was possible to look at domain registration patterns to tie different malicious sites together.
Gull: “Even that kind of gibberish information ... you can draw some potential dotted lines between those domains.”
Gull: “Even that kind of gibberish information ... you can draw some potential dotted lines between those domains.”
“Not having bulk access makes it difficult to draw those correlations,” Gull said. I’ll bet threat intel companies have similar gripes.
Neil Fried (2nd from L) of MPAA up next. He suggests US should compel websites to make WHOis data public again. Others have noted GDPR is cramping copyright enforcement.
“We may need Congress to act. ... this information, when there is a nexus to the US, must be made public.”
“We may need Congress to act. ... this information, when there is a nexus to the US, must be made public.”
GG Levine, is the National Association of Boards of Pharmacy, says “not having access to WHOis data has slowed investigations and hampered our efforts.” Says investigators once had a window into who owned what site — “now we have a brick wall.”
Uh-oh. First mention of “cyberterrorism.” ⚠️
That was from Alan Brill of Kroll, who is speaking now.
But am curious how sites would navigate both GDPR & US requirements mooted by Fried of the MPAA.
Fried holds up Denmark as an example, says .dk requires the publication of some WHOis data *and* is GDPR compliant.
But am curious how sites would navigate both GDPR & US requirements mooted by Fried of the MPAA.
Fried holds up Denmark as an example, says .dk requires the publication of some WHOis data *and* is GDPR compliant.
Brill says WHOis data has been available since the dawn of the internet. “If we want a transparent internet, (we) need to know who’s at the other end of the line.” He compares it to KYC regulations at banks. “Not having it doesn’t make sense.”
Fried said that “since WHOis has gone dark, we’ve seen an uptick in domain registrations.” Suggests that the data isn’t in yet, but that malicious actors are jumping at the chance to register sites anonymously.
Gull says that removing the ability to make instant WHOis queries is slowing LE down dramatically.
“The subpoena response time from a good provider could be a matter of days. It’s exponentially slowing down our response time.”
As for foreign providers: “That’s months.”
“The subpoena response time from a good provider could be a matter of days. It’s exponentially slowing down our response time.”
As for foreign providers: “That’s months.”
Chung: “We’re talking about time,” said Chung. If it takes a few extra weeks to get basic info, “there’s true harm that could be done”
Meeting is over, but something that occurred to me:
Journalists are generally required to seek comment from subjects of their stories — it’s often called “the right of reply.”
How does that happen if you write about a website and have no way to reach its administrator?
Journalists are generally required to seek comment from subjects of their stories — it’s often called “the right of reply.”
How does that happen if you write about a website and have no way to reach its administrator?
