IGF 2018 WS #50 Whois collected, disclosed and protected: CERTs viewpoint

Format: 

Round Table - 60 Min

Organizer 1: PABLO HINOJOSA, APNIC
Organizer 2: Madeline Carr, University College London
Organizer 3: Duncan Hollis, Temple University Law School

Speaker 1: Cristine Hoepers, Technical Community, Latin American and Caribbean Group (GRULAC)
Speaker 2: Adli Wahid, Technical Community, Asia-Pacific Group
Speaker 3: Madeline Carr, Civil Society, Western European and Others Group (WEOG)
Speaker 4: Chris Buckridge, Technical Community, Western European and Others Group (WEOG)
Speaker 5: Alice Munyua, Government, African Group

Additional Speakers: 

Becky Burr. ICANN Board member.

Farzaneh Badii. Noncommercial Stakeholder Group. ICANN.

Grégory Mounier, Europol

Jac Sm Kee, APC Women

Farzaneh Badii, Georgia Institute of Technology

Relevance: 

This roundtable is about the importance of CERTs' continued access to Whois data, with proper balancing of renewed privacy considerations, as a key topic for international cyber security discussions. This is a topic that has not been explored enough in the recently intensified debate about privacy in the Whois databases.

All of us recognize the utility and importance of the Whois database. It started as a directory service to contact network operators or domain name holders whenever there is an issue. It also has served as a title registration system. Over the years, law enforcement agencies have used the Whois database for attribution, basically to help them identify bad behavior online. With GDPR in effect, there have been renewed discussions about Whois and privacy: What data is or should be collected? What data should be disclosed? How can privacy be protected?

In March 2018, the Chair of the Forum of Incident Response and Security Teams (First.org) sent a letter to ICANN and the GAC arguing in favor of CERTs' eligibility to access non-public Whois data. "An incident responder within private sector, academia, may have responsibility over multiple client or organization networks, and need access to Whois data to investigate malicious activity", the letter says. However, further complicating this dynamic, incident response teams are not always accredited by their respective governments, likely preventing their continued access if a tiered access policy is established.

This roundtable will be the 3rd iteration of a series of IGF workshops (Guadalajara, Geneva and, hopefully, Paris) that have successfully brought together the CERT and the technical / policy communities to discuss relevant cyber-policy matters. In 2016 we opened the debate with “NetGov please meet Cybernorms”. In 2017 we discussed “International Cooperation Between CERTS: Technical Diplomacy for Cybersecurity”. In 2018 we would like to talk about the importance of CERT access to Whois data as a key topic for international cybersecurity.

Session Content: 

The objective is to have a discussion about Whois that is not ICANN-centric and not GDPR-focused. Reference to diversity of Whois services available. Talk about the original technical purpose and the importance of continuity of service.

Much has happened at ICANN in terms of an Expedited Policy Development Process and discussion about a Universal Access Model, which I think is important to share, though without much detail.

Of interest is the CERT community's assessment that Whois is an important tool for their work, and their concerns about how to legitimize their access even if they are not national CERTs.

See: https://www.icann.org/en/system/files/files/gdpr-comments-first-icann-proposed-compliance-models-25mar18-en.pdf

The workshop is part of a series about bridging the Internet governance community with the security community. This will be the third workshop: the first one, in Guadalajara, was called “NetGov, please meet Cybernorms. Opening the Debate”. The second one, in Geneva, was called “International Cooperation between CERTs: Technical Diplomacy for Cybersecurity”.

As Whois is quite narrow in the great scheme of cybersecurity issues, it is important that this workshop not go deep into the status and details of the discussions about the EPDP, but focus more on the overall importance of Whois for technical purposes and on how the security community, including governments, can get a better understanding of why this is important and how the policy decision-making process works: Is it community led? Or government imposed? And how are the interests being aggregated? There is also a need for the security community to have a say on these matters.

Interventions: 

We have approached members of the CERT community (First.org and CERT.Br), academia (UCL and Temple University), Whois implementers (ICANN and RIRs), and government and policy experts (GAC, national). We are also planning to have private sector participants, particularly from ISPs and Domain Name Registrars. We have non-commercial stakeholders on board (NCSG of ICANN). This will provide a broad view of the subject and, being a roundtable, an open discussion that will accept questions from an interested group of participants.

Diversity: 

We have gender and geographic diversity in the group of people that have committed to participate in this workshop. We have North-South perspectives, and also important for this discussion, European and non-European perspectives.

Online Participation: 

In our previous workshops we brought in remote participants who successfully contributed views to the workshop. We also had a good turnout of live attendees, and many viewers after the workshop. We have the same expectation this time, with more targeted promotion through social media and direct invitations to experts prior to the workshop.

Discussion Facilitation: 

In the past workshops, a team of speakers has been responsible for laying out the core of the discussion. Team members have learned about each other's points of view and have had coordination meetings beforehand, so at the time of the workshop their interventions are well prepared and not improvised. This has proved successful in keeping the discussion focused. Just as in previous workshops, we are promoting a roundtable format and not a panel. This means that other participants will be welcomed into the discussion and are expected to provide fresh views and pointed questions. These interventions will be artfully interlaced by the moderator throughout the session, without losing sight of the overall outline. This has proved to be a successful formula for having open discussions, yet also ones that arrive at a conclusion or agreement at the end.

Onsite Moderator: 

Duncan Hollis

Online Moderator: 

Adli Wahid

Rapporteur: 

Pablo Hinojosa

Agenda: 

10 minutes - Introduction: primary use and purpose of WHOIS. Accountability on the Internet. Anonymous behavior.
30 minutes - Discussion: Use of Whois by the CERT community. How are IP address operators or domain name holders informed about a security incident affecting them? Can registration data help identify individual malicious actors? Why is it important that CERTs maintain access to Whois private data? To what degree has the security community made a successful case for the collection of WHOIS data under GDPR rules? What existing or new technical means of access can be used and deployed to provide access to a limited set of accredited security actors? Who accredits the security actors?
20 minutes - Answering questions.
10 minutes - Closing

Report: 

- Session Title: Who is Collected, Disclosed and Protected: CERTs Viewpoint

- Date: 14 November 2018

- Time: 11:30 - 12:30

- Session Organizer: Pablo Hinojosa

- Chair/Moderators: Madeline Carr, Duncan Hollis

- Rapporteur/Notetaker: Madeline Carr

 

- List of Speakers and their institutional affiliations:  

(in order of participation)

  • Duncan Hollis, Professor of Law, Temple University School of Law
  • Dr. Madeline Carr, Associate Professor of International Relations and Cyber Security, University College London
  • Pablo Hinojosa, Strategic Engagement Director, APNIC
  • Paul Wilson, APNIC
  • Cristine Hoepers, CERT Brazil
  • Becky Burr, ICANN
  • Grégory Mounier, Europol
  • Jac Sm Kee, APC Women
  • Farzaneh Badii, Georgia Institute of Technology

 

- Key Issues raised (1 sentence per issue):                 

  • As in the past two IGF sessions, this roundtable is an effort to improve dialogue between the policy, technical and internet governance communities.
  • We always choose one specific issue around which we can gather and exchange views in an effort to better understand diverse perspectives on a contentious topic.
  • This session touched on the difficulties of implementing the GDPR in the context of the WhoIs databases; however, the main focus was on issues around accountability online.
  • The implementation of the GDPR has raised questions about the use of, access to and distribution of the WhoIs databases.
  • While these questions are still to be resolved, the CERTs that rely on this information are very concerned that any steps that interrupt their easy access to critical information will hamper their ability to carry out security practices and respond to incidents.
  • Although law enforcement can still access WhoIs databases, the process is now slower and more cumbersome than it was previously and this has negative implications for investigations.
  • WhoIs databases can contain personally identifiable information which, under the GDPR, can only be shared under prescribed conditions such as ‘legitimate use’ or with the consent of the data subject.
  • There remain very real concerns in the community about the possible infringement of human rights and the right to privacy that arise through access to personally identifiable information (PII) contained in the WhoIs databases.
  • The WhoIs database is not a single, unitary database. Rather, there are many different databases that contain different information and serve different purposes.
  • Some WhoIs databases contain more PII than others.
  • These databases or registries operate independently.
  • For CERTs, it is critical to be able to quickly identify the owner / administrator of a network that may have been affected by a security incident.
  • Free access to the WhoIs databases is a key tool in the toolbox of the CERTs.
  • Not being able to access the WhoIs databases that they rely upon will mean that they struggle to identify those at risk and notify them in a timely manner.
  • This access is not only important for large, national CERTs but is also important for small and large organisations that need to quickly find peers in other networks to exchange information and collaboratively problem solve security incidents.
  • From the perspective of the European ccTLD landscape, there has been little change in terms of data collection for the WhoIs databases post GDPR.
  • For law enforcement, although criminals tend not to use their real names to register, the information in the WhoIs databases remains a key element of investigations.
  • The implementation of GDPR has impacted law enforcement investigations negatively due to the added time it takes to access the data they need.
  • There was a point made that CERTs do qualify as ‘legitimate interest’ under the GDPR and therefore, should still be entitled to access the WhoIs databases.
  • CERTs are clearly identifiable within their community and recognise their accountability in terms of protecting sensitive data.
  • While the WhoIs databases are a necessary source of information for CERTs and law enforcement, they are also open to abuse by perpetrators of gender-based violence who use them to find personal details of their victims.
  • The CERT representative pointed out that she really needs access to IP addresses and admin details, rather than domain names.
  • It was acknowledged that further clarity about exactly what information is needed, by whom, would help this discussion move forward.
  • It was suggested that it is now necessary to devise a system of due process that can operate globally, including clear checks and balances to define who the actors are, what their interests are and what information they should have access to, including clear safeguards against abuse.
  • The issue of a valid email address as a point of contact in case there are trademark infringements was raised as important for the intellectual property constituencies.

 

 

- If there were presentations during the session, please provide a 1-paragraph summary for each presentation:                 

 

n/a

- Please describe the Discussions that took place during the workshop session (3 paragraphs):    

  • The exact nature of the information that CERTs require access to was discussed in some detail, as were the challenges that law enforcement face in their investigations due to time constraints now imposed by GDPR compliance. This discussion was useful in terms of developing a better understanding amongst participants of which personally identifiable information is or is not at risk through CERTs' access to WhoIs databases.
  • There was also an important discussion about the ways in which WhoIs database information can be and is used by perpetrators of gender-based violence, to suppress political free speech and also as harvested information that is then on-sold without permission of the data subjects.
  • It was clear from the discussion that relevant stakeholders had not had the opportunity for clear discussion and understanding of these competing perspectives in adequate detail. By the end of the session, there was a general sense in the room that a more fine-grained conversation was essential and that, having done so, there were certainly pathways for forward momentum on this issue and a resolution that brought all parties together in an acceptable framework.

- Please describe any Participant suggestions regarding the way forward/ potential next steps /key takeaways (3 paragraphs):   

  • CERTs need to provide more clarity about exactly what information they need and under what circumstances. They also should take a role in outlining which entities qualify for that access, given the tightly controlled parameters of their community which has a high degree of accountability.
  • The administrators of WhoIs databases need to have a clear understanding of the range of ways in which the information they collect and control can be abused by those who can access it. They should work with law enforcement, CERTs and those who work in human rights protection to develop adequate safeguards that allow CERTs to continue their work without undermining human rights.
  • Further discussions of this type would be useful to tease out these future collaborative working practices and avoid the road blocks that have characterised past engagements.

 

Gender Reporting

- Estimate the overall number of the participants present at the session:

Around 70 pax.

- Estimate the overall number of women present at the session:

35 pax.

- To what extent did the session discuss gender equality and/or women’s empowerment?

n/a

- If the session addressed issues related to gender equality and/or women’s empowerment, please provide a brief summary of the discussion:

  • The list of speakers was big and quite diverse in terms of gender, stakeholder group and geographic representation.

 

Session Time: 
Wednesday, 14 November, 2018 - 12:30 to 13:30
Room: 
Salle IX
