The goal of the European Union’s General Data Protection Regulation (GDPR) is, among other things, to standardize data protection laws applicable to EU data subjects. Aimed at enhancing privacy protection, the enforcement of the regulation becomes effective on May 25.

GDPR’s implementation on an issue relevant to the cybersecurity industry may well have negative consequences that, ironically, run contrary to its original intent. These consequences could include a significant increase in cyberattacks, online fraud, and spam. At IBM, we are among many groups and individuals calling for European regulators to work with the right parties to ensure security teams continue to have access to the data they need to help stop cybercrime through a discussion of possible consequences and remedies.

What’s at Stake?

The central issue involves changes to accessing business contact information in the ICANN WHOIS database as a result of the current interpretation of the GDPR. WHOIS is a service that has readily provided basic information about a registered domain, such as domain owner contact information, domain availability status and the company with which the domain is registered. Registrants of new domains provide this information as part of the registration process.

The current interpretation of GDPR will greatly restrict access to data for security professionals and security researchers, as well as automated processes associated with access. Today, cybersecurity professionals use this information to quickly stop cyberthreats. Restriction under the GDPR interpretation includes limiting access or redaction of data such as the name of the person who registered the site domain, his or her phone number, physical address and email address.

Why this information is so vital to ongoing efforts to protect data privacy and prevent or limit cybercrime is best explained with an illustration of how that protection is provided in the first place.

How We Stop Cybercrime Today

IBM receives upward of 35 million malicious spam messages per day in our spam traps. Using high-speed machine-to-machine technology and with full access to WHOIS data, we can block these messages. But organizations like IBM X-Force can also block or at least delay activity coming from domains associated with the individuals (or phone numbers, email addresses or physical addresses) aligned with these spam messages.

That’s how IBM X-Force identifies and blocks nearly 1.3 million malicious domains per month. This information is shared globally — with other cybersecurity investigators, governments and even law enforcement — for the legitimate purpose of cybersecurity protection and to better protect users everywhere. Without WHOIS data, IBM X-Force analysts predict it might take over 30 days to detect malicious domains by other methods, leaving organizations at the mercy of cybercriminals during that period.

Also, it is important to understand how attacks are often launched. Organized criminals — and that is exactly who is behind an estimated $600 billion annual cybercrime business — invest heavily in buying legal and illegal email lists. They also purchase spam and phishing kits on the Dark Web. They then purchase not a few, but literally thousands of domain names at a time — domains that, at a glance, may look quite legitimate.

Then they do nothing for a period of time, possibly months, simply watching and noting if security filters block any of the domains. Once they feel their fake domains are largely perceived as legitimate, they strike, unleashing millions of illicit emails. They closely monitor click-thrus, which usually follow a pattern of high clicks followed by increasingly fewer successful click-thrus as spam and other filters begin limiting their effectiveness. After as little as a few hours, they shut down the operation and assess their “take.”

With the proper WHOIS data, IBM X-Force, as well as private, legitimate security researchers, can essentially “map” the malicious domain information to other fake domains by blocking any domains opened by the same person or with the same phone number or same email address. Cybercriminals routinely reuse such data because it is too costly to buy thousands of phones with unique phone numbers or to establish thousands of unique email address. This cyber cross-referencing is highly successful at stopping or greatly limiting the overall damage of the attack by limiting the amount of time the attack can take place.

Many Calls for Restraint

Opposition to these fundamental access changes to the WHOIS database and calls for a “cooling-off period” have come from many quarters. Included among these voices is Secretary Wilbur Ross, Department of Commerce, who specifically noted the importance of “preserving quick access to domain name registration… needed for intellectual property rights enforcement, cybersecurity and law enforcement.”

Additionally, the U.S. Chamber of Commerce, in a recent memorandum, minced few words in praising the security benefits of broad access to WHOIS data while sounding warnings of probable impact due to proposed changes to that access.

“Legitimate public access to the [WHOIS] database has proven crucial to effectively identify, prioritize and allocate resources to the policing of malicious and unlawful activity on the Internet,” the memorandum stated. “If access to the database is eliminated, there will be a significant rise in cyberattacks and fraudulent online activity without any ability for law enforcement, cyber researchers, companies or consumers to respond or remedy. An assurance of forbearance of enforcement or an interim ‘self certification’ solution, preserving this access to qualified users with appropriate safeguards, is necessary.”

Others Chime In

Security expert Brian Krebs is another leader in the call for temporary reconsideration of the GDPR rules regarding WHOIS data.

“I have worked the majority of my professional career to expose those who are doing the spamming and scamming,” Krebs articulated. “I can say without hesitation that an overwhelming percentage of that research has been possible thanks to data included in the public WHOIS registration records.”

Some suggest that this change will not have a material impact as qualified investigators can take legal steps to access the owner’s information. This is not practical in an automated cyber protection environment when security attacks often begin, do all of their damage, and conclude in a few minutes or hours. More time is needed to develop a solution that would appropriately calibrate privacy interests with the need to access this information for cybersecurity research purposes.


The time is now for security professionals globally to contribute to the conversation regarding the unintended consequences of interpreting the GDPR to restrict access to WHOIS data in cybersecurity research contexts. Preserving the resiliency, transparency and accountability of the internet is key, given the national and economic security issues that could result.

A fuller meaningful dialogue is needed and short- and long-term solutions must be developed and proposed. Industries and regulators need to find a path to both protect privacy and give the security community access to the data we need to stay ahead of the threat actors — but we’re running out of time to put it into action.

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

More from CISO

Who Carries the Weight of a Cyberattack?

Almost immediately after a company discovers a data breach, the finger-pointing begins. Who is to blame? Most often, it is the chief information security officer (CISO) or chief security officer (CSO) because protecting the network infrastructure is their job. Heck, it is even in their job title: they are the security officer. Security is their responsibility. But is that fair – or even right? After all, the most common sources of data breaches and other cyber incidents are situations caused…

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…