The goal of the European Union’s General Data Protection Regulation (GDPR) is, among other things, to standardize data protection laws applicable to EU data subjects. Aimed at enhancing privacy protection, the enforcement of the regulation becomes effective on May 25.

GDPR’s implementation on an issue relevant to the cybersecurity industry may well have negative consequences that, ironically, run contrary to its original intent. These consequences could include a significant increase in cyberattacks, online fraud, and spam. At IBM, we are among many groups and individuals calling for European regulators to work with the right parties to ensure security teams continue to have access to the data they need to help stop cybercrime through a discussion of possible consequences and remedies.

What’s at Stake?

The central issue involves changes to accessing business contact information in the ICANN WHOIS database as a result of the current interpretation of the GDPR. WHOIS is a service that has readily provided basic information about a registered domain, such as domain owner contact information, domain availability status and the company with which the domain is registered. Registrants of new domains provide this information as part of the registration process.

The current interpretation of GDPR will greatly restrict access to data for security professionals and security researchers, as well as automated processes associated with access. Today, cybersecurity professionals use this information to quickly stop cyberthreats. Restriction under the GDPR interpretation includes limiting access or redaction of data such as the name of the person who registered the site domain, his or her phone number, physical address and email address.

Why this information is so vital to ongoing efforts to protect data privacy and prevent or limit cybercrime is best explained with an illustration of how that protection is provided in the first place.

How We Stop Cybercrime Today

IBM receives upward of 35 million malicious spam messages per day in our spam traps. Using high-speed machine-to-machine technology and with full access to WHOIS data, we can block these messages. But organizations like IBM X-Force can also block or at least delay activity coming from domains associated with the individuals (or phone numbers, email addresses or physical addresses) aligned with these spam messages.

That’s how IBM X-Force identifies and blocks nearly 1.3 million malicious domains per month. This information is shared globally — with other cybersecurity investigators, governments and even law enforcement — for the legitimate purpose of cybersecurity protection and to better protect users everywhere. Without WHOIS data, IBM X-Force analysts predict it might take over 30 days to detect malicious domains by other methods, leaving organizations at the mercy of cybercriminals during that period.

Also, it is important to understand how attacks are often launched. Organized criminals — and that is exactly who is behind an estimated $600 billion annual cybercrime business — invest heavily in buying legal and illegal email lists. They also purchase spam and phishing kits on the Dark Web. They then purchase not a few, but literally thousands of domain names at a time — domains that, at a glance, may look quite legitimate.

Then they do nothing for a period of time, possibly months, simply watching and noting if security filters block any of the domains. Once they feel their fake domains are largely perceived as legitimate, they strike, unleashing millions of illicit emails. They closely monitor click-thrus, which usually follow a pattern of high clicks followed by increasingly fewer successful click-thrus as spam and other filters begin limiting their effectiveness. After as little as a few hours, they shut down the operation and assess their “take.”

With the proper WHOIS data, IBM X-Force, as well as private, legitimate security researchers, can essentially “map” the malicious domain information to other fake domains by blocking any domains opened by the same person or with the same phone number or same email address. Cybercriminals routinely reuse such data because it is too costly to buy thousands of phones with unique phone numbers or to establish thousands of unique email address. This cyber cross-referencing is highly successful at stopping or greatly limiting the overall damage of the attack by limiting the amount of time the attack can take place.

Many Calls for Restraint

Opposition to these fundamental access changes to the WHOIS database and calls for a “cooling-off period” have come from many quarters. Included among these voices is Secretary Wilbur Ross, Department of Commerce, who specifically noted the importance of “preserving quick access to domain name registration… needed for intellectual property rights enforcement, cybersecurity and law enforcement.”

Additionally, the U.S. Chamber of Commerce, in a recent memorandum, minced few words in praising the security benefits of broad access to WHOIS data while sounding warnings of probable impact due to proposed changes to that access.

“Legitimate public access to the [WHOIS] database has proven crucial to effectively identify, prioritize and allocate resources to the policing of malicious and unlawful activity on the Internet,” the memorandum stated. “If access to the database is eliminated, there will be a significant rise in cyberattacks and fraudulent online activity without any ability for law enforcement, cyber researchers, companies or consumers to respond or remedy. An assurance of forbearance of enforcement or an interim ‘self certification’ solution, preserving this access to qualified users with appropriate safeguards, is necessary.”

Others Chime In

Security expert Brian Krebs is another leader in the call for temporary reconsideration of the GDPR rules regarding WHOIS data.

“I have worked the majority of my professional career to expose those who are doing the spamming and scamming,” Krebs articulated. “I can say without hesitation that an overwhelming percentage of that research has been possible thanks to data included in the public WHOIS registration records.”

Some suggest that this change will not have a material impact as qualified investigators can take legal steps to access the owner’s information. This is not practical in an automated cyber protection environment when security attacks often begin, do all of their damage, and conclude in a few minutes or hours. More time is needed to develop a solution that would appropriately calibrate privacy interests with the need to access this information for cybersecurity research purposes.


The time is now for security professionals globally to contribute to the conversation regarding the unintended consequences of interpreting the GDPR to restrict access to WHOIS data in cybersecurity research contexts. Preserving the resiliency, transparency and accountability of the internet is key, given the national and economic security issues that could result.

A fuller meaningful dialogue is needed and short- and long-term solutions must be developed and proposed. Industries and regulators need to find a path to both protect privacy and give the security community access to the data we need to stay ahead of the threat actors — but we’re running out of time to put it into action.

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…