While trying to combat an onslaught of new fraudulent websites peddling coronavirus-related scams, investigators at the Federal Bureau of Investigation and the Justice Department are facing a familiar obstacle: restricted access to a previously public database of domain name owners.
Listings in the WHOIS database have been heavily redacted following the implementation of the European Union’s expansive privacy law, adding a hurdle for investigators trying to decipher who is behind the scam sites and prompting lawmakers in both the House and Senate to begin looking at possible solutions.
Typically the WHOIS database, which provides domain name ownership records, is the first line of defense for law enforcement and private cybersecurity researchers investigating fraudulent activities by providing them with potential bread crumbs — such as contact information or alias information that’s connected to known cyber criminals. However, following the implementation of the EU’s General Data Protection Regulation two years ago, domain name registrars such as GoDaddy Inc. and their governing body, the Internet Corporation for Assigned Names and Numbers, opted to redact personal information found in the WHOIS database worldwide for fear that those listings could be seen as a privacy violation.
But consumer advocates, who typically follow a stringent pro-privacy agenda, argue that in this instance, fully equipping law enforcement officials is essential to protecting Americans given how quickly domain name-related scams crop up: Between Jan. 1 and March 31, more than 116,000 domains were newly registered with coronavirus-related names, according to researchers at cybersecurity firm Palo Alto Networks Inc. And the FBI estimated that as of April 21, it had received and reviewed more than 3,600 complaints related to COVID-19 scams, including those tied to websites advertising fake vaccines, charity drives and other fraudulent activity.
“I know there are some privacy concerns, like if I want to start a website, I should be able to do that without revealing who I am, so we have to balance those, but that’s a more complicated process,” said Sally Greenberg, executive director of the National Consumers League. “But we definitely need it because it’s a floodgate for scammers and fraudsters if we don’t have any of that information provided to the public.”
Lawmakers have begun taking the first steps to either provide relief for law enforcement and reopen the WHOIS database or hold domain name operators accountable for verifying the identities of those who purchase web addresses themselves, as seen in a series of letters and resolutions this year from lawmakers on both sides of the aisle and in both chambers.
Rep. Bob Latta (R-Ohio), the ranking member of the House Energy and Commerce Committee’s communications subcommittee, introduced a resolution in February highlighting the importance of WHOIS database access for law enforcement officials tasked with cracking down on domain name frauds, marking the first time a lawmaker has taken up this issue on the House floor since the implementation of the EU’s General Data Protection Regulation in May 2018.
What restricting WHOIS data “does is open the door for all of these bad actors out there to know that there is no consequence, and nobody is going to be watching over them,” Latta said in an interview.
Dave Piscitello, a partner at digital security firm Interisle Consulting Group, said part of the reason WHOIS data access is so integral for law enforcement and private investigators is that domain name registrars don’t typically verify the identities of those purchasing web addresses, mostly because their business models don’t incentivize it.
“When you go to a GoDaddy, they want for it to be a completely human-free operation that can streamline things to the point where I could go register a name and put up a website in under an hour,” said Piscitello, ICANN’s former vice president for security and ICT coordination. “That’s really nice, but it’s also the perfect playing field for criminals.”
Since the coronavirus pandemic, a group of Democratic senators has targeted the issue of domain name accountability. In April, Sens. Mazie Hirono (Hawaii), Cory Booker (N.J.) and Maggie Hassan (N.H.) sent letters to eight domain name operators urging them to do more to combat scams and misinformation during the pandemic.
In response, GoDaddy Chief Legal Officer Nima Jacobs Kelly said the company has no way of knowing how people plan to use their new URL addresses at the time of purchase, according to a copy of the letter obtained by Morning Consult, and also warned that any automated process to determine fraudulent activity at the time of purchase “could result in erroneous suspension of an official news or beneficial public-information site and be an infringement on free speech.”
Meanwhile, some registrars indicated they’re able to use a variety of tools to root out bad actors: InMotion Hosting Inc. said in its letter to the senators that it cross-references the contact information provided at the time of purchase with publicly available data to check for potential criminal activity, and Donuts Inc. said that its registrar, Name.com Inc., uses a mix of internal tools and external feeds from IBM Corp. and other companies to “identify trends of abuse” among its customers.
“Too many domain name registrars and other internet companies are putting their heads in the sand as cybercriminals and scammers try to exploit this pandemic by luring people to fraudulent coronavirus-related websites,” Hirono said in a statement given to Morning Consult, adding that many of these sites advertise fake virus cures, test kits and personal protective equipment.
A GoDaddy spokesperson pointed to a blog post the company published March 26 outlining its coronavirus scam response, as well as a tweet from the New York attorney general’s office applauding the registrar’s work on this issue.
Libby Baney, a partner at Faegre Drinker Biddle & Reath LLP who represents the Alliance for Safe Online Pharmacies, said that while the government response to the proliferation of coronavirus-related scam websites has been “fantastic,” including takedowns announced by the Department of Justice in April, the problem can’t be solved through enforcement actions alone. Structural changes are also needed, she said.
“We can’t get our arms around all of the domain registrars globally,” Baney said. “The internet is global, and we only have domestic jurisdiction, but even if we did have jurisdiction, there’s too many domain names and criminals online for us to be able to enforce our way out of the problem.”
Greenberg, of the National Consumers League, said her group plans to start reaching out to more members of the House Energy and Commerce Committee and the Senate Commerce Committee to get more lawmakers talking about the role of domain name registrars in online scams and access to WHOIS data.
As for folding WHOIS data access into talks on a comprehensive privacy bill, Latta said he isn’t ruling it out.
“It could be,” Latta said about rolling the issues surrounding WHOIS access into a broader privacy legislation discussion. “But with our resolution, we have something right here that we can move forward with to make sure that we know what WHOIS is supposed to do and what’s out there.”