WHOIS is a service that allows the public to query information about a domain registrant. This information often includes the registrant's name, address, IP address, and contact information. WHOIS data helps identify the owners of domains, which is useful for determining whether a domain is legitimate and which other domains are owned by the same registrant or are otherwise related. It also provides the contact information needed to reach the domain owner, determine the owner’s geographic location, and/or serve legal process against them.
Law enforcement use of WHOIS varies greatly. Law enforcement activities are likely to be negatively impacted, as law enforcement officers often use WHOIS data to identify evidence regarding malicious actors and actions, assess threat location and jurisdiction, serve legal orders, and support legal proceedings. Cybersecurity staff likely use WHOIS queries in daily cybersecurity operations to analyze malware and phishing messages, assess the legitimacy of websites, identify fraud, and issue takedown and abuse requests. Law enforcement may also have services that rely on WHOIS data.
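The registrant pivot described above (finding other domains held by the same registrant) can be sketched as follows, along with what happens to it when registrant fields are withheld. This is an added example, not part of the original paper; the domains, names, addresses and the redaction wording in the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed WHOIS responses; every domain, name and address is illustrative.
SAMPLE_RECORDS = {
    "shop-example.test": """Domain Name: SHOP-EXAMPLE.TEST
Registrant Name: Pat Example
Registrant Email: pat@mail-example.test""",
    "login-example.test": """Domain Name: LOGIN-EXAMPLE.TEST
Registrant Name: P. Example
Registrant Email: PAT@mail-example.test""",
    "bank-example.test": """Domain Name: BANK-EXAMPLE.TEST
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY""",
}

# Assumed markers of a withheld or proxied value; tune for the data you see.
REDACTION = re.compile(r"redacted|privacy|withheld", re.IGNORECASE)


def parse_whois(text):
    """Parse 'Key: Value' lines into a dict with lower-cased keys."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # values may contain ':' too
        if sep and value.strip():
            record.setdefault(key.strip().lower(), value.strip())
    return record


def registrant_key(record):
    """Return the normalised registrant email, or None if absent/redacted."""
    email = record.get("registrant email", "")
    if "@" not in email or REDACTION.search(email):
        return None
    return email.lower()


def pivot(records):
    """Group domains by registrant email; collect those with no usable key."""
    related, unresolved = defaultdict(list), []
    for domain, text in records.items():
        key = registrant_key(parse_whois(text))
        if key:
            related[key].append(domain)
        else:
            unresolved.append(domain)
    return dict(related), unresolved
```

Calling `pivot(SAMPLE_RECORDS)` links the first two domains through their shared registrant email, while the redacted record lands in the unresolved list and cannot be related to anything by this method.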
The Multi-State Information Sharing and Analysis Center (MS-ISAC, https://www.cisecurity.org/isac/) is providing this paper to guide agencies in determining the impact of WHOIS data restriction.