Thu 19. Dec 2024, 18:52
The anonymization of domain owners' WHOIS data as a result of the General Data Protection Regulation (GDPR) has had a significant impact on spam emails. A field experiment, the results of which were published by policy expert Tobias Sattler after a year of research, comes to a differentiated conclusion.
On May 25, 2025, it will be seven years since the GDPR came into force. The EU wanted it to give EU citizens more control over their own personal data and improve their security both online and offline. The GDPR had a drastic impact on the domain name system; the previous WHOIS system, which told anyone within seconds who the owner of a domain was and under which contact details they could be reached, was rendered obsolete practically overnight due to high fines. But has the GDPR achieved its purpose? It has long been assumed that the disclosure of registration data in the WHOIS leads to email spam; however, there has been no systematic academic study on this effect. This gap has now been closed by Tobias Sattler, Executive Advisor and active in various functions for the internet administration ICANN, in a field experiment; he has published the results in a research paper entitled “WHOIS Data Redaction and its Impact on Unsolicited Emails: A Field Experiment”. The focus is on the question of whether the severely restricted access to WHOIS data since 2018 has curbed widespread abuse practices such as spam, phishing attempts and other unwanted information flows - or whether spammers have merely had to adapt their tactics.
Sattler registered a total of 66 domains under generic top level domain in July and August 2022, which were randomly generated with a script that created different, unidentifiable strings to avoid recognizable patterns or keywords that could attract the attention of address collectors. To ensure diversity, these domains were distributed across three generic top level domains (.com, .xyz and .store) and registered through eleven different registrars. For half of the domains, the registration data was public; for the other half, the data was masked either by the registry or the registrar in accordance with the GDPR. To ensure consistent data collection, Sattler set up unique email addresses for each domain and systematically monitored them over the course of a year, from July 2022 to June 2023. The experiment ultimately classified as unwanted all commercial, advertising or potentially malicious emails that the domain owner had not explicitly requested. Ultimately, 788 emails were received, 425 of which were in category 3, referred to as “spam” in the experiment. The results confirm the prejudice, but call for differentiation: “Our results revealed that, on average, domains with publicly disclosed contact information received 19.7 total emails per domain, compared to a mean of 4.2 for domains with undisclosed details. When focusing specifically on spam emails, domains with publicly disclosed contact information received 12.76 per domain, compared to only 0.12 for domains with undisclosed details,” says Sattler. It became apparent that .com domains attract significantly more spam emails than other domain extensions.
In his research work, Sattler shows considerable differences overall depending on the published domain registration data, the selected top level domain and the responsible domain registrar. These results underline the need for careful consideration when registering domains. At the same time, Sattler sees them as an invitation to a dialog on research into the evolving dynamics of internet governance and domain name management. “By understanding how data redaction influences communication channels, we can better evaluate current policies and anticipate future trends,” says Sattler.
You can find Tobias Sattler's field experiment at:
https://ieeexplore.ieee.org/document/10776773