On Monday evening, Slate published what was potentially a bombshell report indicating that a Trump-affiliated server was communicating with a server at Russia’s largest bank, Alfa Bank, at suspicious, irregular intervals. The exact nature of the “communications” was unclear, but the Slate article seemed to imply that Trump’s relationship with Russia, and its president, Vladimir Putin, went further than simple admiration — that Trump was, possibly, colluding with Russian bankers or government agents in some vague and undetermined way. Unfortunately for proponents of the Trump-is-a-Russian-asset theory, the report was scoffed at by cybersecurity experts, who took a look at the data and determined that the server was almost definitely sending out marketing material for Trump’s hotel operation, and the responses from the bank were likely just its mail servers attempting to ascertain the origin of the junk mail.
But lost in the battle over the veracity of the claims in the report itself is the troubling question of where the data itself came from. Ultimately the real, though less juicy, effect of the story may be to raise serious concerns over the privileged access that some researchers have to the systems that administer internet traffic around the globe.
I’ll try to explain. The original discovery that the two servers had been communicating was made by malware researchers combing through records in the domain-name system, which routes internet traffic. Malware research — often informal collaborations between tech companies, experts, and academics — relies on giving people access to online traffic information that isn’t publicly accessible. In this case, the supposedly damning Trump evidence relies on logs from the domain-name system, the universal directory that, among other functions, translates text-string domains to numerical IP addresses. By looking at this hidden information in the DNS system, researchers can identify the source and targets of cyberattacks and other vulnerabilities.
As Robert Graham explains, this community has, at the very least, an informal agreement that their research remain confidential. That someone in the group was leaking information about Trump-related servers to both the F.B.I. and the press raises daunting questions about the aims and neutrality of the community.
Malware research consists of a lot of informal relationships. Researchers get DNS information from ISPs, from root servers, from services like Google’s 8.8.8.8 public DNS. It’s a huge privacy violation – justified on the principle that it’s for the general good. Sometimes the fact that DNS information is shared is explicit, like with Google’s service. Sometimes people don’t realize how their ISP shares information, or how many of the root DNS servers are monitored.
People should be angrily calling their ISPs and asking them if they share DNS information with untrustworthy researchers. People should be angrily asking ICANN, which is no longer controlled by the US government (sic), whether it’s their policy to share DNS lookup information with those who would attempt to change US elections.
Access to such (potentially) revealing information, often without the knowledge of parties that route their traffic through DNS providers, requires discretion that was not exercised in the case of Trump. That the Foer report was so anemic only makes this violation more embarrassing.
No one should blame Foer for accepting potentially newsworthy data, even if it was originally obtained through ethically dubious measures — that’s how journalism works. But it should be troubling to anyone who cares about privacy on the web that malware researchers have unfettered access to DNS information, but few formal rules or official regulations about what they can do with it. And, worse, that they’re prepared to share that information based on such dubious conclusions as those that were reached in this case.