The EU Parliament today approved the directive to increase cyber security (“NIS 2”) by a large majority. According to it, the registration of internet domain names shall in the future require the correct identification of the owner in the Whois database (Article 28). The obligation to register the identity explicitly also applies to “privacy” and “proxy” registration services and resellers (Article 6). Public authorities and private individuals wil have access in case of “legitimate interest”. “Whois privacy” services for proxy registration of domains thus become illegal, threatening the safety of activists and whistleblowers.
Pirate Party Member of the European Parliament Patrick Breyer, shadow rapporteur in the opinion-giving Civil Liberties Committee, explains:
“If the operators of leak sites like Wikileaks were to be listed by name in the future, they risk long prison sentences for publishing US war crimes, just like Julian Assange. The Catalonian independence referendum also had to be organised via anonymously registered websites because of the threat of imprisonment in Spain.
This government-dictated identification requirement is unique in the world and breaks with international principles of internet governance. It will be gratefully adopted by regimes in Russia, Iran, China etc. and will have dire consequences for courageous human rights and democracy activists.
Mandatory identification endangers website operators because only online anonymity effectively protects against data theft and loss, stalking and identity theft, doxxing and ‘death lists’. The right to anonymity online is particularly indispensable for women, children, minorities and vulnerable persons, victims of abuse and stalking, for example. Whistleblowers and press informants, political activists and people in need of counselling, fall silent without the protection of anonymity. Only anonymity prevents the persecution and discrimination of courageous people in need of help and ensures the free exchange of sometimes vital information.
We Pirates fully support the parts of the directive that will increase network security. But making identification mandatory for domain holders has nothing to do with network security.”
Breyer’s group had requested a separate vote on the identification requirement, but this was rejected by the parliamentary majority.
The Directive will still need to be implemented by the EU member states.
Annex: Article 28
Article 28 Database of domain name registration data
- For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall require TLD name registries and entities providing domain name registration services to collect and maintain accurate and complete domain name registration data in a dedicated database with due diligence in accordance with Union data protection law as regards data which are personal data.
- For the purposes of paragraph 1, Member States shall require the database of domain name registration data to contain the necessary information to identify and contact the holders of the domain names and the points of contact administering the domain names under the TLDs. Such information shall include:
- (a) the domain name;
- (b) the date of registration;
- (c) the registrant’s name, contact email address and telephone number;
- (d) the contact email address and telephone number of the point of contact administering the domain name in the event that they are different from those of the registrant.
- Member States shall require the TLD name registries and the entities providing domain name registration services to have policies and procedures, including verification procedures, in place to ensure that the databases referred to in paragraph 1 include accurate and complete information. Member States shall require such policies and procedures to be made publicly available.
- Member States shall require the TLD name registries and the entities providing domain name registration services to make publicly available, without undue delay after the registration of a domain name, the domain name registration data which are not personal data.
- Member States shall require the TLD name registries and the entities providing domain name registration services to provide access to specific domain name registration data upon lawful and duly substantiated requests by legitimate access seekers, in accordance with Union data protection law. Member States shall require the TLD name registries and the entities providing domain name registration services to reply without undue delay and in any event within 72 hours of receipt of any requests for access. Member States shall require policies and procedures with regard to the disclosure of such data to be made publicly available.
- Compliance with the obligations laid down in paragraphs 1 to 5 shall not result in a duplication of collecting domain name registration data. To that end, Member States shall require TLD name registries and entities providing domain name registration services to cooperate with each other.