The EU is currently drafting legislation to increase cyber security (revised NIS Directive, in short “NIS 2”). According to this directive, the registration of internet domain names will in future require the correct identification of the owner in the Whois database, including name, address and telephone number. So far, registries such as DENIC do not register telephone numbers of the holders. The lead Industry Committee wants to additionally mandate “verification” of the registration data. The plans could mean the end of “whois privacy” services for proxy registration of domains, threatening the safety of activists and whistleblowers. The Home Affairs Committee is voting on the issue this week. The lead committee ITRE is expected to take a position at the end of the month.
MEP Patrick Breyer, shadow rapporteur in the opinion-giving LIBE Committee, warns against the proposal:
“This indiscriminate identification policy for domain holders is a big step towards abolishing anonymous publications and leaks on the Internet.
This policy endangers website operators, because only anonymity effectively protects against data theft and loss, stalking and identity theft, doxxing and ‘death lists’. The right to anonymity online is particularly indispensable for women, children, minorities and vulnerable persons, victims of abuse and stalking, for example. Whistleblowers and press informants, political activists and people in need of counselling fall silent without the protection of anonymity. Only anonymity prevents the persecution and discrimination of courageous people in need of help and ensures the free exchange of sometimes vital information. If Wikileaks activists, for example, had had to register the platform’s website in their name, they would have been immediately prosecuted in the United States.
I welcome the aim of increasing network security. But indiscriminate identification has nothing to do with network security. That is why my group and I are calling for the deletion of the identification requirement from the draft Directive.”
✊What you can do
Phone calls are most likely to have an impact. English is the working language. This dossier is commonly referred to as “NIS 2 Directive”. The problematic provision is Article 23 (see below for the wording proposed by the LIBE committee).
To avoid misunderstandings: The identification data are not to be published, but to be accessible to third parties in case of a “legitimate interest”. Such an interest can easily be constructed. The data might also be hacked. Therefore, the security of activists, threatened and harassed persons, and many more is at risk.
Full text of provision as recommended by LIBE
ARTICLE 23 – Databases of domain names and registration data
1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD have policies and procedures in place to ensure that accurate and complete domain name registration data is collected and maintained in a dedicated database facility in accordance with Union data protection law as regards data which are personal data. Member States shall ensure that such policies and procedures are made publicly available.
2. Member States shall ensure that the databases of domain name registration data referred to in paragraph 1 contain the information necessary to identify and contact the holders of the domain names, namely their name, their physical and e-mail address as well as their telephone number, and the points of contact administering the domain names under the TLDs.
3. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD have policies and procedures in place to ensure that the databases include accurate and complete information. Member States shall ensure that such policies and procedures are made publicly available.
4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, in accordance with Article 6(1)(c) and Article 6(3) of Regulation (EU) 2016/679 and without undue delay after the registration of a domain name, certain domain name registration data, such as the domain name and the name of the legal person.
5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data upon lawful and duly justified requests of public authorities, including competent authorities under this Directive, competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, or supervisory authorities under Regulation (EU) 2016/679, in compliance with Union data protection law. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD reply without undue delay to all lawful and duly justified requests for access. Member States shall ensure that policies and procedures to disclose such data are made publicly available.