Cybersecurity: EU to ban anonymous websites

The EU is currently drafting legislation to increase cybersecurity (the revised NIS Directive, “NIS 2” for short). Under this directive, registering an internet domain name will in future require the correct identification of the owner in the Whois database, including name, address and telephone number. So far, registries such as Denic do not register the telephone numbers of domain holders. The lead Industry Committee additionally wants to mandate “verification” of the registration data. The plans could mean the end of “whois privacy” services for proxy registration of domains, threatening the safety of activists and whistleblowers. The Home Affairs Committee is voting on the issue this week. The lead committee ITRE is expected to take a position at the end of the month.

MEP Patrick Breyer, shadow rapporteur in the opinion-giving LIBE Committee, warns against the proposal:

“This indiscriminate identification policy for domain holders is a big step towards abolishing anonymous publications and leaks on the Internet.

This policy endangers website operators, because only anonymity effectively protects against data theft and loss, stalking and identity theft, doxxing and ‘death lists’. The right to anonymity online is particularly indispensable for women, children, minorities and vulnerable persons, victims of abuse and stalking, for example. Whistleblowers and press informants, political activists and people in need of counselling fall silent without the protection of anonymity. Only anonymity prevents the persecution and discrimination of courageous people in need of help and ensures the free exchange of sometimes vital information. If Wikileaks activists, for example, had had to register the platform’s website in their name, they would have been immediately prosecuted in the United States.

I welcome the aim of increasing network security. But indiscriminate identification has nothing to do with network security. That is why my group and I are calling for the deletion of the identification requirement from the draft Directive.”

German registry Denic criticises the proposed registration requirements while ICANN wants to extend them.

✊What you can do

The lead ITRE Industry Committee will decide on the European Parliament’s position on 28 October. You can get in touch with the Committee’s negotiators (click links for contact details):

Phone calls are most likely to have an impact. English is the working language. This dossier is commonly referred to as “NIS 2 Directive”. The problematic provision is Article 23 (see below for the wording proposed by the LIBE committee).

To avoid misunderstandings: The identification data are not to be published, but to be accessible to third parties in case of a “legitimate interest”. This can easily be constructed. The data might also be hacked. Therefore, the security of activists, threatened and harassed persons, and many more is at risk.

Full text of provision as recommended by LIBE

ARTICLE 23 – Databases of domain names and registration data

1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD have policies and procedures in place to ensure that accurate and complete domain name registration data is collected and maintained in a dedicated database facility in accordance with Union data protection law as regards data which are personal data. Member States shall ensure that such policies and procedures are made publicly available.

2. Member States shall ensure that the databases of domain name registration data referred to in paragraph 1 contain the information necessary to identify and contact the holders of the domain names, namely their name, their physical and e-mail address as well as their telephone number, and the points of contact administering the domain names under the TLDs.

3. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD have policies and procedures in place to ensure that the databases include accurate and complete information. Member States shall ensure that such policies and procedures are made publicly available.

4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, in accordance with Article 6(1)(c) and Article 6(3) of Regulation (EU) 2016/679 and without undue delay after the registration of a domain name, certain domain name registration data, such as the domain name and the name of the legal person.

5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data upon lawful and duly justified requests of public authorities, including competent authorities under this Directive, competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, or supervisory authorities under Regulation (EU) 2016/679, in compliance with Union data protection law. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD reply without undue delay to all lawful and duly justified requests for access. Member States shall ensure that policies and procedures to disclose such data are made publicly available.

6 comments on “Cybersecurity: EU to ban anonymous websites”

  1. Anonymous says:

    Wonder who’s sponsoring this directive.

  2. Anonymous says:

    Maybe the copyright lobby and related lawyers? So they can get ahold of people who use domain names that they want for their companies easier.

  3. Anonymous says:

    The compromise text is different.

    Secondly, there’s no such thing as anonymous websites.

    The NIS2 directive proposal has some articles on domain names but is certainly not solely about the DNS ecosystem.

    Domain names can be used for websites, email and many other applications on the Internet but are NOT synonymous with websites.

    Anonymously using the internet is not the same as owning a domain name. Domain names are unique alphanumeric identifiers and form an integral infrastructural part of the internet. Facebook, Google, Microsoft, booking.com, wouldn’t exist without their domain names.

  4. one says:

    PASS THIS LAW! IT IS ESSENTIAL!

  5. Anonymous says:

    Not sure why it’s claimed personal data (“identification data”) will not be published. Maybe that’s ITRE’s position as of now?

    LIBE and IMCO (which has an absolutely absurd position on this) both agree personal data should be published in violation of GDPR Article 25. IMCO is presumably supposed to consider the “consumer protection” aspect of this, but that’s nowhere to be found. Instead, we get the contrary. The other committees don’t appear to have a position on this matter.

    Surprisingly, the Commission’s proposal is the voice of reason here.
