Cybersecurity: EU to ban anonymous websites
The EU is currently drafting legislation to increase cyber security (revised NIS Directive, in short “NIS 2”). According to this directive, the registration of internet domain names will in future require the correct identification of the owner in the Whois database, including name, address and telephone number. So far, registries such as denic do not register telephone numbers of the holders. The leading Industry Committee wants to additionally mandate “verification” of the registration data. The plans could mean the end of “whois privacy” services for proxy registration of domains, threatening the safety of activists and whistleblowers. The Home Affairs Committee is voting on the issue this week. The lead committee ITRE is expected to take a position at the end of the month.
MEP Patrick Breyer, shadow rapporteur in the opinion-giving LIBE Committee, warns against the proposal:
“This indiscriminate identification policy for domain holders is a big step towards abolishing anonymous publications and leaks on the Internet.
This policy endangers website operators, because only anonymity effectively protects against data theft and loss, stalking and identity theft, doxxing and ‘death lists’. The right to anonymity online is particularly indispensable for women, children, minorities and vulnerable persons, victims of abuse and stalking, for example. Whistleblowers and press informants, political activists and people in need of counselling, fall silent without the protection of anonymity. Only anonymity prevents the persecution and discrimination of courageous people in need of help and ensures the free exchange of sometimes vital information. If Wikileaks activists, for example, had had to register the platform’s website in their name, they would have been immediately prosecuted in the United States.
I welcome the aim of increasing network security. But indiscriminate identification has nothing to do with network security. That is why my group and I are calling for the deletion of the identification requirement from the draft Directive.”
German registry Denic criticises the proposed registration requirements while ICANN wants to extend them.
✊ What you can do
The lead industry committee ITRE finally adopted the position of the European Parliament on October 28. Now you can write to the permanent representations of your member state, as the approval of the member states is pending.
This dossier is commonly referred to as “NIS 2 Directive”. The problematic provision is Article 23 (see below for the wording proposed by the LIBE committee).
To avoid misunderstandings: the identification data are not to be published, but they are to be disclosed to third parties on a “duly justified” request by a “legitimate access seeker” (paragraph 5 below), i.e. on the basis of a “legitimate interest”. Such a justification is easy to construct. Moreover, the data must be collected, verified and stored by every registry and registrar regardless of whether they are published, so a breach of those databases exposes all of it at once. Therefore, the security of activists, threatened and harassed persons, and many more is at risk.
Full text of provision as recommended by ITRE
(bold print marks changes compared with the Commission’s proposal)
Database structure of domain names and registration data
1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall require TLD registries and entities providing domain name registration services to collect and maintain accurate, verified and complete domain name registration data in a database structure operated for that purpose.
2. Member States shall ensure that the database structure of domain name registration data referred to in paragraph 1 contains relevant information, which shall include at least the registrants’ name, their physical and email address as well as their telephone number, to identify and contact the holders of the domain names and the points of contact administering the domain names under the TLDs.
3. Member States shall ensure that TLD registries and entities providing domain name registration services have policies and procedures in place to ensure that the database structure includes accurate, verified and complete information. Member States shall ensure that such policies and procedures are made publicly available.
4. Member States shall ensure that TLD registries and entities providing domain name registration services make publicly available, without undue delay after the registration of a domain name, domain registration data which are not personal data. For legal persons as registrants, the domain registration data publicly available shall include at least the registrants’ name, their physical and email address as well as their telephone number.
5. Member States shall require TLD registries and entities providing domain name registration services to provide access to specific domain name registration data, including personal data, upon duly justified requests of legitimate access seekers, in compliance with Union data protection law. Member States shall require TLD registries and entities providing domain name registration services to reply without undue delay and in any event within 72 hours upon the receipt of the requests for access. Member States shall ensure that policies and procedures to disclose such data are made publicly available.
(59) Maintaining accurate, verified and complete databases of domain names registration data (so called ‘WHOIS data’) is essential to ensure the security, stability and resilience of the DNS, which in turn contributes to a high common level of cybersecurity within the Union, and for tackling illegal activities. TLD registries and entities providing domain name registration services should therefore be required to collect domain name registration data, which should include at least the registrants’ name, their physical and email address as well as their telephone number. In practice, the collected data may not always be thoroughly accurate, however TLD registries and entities providing domain name registration services should adopt and implement proportionate processes to verify that natural or legal persons requesting or owning a domain name have provided contact details on which they can be reached and are expected to reply. Using a ‘best efforts’ approach, these verification processes should reflect the current best practices used within the industry. Those best practices in the verification process should reflect the advances being made in the electronic identification process. The TLD registries and entities providing domain name registration services should make publicly available their policies and procedures to ensure the integrity and availability of the domain name registration data. Where processing includes personal data such processing shall comply with Union data protection law.
(60) TLD registries and entities providing domain name registration services should be required to make publicly available domain name registration data that does not contain personal data. A distinction should be made between natural and legal persons. For legal persons, TLD registries and entities should make publicly available at least the registrants’ name, their physical and email address as well as their telephone number. The legal person should be required to either provide a generic email address that can be made publicly available or give consent to the publication of a personal email address. The legal person should be able to demonstrate such consent at the request of TLD registries and entities providing domain name registration services.
(61) The availability and timely accessibility of the domain name registration data to legitimate access seekers is essential for cybersecurity purposes and tackling illegal activities in the online ecosystem. TLD registries and entities providing domain name registration services should therefore be required to enable lawful access to specific domain name registration data, including personal data, to legitimate access seekers, in accordance with Union data protection law. Legitimate access seekers should make a duly justified request to access domain name registration data on the basis of Union or national law, and could include competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, and national CERTs or CSIRTs. Member States should ensure that TLD registries and entities providing domain name registration services should respond without undue delay and in any event within 72 hours to requests from legitimate access seekers for the disclosure of domain name registration data. TLD registries and entities providing domain name registration services should establish policies and procedures for the publication and disclosure of registration data, including service level agreements to deal with requests for access from legitimate access seekers. The access procedure may also include the use of an interface, portal or other technical tools to provide an efficient system for requesting and accessing registration data. With a view to promoting harmonised practices across the internal market, the Commission may adopt guidelines on such procedures without prejudice to the competences of the European Data Protection Board.
Wonder who’s sponsoring this directive.
Maybe the copyright lobby and related lawyers? So they can get ahold of people who use domain names that they want for their companies easier.
The compromise text is different.
Secondly, there’s no such thing as anonymous websites.
The NIS2 directive proposal has some articles on domain names but is certainly not solely about the DNS ecosystem.
Domain names can be used for websites, email and many other applications on the Internet but are NOT synonymous with websites.
Anonymously using the internet is not the same as owning a domain name. Domain names are unique alphanumeric identifiers and form an integral infrastructural part of the internet. Facebook, Google, Microsoft, booking.com, wouldn’t exist without their domain names.
What do you mean?
PASS THIS LAW! IT IS ESSENTIAL!
Not sure why it’s claimed personal data (“identification data”) will not be published. Maybe that’s ITRE’s position as of now?
LIBE and IMCO (which has an absolutely absurd position on this) both agree personal data should be published in violation of GDPR Article 25. IMCO is presumably supposed to consider the “consumer protection” aspect of this, but that’s nowhere to be found. Instead, we get the contrary. The other committees don’t appear to have a position on this matter.
Surprisingly, the Commission’s proposal is the voice of reason here.