Privacy activists oppose new draft EU NIS Directive • The Register

The European Union has angered privacy activists over proposals to put real names and contact details back into Whois searches, as part of its Networks and Information Systems Directive (NIS).

The European Commission’s draft update on the NIS Directive has slowly passed through the bloc’s bureaucracy, and this week German Pirate Party MEP Patrick Breyer declared it “A big step towards the abolition of anonymous posts and Internet leaks.”

Why? Because the explanatory memorandum to the draft directive [PDF] states that domain registries will “establish policies and procedures for the collection and maintenance of accurate, verified and complete registration data, as well as for the prevention and correction of inaccurate registration data.”

What will not happen, however, is the free publication of names and contact details. Currently, the draft Article 23 text states: “Member States shall ensure that TLD registries and entities providing domain name registration services for the TLD publish, without undue delay after registration of a domain name, domain registration data that is not personal data.”

This line in italics seems to have passed a very large number of very loud people by.

Data, data, everywhere, no drip

Doxxing domain name holders is what happened until 2018, when the EU’s General Data Protection Regulation came into force. Collecting and posting personal data online without registrants’ explicit consent to its posting violated GDPR, and as a result the regulation caused the death of the old, creaky protocol behind Whois.

Once a useful system in the early days of the World Wide Web, Whois showed who owned a given web domain name, listing their name, mailing address, zip code, and sometimes phone numbers as well. In recent years, unscrupulous registrars have stopped verifying the accuracy of information – and registrants have become less eager to pass it on as marketers scraped the data. The systems protecting Whois against abuse were sometimes quite poor.

Now, however, the EU, after spending a lot of time and effort defending its position, wants to enforce a GDPR-compliant form of Whois – something that Breyer of the Pirate Party has described as a license to create “death lists” as well as for “data theft and loss, stalking and identity theft, doxxing,” and more. He does not appear to have read draft Article 23 of the updated NIS Directive.

Chad Anderson, senior security researcher for threat intelligence firm DomainTools, told The Register: “For those who say it will be a hit for whistleblowers and activists: that’s hogwash because they should all be using Tor and pre-built sites anyway to protect their anonymity … Leaked sites will always exist and alternative registrars will always exist. All of the problems of keeping the internet private where activists can work have already been resolved.”

He added that the infosec industry has “found other ways to take the fingerprints of actors on the basis of tactics, techniques and procedures (TTP)”, saying:

Oddly, given the history, ICANN itself seems to disagree with the EU’s decision to restore a partial status quo. In a feedback note published on the website of the European Commission in March 2021, ICANN’s At-Large Advisory Committee declared that the plans of the draft NIS Directive for TLD registries were unworkable.

“Some or all of the registration data may never be stored by (or even presented to) the registrar. It will be held by a privacy or proxy provider. A proxy provider will not transmit the name of the actual registrant nor his contact. A privacy provider protects only contact data,” wrote the organization’s Alan Greenberg.

Have you seen him? Well, have you?

It seems that the current Article 23 is not causing much harm to those who have read it. The Internet Infrastructure Coalition, whose members include 123-Reg, GoDaddy and cPanel, as well as Amazon and Google, said it was most worried about who would make “justified requests” for Whois data rather than the concept of data collection.

Once enshrined in EU law, the directive is not a directly effective legal text either; EU member states must transpose it into their own laws to give it legally enforceable effects.

So much for the excited folks screaming about a new Whois leading to “death lists”. As currently worded, this simply means a return to pre-2018 Whois without publication of names and contact details – and it won’t lead to some sort of WWW concentration camp. ®
