German Pirate Party member claims EU plans for a GDPR-compliant Whois v2 will lead to 'doxxing and death lists'

ICANN also dislikes it but web infrastructure firms don't really mind

The European Union has drawn the ire of privacy activists for proposals to put real names and contact details back into Whois lookups, as part of its Network and Information Systems (NIS) Directive.

The EU Commission's draft update to the NIS Directive has been slowly grinding through the bloc's bureaucracy, and this week German Pirate Party MEP Patrick Breyer declared it "a big step towards abolishing anonymous publications and leaks on the internet."

Why? Because the draft directive's explanatory memorandum [PDF] says domain registries will have to "establish policies and procedures for the collection and maintenance of accurate, verified and complete registration data, as well as for the prevention and correction of inaccurate registration data."

What won't be happening, however, is the free publication of names and contact details. Currently the draft text of article 23 states: "Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delay after the registration of a domain name, domain registration data which are not personal data."

That line, "which are not personal data", seems to have passed by an awful lot of very shouty people.

Data, data, everywhere, nor any drop to scrape

Doxxing domain registrants is what used to happen until 2018, when the EU's General Data Protection Regulation came into force. Gathering and publishing personal data online without registrants' explicit consent to publication of it was in breach of GDPR and therefore the regs caused the death of the creaky old protocol underpinning Whois.

Once a useful system back in the early days of the World Wide Web, Whois showed who owned a given web domain name, listing name, street address, postcode, and sometimes phone numbers too. In more recent years unscrupulous registrars stopped checking the accuracy of the information – and registrants became less keen on handing it over as marketers scraped the data. Systems protecting Whois from abuse were sometimes pretty poor.

Now, however, the EU, having spent considerable time and effort defending its position, wants to mandate a GDPR-compliant form of Whois – something the Pirate Party's Breyer described as licence to create "death lists" as well as carrying out "data theft and loss, stalking and identity theft, doxxing," and more. He appears not to have read draft article 23 of the updated NIS Directive.

Chad Anderson, a senior security researcher for threat intel firm DomainTools, told The Register: "For those that say this will be a hit to whistleblowers and activists: that's hogwash as they should all be using Tor and pre-built sites anyways to protect their anonymity... Leak sites will still exist and alternative registrars still exist. All of the problems for maintaining a private internet where activists can work have already been solved."

He added that the infosec industry has "found other ways of fingerprinting actors based on tactics, techniques, and procedures (TTPs)," saying:

For those that say this is a hit to privacy: this operates the same way it would if you were buying property anywhere else. Yes, it's digital property, but you should have to be responsible for that permissive SPF record allowing relay of malware spam in the same way you have to be responsive when there's a gas leak on physical property.
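Anderson's point about a "permissive SPF record" is a concrete, checkable thing: an SPF TXT record ending in `+all` or `?all`, or one that lists a 0.0.0.0/0 range, authorises any host on the internet to send mail as that domain. The following checker is an added example, not code from the article, DomainTools or any registrar, and the domain names and TXT records it inspects are constructed samples rather than real zone data. It parses an SPF record, reports the `all` qualifier, flags catch-all IP ranges and counts DNS-lookup mechanisms against the limit of 10 that RFC 7208 imposes.

```python
import re

# Constructed sample SPF TXT records for demonstration (not from any real zone).
SAMPLE_RECORDS = {
    "permissive.example": "v=spf1 +all",
    "neutral.example":    "v=spf1 include:_spf.example.net ?all",
    "strict.example":     "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "softfail.example":   "v=spf1 mx ~all",
    "openrange.example":  "v=spf1 ip4:0.0.0.0/0 -all",
    "nospf.example":      "",
}

# Mechanisms whose evaluation costs a DNS lookup; RFC 7208 caps these at 10.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")


def classify_spf(record):
    """Parse one SPF TXT record and return a verdict plus a list of issues."""
    record = record.strip()
    if not record.lower().startswith("v=spf1"):
        return {"verdict": "no-spf", "issues": ["no v=spf1 record published"]}

    issues = []
    all_qualifier = None   # qualifier on the terminal 'all' mechanism, if any
    lookups = 0

    for term in record.split()[1:]:
        t = term.lower()
        # A leading +, -, ~ or ? is the qualifier; '+' (pass) is the default.
        qualifier, body = (t[0], t[1:]) if t[0] in "+-~?" else ("+", t)

        if body == "all":
            all_qualifier = qualifier
        elif body.startswith(("ip4:", "ip6:")) and re.search(r"/0$", body):
            issues.append(f"{term} matches every address")

        # Strip ':host' and '/prefix' to get the bare mechanism name.
        name = body.split(":")[0].split("/")[0]
        if name in LOOKUP_MECHANISMS or body.startswith("redirect="):
            lookups += 1

    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")

    if all_qualifier in ("+", "?"):
        issues.append(f"'{all_qualifier}all' lets any host send as this domain")
        verdict = "permissive"
    elif any("every address" in i for i in issues):
        verdict = "permissive"
    elif all_qualifier == "~":
        verdict = "softfail"
    elif all_qualifier == "-":
        verdict = "strict"
    else:
        # No 'all' mechanism: unmatched senders get a neutral result (RFC 7208).
        issues.append("no 'all' mechanism; unmatched senders default to neutral")
        verdict = "permissive"

    return {"verdict": verdict, "issues": issues}


def audit(records):
    """Map each domain to the verdict for its SPF record."""
    return {domain: classify_spf(rec)["verdict"] for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        result = classify_spf(rec)
        print(f"{domain:22} {result['verdict']:11} {'; '.join(result['issues'])}")
```

In practice the `record` argument would come from a TXT lookup of the domain being audited; the checker deliberately does no network access so it can be run against exported zone data or a list of records collected elsewhere. A `strict` verdict only says the published policy is tight, not that the listed ranges are correct, so the output is a triage signal rather than a complete mail-authentication review.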

Bizarrely, given the history, ICANN itself appears to disagree with the EU's move to restore a partial status quo. In a feedback note published on the EU Commission website during March 2021, ICANN's At-Large Advisory Committee said the draft NIS Directive's plans for TLD registries were unworkable.

"Some or all of the registration data may never be stored by (or even presented to) the registrar. It will be held by a privacy or proxy provider. A proxy provider will not pass on either the name of the real registrant or their contact information. A privacy provider protects only the contact data," wrote the org's Alan Greenberg.

Did you read it? Well, did you?

It appears that the current article 23 isn't causing much harm to those who actually did read it. The Internet Infrastructure Coalition, whose members include 123-Reg, GoDaddy and cPanel, as well as Amazon and Google, said it was most worried about who would be making "justified requests" for Whois data rather than the concept of collecting the data.

Once rubberstamped into EU law, the directive isn't a directly effective legal text either; EU member states need to transpose it into their own laws to give it its legally enforceable effects.

So much for excitable people shouting about a new Whois leading to "death lists". As currently worded, all it means is a return to the pre-2018 Whois without publication of names and contact details – and that won't lead to some kind of WWW concentration camp. ®


Biting the hand that feeds IT © 1998–2021