The European Union has drawn the ire of privacy activists for proposals to put real names and contact details back into Whois lookups, as part of its Network and Information Systems (NIS) Directive.
The EU Commission's draft update to the NIS Directive has been slowly grinding through the bloc's bureaucracy, and this week German Pirate Party MEP Patrick Breyer declared it "a big step towards abolishing anonymous publications and leaks on the internet."
Why? Because the draft directive's explanatory memorandum [PDF] says domain registries will have to "establish policies and procedures for the collection and maintenance of accurate, verified and complete registration data, as well as for the prevention and correction of inaccurate registration data."
What won't be happening, however, is the free publication of names and contact details. Currently the draft text of article 23 states: "Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delay after the registration of a domain name, domain registration data which are not personal data."
That qualifying clause, "which are not personal data", seems to have passed by an awful lot of very shouty people.
Data, data, everywhere, nor any drop to scrape
Doxxing domain registrants is effectively what happened until 2018, when the EU's General Data Protection Regulation came into force. Gathering and publishing registrants' personal data online without their explicit consent to publication breached GDPR, and so the regulation killed off the creaky old protocol underpinning Whois.
Once a useful system back in the early days of the World Wide Web, Whois showed who owned a given web domain name, listing name, street address, postcode, and sometimes phone numbers too. In more recent years unscrupulous registrars stopped checking the accuracy of the information – and registrants became less keen on handing it over as marketers scraped the data. Systems protecting Whois from abuse were sometimes pretty poor.
Now, however, the EU, having spent considerable time and effort defending its position, wants to mandate a GDPR-compliant form of Whois – something the Pirate Party's Breyer described as licence to create "death lists" as well as carrying out "data theft and loss, stalking and identity theft, doxxing," and more. He appears not to have read draft article 23 of the updated NIS Directive.
Chad Anderson, a senior security researcher for threat intel firm DomainTools, told The Register: "For those that say this will be a hit to whistleblowers and activists: that's hogwash as they should all be using Tor and pre-built sites anyways to protect their anonymity... Leak sites will still exist and alternative registrars still exist. All of the problems for maintaining a private internet where activists can work have already been solved."
He added that the infosec industry has "found other ways of fingerprinting actors based on tactics, techniques, and procedures (TTPs)," saying:
For those that say this is a hit to privacy: this operates the same way it would if you were buying property anywhere else. Yes, it's digital property, but you should have to be responsible for that permissive SPF record allowing relay of malware spam in the same way you have to be responsive when there's a gas leak on physical property.
Bizarrely, given the history, ICANN itself appears to disagree with the EU's move to restore a partial status quo. In a feedback note published on the EU Commission website during March 2021, ICANN's At-Large Advisory Committee said the draft NIS Directive's plans for TLD registries were unworkable.
"Some or all of the registration data may never be stored by (or even presented to) the registrar. It will be held by a privacy or proxy provider. A proxy provider will not pass on either the name of the real registrant or their contact information. A privacy provider protects only the contact data," wrote the org's Alan Greenberg.
Did you read it? Well, did you?
It appears that the current article 23 isn't causing much harm to those who actually did read it. The Internet Infrastructure Coalition, whose members include 123-Reg, GoDaddy and cPanel, as well as Amazon and Google, said it was most worried about who would be making "justified requests" for Whois data rather than the concept of collecting the data.
Even once rubberstamped into EU law, the directive is not a directly effective legal text; EU member states must transpose it into their own legislation before it has any legally enforceable effect.
So much for excitable people shouting about a new Whois leading to "death lists". As currently worded, all it means is a return to the pre-2018 Whois without publication of names and contact details – and that won't lead to some kind of WWW concentration camp. ®