back to article German Pirate Party member claims EU plans for a GDPR-compliant Whois v2 will lead to 'doxxing and death lists'

The European Union has drawn the ire of privacy activists for proposals to put real names and contact details back into Whois lookups, as part of its Network and Information Systems (NIS) Directive. The EU Commission's draft update to the NIS Directive has been slowly grinding through the bloc's bureaucracy, and this week …

  1. Joe W Silver badge

    Checking at least some details?

    OK, I am not holding my breath, but wouldn't it be nice to be able to pinpoint nefarious activity on domains (registered to phish or scam, complete with copies of real homepages to deceive the mark) to persons? Having some way to get that information definitely would be helpful in some cases. Considering it should have been done that way before 2018 (gosh, that long ago?), but did not work as intended I feel disinclined to have that info accessible.

    And let's not start looking at what "legimate interest" might mean... (other than a red flag for any reader)

    1. Graham Cobb Silver badge

      Re: Checking at least some details?

      Crims will have (throwaway) front organisations (many in corrupt countries) to do registration. Political campaigners in Belarus and other authoritarian countries will be arrested.

      The rest of us will just be harassed.

      1. Ken Hagan Gold badge

        Re: Checking at least some details?

        Knowing that the website you are using is owned by someone in a country that you don't trust is still useful information. You can't tell that from the TLD, so other mechanisms might be useful.

        1. doublelayer Silver badge

          Re: Checking at least some details?

          It's not hard to set up a front organization in a country you think you trust. The organizations who sell anonymization services or did so before GDPR made that generally applicable were located all over the place. I remember several based in Canada, the U.S., France, and Denmark. Would you trust any of those countries? If not, I wonder what your list is and whether you really checked sites for presence on it.

    2. elsergiovolador Silver badge

      Re: Checking at least some details?

      Isn't that information already available to law enforcement?

  2. Mike 137 Silver badge

    WHOIS not alone

    If the WHOIS database contravened the GDPR, does not the UK companies registry still do so? It lists all directors by name and role, which is fundamentally personal data. The difference is that the companies registry doesn't try to rely on consent as its lawful basis for processing. If ICANN had chosen an alternative lawful basis for transactions involving EEA registrants (e.g. contractual necessity or legitimate interest) the whole debacle could have been avoided.

    A simple opt out mechanism for special cases would have then been sufficient.

    1. Anonymous Coward
      Anonymous Coward

      Re: WHOIS not alone

      "UK companies registry"

      I'm not very happy that they show my details to all and sundry who query my company including my full name and my wife's name, our dates of birth, address and even scans of our signatures. It's a free gift to identity thieves and scammers.

      1. Anonymous Coward
        WTF?

        Re: WHOIS not alone

        I am really quite confused about your post, since the public register doesn't show your date of birth, just the month and year, and it shows a correspondence address which doesn't have to be your home address.

        You have to have some company officer sign a form to, for example change the company name, which is scanned and published, but there is certainly no requirement for all of the officers to all provide signatures which are then published, for example on the accounts.

        1. doublelayer Silver badge

          Re: WHOIS not alone

          Birth month and year is bad enough, especially as I see no reason the public needs to know that when investigating a company. As for the address, that's great for a company that has its own premises somewhere, but if it's a small one where all the workers work from home or it exists for a freelance person to organize contracting work, then they won't have one. Should they be obliged to rent some external address to receive post just so their real address where they can already receive post won't be publicized?

          1. Ken Hagan Gold badge

            Re: WHOIS not alone

            I think the usual practice is to have a registered address at your lawyer's office, where papers can be served. The company HQ could be somewhere else entirely, even for quite large orgs.

          2. Anonymous Coward
            Happy

            Re: WHOIS not alone

            >Birth month and year is bad enough, especially as I see no reason the public needs to know that when investigating a company.

            The reason is so obvious that I cannot understand your difficulty - the birth month and year makes it easier to identify, or at least substantially narrow down, particular individuals with common names, since there are plenty of company directors called John Smith and they aren't all the same person.

            It is usual to use the address of the accountant who does your company books as the registered office of the company, and if you want the correspondence address for its directors. However, if you do your own books, or your business receives a large amount of correspondence that you don't want mixed with your private mail, then it does not take a huge leap of imagination or vast expense to hire a mailbox address.

            1. doublelayer Silver badge

              Re: WHOIS not alone

              And why might you need to narrow down the company director without the extra access, and if you do, why is it birth month and year that you should use as a key? That is not a very good key, as people could share that data as well and it is of use to scammers. Eliminate those issues by instead having a company director number, which is randomly assigned to a unique person so you can immediately see any other companies they have registered but you can't use it to pose as them. Risk of collision: zero, so it's a better tool for your use case. Risk of abuse: significantly lower.

              1. NATTtrash

                Re: WHOIS not alone

                Maybe I'm getting too old for this, or maybe I just don't get it, but I don't understand the issue to begin with.

                Should the owner of a domain be registered: yes, because it is property, and that has to be recorded. Just like you own a house, plot of land, or a car.

                Should this information of your ownership be available to world + dog? Well, look at those other examples; can you track down, as a plain Joe member of the public, track down the owner of a house, car by its reg/ address, within 2 secs through a open, public access dbase at your finger tips? I know I'm on thin ice here geographically, but no, I think it is a very strong case if you say it shouldn't be possible.

                Should a point of info be available where, if valid, such info can be retrieved (e.g. registrar, DVLA): yes, that would be reasonable.

                Again, I realise I might have a geographic and/ or occupational deformation, but putting "all" on the net for me is similar to those cases where some cockwomble left 3 boxes with medical records at the bus stop. But I assume some here might also not have an issue with that? ;)

                1. Anonymous Coward
                  Happy

                  Re: WHOIS not alone

                  >can you track down, as a plain Joe member of the public, track down the owner of a house

                  You certainly can track down the owner of a house in the UK within a couple of minutes for the princely sum of £3. And very useful it is too, particularly if the occupier is not the owner, and e.g. the property's tree roots are damaging your buildings.

                  1. NATTtrash

                    Re: WHOIS not alone

                    I'm sure it is...

                    That why I wrote "I realise I might have a geographic and/ or occupational deformation".

                    But I suppose the argument I'm trying to make is that we all have some convenient situation where it is to our benefit. But what about those where it isn't that convenient to you? Or appropriate? Or desired? I'm not on a crusade here. Just suggesting a moment to stop and think. But looking at the usual level of <rant> against e.g. OS spinal data taps here, I'm sure this is a superfluous remark ;)

              2. Anonymous Coward
                Happy

                Re: WHOIS not alone

                Assigning a unique ID to each John Smith who is a company director does not help identify directorships of a particular John Smith that a member of the public wants to find out about.

                The controllers of companies have no more right to anonymity than politicians. You may disagree with director's identities being published that but it came about through bitter experience, and anonymous companies are a major problem with many jurisdictions, particularly as a vehicle for hiding serious criminality.

                1. doublelayer Silver badge

                  Re: WHOIS not alone

                  I don't support anonymous companies, though I can see a case for companies that a member of the general public can't identify, leaving that to law enforcement. But I'm not going to argue that point right now; we can proceed with the idea that the public should have instant access to the identities creating any company. In which case, a unique number is much better than birth month and year. If two John Smiths born in May 1981 open companies, you could confuse them. If John Smith 1285939 and John Smith 1287561 open companies, you can't mistake them for one another. And in order to find all the companies with the former, you just search for that director number.

                  1. Paul Kinsler Silver badge

                    Re: WHOIS not alone

                    This is something of a tangent, but in science these days we use things like ORCID identifiers which help disambiguate authors with similar names.

                    I see no obvious reason why when registering a company (&etc) one might not also have to register for (or provide) some similar identifier to use as you just described.

    2. Graham Cobb Silver badge

      Re: WHOIS not alone

      Companies are for commercial activities. They are not necessary to start, or even run, a political campaign.

    3. LDS Silver badge

      "does not the UK companies registry still do so?"

      You'll need to change the laws that require a company administrator to be easily identified for legal reasons.

  3. LDS Silver badge

    "He appears not to have read draft article 23"

    He wasn't able to find it using BitTorrent from a pirate site so he actually didn't read it probably. Again he's just worried his favourite source of pirated material will be identified and closed.

    It's time to crackdown sites registered with fake data just to be used for illegal activities - ICANN doesn't like it because they know registrars will make far less money if crooks can't register websites by the sackful using stolen credit cards. They will probably move to use some dummies, but it will be more complex anyway.

    I'm perfectly fine with domain registration being vetted and corresponding to real people - I had to do it anyway twenty years ago because here that was the rule, and that's why I asked to hide them as soon as GDPR made it possible - there were my name, address and telephone number. Acceptable back then, not acceptable any longer.

    Of course as long as PII aren't published to dogs & pigs, and available only under very specific rules.

    1. Graham Cobb Silver badge

      Re: "He appears not to have read draft article 23"

      If crooks are using a sack of stolen credit cards they already have enough info to put in a false name and address. Either they already know the name and postcode (most online credit card transactions) or the provided name and postcode are not being validated. A (stolen) credit card which validates will be enough to convince any registrar that the provided name and address are valid.

      1. LDS Silver badge

        Re: "He appears not to have read draft article 23"

        Depends. If additional proof of identity are required that may not be enough. Here a credit card is not enough to prove your identity.

        1. Graham Cobb Silver badge

          Re: "He appears not to have read draft article 23"

          It will be enough to prove your identity to a domain registrar. They aren't the police or a bank. I really don't think anyone is proposing anti-money-laundering levels of proof to be required.

          1. LDS Silver badge

            Re: "He appears not to have read draft article 23"

            That depends on the rules and laws. There are many other services or goods you can't buy simply exhibiting a credit card - and even if they are not a bank or the police they can ask you a proof of identity.

            1. heyrick Silver badge

              Re: "He appears not to have read draft article 23"

              Indeed, it's quite common if one writes a cheque for over €50 to have to show an identity card or passport, and depending on how well the checkout girl knows the person (as in, don't harass a regular), a lot of the numbers and information from the ID may well be written on the back of the cheque.

              1. LDS Silver badge

                Re: "He appears not to have read draft article 23"

                I meant more buying things that are in some ways "regulated" and a owner needs to be identified. And tat may not depend on value. For example you can buy a 50k watch just showing your credit card, you can't buy a 50k car the same way - because a car owner needs to be registered because the law states so.

                That's also true for some services like telecommunications ones. As they need someone to be held responsible for misuse. And for example, it would be needed to force call centre to use a identifiable number and forbid them to rotate them among many numbers difficult to trace, just like crooks do with websites.

                But I guess many will agree on the call centre issue, but won't on domains because they are driven by greed, and while they have no advantages by call centres calling them night and day, they want to keep on downloaded movies/music/games etc. without paying them. So it's not "protecting freedoms" - it's just "protecting ones' geed"...

                1. Graham Cobb Silver badge

                  Re: "He appears not to have read draft article 23"

                  Nope. If you sell a car privately you do not have to do any ID checks on the buyer - you just tell the DVLA to whom you sold it based on what they tell you.

                  By the way, I have never downloaded a movie, music or game to which I am not entitled - mostly because those things don't particularly interest me. However, I have registered domain names anonymously.

                  In any case, my point was that any ID regulations will do nothing to stop criminals -- they have the resources, expertise and experience to avoid them. They will just make it harder for campaigners, activists, journalists, womens refuges, asylum seekers and others to get their messages out safely.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: "He appears not to have read draft article 23"

                    You have to tell the government who you sold a car to?

                    In the US, you just sell the car. Put your signature on the back of the title, and hand it to the buyer. I've sold cars to people whose names I never even asked.

                    1. Richard 12 Silver badge

                      Re: "He appears not to have read draft article 23"

                      You have to tell them you're no longer the keeper, so they don't come to you when it's photographed speeding or leaving the scene of a hit-and-run.

                      I don't remember of you have to include a name and address of the new keeper.

                  2. LDS Silver badge

                    "If you sell a car privately you do not have to do any ID checks on the buyer"

                    Depends on the jurisdiction - UK is not the whole world and is not EU anymore too - and you still have to tell DVLA who you sold it to, and DVLA should make checks a private is not allowed to perform... and what happens if they found you did something illegal selling?

                    Something you don't have to do with other kind of products.

                    "I have registered domain names anonymously."

                    Maybe you had very good reasons to do that - maybe you didn't.

                    "will do nothing to stop criminals"

                    Utterly false. It won't stop criminals but it will make harder pursuing their illegal activities. Just like guns limitations don't stop all crimes but in countries that regulate guns there are far less gun crimes than in countries that don't regulate them. For the simple reason that not all criminals have the resources to source them easily.

                2. doublelayer Silver badge

                  Re: "He appears not to have read draft article 23"

                  "But I guess many will agree on the call centre issue, but won't on domains because they are driven by greed,"

                  Not my reasoning. For one thing, call centers will spoof IDs until the laws against that are enforced or the protocol is updated to prevent it. Requiring an ID to operate a phone number won't get either done.

                  Having a domain name without an identity connected to it doesn't make piracy much easier. The governments still have the ability to shut down the domain name and collect information such as the payment method used to register it. If you view IDs on items used to pirate media as a justified response, you would have to collect them for lots of other things. Internet connections, including temporary ones on a public network, for example. Also the equipment you use at the end of those lines, meaning all computers. You'd also want to identify any user of an online service which could share information, because they could put copyrighted information up there or identify the system on which it's found. You could make a case for registering each IP address and each general-purpose computer as a measure against copyright violation. I think that, if you did, it's a terrible idea and has several worrying risks, and I think they apply similarly with domain names.

                  In my opinion, there are few items dangerous enough that their purchase should be recorded for the use of law enforcement. Any item added to that list needs a lot of justification, and so far I haven't been convinced by any argument about domain names being that dangerous.

                  1. LDS Silver badge

                    "doesn't make piracy much easier."

                    It does - and not only piracy. There are reasons why some kind of goods and services are regulated and require someone taking responsibility of illegal activities using them, because they can have far larger and dangerous effects than others.

                    It's far more difficult to shutdown domain names when they can be created automatically using fake credentials and being unable to identify who's behind but with a lot of efforts. Did you give a look to the spam your receive? Phishing websites? Botnet and ransomware delivery and C&C? Frankly if it was only piracy it would be a far smaller issue.

                    While being anonymous can make sense in some contexts, it's being widely abused for illegal activities. It's not possible to allow online what is not allowed in the physical world. Can you open a shop wtihout being registered in many different "books"? Can you publish something physically without registering your publication and identifying who's responsible for it?

                    "registering each IP address and each general-purpose computer as a measure against copyright violation."

                    It's already done. ISPs have to keep records of who has that IP at a given time because of legal requirements. Just like keep track which number called which and when for the same reason. Again copyright violation is the smallest issue. There are far worse ones.

                    Just, most people are OK with the worse ones as long as they can get their pirated contents for free... a very myopic and selfish attitude.

                    Sure, it won't solve completely the issue, but why let crooks be able to hide very easily when there's little reason to allow that? A whistleblower or activists in danger registers their own domain to publish what they need? C'mon....

                    1. doublelayer Silver badge

                      Re: "doesn't make piracy much easier."

                      "It's far more difficult to shutdown domain names when they can be created automatically using fake credentials and being unable to identify who's behind"

                      If you're in law enforcement, it's not that difficult to shut down the accounts and go after their payment method, which is a lot harder to fake. Most of the time when they're not shut down, it's because nobody investigated them, not because they were just too good.

                      "Did you give a look to the spam your receive? Phishing websites? Botnet and ransomware delivery and C&C?"

                      Let's consider those then. Phishing is mostly coming from spoofed addresses, meaning they don't need to buy a domain name. Botnets almost never have domain names. Nodes in them may not even have dedicated IP addresses. C&C: domain names are more common here, but they're not either. If the malware writers put in an IP address, they can still route their C&C traffic there.

                      "It's not possible to allow online what is not allowed in the physical world."

                      It's very possible and often desirable.

                      "Can you open a shop wtihout being registered in many different "books"?"

                      Legally? Not exactly, but sort of. You could have an unofficial shop which doesn't operate as a business, doesn't have financial accounts, and doesn't own or rent property. So long as you tell the tax authorities about the money you make, that's fine. It gets more complex if you want to be bigger, but that small approach is entirely possible.

                      "Can you publish something physically without registering your publication and identifying who's responsible for it?"

                      Yes, without difficulty. 1) Buy a printer, 2) print a document several times, 3) distribute the paper however you like. Entirely legal. You are not required to register any publication, and you can still copyright it without having done so. The only places which require registration are authoritarian nightmares, and the method still works there too.

                      "copyright violation is the smallest issue. There are far worse ones. Just, most people are OK with the worse ones as long as they can get their pirated contents for free... a very myopic and selfish attitude."

                      Which I have stated that I don't support, and yet you seem to have such a low opinion of me. Your examples of worse ones were above, and they didn't use domain names, so you're not convincing me yet.

                      "Sure, it won't solve completely the issue, but why let crooks be able to hide very easily when there's little reason to allow that?"

                      Because anonymity is useful, and because despite what you've claimed, there is little reason to expect that removing it will prevent any crime. Meanwhile, I think domain names are so core to the functioning of the internet that people shouldn't have to be publicly identifiable to host one.

                      "A whistleblower or activists in danger registers their own domain to publish what they need? C'mon...."

                      They do, you know. If you're afraid that something will be removed if you publish it on a service, whether because it's illegal or just unpopular, then hosting it yourself works pretty well. If it is really illegal, law enforcement can have the domain name and hosting cut.

  4. rg287 Silver badge

    Are there not two issues going on here?

    Prior to 2018, public WHOIS reflected exactly the information that registrars gave them. This was not compliant with GDPR.

    But because people were already sick of this, proxy registrars popped up and only submitted their own details as a Privacy service.

    Article 23 does not merely provide a GDPR-compatible framework. It effectively bans proxy registrars and require the registrants details to be passed through to the registry - they just can't be published publicly.

    This is indeed a significant change. Rather than simply regulating how registries store and publish data, they're now telling them how to conduct their business and stipulating data they must collect. It's a significant step up in regulating the domain industry and one which the article somewhat glosses over in it's scathing dismissal of the (admittedly rather clickbaity) cries from privacy advocates.

    This statement:

    As currently worded, all it means is a return to the pre-2018 Whois without publication of names and contact details – and that won't lead to some kind of WWW concentration camp.

    Is not accurate. We're not going back to pre-2018. This is a new regime in which proxy registrars and "privacy services" are banned.

    Now as JoeW says, this is not necessarily a bad thing and it would be nice to be able to pinpoint certain bad actors.

    But realistically it means bad actors will just use TLDs outside the EU (such as such minor extensions like .com, .org or almost all gTLDs).

    1. Zippy´s Sausage Factory
      Unhappy

      I'm in agreement with this, but as usual I'm thinking about where the process leads.

      If the registrar has to collect and verify personal data, this concerns me. What then happens to that data? Who has access to it?

      It seems to me that having that database there provides a handy means of being able to censor private citizens own domains, should they wish to. Said something bad about the government? Following a "justified request" to your domain name provider, here comes the local police, knocking on your door, as a "friendly" reminder to be politer in future...

      And you know that if the EU starts doing it, it'll be cited as a precedent by other governments whose reminders won't be quite as "friendly".

      And that's what worries me.

      1. LDS Silver badge

        You mean just like registering a telephone number or asking for an internet connection and using to say/write something bad?

        Domain registrations ends up to the official registrar for each TLD. That's where data are stored and should be protected. They collect user data just like telcos do...

        1. Zippy´s Sausage Factory

          You're correct, but currently there's a mechanism for getting this information and it (usually) uses the courts to get a warrant / court order / whatever the local legal process entails.

          It's the bypassing of that safety net that worries me.

          1. LDS Silver badge

            "It's the bypassing of that safety net that worries me."

            Me too. It's clear that mandatory registrations of private data must be also protected by the law, and accessed only with a a warrant - or at least with enough safeguards to avoid them to be available to everybody and their dog - and especially the marketing/data hoarding worms.

            Nobody denies that. But that's different from saying there should be no control over domain registrations - and people who may have legal reason to identify who registered a domain should be able to do it - and I'm not talking about piracy, which is probably the smallest issue.

    2. SCP

      rg287: "Article 23 does not merely provide a GDPR-compatible framework. It effectively bans proxy registrars and require the registrants details to be passed through to the registry - they just can't be published publicly."

      I am not au fait with the details , rules, and procedures of domain registration.

      Does the change being proposed create any risk of an ownership battle occuring with domains currently registered through a proxy registrar? e.g. - if a proxy decides it will not continue to offer its service are there rules in place that will ensure that the current "actual holder" will be able to retain the domain registered via the proxy?

  5. Disgusted Of Tunbridge Wells Silver badge
    Facepalm

    EU: The GDPR

    EU: Now put all your information in plain text in a directory for anybody to look up

  6. Teejay

    So which way is it, then?

    I'm confused. Either the name and address are once again accessible to everyone, or they are not.

    In a time of deeply malignant cancel culture, anyone with a webpage that could excite the most excitable must thus, again, fear that his data lands on some crazy lists.

    This is either very real, or not.

    1. Doctor Syntax Silver badge

      Re: So which way is it, then?

      There's certainly a lot of surrounding verbiage in the PDF linked in the article bringing scope for confusion. However para 62, pp 26 to 27 seems clear enough: "TLD registries and the entities providing domain name registration services for them should make publically available domain name registration data that fall outside the scope of Union data protection rules, such as data that concern legal persons" (My added italics.)

      If it's protected by GDPR that protection is honoured. AFAICS it means that if scammylookingsite.de is registered to a company you can look it up and if mypersonalemail.de is registered to an individual you can't. Substitute uk for de and all bets are off, of course.

    2. elsergiovolador Silver badge

      Re: So which way is it, then?

      malignant cancel culture

      That's probably the point - Marxists in the EU want to chill the free speech using Chinese policies as their blueprint.

      Law enforcement already has access to WHOIS data.

  7. Anonymous Coward
    Anonymous Coward

    Colour me confused

    The article really isn't clear about the ultimate state of affairs, as is demonstrated by many confused and possibly misleading comments above.

    Me, I'll just continue using non-EU domain companies and non-EU TLDs, with the free privacy service that all _decent_ domain companies offer.

  8. msobkow Silver badge

    Well, one thing is for sure. When this is all said and done, someone is going to be unhappy because there is no way all the parties involved are going to end up getting their way...

    Personally I've found that "real registration information" does absolute SQUAT about ensuring content is sane and clean on a site. Even sites that have companies that check on the ids of their registrants still end up hosting spammers and the like from time to time. Sure they have a name to blame, but it isn't exactly hard to get fake id on the black market...

  9. ohmygod1

    Chad Anderson's comments are disappointing

    Tor is slow and inconvenient, so it is common for most whistleblowers to register their website both on clear net. Also the existence of an alternative does not justify the EU's stupid proposal. Worst of all, most of the registrars used by whistleblowers and activists are based on EU.(EX: njalla, Flokinet, PRQ) If Western countries, which have emphasized human rights and freedom, make these policies, where should activists go? China? Russia? North Korea?

    You said that alternative registrars still exist so all of the problems have been solved. If other countries followed the EU, what would you say then?

    Also, I don't know why he mentioned physical properties. If you're talking about responsibility for spam, it's enough for the registrar to suspend account. ISP records IP and the police can use it as evidence.

    Domains are not expensive properties like real estate or automobiles, and not used for tax evasion. It's just a $10 product. Do you always present your ID card and proof of address when shopping in the store?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022