
Who's there? A proposal in the European Union to hide the data of domain name owners

On May 25, the General Data Protection Regulation (GDPR) enters into force in the European Union. The regulation will change how companies operating in the EU store and process personal data. However, some of its provisions still raise questions in the community.

The Internet Corporation for Assigned Names and Numbers (ICANN) proposes to exclude information about domain owners (name, address, etc.) from WHOIS in order to bring the system into line with the GDPR.

We look at why this is necessary and who will be affected.

Why WHOIS is "not friendly" with the GDPR


The GDPR will replace the EU Data Protection Directive, which has been in force since 1995. The main feature of the new regulation is its stricter requirements for the storage and processing of personal data.

The regulation significantly expands the rights of individuals to control their own confidential information. Users will be better informed about how their personal data is used. They will be able to prohibit its processing and actively exercise the right to be forgotten. The GDPR provides for serious fines for companies that violate the new rules: up to 20 million euros or 4% of the organization's annual turnover.

The WHOIS network protocol, which is used to obtain registration data about domain name owners (their names and contact information), "conflicts" with the GDPR. ICANN concluded that under the new regulation this information is considered confidential, so publishing it openly can be interpreted as a violation of the new rules for processing personal data.


[Image: WHOIS data for wikipedia.org]

What ICANN proposes


Responsibility for administering WHOIS lies with ICANN. The corporation enters into agreements with thousands of domain registrars worldwide and requires them to provide reliable data. ICANN is now participating in the preparation of the new provisions of the GDPR and makes recommendations. One of them came from ICANN President and CEO Göran Marby.

To bring WHOIS into line with the GDPR, the proposal offers three models:

  1. The first model applies only within the European Economic Area. The personal data (PD) of domain owners will be hidden, but it will be available to people and organizations that prove they need this information. This model differs only slightly from the current one, but it does not describe the criteria for assessing whether access to PD is legitimate.
  2. The second is a multi-level system in which most of the data is closed, but a certain group of people can access it after passing accreditation.
  3. In the third, most of the PD is hidden. Access to it is possible only by court decision. This model meets the basic ideas of the GDPR.

From the point of view of an ordinary user who wants to use WHOIS, access to the personal data of domain name holders will look the same in all three cases: all information is closed, but an anonymous email address is provided. Mail sent to it is forwarded to the owner's real address.

Today WHOIS is used to contact administrators, resolve technical issues, conduct domain sales, and confirm a company's address. Law enforcement agencies also use this information. For example, data about the owners of domains linked to cyber attacks helps identify the criminals.

The development of an accreditation system is expected to fall to the Governmental Advisory Committee (GAC). According to ICANN, this will make it possible to comply with both the law and state interests.

ICANN also justifies the change by pointing out that WHOIS is used for spam, phishing, and other cybercrime. This activity mainly harms domain name holders, who are the registrars' clients. The registrars are therefore interested in revising the existing system.



Recently, ICANN announced that it will no longer sue registrars who do not publish personal data in WHOIS. GoDaddy, the world's largest domain name registrar, has already begun to hide personal data. The company's vice president explained that this protects customers from spam.

The fate of the initiative


Last week, ICANN's plan was rejected by the European Commission. This was done because ICANN's proposals are based on incomplete information about the GDPR. In addition, the need for such measures was not sufficiently substantiated and was not supported by statistics or analysis.

Another reason for the refusal was the fear of anonymous cybercrime. WHOIS data is a key tool in the fight against cybercrime. A model in which law enforcement agencies must obtain permission through the courts to access information hinders the prompt investigation of such cases. This position was taken by the Europol cybercrime center.

The anonymity of domain owners will also affect lawyers who work with intellectual property rights. WHOIS data helps them find people distributing pirated content. Journalists also often turn to WHOIS databases in their investigations. ICANN does not clarify whether they will be able to get accreditation.

Although the ICANN initiative was rejected, members of the European Commission recommended that the corporation continue working on new policies. It is therefore likely that discussion of this issue will resume soon.


Source: https://habr.com/ru/post/351918/

