The US government continues to be opposed to changes to Whois that it believes will have little benefit for consumer privacy and major benefits for cyber-criminals. The comments were made, again, in a speech by the NTIA’s Assistant Secretary of Commerce for Communications and Information, David J. Redl, at an FDA Online Opioid Summit in Washington, D.C. on 2 April.
In his speech, Redl said “the WHOIS is a resource that, prior to the GDPR, provided public access to domain name registration information, including contact information for the entity or person registering the domain name. This information is a critical tool that helps keep people accountable for what they do and put online. Law enforcement uses WHOIS to shut down criminal enterprises and malicious websites, including those that illegally sell opioids. Cybersecurity researchers use it to track bad actors. And it is a first line in the defense of intellectual property protection, including the misuse of opioid brand names.”
The European Union’s General Data Protection Regulation has been developed by the European Commission to give individuals more control over their data that businesses hold, including domain name Registries and Registrars. It also applies to businesses outside of the EU that hold data on citizens and residents of the EU. Its impact is far-reaching and penalties for breaches are severe – fines of up to €20 million or up to 4% of the annual worldwide turnover, whichever is greater.
“Unfortunately, when GDPR went into effect, those companies responsible for providing WHOIS stopped publishing much of the data because they feared it would make them vulnerable to the massive fines GDPR imposes for privacy violations. The U.S. government’s position on this is clear: the loss of a public WHOIS without a predictable and timely mechanism to access redacted information has little benefit for consumer privacy, and major benefits for cyber-criminals.”
But Redl says there has been some progress on this issue within ICANN. “First, ICANN put in place last year a temporary policy that clarified that WHOIS data should continue to be collected and reasonable access should be provided. This kicked off an intensive global multistakeholder discussion about how to develop a long-term solution. NTIA continues to actively push U.S. interests in these discussions. In March, policy recommendations were finalised and submitted to the ICANN Board for approval.”
Redl says he wants “to congratulate the people who have worked on developing these policy recommendations for how to handle the processing of WHOIS information in a manner that is compliant with GDPR. This was the first step we needed to ensure that the WHOIS system is preserved.”
“However, it must be noted, issues remain. Yet to be addressed is development of a technical solution, and policies associated with disclosure and access to non-public WHOIS information. Now it is time to deliberately and swiftly create a system that allows for third parties with legitimate interests, like law enforcement, IP rights holders, and cybersecurity researchers to access non-public data critical to fulfilling their missions. NTIA is expecting this second phase of the discussion to kick off in earnest in the coming weeks, and to achieve substantial progress in advance of ICANN’s meeting in Montreal in November.”
Redl concluded by saying the “NTIA remains a staunch defender of the free and open Internet. That’s not going to change. But we also aren’t going to turn a blind eye to the real issues that are raised by this freedom and openness.”
“We reject the notion that a free and open Internet must tacitly condone illegal activity. We believe there’s a path to solving these issues without turning our backs on innovation and prosperity. And that path begins with honest discussions and debates, with compromise and collaboration. So if you have concerns or solutions you’d like to offer, I invite you to talk to NTIA. We welcome all thoughtful approaches to building the Internet of the future.”