The European Union is drafting a directive that proposes to ban anonymous domain name registration. The European Parliament’s proposal will add provisions to force top-level domain name (TLD) registries and other domain name registration services to collect and maintain accurate and complete domain name registration data. Such entities will need to allow “efficient access” to the registration data for legitimate access seekers.
The measure is part of an overall effort to boost cyber resilience and incident response capacities of all European entities. BleepingComputer reported this update earlier.
What is domain registration? What will change?
A domain name is the name of any online website. e.g. www.mylawrd.com. The owner of this domain name will buy it from a domain name system (DNS) service provider, let’s say GoDaddy. At the time of selling the domain, GoDaddy will collect information such as the name of the registrant, email, address, and phone number.
However, GoDaddy does not verify this information. As such, any person can provide false information and stay anonymous. While this is true for activists, whistleblowers, and journalists, it is also true for malware operators and pirated content distributors.
Since the directive proposes to collect and maintain “accurate and complete domain name registration data”, GoDaddy will now need to verify the data that a registrant provides.
The directive reads:
“Maintaining accurate and complete databases of domain names and registration data (so called ‘WHOIS data’) and providing lawful access to such data is essential to ensure the security, stability and resilience of the DNS, which in turn contributes to a high common level of cybersecurity within the Union.”
Timely access to these records will help law enforcement to prevent, investigate, and prosecute criminal offenses, especially cybersecurity incidents. It should ensure that the data contains relevant information to “identify and contact the holders of the domain names”. Further, the directive also says that such access should comply with the data protection regime.
Allowing “Efficient Access”
DNS providers will need to respond to any law enforcement request regarding registrant data without any delay. Such entities will also need to establish policies and access procedures, which may include the use of an “interface, portal, or other technical tool” for requesting and accessing registration data.
The EU Parliament’s Committee on Industry, Research and Energy has also prepared a draft report on the proposed directive.
The Internet Corporation for Assigned Names and Numbers (ICANN) is supporting the directive. It has also suggested ways in which the provisions can be strengthened and help prevent unintended consequences.
If adopted, the directive may force those seeking complete anonymity to make their way towards the dark web.