The European Commission has suggested that law enforcement authorities could soon have restricted access to the WHOIS database that identifies website owners because the system is on a collision course with the EU’s strict new data protection law.
Law enforcement authorities have complained to the Commission about plans to change the system in May because they rely on WHOIS to look up a “significant number” of websites every week as part of criminal investigations.
But the Commission has warned that the sweeping new EU data protection regulation set to take effect on 25 May will mean that at least some personal information about website owners may no longer be displayed in WHOIS directories.
The WHOIS system is publicly available and contains names, email addresses, phone numbers and other information identifying people who registered internet domain names.
It has sparked a dispute between police forces and privacy activists, and the Commission has waded in to press for reforms from the Internet Corporation for Assigned Names and Numbers (ICANN), the non-profit organisation that requires information about people who register websites to be available in WHOIS databases.
The online directories of personal information are likely to clash with the new EU law, which requires a specific justification for an organisation to obtain Europeans’ personal data.
Three Commissioners wrote to ICANN on 29 January to ask for changes to the system that might “consist in a limitation of the number of records that can be accessed per a given time period”.
The letter from EU Home Affairs Commissioner Dimitris Avramopoulos, Justice Commissioner Vera Jourova and Security Commissioner Julian King suggested that ICANN could restrict access to certain kinds of data. The EU executive suggested several possibilities for reforming the database, and asked that any restrictions “meet the needs of law enforcement in particular with respect to high volumes of requests and swiftness of access”.
“There is a need to comply with the GDPR,” the Commissioners wrote, referring to the data protection regulation.
Law enforcement authorities are up in arms over the threat of having limited access to information to identify people who run websites.
Last month, EC3, the cybercrime division of EU police agency Europol, sent ICANN a document describing its position on the overhaul. The agency asked that no access restrictions be placed on analysts who use WHOIS to prevent cybersecurity breaches, citing investigators’ use of the database after last year’s WannaCry hacking and an attack on Deutsche Telekom’s networks that affected 900,000 customers.
WHOIS “is an essential element of the cybersecurity community’s efforts to maintain the overall security and stability of the global internet, and any loss of access would seriously degrade these efforts,” EC3 wrote.
Any restrictions to WHOIS could also have effects outside the EU. In its response to ICANN’s proposals, the US government warned that it “cannot accept a situation whereby the WHOIS system is fractured” if, for example, new rules apply only to websites registered in Europe.
In January, ICANN published a list of three options it is considering to reform WHOIS, which include a system for very limited data access by legal and court order, an accreditation programme, and a simpler process allowing people who self-certify to use the directories.
The Commission has told ICANN that it prefers a combination of the three options to break the WHOIS deadlock. On 23 January, diplomats from EU member states approved a solution that’s similar to the Commission’s demands, according to one source with knowledge of the agreement.
The EU executive is now facing a backlash. Privacy campaigners blasted the Commission for giving too much weight to law enforcement authorities’ concerns.
“We’d have wished for the Commission to have defended the GDPR with more teeth,” said Maryant Fernández Pérez, a policy advisor at the NGO European Digital Rights, which submitted a recommendation favouring the most restrictive of ICANN’s proposals to make the database private.
Fernández pointed to the Commission’s suggestions for reforming WHOIS to benefit law enforcement and the intellectual property industry. But details on the privacy rights of people who register domain names were thin.
WHOIS has been scrutinised by European privacy regulators before. In December, the powerful umbrella group of EU data protection watchdogs warned ICANN in a letter that “the unlimited publication of personal data of individual domain name holders raises serious concerns regarding the lawfulness of such practice”.
ICANN wants to announce by the end of the month how exactly it will make the system more private. That would give three months’ notice about the reform to any WHOIS directories that display personal data about website owners, since they will need to comply with new privacy rules by the time the EU law kicks in.
But that timeline has also sparked controversy.
The Commission suggested that ICANN should wait to announce a solution until after it holds a large meeting in mid-March with its stakeholders, a group that includes academics, NGOs and tech lobbyists.
“We consider that it would be better to delay ICANN’s final decision on the interim model while keeping the current momentum, so that it is possible to arrive at a good solution for all parties involved,” the Commission wrote in its six-page analysis of ICANN’s proposals.
A spokeswoman for ICANN said the Commission’s suggestion to wait one extra month before deciding would leave too little time to make the system private.
“Anything shorter will give them less time to prepare,” she said.