|
The European Union (EU) has set a high bar by tackling domain name system (DNS) abuse head on via government regulation and seems to have successfully resisted attempts to water down DNS stewardship obligations. Recent guidance from a key European Commission cooperation group (the NIS Cooperation Group) handling sections of the Network and Information Security Directive (NIS2) intends for a robust implementation of Article 28, which will go a long way toward helping to mitigate some of the longstanding problems that persist in the DNS.1
The cooperation group advising EU member states on transposition of Article 28—the NIS2 article critical to those in the domain name industry—clarifies the treatment of domain name registration data (“WHOIS”) under the General Protection Data Regulation (GDPR) and establishes specific duties for all parties along the domain name supply chain to fulfill:
While these measures certainly do not go as far as they could in terms of the strength of available anti-abuse tools, they’re a significant improvement over the status quo, which offers very little to parties seeking to protect end users, businesses, rights holders, and others suffering from online criminal behavior. European regulators understand that while cybercrime is seemingly always on the increase, they would be negligent to not equip responsible authorities with the tools they need.
Detractors will no doubt say these steps are too burdensome for them to put in place, that they’ll unreasonably drive-up registration costs, that the criminals are too smart or too evasive to get caught in this intensified net, or come up with some other excuses for not acting. However, the time for arguing is over—the good guys need backup against the bad guys, and right now the bad guys have the upper hand thanks to lax registration requirements and the lack of access to accurate WHOIS data. A fresh set of tools will undoubtedly help. There’s no excuse for not trying.
Belgian authorities have advanced helpful requirements via their full transposition of Article 28 into their national law, including:
This reads like the consumer protection law that it is shaping up to be and is very much needed. This is a strong development—consumers and businesses need to know about unscrupulous businesses online.
Industry authorities continue to weigh in as well on the practicalities of NIS2’s requirements. For example, refer to Recital 110 of NIS2, which defines “legitimate access seeker(s)” of domain name registration data (commonly known as WHOIS) as “any natural or legal person making a request pursuant to Union or national law.”
As expressed in a letter dated May 2024, Amy Cadagin, Executive Director of the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) stated:
“It is the experience of M3AAWG members that law enforcement agencies often collaborate with and rely upon independent researchers and non-governmental organizations to track and combat illegal online activity.”2 Cadagin added that that “This is consistent with the approach taken by the European Cybercrime Centre, which aims to engage public and private sector stakeholders whose skills, resources, and reach are needed alongside law enforcement efforts to create a safer digital environment.”3
Members of our coalition, plus the countless others that have been desperate for help for many years, are grateful for the European Commission coordination group’s and Belgium’s robust national law implementation as well as the authoritative voices of those on the front lines of abuse. We hope that other EU Member States will follow the excellent example that Belgium has set and will continue to heed good advice when offered. We look forward to continuing the battle against DNS abuse, both within the ICANN sphere and with governmental partners in the months to come.
Sponsored byVerisign
Sponsored byRadix
Sponsored byDNIB.com
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byIPv4.Global
I guess onlineaccountability.net could use SSL/TLS so we could know whether we are looking at the real website or at a forgery ?
Also, it’s curious that it seems WHOIS data is for a different organization:
Registrant:
Name: PERFECT PRIVACY, LLC
Email: .(JavaScript must be enabled to view this email address)
Whois Server: whois.register.com
Phone: +1.5707088622
Mailing Address: 5335 Gate Parkway care of REGISTER.COM, Jacksonville, FL, 32256, US
Rubens,
Thank you for pointing this out.
The information on onlineaccountability.net has now been unmasked, and we will add a SSL certificate as well.