EU ban on anonymous domain registration hailed by threat intelligence firm

“This raises the bar and makes it costly for easy cybercrime,” says DomainTools

Upcoming European Union regulations that would curtail anonymous domain registration have been welcomed by a security company despite concerns from some, including Germany’s top-level domain registry, DENIC.

Broad proposals to achieve a ‘high common level of cybersecurity across the Union’ and to update the 2016 Network and Information Systems (NIS) Directive would restrict anonymous domain registration, among other measures.

Anonymous domain registration is often associated with illegal activities, including the distribution of malware and hosting of phishing sites as well as the unauthorized distribution of copyrighted works.

Whois data

People or organizations registering domains are already systematically required to provide their name, email address and physical address. As it stands, this information is rarely verified, so registration under false or assumed names is commonplace.

The rule change would introduce provisions that would require domain registrars to collect more information from registrants and (essentially) verify that information.

This is necessary, in part, to ensure the stability of the Domain Name System (DNS), as explained in the draft regulation (PDF).

In order to contribute to the security, stability and resiliency of the DNS, Member States shall ensure that TLD registries and entities providing domain name registration services for the TLD collect and maintain accurate and complete domain name registration data in a dedicated database facility with due diligence subject to Union data protection law in relation to data which is personal data.

While broadly welcoming Article 23, which covers domain name databases and registration data, the German TLD registry DENIC expresses significant reservations about the proposals in its comments to the European Commission. It is concerned that collecting registration data may not necessarily help prevent abuse.

“Although accurate and complete registration data is already collected in the context and for the purposes mentioned in the previous paragraph, it is not clear to us how failure to do so would affect the security, stability or the resiliency of the DNS as such,” said DENIC.

The German registry added: “The holder identification does not provide information about the entity exercising actual technical control over the delegated namespace and even less about the entities providing content or services within that namespace.”

However, Chad Anderson, senior security researcher for DomainTools, a domain name and DNS-based cyber threat intelligence firm, said access to registration information would provide a vital tool for network security advocates.

“We’ve certainly found other ways to fingerprint actors based on tactics, techniques, and procedures (TTPs), but removing large swathes of domains related to a single individual is much faster when they can really relate to that individual and time is running out. more and more gasoline,” according to Anderson.

Anderson compares domain registration (a form of digital property) to operating a property registration system for homes.

Doxxing fears

According to German Pirate Party MEP Patrick Breyer, the plans could spell the end of “privacy whois” services for proxy domain registration, threatening the safety of activists and whistleblowers.

“This policy of blind identification of domain holders is a big step towards abolishing anonymous posts and internet leaks,” Breyer warned in a blog post.

“This policy puts website operators at risk, because anonymity alone effectively protects against data theft and loss, harassment and identity theft, doxxing and ‘death lists’.”

Concerns that domain registration would impact whistleblowers and activists are misplaced, according to Anderson of DomainTools.

“They should all be using Tor and pre-built sites anyway to protect their anonymity,” said Anderson, who added, “if anything, it will force them to use better operational security.”

More difficult, more expensive

Even though cybercriminals will still be able to hide behind companies or registrars in other countries once the regulations go into effect, the result will still be to make malicious activity more difficult and costly, says DomainTools.

Anderson concludes, “This raises the bar and makes it costly for easy cybercrime like Business Email Compromise (BEC) and ID phishing campaigns. Additionally, it reduces the attack zone left to watch as it reduces the number of registrars that attackers can use.”

The draft directive was amended (PDF) in March and can still be amended before ratification. The changes clearly specify that telephone numbers must be included in the information collected.

Member States shall ensure that the domain name registration data database infrastructure… contains relevant information, which includes at least the name of registrants, their physical and electronic addresses, as well as their telephone number, to identify and contact the registrants of the domain names and the contact points administering domain names under TLDs.

The amended measures also specify that registrars will be required to provide “domain name registration data, including personal data, upon duly substantiated request from legitimate access seekers, in accordance with Union data protection legislation” within 72 hours of receiving a request.

A full catalog of comments on the proposals can be found here.

The ITRE steering committee is expected to take a position on the proposals by the end of October. Even after this step, the bill still needs to be negotiated with the EU Council and may be subject to further amendments before entering into force.
