New Lobby Against EU’s Domain-Name Privacy Rules Sparks Congressional Interest

A growing coalition of cybersecurity companies, consumer advocates, and anti-piracy groups are pushing for a new law to reopen the internet’s white pages—and lawmakers are intrigued.

The Internet Corporation for Assigned Names and Numbers has stopped updating its WHOIS database, sparking outcry from industry and advocacy groups.
Feb. 7, 2019, 8 p.m.

Eight months after Europe’s General Data Protection Regulation sent shockwaves across the tech industry, a new lobbying organization aiming to scuttle one of its most disputed provisions is gaining traction on Capitol Hill.

Since beginning its life last fall, the Coalition for a Secure and Transparent Internet has picked up the support of The App Association, the Motion Picture Association of America, the Recording Industry Association of America, the Alliance for Safe Online Pharmacies, the Center on Illicit Networks and Transnational Organized Crime, and several other high-profile groups.

And this week, its lobbyists spread out across the House and Senate, meeting with lawmakers from both parties to push draft legislation that would overrule the GDPR and reopen the public’s access to WHOIS domain-name data.

The WHOIS database is perhaps best understood as the internet’s white pages. It contains the identifying information for any individual or business who’s purchased a specific domain name online, including things like a name, address, and phone number. The database was publicly accessible from the advent of the internet to the dawn of the GDPR, allowing cybersecurity researchers and consumer advocates to trace nefarious activities from the websites hosting or perpetrating them to the real-world entities responsible.

But the database abruptly ceased updating once the GDPR came into effect last May. The Internet Corporation for Assigned Names and Numbers, the international body that regulates WHOIS, issued a temporary rule claiming that the GDPR prevented the public release of any new domain-name information.

And as ICANN mulls making that change permanent in the coming months, a growing chorus of industry and advocacy groups are calling on Congress to prevent “the open web” from becoming “the dark web.”

“It’s a great time to be a cybercriminal,” said John Horton, the chief executive of LegitScript, a company that tracks nefarious activity online.

During a House briefing organized by CSTI on Thursday, Horton laid out how websites selling OxyContin or other deadly opioids without a prescription can launder their illegal gains through legitimate-looking websites that appear to sell innocuous products. Access to the WHOIS database once enabled Horton’s firm and others to connect the dots between those sites, ultimately facilitating the tracking and apprehension of the people behind them.

The same goes for tracking the piracy of intellectual property—such as apps, music, and movies—and the monitoring and prevention of cybersecurity crimes. And Dave Piscitello, the longtime former head of security at ICANN, said WHOIS access was instrumental in tracking the Russian government’s online meddling during the 2016 presidential election.

“We can’t respond in the same manner that we were able to respond in,” Piscitello said, calling the situation “dire.”

Federal agencies, including the National Telecommunications and Information Administration and the Federal Trade Commission, are aware of the issue, with the NTIA in particular calling on ICANN to change course. But Libby Baney, a partner with Faegre Baker Daniels Consulting and one of the chief lobbyists for CSTI, said that process “continues to lag.”

So the coalition has turned to Congress. It’s pushing legislation that would require domain-name registrars who sell U.S. domains or operate in the U.S. to publish that information and make it searchable in a WHOIS database. The FTC would then levy any penalties for noncompliance. The coalition wants the law to apply only to commercial entities.

“If I’m selling things, placing bots, tracking people, collecting data, engaged in commerce, a consumer should have the ability to know who’s on the other side of that transaction,” Baney said. “It’s just basic consumer protection, and at scale, it has a real impact on cybersecurity investigations.”

The group stresses that it isn’t seeking to kneecap the GDPR or other online-privacy efforts, but to balance the need for privacy with the desire to keep the internet safe. “The benefits of anonymity exponentially accrue to the bad guys,” said Tim Chen, the chief executive of cybersecurity firm DomainTools.

A spokesman for ICANN declined to comment on the draft legislation or CSTI’s lobbying efforts.

The bill has yet to be picked up by lawmakers in either chamber, but there are powerful voices on both sides of the aisle whose interest has been piqued.

“Access to registrar data through WHOIS is critical to the ongoing security and resiliency of the internet,” said Rep. Doris Matsui, the Democratic vice chair of the Energy and Commerce Communications and Technology Subcommittee and cochair of the High Tech Caucus. “Acknowledging the important individual privacy interests involved, access to WHOIS information for legitimate purposes must not be so overly burdensome that it undercuts the necessary service it provides to global internet users. It is important that we consider our options for achieving this balance.”

Republican Rep. Bob Latta, the ranking member on the same subcommittee, also voiced his support. “Congressman Latta does have significant concerns about the ramifications of the public’s loss of access to the WHOIS database,” a Latta spokesperson told National Journal in an email. “For example, the inability of law enforcement and other important entities to obtain domain information could stifle investigations. The Congressman is looking at possible solutions and has been engaged with multiple stakeholders including NTIA and the FTC.”

Things are more nebulous in the Senate. A spokesperson for Commerce Committee Chairman Roger Wicker declined to comment, while the office of Sen. John Thune, the majority whip and the chairman of the technology subcommittee, did not respond to multiple requests for comment.

One Senate staffer who was not authorized to speak publicly said they hadn’t heard talk of a Senate office on either side of the aisle taking up the legislation, but added that it may be too early to tell.

“We don’t have someone saying, ‘I’m introducing the bill tomorrow,’” said Baney, who’s met with staffers across both chambers about the issue. “But we have a lot of people saying, ‘I could be introducing this bill next week; let me get back to you.’”

The ultimate prospect of the draft legislation remains uncertain. But Paul Vixie, the head of Farsight Security and a key architect of several domain-name system protocols, gave the idea high marks.

“ICANN has flubbed this from the beginning,” said Vixie, who is not involved in the ongoing lobbying effort. He said the draft bill clearly overreaches by including overseas registrars who sell domain names to U.S. parties. But he expects the lobbyists will moderate their position, and said their plan “could actually work.”

“It would be great if this could be the beginning of rising up against the civil libertarians who have been pushing back against WHOIS and against accountability and against recourse,” Vixie said. “I love GDPR, but I also want recourse against anyone who uses any of these unique, publicly-granted identifiers in a way that does harm to others.”
