Eight months after Europe’s General Data Protection Regulation sent shockwaves across the tech industry, a new lobbying organization aiming to scuttle one of its most disputed provisions is gaining traction on Capitol Hill.
Since beginning its life last fall, the Coalition for a Secure and Transparent Internet has picked up the support of The App Association, the Motion Picture Association of America, the Recording Industry Association of America, the Alliance for Safe Online Pharmacies, the Center on Illicit Networks and Transnational Organized Crime, and several other high-profile groups.
And this week, its lobbyists spread out across the House and Senate, meeting with lawmakers from both parties to push draft legislation that would overrule the GDPR and reopen the public’s access to WHOIS domain-name data.
The WHOIS database is perhaps best understood as the internet’s white pages. It contains the identifying information for any individual or business who’s purchased a specific domain name online—including things like a name, address, and phone number. The database was publicly accessible from the advent of the internet to the dawn of the GDPR, allowing cybersecurity researchers and consumer advocates to trace nefarious activities from the websites hosting or perpetrating them to the real-world entities responsible.
But the database abruptly ceased updating once the GDPR came into effect last May. The Internet Corporation for Assigned Names and Numbers, the international body that regulates WHOIS, issued a temporary rule claiming that the GDPR prevented the public release of any new domain-name information.
And as ICANN mulls making that change permanent in the coming months, a growing chorus of industry and advocacy groups are calling on Congress to prevent “the open web” from becoming “the dark web.”
“It’s a great time to be a cybercriminal,” said John Horton, the chief executive of LegitScript, a company that tracks nefarious activity online.
During a House briefing organized by CSTI on Thursday, Horton laid out how websites selling OxyContin or other deadly opioids without a prescription can launder their illegal gains through legitimate-looking websites that appear to sell innocuous products. Access to the WHOIS database once enabled Horton’s firm and others to connect the dots between those sites, ultimately facilitating the tracking and apprehension of the people behind them.
The same goes for tracking the piracy of intellectual property—such as apps, music, and movies—and the monitoring and prevention of cybersecurity crimes. And Dave Piscitello, the longtime former head of security at ICANN, said WHOIS access was instrumental in tracking the Russian government’s online meddling during the 2016 presidential election.
“We can’t respond in the same manner that we were able to respond in,” Piscitello said, calling the situation “dire.”
Federal agencies, including the National Telecommunications and Information Administration and the Federal Trade Commission, are aware of the issue, with the NTIA in particular calling on ICANN to change course. But Libby Baney, a partner with Faegre Baker Daniels Consulting and one of the chief lobbyists for CSTI, said that process “continues to lag.”
So the coalition has turned to Congress. It’s pushing legislation that would require domain-name registrars who sell U.S. domains or operate in the U.S. to publish that information and make it searchable in a WHOIS database. The FTC would then levy any penalties for noncompliance. The coalition wants the law to apply only to commercial entities.
“If I’m selling things, placing bots, tracking people, collecting data, engaged in commerce, a consumer should have the ability to know who’s on the other side of that transaction,” Baney said. “It’s just basic consumer protection, and at scale, it has a real impact on cybersecurity investigations.”
The group stresses that it isn’t seeking to kneecap the GDPR or other online-privacy efforts, but to balance the need for privacy with the desire to keep the internet safe. “The benefits of anonymity exponentially accrue to the bad guys,” said Tim Chen, the chief executive of cybersecurity firm DomainTools.
A spokesman for ICANN declined to comment on the draft legislation or CSTI’s lobbying efforts.
The bill has yet to be picked up by lawmakers in either chamber, but there are powerful voices on both sides of the aisle whose interest has been piqued.
“Access to registrar data through WHOIS is critical to the ongoing security and resiliency of the internet,” said Rep. Doris Matsui, the Democratic vice chair of the Energy and Commerce Communications and Technology Subcommittee and cochair of the High Tech Caucus. “Acknowledging the important individual privacy interests involved, access to WHOIS information for legitimate purposes must not be so overly burdensome that it undercuts the necessary service it provides to global internet users. It is important that we consider our options for achieving this balance.”
Republican Rep. Bob Latta, the ranking member on the same subcommittee, also voiced his support. “Congressman Latta does have significant concerns about the ramifications of the public’s loss of access to the WHOIS database,” a Latta spokesperson told National Journal in an email. “For example, the inability of law enforcement and other important entities to obtain domain information could stifle investigations. The Congressman is looking at possible solutions and has been engaged with multiple stakeholders including NTIA and the FTC.”
Things are more nebulous in the Senate. A spokesperson for Commerce Committee Chairman Roger Wicker declined to comment, while the office of Sen. John Thune, the majority whip and the chairman of the technology subcommittee, did not respond to multiple requests for comment.
One Senate staffer who was not authorized to speak publicly said they hadn’t heard talk of a Senate office on either side of the aisle taking up the legislation, but added that it may be too early to tell.
“We don’t have someone saying, ‘I’m introducing the bill tomorrow,’” said Baney, who’s met with staffers across both chambers about the issue. “But we have a lot of people saying, ‘I could be introducing this bill next week; let me get back to you.’”
The ultimate prospect of the draft legislation remains uncertain. But Paul Vixie, the head of Farsight Security and a key architect of several domain-name system protocols, gave the idea high marks.
“ICANN has flubbed this from the beginning,” said Vixie, who is not involved in the ongoing lobbying effort. He said the draft bill clearly overreaches by including overseas registrars who sell domain names to U.S. parties. But he expects the lobbyists will moderate their position, and said their plan “could actually work.”
“It would be great if this could be the beginning of rising up against the civil libertarians who have been pushing back against WHOIS and against accountability and against recourse,” Vixie said. “I love GDPR, but I also want recourse against anyone who uses any of these unique, publicly-granted identifiers in a way that does harm to others.”