Privacy activists oppose EU plans for a GDPR-compliant Whois v2 (theregister.com)
154 points by upofadown on Oct 16, 2021 | hide | past | favorite | 98 comments



As someone who wants to maintain his own blog: This is pretty concerning. Why should I need to publish my address for all to see in order to make a blog? And yes, I know that blogging platforms exist, but I don't want to rely on them.

It kinda makes me wonder if this is a push towards further centralization on the web.


To quote the quote this is about:

> "Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delay after the registration of a domain name, domain registration data which are not personal data."

Your address is personal data, so is email, phone number, more or less any contact information etc.

So what is not personal data? Mainly things like the fact that the domain had been registered through godaddy, i.e. things a police agency needs to know in order to know where to go with a court order for actual private information.

Also interesting: It's for the TLD, I wonder if they have a clear definition of it, or else .co.uk and similar would no longer be covered (not that it matters anymore). But what definitely should not be covered are sub-domain registrars.

Though I haven't read the draft of the directive, so I can't tell you if there are some uncanny effects between article 23 and other articles.


The article doesn’t state that it will be published. It states that the registrar must have it. The Pirate Party member, as mentioned in the article, didn’t read the proposal.


That's one subpoena or warrant away from it being published to people who you don't want to have it.


That's a bit separate from the notion of privacy - warrantless searches violate privacy, but there isn't (nor should there be) any expectation of privacy given a valid warrant; valid warrants are the scenario where we the people have decided (and written in our laws and constitutions) that you should not be able to keep things hidden.


Like real estate and vehicles, domain registrations probably shouldn't be too private by default.


Or hack, misconfiguration, data leak, insider, etc.


What's left of the old web may just have to move behind subdomains so only one person gives up their privacy. I'm glad I bought a 5 letter url for a project like that.


Just because there's a box labeled 'address' doesn't mean you should put your address in there.


My understanding is this would make it illegal to not put your real address there. You can willingly break the law, but that'll create other issues for you.


As someone who doesn't live in the EU why should I concern myself with their laws? It sounds bad, but I won't obey it.


This proposal is regarding EU TLD registrars. Country TLDs in the EU (.de, .fr, .se etc) already require you to be an EU resident.

So you wouldn't be subject to these rules as you're not entitled to hold one of those domains.


You are wrong about at least .se. You do not need to be an EU resident to own a .se domain.


The registrar is subject to EU law, so they could be forced to limit or remove your access to your domain


My address is a mailbox store in Missouri.


Mailing addresses that are not your physical address may be a decent workaround, but should that even be necessary?


When opening a mailbox, I had to provide ID and a notarized signature.


But will you also need to update it when you move?


Maybe if the web becomes bad enough people will start using onion hidden services for everything instead. Why not publish blogs that way? It even allows you to be anonymous.


>Why not publish blogs that way?

Because onion sites are slower, harder to access, not easily searchable, and not easily protected against DDoS attacks.


I'm sure all of those problems will be solved once it's popular enough.


Most of these things were once said about sites that used SSL.


The speed of light is a hard limit on improving the performance of onion sites. Having your requests routed through six (edit: random) servers is always going to be slow.


Your traffic is certainly going over more than six links to get to you today, the only difference is clearnet traffic direction is organized for efficiency. TOR has inefficiency baked into the design for the purpose of privacy.


Yes, and it would be better if this sort of inefficiency isn’t directly incentivized by legislation.


It's possible to reduce the number of hops on onion services that allow it, but it's still not ideal https://support.torproject.org/glossary/single-onion-service...


> Most of these things were once said about sites that used SSL.

in the sense that every possible thing has been said about everything, sure. and to a slightly greater extent maybe they were said about trying to SSL-ify _everything_.

but "gee maybe shouldn't SSL-ify sites handling sensitive data" has never been a serious talking point.


Wouldn't it just be easier to have a decentralized alternative to DNS that doesn't require standard DNS servers?


There's OpenNIC, an alternative to ICANN. I support such an effort but adoption is still very low.


Because you're supposed to be responsible for what you publish? Or as quoted in the article itself:

> For those that say this is a hit to privacy: this operates the same way it would if you were buying property anywhere else. Yes, it's digital property, but you should have to be responsible for that permissive SPF record allowing relay of malware spam in the same way you have to be responsive when there's a gas leak on physical property.

In any case, self hosting a blog seems like a pretty weird step if what you're after is good anonymity.


>In any case, self hosting a blog seems like a pretty weird step if what you're after is good anonymity.

I'm not after anonymity, I just don't want my address and phone number to be easily available to every nutcase out there.


There is a world of difference between being Satoshi level of anonymous and being an open book for anyone on planet earth to try to SWAT.


i don't quite understand this. does this imply we are forced to give out our verifiable home address? i remember buying domains and just putting "001, abc street, 892032, india" in the fields. is this forcing me to change that to my home address?


Because sometimes people need to contact you and mail is one such way to send a message.


In Canada, if a copyright holder notices you are downloading something they own the rights to, e.g. because you are using torrent, they cannot ask the ISP for your name or address. The only recourse they have, short of going through the expensive and lengthy court process, is that they can give the ISP a note which they are legally required to forward to the client. It's a simple system. Your privacy remains preserved and you get the messages too. Why not mandate an email forwarding service by registrars if that's what they are after?


What’s wrong with e-mail?


Some people don't check their email so a physical letter can be used as a backup.


Some people don't check their mail either


But you can send a letter with proof of reception so at least they know if you received it or not.


From the full text quote at the bottom of Breyer's blog:

> 4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, in accordance with Article 6(1)(c) and Article 6(3) of Regulation (EU) 2016/679 and without undue delay after the registration of a domain name, certain domain name registration data, such as the domain name and the name of the legal person.

That does read pretty ambiguously, like at the very least my name becoming public when I register a domain. If you open, for example, an anti-fascist blog under its own domain, this would become a real-life threat if you don't happen to be called John Smith or the local equivalent.

Overall I come down pretty hard on Breyer's side of the argument here. This is the DNS equivalent to enforcing operators of online forums to check users' real names. It's ripe for abuse and it will inevitably be used to chill dissenting voices.

The fact that the register (and the people they interviewed) see this differently seems to be that they trust that data collected will only be used by "trusted" authorities. But with the above quote I don't see that being the case, and the trust in authorities is really only an effective protection if your website happens to defend the status quo, good luck otherwise.


It’s always been the rule in the German-speaking world that websites had to disclose someone responsible, both on-site and in Whois. It’s a continuation from the analog world, where even flyers handed out at a protest have to state someone’s name & address.

The expectation is that you don’t have to fear anything for lawful activity. For the most part, that’s not too far from reality, and even a few anti-fascist organizations have complied and not had any trouble.

For individuals (and the not-exactly-anti fascists) it’s a bit harder, and they tend to skirt the rules by choosing other TLDs or finding some strawperson/organisation to register the domain for them.


I am from a non-German-speaking part of the EU and I believe that anonymity is an important value that helps unpopular speech survive.

Societal trust levels in the EU are all over the map, with some countries being really low, and in that situation, the 'you don’t have to fear anything for lawful activity' principle isn't really exportable from Germany. You do not want to try this out in a country where mafias are strong, for example.


> It’s always been the rule in the German-speaking world that websites had to disclose someone responsible, both on-site and in Whois.

Only onsite in the publishing information ("impressum"), not in the whois.

Also it is only required for websites "used for commercial(1) purpose", but not on private sites not used for commercial purpose. (1: Not a perfect translation of the word used in the law. Websites from various organizations can count as "commercial purpose" in that context even if they don't sell you anything and the organization is a political one. Similarly, in some cases private websites can also count as such.)

Similarly, flyers handed out by organizations, companies etc. have to have publishing information. But flyers handed out by a private person for no commercial purpose and without in any way being related to an organization do not need publishing information as far as I know. So if you go to a demo and hand out flyers of cat pictures you have drawn you don't need an impressum (publishing information) I think.


> The expectation is that you don’t have to fear anything for lawful activity. For the most part, that’s not too far from reality

This worldview is so far outside of mine that I'm not sure how to address it or respond to it. It's just a completely foreign idea to me. Is doxing not a thing in Germany?

In America, even if I'm not doing something controversial, even if I'm just streaming video games on Twitch, I might still choose not to share my real name, or I might choose to set up a virtual avatar, it's turned out to be way too easy to find other information using just a real name.

I've basically never done even a single thing in my life worth paying attention to on a large scale, I don't have an online following, I'm not particularly active or famous in any communities, and I'm a privileged/uncontroversial person. Even so, I've still had people that I've never met contact me unprompted and try to figure out my real address before (fortunately all nice people who weren't stalkers). Any subject or project at all where I'm even remotely scared of that happening (or even where I just don't want it to happen because it would be inconvenient), I don't release under my real name. I assume that if I ever was the target of harassment online, if they know my real name there's enough information about me that's slipped outside of my control that they would be able to find me. I don't need to do anything illegal for that to happen, we've seen targeted harassment over ridiculous things like girls playing video games.

And the harassment concerns are separate from the branding issues where I try to keep my identity online relatively consistent when possible. If I'm building an experimental project or something that's outside of my normal persona that I normally project online, then just for pure branding purposes I often try to release it under a different identity. That too is a concern I feel is more important than many people realize, if you ever become a subject of attention online, my understanding is that people expect a kind of unreasonable consistency in all of your activity beyond what they expect in real life.

I don't know how Germany wouldn't suffer from those same problems, but if it doesn't, I guess that seems like a nice place to live? I release a fair amount of stuff under my real name, and I generally advocate that other people do the opposite. If you're building an online identity today my feeling is you should completely unlink it from your physical identity, if I could go back in time to my early computing years I wouldn't use the handle `danshumway` online.

When I host projects or enter conversations online I am to some extent inviting people into my personal life. If I'm using a consistent identity across time or across multiple sites, I'm also to some degree inviting people to correlate those posts/sites together. That's an intentional action I'm taking, but being able to set boundaries around that invitation is important to me. I use anonymity/privacy to set those boundaries.


I wonder if Breyer was looking at an older version?

The version I'm looking at (https://www.europarl.europa.eu/RegData/docs_autres_instituti...) doesn't include that quote that I can find. Maybe my version is out of date :)

I am cautious about rendering judgement on the actual policy one way or another. The current Whois policy is bad imo, and I don't necessarily trust the EU to make it better, but my very brief skim of the proposal suggests that this is more about enforcing the current policy than making a new one? There may be implementation details I am overlooking.

I think a lot of this depends on what the EU counts as "personal information" that registrars shouldn't publish, which I would assume includes real names, but I'm not an expert on GDPR laws. It would be better if disclosing this information wasn't required at all for registering a domain name, but I'm not sure that the proposal as described makes the situation worse, beyond just cementing it more as something the EU cares about.


The article states,

> What won't be happening, however, is the free publication of names and contact details. Currently the draft text of article 23 states: "Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delay after the registration of a domain name, domain registration data which are not personal data."

It's unclear to me what data would be newly exposed with the proposed directive.


Thanks for checking the actual text. Yeah, sounds like exaggeration and fear mongering

This looks like it would be as dangerous as standard whois


Here you can see a multi-year plan and no one complained when it was possible:

- let's force everyone to use https.
- but https relies on verified domain names and this comes with a cost... Solution: here is let's encrypt, so https everywhere is justified
- last step, use the fact that registrars are centralized to ensure the identity of all domain name holders, anonymous servers without https will not be reachable by normal people!


There are stakeholders who want Real Name digital signatures for git commits to "critical" open-source software and every dependency. There is already a numerical score for OSS which determines whether bug fixes will be funded by Google and others,

https://openssf.org/press-release/2021/10/13/open-source-sec...


That sounds like a way to punish malicious committers rather than prevent malicious commits.


I'm not a big fan of https, but how is this related to it? Websites that are http-only will be affected as well.

Edit: if you're talking about obtaining certs for bare IPs, it's actually possible to do that. See 1.1.1.1


Before you could use IPs, or an alternative name system, or just private/personal DNS.

This will not work anymore as the https will require to have an official/qualified domain name.

Look at the case of the .dev domain names that were used by a lot of persons, and suddenly google bought the top domain and enforced https mandatory for it in chrome to ensure that no one else could use it anymore.

Also, imagine if the next step is to check that only "approved/legitimate" top domains, respecting some Google policies, are allowed for your own safety...


OP said, "let's force everyone to use https."

My guess is that OP's point was that "everyone" includes servers as well as browsers, presumably by shaming via no lock icon and other tactics.


I know, but I still don't understand how this is related to the news at hand. You'll have to publish your info regardless of which protocols you're using (if any).


you can connect using bare IPs with http.


You can with https as well.

For most of us that means an untrusted cert, and hence a browser warning, but that's equivalent to the browser padlock icon when browsing http (and arguably safer).

Plus, if you are browsing or publishing using plain ip addresses you are already outside the "regular behaviour" so users doing that will be happy to click through.

However this subthread is irrelevant to the main thread. The https/http question is unrelated to the dns question, since dns applies to both equally.


You are totally overthinking things.

1. This affects http, too. I mean it affects anything using domain names.

2. It's generally a bad argument as there are so many more ways state agencies can mess with you when you use http than when you use https.

3. did you read the article? (I guess no)

4. The problem is DNS and DNS only, everything else is just a side effect from DNS being conceptually broken (wrt. privacy protection and decentralization). Https everywhere is inevitable and good, what isn't is that due to how DNS works we ended up with a (kinda) centralized-only certificate system. Https happens to need certificates, but it doesn't care what system provides them for it. So a complete privacy preserving decentralized certificate (and DNS replacement) could totally work with HTTPS.


This week I literally dug through the documentation of whois query APIs of all registrars and registries.

The RIPE servers (and therefore APNIC, AFRINIC, too) are much more detailed in what you can find out about their assigned number ranges via inverse queries. [1]

ARIN and LACNIC both use their own response format (which is outdated, sucks and is super hard to parse).

But now to the interesting part: You can query "the internet" for all customers that have specific IP ranges by that specific ISP.

For example, this will show all customers with a static IP at Unitymedia, which is a VODANET subsidiary ISP in Germany. I've chosen this example to reduce the wall of text; use VODANET and expect to get blocked due to the response being too large:

whois -h whois.ripe.net -- "-i mnt-by UNITYMEDIA-MNT"

The responses are - from an OSINT perspective - a nightmare, too.

Because I know that literally all of those customers probably have an outdated router hardware that they cannot patch or update. It also nails down the possible hardware to less than 5 models (from ARRIS, AVM and UPC), which makes it very open to router exploits. (Remember UBEEkey? yeah, that's those routers [2]).

Also, what the article only mentions marginally: WHOIS got deprecated since GDPR, back then by RIPE which seems to lead in terms of specification compliance.

The new protocol that is pretty much the same, but in JSON, is RDAP; it also allows you to search for nameservers, for domains etc. and therefore supersedes the feature set of the WHOIS protocol. [3]

[1] https://www.ripe.net/manage-ips-and-asns/db/support/document...

[2] https://github.com/yolosec/upcgen

[3] https://datatracker.ietf.org/doc/html/rfc7482
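The comment above contrasts WHOIS with RDAP, whose responses are JSON with structured entity records, and the thread as a whole turns on which registration data counts as "personal data" under the draft article 23. The following is an added example, not code from the original post or from any registry: it parses a constructed RDAP domain response in the RFC 7483 shape (the domain, handles, names and contact values are made up), flattens each entity's jCard, and splits the result into the non-personal record (domain, status, nameservers, event dates, registrar) and the per-role personal contact fields. Treating an entity whose remark title or display name contains "redacted" as withheld is an assumption about a common registrar convention, not something RFC 7483 mandates.

```python
import json

# Constructed sample RDAP domain response (RFC 7483 shape). Every value is
# made up for this example; it is not the output of any real lookup.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example-blog.test",
    "status": ["client transfer prohibited"],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "ns1.example-dns.test"},
        {"objectClassName": "nameserver", "ldhName": "ns2.example-dns.test"},
    ],
    "events": [
        {"eventAction": "registration", "eventDate": "2021-03-01T10:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2022-03-01T10:00:00Z"},
    ],
    "entities": [
        {"objectClassName": "entity", "handle": "REG-123", "roles": ["registrar"],
         "vcardArray": ["vcard", [
             ["version", {}, "text", "4.0"],
             ["fn", {}, "text", "Example Registrar Ltd"]]]},
        {"objectClassName": "entity", "handle": "C-456", "roles": ["registrant"],
         "vcardArray": ["vcard", [
             ["version", {}, "text", "4.0"],
             ["fn", {}, "text", "Jane Doe"],
             ["adr", {}, "text", ["", "", "1 Sample Street", "Sampletown", "", "12345", "XX"]],
             ["email", {}, "text", "jane@example-blog.test"],
             ["tel", {"type": "voice"}, "uri", "tel:+1-555-0100"]]]},
        # Assumed convention: a privacy/proxy service leaves the role in place
        # but replaces the contact with a "REDACTED FOR PRIVACY" marker.
        {"objectClassName": "entity", "handle": "C-789", "roles": ["technical"],
         "remarks": [{"title": "REDACTED FOR PRIVACY", "description": ["..."]}],
         "vcardArray": ["vcard", [
             ["version", {}, "text", "4.0"],
             ["fn", {}, "text", "REDACTED FOR PRIVACY"]]]},
    ],
})

# jCard properties that identify or locate a natural person.
PERSONAL_VCARD_PROPERTIES = {"fn", "n", "adr", "email", "tel"}


def jcard_to_dict(vcard_array):
    """Flatten a jCard (RFC 7095) ["vcard", [[name, params, type, value], ...]]
    into {name: value}; structured values such as "adr" are joined with ", "."""
    props = {}
    if not vcard_array or vcard_array[0] != "vcard":
        return props
    for prop in vcard_array[1]:
        name, value = prop[0], prop[3]
        if name == "version":
            continue
        if isinstance(value, list):
            value = ", ".join(part for part in value if part)
        props[name] = value
    return props


def is_redacted(entity):
    """True when a remark title or the display name marks the contact as withheld."""
    for remark in entity.get("remarks", []):
        if "redacted" in remark.get("title", "").lower():
            return True
    display_name = jcard_to_dict(entity.get("vcardArray")).get("fn", "")
    return "redacted" in display_name.lower()


def split_registration_data(rdap_text):
    """Parse an RDAP domain response and separate the non-personal record
    from the personal contact fields, keyed by entity role."""
    doc = json.loads(rdap_text)
    non_personal = {
        "domain": doc.get("ldhName"),
        "status": doc.get("status", []),
        "nameservers": [ns.get("ldhName") for ns in doc.get("nameservers", [])],
        "events": {e["eventAction"]: e["eventDate"] for e in doc.get("events", [])},
        "registrar": None,
    }
    personal = {}
    for entity in doc.get("entities", []):
        roles = entity.get("roles", [])
        card = jcard_to_dict(entity.get("vcardArray"))
        if "registrar" in roles:
            # The registrar is a legal person; its name is the "where to go with
            # a court order" datum rather than personal data.
            non_personal["registrar"] = card.get("fn")
            continue
        if is_redacted(entity):
            continue  # withheld by a privacy/proxy service: nothing to report
        fields = {k: v for k, v in card.items() if k in PERSONAL_VCARD_PROPERTIES}
        for role in roles:
            if fields:
                personal[role] = fields
    return {"non_personal": non_personal, "personal": personal}


if __name__ == "__main__":
    print(json.dumps(split_registration_data(SAMPLE_RDAP), indent=2))
```

Run it directly to see the two halves side by side: the registrant's name, postal address, e-mail and phone all land in the personal section, while the redacted technical contact contributes nothing and everything in the non-personal section is what the quoted draft text would have registries publish regardless.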


There must be around 4-5000 registries and registrars out there. That seems like an ungodly amount of work..


Actually, it's not that many that have documentation available. /s

But, given that Donuts Inc are the overlord of the internet in terms of (g)TLDs, there's not as many as some might think.

The native whois client on most distributions is on github and contains a self-maintained list of whois servers in case you're curious [1].

It also contains a list of all new gTLDs [2], which, for the most part are registered via Donuts Inc. in the end. It's kinda ridiculous that something like ".gmbh" is owned, hosted, and distributed by an American company in Texas :-/

The interesting part is that some companies like "dotBERLIN GmbH & Co KG" (for .berlin) operate their own whois servers but seemingly reuse the infrastructure that Donuts Inc. provides for them.

The ICANNWiki also has some nice side-facts about registrars if you're more curious about their organizational structure [3].

Donuts Inc. also has some Chinese TLDs (like .游戏 or .xn--unup4y which means "games") registered via the Spring Fields LLC company that is a subsidiary of Donuts Inc. [4] and [5]

So yeah, I guess I kind of agree with the centralization of the internet argument here.

[1] https://github.com/rfc1036/whois/blob/next/tld_serv_list

[2] https://github.com/rfc1036/whois/blob/next/new_gtlds_list

[3] https://icannwiki.org/Donuts

[4] https://icannwiki.org/.%E6%B8%B8%E6%88%8F

[5] https://newgtlds.icann.org/en/program-status/delegated-strin...


Yes if we're talking about _registries_ (like the one for .se and .nu which I work for :) ) there are not that many (I'm on mobile so hard to search for up to date information but in 2018 it was ~800). But if you also looked at all the _registrars_ those numbered ~2500 in 2018, but yes those numbers are for registry operators many of which outsource to donuts et al.


Touché. I now know what you meant with the previous reply. I used registries and registrars wrong in the previous comment.

In my project I was focussing on getting the organization information for specific IP ranges in my project. So I dealt only with NICs and RIRs (or ICANN directly as they bootstrap the ASNs) in that case.


Ah right :)

May I ask what you are doing? Your original comment read as some osint fun stuff.


I'm building a peer to peer Browser network that relies on trust ratios in order to find out seed/leech ratios or the trustworthiness of other peers in the sense of whether they could be malicious actors (sharing content too much, producing/modifying content too much etc).

The problem I'm currently trying to solve is that I had the idea to have a pre-shipped vendor profile that contains the necessary information for IP ranges (ASN, organization, region, country, ISP/NAT etc) so that the discovery service for that doesn't have to do this and maybe I can get rid of a centralized peer discovery service completely.

It's like the basic idea of an offline "map of the internet" that should be an approximation of who does what in which amount of network bandwidth and data. For example, data center IPs aren't as trustworthy or peers in the same ISP-NAT could also be censored when it comes to blocked websites, modified DNS responses etc).

At this point it's a big experiment and I'm not sure whether I'm fundamentally wrong about this as I don't have any data to back it up.

If you're curious, it's part of the Stealth Browser I'm building [1] and [2]

[1] https://github.com/tholian-network/stealth

[2] https://github.com/tholian-network/stealth-vendor


> So yeah, I guess I kind of agree with the centralization of the internet argument here.

Is it not still the case that anyone can set up a DNS server that reallocates TLDs differently from how ICANN has (e.g. what projects like OpenNIC do)?


Arguments for & against aside, who the frell does the EU think it is that they're going to try to bully the internet into doing what they want?

Incredibly rage inducing era we're entering that after decades of the internet functioning relatively well, via good technical agreement mostly, the bloody bureaucrats of XYZ keep showing up & telling the entire planet how they have to operate. I can't stand the entire internet being ongoingly bullied around whenever this country or that gets some funny notion. I wish we saw more of the national &c threats to disconnect various services or systems go through, wish we saw less negotiation with the random governments of the world, wish we saw services that valued who they are & the right of their network users more than they feared the hundreds and hundreds of arms of bureaucracy that constantly threaten them. Let yourself get disconnected damn it, someone make a stand, stop agreeing to every demand and let these fools punch themselves in the face. If this nation can't abide by the informal rules of the internet too damned bad for them. They've gotta figure out what they want to do about it themselves; they can't unilaterally keep redefining the rules of the road for everyone.

The right to be forgotten is another prime example of colossal sovereign overreach. After a decade in the courts it seems like, in spite of much much much belly aching & shitstirring, nations generally have to accept that they can't legislate what content is available in other territories, but for a while it seemed like the dastardly rich were going to be able to demand any coverage they didn't like get disappeared from the internet entirely.

At some point we need to stop treating politicians & politician consequences as things to adjust to, & start telling these nations off. The internet is more important than your territory.


This comment is triggering my whataboutism reflex. So many words, yet the real motives behind this rant remain unclear.

If you operate in the EU, you are expected to follow the local rules. Not sure why you would object to that. I mean, I have my suspicions but I'd wait for a clarification before accusing you of exceptionalism.

I wonder what you have to say about your country (US, I bet) bending most of the world to its will via the very real threat of violence.


What's unclear? My motivation is obvious as day. I don't want a tightly coupled world where random spots on the earth get to tell the entire internet how they have to operate. It would be so easy to let endless rules beset us, would be so natural if the greatest, vastest, most available frontier humanity has available to it got snuffed out, bricked up by each & every law someone wanted to make.

there are no signs of hope. nations are going to be endlessly greedy, demanding end to frontiers forever. even projects like gdpr, which seemingly help citizens defend themselves against big powers that be online, still do little to create positive-liberties, positive-rights of citizens: a citizen with a VPS can't do anything more than they could yesterday.

capital example of things getting worse: here's an article today talking about the UK maybe trying to ban anonymous commenting. UK bans Hacker News! what is ever going to stop the removal of capabilities & powers of individuals by large institutions? what hope is there? https://news.ycombinator.com/item?id=28898249 https://www.independent.co.uk/news/uk/politics/priti-patel-d...


> What won't be happening, however, is the free publication of names and contact details. Currently the draft text of article 23 states: "Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delay after the registration of a domain name, domain registration data which are not personal data."

> That italicised line seems to have passed by an awful lot of very shouty people.

This makes it look like personal data is not involved at all, or like the issue is really about what data TLD registries would be forced to publish. But of course they would be forced to collect, verify and store personal data, and that's the problem.

This link should be changed to the original story[1], which is already discussed on HN[2].

[1]: https://www.patrick-breyer.de/en/cybersecurity-eu-to-ban-ano...

[2]: https://news.ycombinator.com/item?id=28841849


This is what a junk mail folder looks like on a mailbox that registered a domain and didn't employ domain privacy:

https://ibb.co/jbF4169

It's like this all day, every day, and that's only what's gotten through after several manual efforts to hard reject common offenders by domain and IP addresses.

I appreciate there needs to be a middle ground of some sort, but the old defaults were an absolute problem and should never have been able to persist for so long.


"Fun" fact: Brazilian domains (.br) have been showing the owner's full name and CPF number (like the US SSN) for years.

I think that they used to also publish the mailing address for domains owned by legal persons but my memory might be failing here.

https://www.tutoriart.com.br/dominio-br-dados-expostos-na-in...

https://registro.br/tecnologia/ferramentas/whois/?search=reg...


I'd assume this simply means that you will have a legal representative firm with a PO box and hardened phone number act as the whois holder instead, rather than just paying godaddy to do it?


Or just put one of the EU commissioners' information on the domain instead of yours.


That's the current system though? The news is the registrars would be required to actually check the info and not accept obvious lies.


And why would a registrar outside the EU go to that trouble? EU is not a world government last time I checked.


If you're not using a registrar subject to the EU rules I'm not sure why you'd bother to object to the rules in the first place.

So I take it as implied that whoever is complaining about the rules are actually going to be subject to them.


> If you're not using a registrar subject to the EU rules I'm not sure why you'd bother to object to the rules in the first place.

Because we don't want this horseradish inspiring other governments?


When I registered my first domains in Hungary I had to send the registrars a copy of my national ID.

Apparently the process was ahead of its time /s


In some countries something like this has been mandatory for a long time.

In Germany and its lapdog Austria there’s the mandatory impressum: fully doxxed whether you want it or not.

In Spain if you handle a database with personal information (like a forum or a blog where people can leave their email addresses along with comments) you also have to put all your data somewhere in the page so people can contact you to have themselves removed.

But hey we have cookie banners at least!


> In Germany and its lapdog Austria there’s the mandatory impressum: fully doxxed whether you want it or not.

At least in Germany, that’s only for commercial sites. If you’re not monetizing your site in any way (ads count) you don’t need an imprint.


>In Germany and its lapdog Austria there’s the mandatory impressum: fully doxxed whether you want it or not.

Yep, the big eye-opener for me was when that Austrian politician complained about being "harassed" by someone calling her a "corrupt traitor" on Facebook, so the Austrian authorities got involved and the person behind that account got doxxed and charged with libel. Unreal.

In Austria/Germany the freedom of speech is only free until it impacts the elite. Then you get the book thrown at you.


Austria has a public registry of addresses of all people living in the country.


Maybe I'm too tired, but wtf is this article even talking about.

You can lose your domain if your data is not accurate/real.

Registrars have also been offering proxy contact services for a long time now. Authorities, of course, can get the real info.


I'm a little tired too, but as far as I can tell, the Register is referring to an old draft,[0] while Breyer is referring to a much newer proposal to the same article.[1]

Pay particular attention to the wording of 23.4, where the text proposed by the Commission would correctly exclude personal data, but this amendment to the proposal would remove that exclusion.

However, I am not awake enough to deduce who makes these amendments, and how likely they are to pass in their current form. I am also not entirely sure what the LIBE Committee is.

But it feels like the Register is referring to an old draft, and has failed to notice a newer proposal to modify that draft.

[0] https://www.europarl.europa.eu/RegData/docs_autres_instituti...

[1] https://www.europarl.europa.eu/doceo/document/ITRE-PR-692602...


> The EU is currently drafting legislation to increase cyber security (revised NIS Directive, in short “NIS 2”). According to this directive, the registration of internet domain names will in future require the correct identification of the owner in the Whois database, including name, address and telephone number. So far, registries such as denic do not register telephone numbers of the holders. The leading Industry Committee wants to additionally mandate „verification“ of the registration data. The plans could mean the end of “whois privacy” services for proxy registration of domains, threatening the safety of activists and whistleblowers.[1]

[1] https://www.patrick-breyer.de/en/cybersecurity-eu-to-ban-ano...


Proxy registration referred to in that quote isn't what Whois privacy generally refers to though, no?

When I've seen it used by typical registrars it has meant that the owner's details aren't disclosed on public Whois lookups but are still required to be correct.


That would be an odd regression; I thought current GDPR mandated whois privacy?


Yes, the current status is that the GDPR basically outlaws whois as "Domain holders must publish public contact information". ICANN's plan B, after failing to fight that requirement, is that registrars must hold contact information and provide it to parties with legitimate interests. The EU privacy regulators have been clear in their interpretation that IP lawyers do not have sufficient "legitimate interests" to be party to such a system, though they are ok with law enforcement having access. Part of that argument is IP lawyers are such a broad group as to make the information de facto public.

Anyway, this proposal seems to be basically a GDPR exception to make "whois" in some form allowable, which is backsliding on the current state.


GDPR contains contradictions.

Does your website's Data Protection Officer have a right to keep their identity secret?


[walks into pizza shop] “This menu is horrible! I demand the owner’s name, address, and phone number!”


TBF, in many EU countries you can get this through a public registry, and are entitled to that through law. So it's not inconsistent (:


I’ve had these things up for years since I first registered a domain back in 2008. I’ve never been doxxed, or had any negative effect from this information being public.

I think at some point my registry stopped showing address information, but the name and email are still public.

I know that’s just anecdotal, but I feel the fears here are a bit overblown.


That tells me you're either self-censoring or hold no controversial opinions which you share in public.

You doxxing yourself and nothing bad happening is lucky for you, but you should have enough self-awareness to realize that nothing bad happened simply because you were not an interesting target. For others, the content they share makes them more interesting to potential attackers.


This tells me you read neither the article nor the EU's draft.

Do you also believe that by giving your personal information to a bank that you are doxxing yourself?


That's very trusting of you, Bart, and perhaps the police in Suginami, Japan are less likely to SWAT you than those in the USA, but you are placing trust in the population of the internet not to misuse the information you've shared, and that, in my view, is simply a case of security by obscurity.


Point taken.

That said, we used to have phone books with everyone’s name, number (and address?) distributed to everyone in town. I guess people are just bigger assholes when they’re not within throwing distance?


You could opt out of being in the phone book


> placing trust in the population of the internet not to misuse the information

As far as this draft goes there is no such thing going on. The end of anonymous websites in EU as one member of the pirate party put it (and this article is claiming/accusing him of not reading the draft) has no bearing on the public.

In this context it is similar to the end of anonymous bank accounts. Even though there are no anonymous bank accounts, I, as a member of the public, still can't get anybody's personal information from a bank.



