From the full text quote at the bottom of Breyer"s blog:
> 4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, in accordance with Article 6(1)(c) and Article 6(3) of Regulation (EU) 2016/679 and without undue delay after the registration of a domain name, certain domain name registration data, such as the domain name and the name of the legal person.
That does read pretty ambiguously like at the very least my name becoming public when I register a domain. Opening for example an anti-fascist blog under its own domain this would become a real life threat if you don't happen to be called John Smith or the local equivalent.
Overall I come down pretty hard on Breyer's side of the argument here. This is the DNS equivalent to enforcing operators of online forums to check users' real names. It's ripe for abuse and it will inevitably be used to chill dissenting voices.
The fact that the register (and the people they interviewed) see this differently seems to be that they trust that data collected will only be used by "trusted" authorities. But with the above quote I don't see that being the case, and the trust in authorities is really only an effective protection if your website happens to defend the status quo, good luck otherwise.
It’s always been the rule in the German-speaking world that websites had to disclose someone responsible, both on-site and in Whois. It’s a continuation from the analog world, where even flyers handed out at a protest have to state someone’s name & address.
The expectation is that you don’t have to fear anything for lawful activity. For the most part, that’s not too far from reality, and even a few anti-fascist organizations have complied and not had any trouble.
For individuals (and the not-exactly-anti fascists) it’s a bit harder, and they tend to skirt the rules by choosing other TLDs or finding some strawperson/organisation to register the domain for them.
I am from a non-German-speaking part of the EU and I believe that anonymity is an important value that helps unpopular speech survive.
Societal trust levels in the EU are all over the map, with some countries being really low, and in that situation, the 'you don’t have to fear anything for lawful activity' principle isn't really exportable from Germany. You do not want to try this out in a country where mafias are strong, for example.
> It’s always been the rule in the German-speaking world that websites had to disclose someone responsible, both on-site and in Whois.
Only onsite in the publishing information ("impressum"), not in the whois.
Also it is only required for websites "used for commercial(1) purpose", but not on private sites not used for commercial purpose. (1: Not perfect translation of the word used in the law. Websites from various organizations can count as "commercial purpose" in that context even if they don't sell you anything and the organization is a political one. Similar in some cases private websites can also count as such.)
Similar flyers handed out by organizations, companies etc. have to have publishing information. But flyers handed out by a private person for no commercial purpose and without in anyway being related to a organization do not need publishing information as far as I know. So if you go to a demo and hand out flies of cat pictures you have drawn you don't need an impressum (publishing information) I think.
> The expectation is that you don’t have to fear anything for lawful activity. For the most part, that’s not too far from reality
This worldview is so far outside of mine that I'm not sure how to address it or respond to it. It's just a completely foreign idea to me. Is doxing not a thing in Germany?
In America, even if I'm not doing something controversial, even if I'm just streaming video games on Twitch, I might still choose not to share my real name, or I might choose to set up a virtual avatar, it's turned out to be way too easy to find other information using just a real name.
I've basically never done even a single thing in my life worth paying attention to on a large scale, I don't have an online following, I'm not particularly active or famous in any communities, and I'm a privileged/uncontroversial person. Even so, I've still had people that I've never met contact me unprompted and try to figure out my real address before (fortunately all nice people who weren't stalkers). Any subject or project at all where I'm even remotely scared of that happening (or even where I just don't want it to happen because it would be inconvenient), I don't release under my real name. I assume that if I ever was the target of harassment online, if they know my real name there's enough information about me that's slipped outside of my control that they would be able to find me. I don't need to do anything illegal for that to happen, we've seen targeted harassment over ridiculous things like girls playing video games.
And the harassment concerns are separate from the branding issues where I try to keep my identity online relatively consistent when possible. If I'm building an experimental project or something that's outside of my normal persona that I normally project online, then just for pure branding purposes I often try to release it under a different identity. That too is a concern I feel is more important than many people realize, if you ever become a subject of attention online, my understanding is that people expect a kind of unreasonable consistency in all of your activity beyond what they expect in real life.
I don't know how Germany wouldn't suffer from those same problems, but if it doesn't, I guess that seems like a nice place to live? I release a fair amount of stuff under my real name, and I generally advocate that other people do the opposite. If you're building an online identity today my feeling is you should completely unlink it from your physical identity, if I could go back in time to my early computing years I wouldn't use the handle `danshumway` online.
When I host projects or enter conversations online I am to some extent inviting people into my personal life. If I'm using a consistent identity across time or across multiple sites, I'm also to some degree inviting people to correlate those posts/sites together. That's an intentional action I'm taking, but being able to set boundaries around that invitation is important to me. I use anonymity/privacy to set those boundaries.
I am cautious about rendering judgement on the actual policy one way or another. The current Whois policy is bad imo, and I don't necessarily trust the EU to make it better, but my very brief skim of the proposal suggests that this is more about enforcing the current policy then making a new one? There may be implementation details I am overlooking.
I think a lot of this depends on what the EU counts as "personal information" that registrars shouldn't publish, which I would assume includes real names, but I'm not an expert on GDPR laws. It would be better if disclosing this information wasn't required at all for registering a domain name, but I'm not sure that the proposal as described makes the situation worse, beyond just cementing it more as something the EU cares about.
> 4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, in accordance with Article 6(1)(c) and Article 6(3) of Regulation (EU) 2016/679 and without undue delay after the registration of a domain name, certain domain name registration data, such as the domain name and the name of the legal person.
That does read pretty ambiguously like at the very least my name becoming public when I register a domain. Opening for example an anti-fascist blog under its own domain this would become a real life threat if you don't happen to be called John Smith or the local equivalent.
Overall I come down pretty hard on Breyer's side of the argument here. This is the DNS equivalent to enforcing operators of online forums to check users' real names. It's ripe for abuse and it will inevitably be used to chill dissenting voices.
The fact that the register (and the people they interviewed) see this differently seems to be that they trust that data collected will only be used by "trusted" authorities. But with the above quote I don't see that being the case, and the trust in authorities is really only an effective protection if your website happens to defend the status quo, good luck otherwise.