Glistening blue water, a stunning coastline, the smell of the sea, all nearby a bustling European city: The exquisite seaport of Trieste in northeastern Italy was supposed to be the idyllic in-person venue for this year’s European Dialogue on Internet Governance, or EuroDIG 2021. Unfortunately, due to the pandemic, the majority of sessions took place online. But one group—the Dynamic Coalition on Data and Trust, of which I have the good fortune to be a coordinator—met in person to discuss issues around the Domain Name System, or DNS, and practical responses to DNS abuse and cybercrime.
Geographically speaking, Trieste sits at the intersection of Germanic, Slavic, Latin and Greek traditions, where Central Europe meets the Mediterranean Sea. It’s a perfect metaphor for the interconnected nature of modern life, but also for the need to rejuvenate voluntary coalitions and digital diplomacy between different sectors in order to make cyberspace safer for all of its users.
Trusted DNS data, meaning the registration data that identifies the owner of a domain name, has for many years been integral to tackling cybercrime and protecting intellectual property rights online, through a free, publicly available service called WHOIS. For those investigating cybercrime or online brand infringement, WHOIS used to be a useful first step, providing the name, address and other contact details of the person or organization responsible for a domain name, along with vital technical information such as the sponsoring registrar and the name servers. Rapid access to that information was vital in the investigation of DNS abuse, for example the detection and takedown of a website distributing illegal or harmful content or selling counterfeit goods.
Domain name registries and registrars, which play a key role in tackling DNS abuse, therefore also help to mitigate cybercrime. Yet policy discussions over issues like copyright-infringing content, misinformation and criminal or abusive uses of the internet give the domain name system a fraction of the attention they give to social media.
With U.S. President Joe Biden emphasizing the importance of public-private partnerships in the fight against cybercrime, the Dynamic Coalition on Data and Trust has never been more relevant. Observing that policy discussions are too siloed, the Dynamic Coalition aims to fill a governance gap by encouraging an inclusive policy dialogue among all stakeholders who are interested in exploring issues of data and trust in the online environment. Indeed, the past year has seen a plethora of other industry-led initiatives aimed at mitigating DNS abuse.
Unfortunately, the kind of productive and collaborative relationships between international law enforcement agencies and private industries that Biden has called for are still a long way off when it comes to the DNS industry. While EUROPOL, the EU’s law enforcement agency, enjoys a productive cooperation with EURid—the .eu registry—in tackling online abuses, unless there is coverage across the entire DNS ecosystem, the vision that Biden has outlined cannot be fulfilled. This is especially the case as international cooperation in the fight against cybercrime is patchy at best, and national laws often conflict. It all adds up to a situation where cybercriminals can act with impunity.
The fight against cybercrime, however, must be reconciled with the need to protect customer privacy, while avoiding undue disruption to legitimate business and innovation. Here, the balance of power has shifted in favor of data privacy, due in large part to the European Union’s General Data Protection Regulation, or GDPR, which utterly changed the data privacy landscape when it was introduced in May 2018. GDPR’s extraterritorial impact means that companies that offer services to EU citizens are within its scope, no matter where in the world those organizations are headquartered. The combination of long-arm European privacy laws and the litigious culture of the U.S. led to a conservative approach to the implementation—or over-implementation—of GDPR’s requirements by some U.S. companies.
The effect on the WHOIS database was acute and immediate: With the arrival of GDPR, the WHOIS simply “went dark.” The nongovernmental organization responsible for the coordination of policy relating to domain names—the Internet Corporation for Assigned Names and Numbers, or ICANN—removed personal data from publicly available WHOIS records, a measure that was supposed to be temporary while an expedited policy process would thrash out a permanent solution.
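To make the effect of that redaction concrete, here is an added example, not code from the column or from ICANN, that parses a WHOIS-style registration record and separates what an investigator can still read from what GDPR-era redaction removed. The two records are constructed samples in the common "Key: Value" layout; the domain, registrar, contact details and redaction phrases are invented for illustration and do not describe any real registration, and the list of personal fields is an assumption about a typical record rather than a definition from any policy.

```python
"""
Added example (not from the column): parse a WHOIS-style registration
record and separate what an investigator can still read from what GDPR-era
redaction removed.  The two records below are constructed samples in the
common "Key: Value" layout; the domain, registrar and contact details are
invented and do not describe any real registration.
"""
from collections import defaultdict

# Constructed pre-2018 record: personal contact data visible.
WHOIS_BEFORE = """\
Domain Name: example-shop-123.com
Registrar: Example Registrar Inc.
Creation Date: 2017-03-10T09:12:00Z
Registrar Abuse Contact Email: abuse@example-registrar.invalid
Registrant Name: Jane Doe
Registrant Street: 12 Sample Lane
Registrant City: Sampleton
Registrant Country: IE
Registrant Email: jane.doe@example.invalid
Registrant Phone: +353.10000000
Name Server: ns1.example-hosting.invalid
Name Server: ns2.example-hosting.invalid
DNSSEC: unsigned
"""

# Constructed post-GDPR record for the same domain: personal fields redacted,
# technical and registrar fields still published.
WHOIS_AFTER = """\
Domain Name: example-shop-123.com
Registrar: Example Registrar Inc.
Creation Date: 2017-03-10T09:12:00Z
Registrar Abuse Contact Email: abuse@example-registrar.invalid
Registrant Name: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant Country: IE
Registrant Email: Please query the RDDS service of the Registrar of Record
Registrant Phone: REDACTED FOR PRIVACY
Name Server: ns1.example-hosting.invalid
Name Server: ns2.example-hosting.invalid
DNSSEC: unsigned
"""

# Fields that identify a natural person (the data GDPR protects).
# Assumption: a typical field set; real records vary by registry and registrar.
PERSONAL_FIELDS = {
    "Registrant Name", "Registrant Street", "Registrant City",
    "Registrant Email", "Registrant Phone",
}

# Phrases registrars commonly put in place of a redacted value.
# Assumption: illustrative list, not exhaustive.
REDACTION_MARKERS = ("REDACTED", "DATA PROTECTED", "Please query the RDDS")


def parse_whois(text: str) -> dict:
    """Parse 'Key: Value' lines into a dict of lists (keys like Name Server repeat)."""
    record = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue  # skip comments, terms-of-use text and the '>>> Last update' line
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a key/value line
        record[key.strip()].append(value.strip())
    return dict(record)


def is_redacted(value: str) -> bool:
    """True when the value is a redaction placeholder rather than data."""
    return any(marker.lower() in value.lower() for marker in REDACTION_MARKERS)


def redacted_fields(record: dict) -> set:
    """Personal fields present in the record whose values are all placeholders."""
    return {
        key for key in PERSONAL_FIELDS
        if key in record and all(is_redacted(v) for v in record[key])
    }


def visible_personal_fields(record: dict) -> set:
    """Personal fields that still carry real data."""
    return {key for key in PERSONAL_FIELDS if key in record} - redacted_fields(record)


def investigative_leads(record: dict) -> dict:
    """Non-personal data that survives redaction: registrar, abuse contact, dates, name servers."""
    return {
        "registrar": record.get("Registrar", [None])[0],
        "abuse_contact": record.get("Registrar Abuse Contact Email", [None])[0],
        "created": record.get("Creation Date", [None])[0],
        "name_servers": record.get("Name Server", []),
    }


if __name__ == "__main__":
    for label, text in (("before GDPR", WHOIS_BEFORE), ("after GDPR", WHOIS_AFTER)):
        rec = parse_whois(text)
        print(label, "redacted:", sorted(redacted_fields(rec)))
        print(label, "leads:", investigative_leads(rec))
```

Run against the two samples, the script shows that every registrant contact field disappears after redaction while the registrar, its abuse contact address, the creation date and the name servers remain. That residue is what the "technical information" still buys an investigator: it points to the registrar and hosting provider who can be asked for the data, rather than to the person behind the domain.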
But finding a solution for WHOIS data that balances the legitimate but sometimes conflicting rights of privacy and need for access had already been an ongoing battle for the multistakeholder ICANN community for more than 20 years, with discussions characterized by polarization and lack of compromise on all sides. The Expedited Policy Development Process, or EPDP, which ICANN set up in May 2018, has so far only consumed more than two further years of time and energy without delivering a permanent solution.
Meanwhile, the redaction of WHOIS data to comply with GDPR requirements has increased the challenges around identifying bad actors and combating online harms, creating a further obstacle to law enforcement. At the Dynamic Coalition on Data and Trust event last week, speakers from EUROPOL and EUIPO, the EU Intellectual Property Office, noted the importance of access to good-quality DNS data in combating cybercrime and intellectual property infringement. The EUROPOL speaker, Bogdan Ciinaru, highlighted that, with GDPR, “it was quite challenging … to investigate the domains again.” All speakers emphasized the value of voluntary cooperation between the private sector and law enforcement, and practical responses are starting to emerge. The Internet & Jurisdiction Policy Process has produced a toolkit on DNS action to reduce abuses, for instance.
But there is also a trust deficit between the parties. In some cases, members of the domain industry view the requests of law enforcement and brand protection for improvements in the quality of data, or availability of registration data, as an imposition that gets in the way of doing business. For example, Michele Neylon of the registrar Blacknight, who spoke at the event, complained: “A lot of what we’ve seen over the last 18 months being pushed from certain governments and from certain registries was in my view completely insane. … It’s not for us to spend our time worrying about the 1 or 2 percent of people or organizations or whatever that might do something criminal, something fraudulent.”
There are steps that both sides can take to enable a safer DNS space, by increasing due diligence around the registration of domains, for instance, as well as preventative measures and coordination between law enforcement and the private sector. For progress to be sustained, however, all parties need to explore and capitalize on common ground, rather than digging into their respective trenches.
In any event, EU regulators are running out of patience. In December 2020, the European Commission published its proposal for a revised directive on the security of network and information systems, the so-called NIS 2 Directive, designed to “achieve a high common level of cybersecurity” across the union’s member states. Among other things, Article 23 of the proposed NIS 2 Directive as currently drafted would require TLD registries and registration service providers to maintain accurate and complete registration data, to publish nonpersonal WHOIS data and to provide access to the data in response to lawful, duly justified requests, cutting through the failure by both the private sector and the ICANN community to reach a voluntary accommodation on WHOIS for the past 20 years.
It would be ironic if the notoriously lengthy EU legislative process ends up taking less time than the ICANN’s “expedited” process to find a compromise on WHOIS. But it would also be damning for advocates of a multistakeholder approach to internet governance, while dampening hopes for the kind of voluntary public-private partnership that is needed to tackle cybercrime.
Emily Taylor is the CEO of Oxford Information Labs and an associate fellow with the International Security Program at Chatham House. She was chair of the ICANN WHOIS Review Team from 2009 to 2011 and a member of the EPDP (Phase I) from 2018 to 2019. She is a co-founder of the ICANN-accredited registrar, Netistrar Limited, and of the IGF Dynamic Coalition on Data and Trust. EURid is a longstanding client of Oxford Information Labs, of which Emily is CEO. Follow her on Twitter at @etaylaw. Her WPR column appears each Tuesday.