ICANN notes that GDPR makes it harder to snuff out DNS abuse.
ICANN has sent tardy commentary to the Call for Evidence launched by the European Commission (EC) on the European Union’s (EU) Toolbox Against Counterfeiting (wow, that’s a mouthful).
Basically, this Toolbox Against Counterfeiting and associated report analyzed DNS abuse and what to do about it. The ICANN Business Constituency previously submitted feedback to the EU, and now ICANN has contributed (but after the deadline).
ICANN explained the limited role that it plays in the internet and also stated, “ICANN is not the Internet’s content police.”
But it also took the opportunity to pass the buck back to the EU for making it harder to investigate DNS abuse at the domain level. It was the EU, after all, that forced registrars to stop displaying public Whois information under GDRP.
It wrote:
This [GDPR] has fragmented a system that many rely upon for reasons as varied as law enforcement investigations, intellectual property, and security incident response, among others.
GDPR also makes it hard to check the accuracy of registration data:
In addition, GDPR affected ICANN org’s ability to investigate inaccuracy of registration data and take steps to address it with gTLD registrars. Pre-GDPR, ICANN org investigated the accuracy of gTLD registration data both in response to external complaints and in the context of the WHOIS Accuracy Reporting System project, in which ICANN org proactively identified potential inaccuracies and addressed them with registrars. This project was paused upon the effective date of the GDPR, given that much of the registrant contact information is now redacted from public view and, thus, not accessible for analysis.
In other words, the EU took away one of the critical tools that security researchers use to snuff out DNS abuse.
It is the Registrars themselves who should be policing DNS abuse among their Registrants. We should not be relying on ‘third parties’ to clean up the DNS.