You can find the current article at its original source at https://www.theguardian.com/technology/2018/feb/06/gdpr-data-protection-law-scammers-whois-tools-internet-european-privacy

EU data protection law may end up protecting scammers, experts warn
WHOIS, one of the oldest tools on the internet for verifying real identities, is at risk of being killed off by tough new GDPR regulations
Alex Hern
Tue 6 Feb 2018 12.50 GMT
Sweeping new European data protection regulations may have the accidental effect of protecting scammers and spammers by killing the WHOIS system used to link misdeeds online to real identities offline, security experts have warned.
The General Data Protection Regulation (GDPR), which comes into effect in May, contains a raft of measures intended to strengthen data protection for Europeans. But some of the new rights and responsibilities will conflict with decades-old technologies that have provided much-needed transparency on the internet, says Raj Samani, the chief scientist at cybersecurity firm McAfee.
The European Union's new stronger, unified data protection laws, the General Data Protection Regulation (GDPR), will come into force on 25 May 2018, after more than six years in the making.
GDPR will replace the current patchwork of national data protection laws, give data regulators greater powers to fine, make it easier for companies with a "one-stop-shop" for operating across the whole of the EU, and create a new pan-European data regulator called the European Data Protection Board.
The new laws govern the processing and storage of EU citizens' data, both that given to and observed by companies about people, whether or not the company has operations in the EU. They state that data protection should be both by design and default in any operation.
GDPR will refine and enshrine the "right to be forgotten" laws as the "right to erasure", and give EU citizens the right to data portability, meaning they can take data from one organisation and give it to another. It will also bolster the requirement for explicit and informed consent before data is processed, and ensure that it can be withdrawn at any time.
To ensure companies comply, GDPR also gives data regulators the power to fine up to €20m or 4% of annual global turnover, which is several orders of magnitude larger than previous possible fines. Data breaches must be reported within 72 hours to a data regulator, and affected individuals must be notified unless the data stolen is unreadable, ie strongly encrypted.
The WHOIS protocol allows anyone to look up the contact details for the owner of a domain name, such as theguardian.com, google.com or parliament.uk. First standardised in the 1980s, it has become a key part of the toolkit for anyone trying to trace online wrongdoing back to its roots: a digital equivalent of Companies House or the Land Registry, Samani says.
“As an industry one of the first things we often do is use WHOIS data to determine whether something is likely malicious, or whether there’s an indicator of suspiciousness,” Samani explains. “It could be something as simple as ‘hey, look, this name is a name we find registered with other domains’, or ‘this metadata is used for other things’.”
But domain registrations are commercial contracts, meaning that those making a registration have a right to privacy that is hard to square with publishing contact details on the internet, as Sarah Wyld, a product manager at internet services company OpenSRS, wrote in November:
“It’s certainly difficult to argue that there’s a legal basis for openly sharing contact details of a domain’s owner, administrator, or technical contact in the public WHOIS record. And we can’t claim that it helps to accomplish the original purpose for which the information was collected (registering the domain). This means that the public WHOIS system as it exists today is incompatible with the principles of data privacy that the GDPR affirms.”
A further wrinkle is that GDPR-induced changes to the WHOIS system are likely to affect users worldwide, not just in Europe – as with Facebook’s decision to improve privacy tools for its own users. It has prompted a minor geopolitical scuffle, with David Redl, the head of the US National Telecommunications and Information Administration, noting that “the US government expects this information to continue to be made easily available through the WHOIS service.”
Some argue the change is unlikely to have as large an impact as it might initially seem. Many registrars have long offered the ability to keep details private when buying a domain, instead registering the site in their own name, which limits the ability of researchers to catch canny criminals. And law enforcement already has a wider array of tools than private security researchers, such as demanding the registration details direct from the registrars themselves.
But the information published by WHOIS can be useful to more people than just the professionals, Samani says. “A friend of mine was buying a camera over Christmas, and what they did is they looked at the WHOIS information for this website and actually the website had only been registered for a couple of weeks. And it was clearly fake information that had been put in: it was registered under something like ‘Mickey Mouse’, something equally obvious.”
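The triage Samani describes above (a very recent registration, an obviously fake registrant, and registrant details reused across several domains) can be automated over WHOIS records. The script below is an added example, not code from the article or from McAfee; the WHOIS records, domain names, placeholder-name watch-list and fixed reference date are all constructed assumptions.

```python
from datetime import datetime
# Constructed sample records in the 'Key: value' layout many registries return; nothing here is real.
SAMPLE_RECORDS = {
    "cheap-cameras-deal.example": "Creation Date: 2017-12-10T08:00:00Z\n"
        "Registrant Name: Mickey Mouse\nRegistrant Email: mm@mail.example",
    "camera-outlet-sale.example": "Creation Date: 2017-12-14T08:00:00Z\n"
        "Registrant Name: M. Mouse\nRegistrant Email: mm@mail.example",
    "longstanding-shop.example": "Creation Date: 2009-03-02T00:00:00Z\n"
        "Registrant Name: Jane Example Ltd\nRegistrant Email: admin@longstanding-shop.example",
}
PLACEHOLDER_NAMES = {"mickey mouse", "john doe", "test test"}  # assumed watch-list of fake registrants
REFERENCE_DATE = datetime(2017, 12, 24)  # fixed 'now' so the results are reproducible

def parse_whois(text):
    """Turn 'Key: value' lines into a dict keyed by lower-cased field name; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def domain_age_days(fields, now):
    """Days since the Creation Date field, or None when the record lacks one."""
    created = fields.get("creation date")
    if not created:
        return None
    return (now - datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")).days

def triage(records, now=REFERENCE_DATE, young_days=30):
    """Return {domain: [reasons]} for every domain that shows at least one indicator."""
    parsed = {d: parse_whois(t) for d, t in records.items()}
    by_email = {}  # pivot: which domains share the same registrant e-mail address?
    for d, f in parsed.items():
        if f.get("registrant email"):
            by_email.setdefault(f["registrant email"], set()).add(d)
    findings = {}
    for d, f in parsed.items():
        reasons, age = [], domain_age_days(f, now)
        if age is not None and age < young_days:
            reasons.append("registered only %d days ago" % age)
        if f.get("registrant name", "").lower() in PLACEHOLDER_NAMES:
            reasons.append("placeholder registrant name")
        shared = by_email.get(f.get("registrant email"), set()) - {d}
        if shared:
            reasons.append("registrant e-mail shared with " + ", ".join(sorted(shared)))
        if reasons:
            findings[d] = reasons
    return findings
```

Calling `triage(SAMPLE_RECORDS)` flags both camera domains (young, linked by a shared e-mail, one under a placeholder name) and leaves the long-established shop untouched.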
Tim Chen, the chief executive of analytical firm Domain Tools, agrees, noting “it’s difficult to make broad statements about the interest of a ‘typical’ member of the public.
“Yes, members of the public who strongly favour their own privacy will likely look kindly on a change like this. Other members of the public want their information to be in WHOIS so that anyone navigating to their website can know who they are dealing with.
“There are more thoughtful and effective ways to meet privacy concerns than simply redacting all the contact fields.”