GDPR should not be a license for “Masked Cyber Stone Pelters” to disturb global peace

The recent fight between ICANN with the German judiciary on what is the “legitimate interest” in ICANN collecting and making available to public the domain name registration details is an indication of the war that is going on between EU and US for economic supremacy on the global platform. EU wants to snatch away the advantage that US enjoys as a global IT player.  In this war, EU is trying to use GDPR as an instrument to make US business bow before the EU authorities. In this fight, the EU Administrators and Courts will stand with the interpretation of GDPR which favours EU. This bias is visible in the case of ICANN issue.

We must understand that ICANN already has a contract under which the registrars have obtained the license and running the commercial activity. Now GDPR is being interpreted as a superimposing law that invalidates the earlier contract. If GDPR has to be brought into domain name contracts, then the existing contracts will have to be revised or ICANN should cancel the registrar licenses of all those who fail to adhere to the contractual terms.

Already Domain Name registrations are often done under unverified e-mail addresses and are used for committing many crimes including phishing and fake news distribution. There is an urgent need to build a trust worthy internet and prevent the misuse of the liberties that enable easy registration of domain named under fake e-mail addresses or e-mails registered with service providers who are dark web constituents untouchable by the international law. Now GDPR is giving legitimacy to such dark web activities and reducing the law enforcement powers of global authorities.

If a EU Citizen books a domain name and hosts a website which is delivering content to people outside EU, then it is an activity outside the EU law making jurisdiction. There is no reason that the world should accept an anonymous registration of a website from a EU registrar. 

The objective of GDPR is protecting the Privacy Right of an EU Citizen. It cannot be an instrument of launching a Cyber War on non EU Citizens through the websites registered by EU registrars. If EU wants to have a system of domain name registrations allowing secrecy of the registrant, they are welcome to create a closed Internet system in which no information goes out of EU borders.  It can be a dark web within the current dark web which non EU countries should be able to block off.

The provision of registrant details and its preservation by registrars is an essential aspect of Cyber Security and EU authorities have displayed a blind faith in Privacy and ignored the adverse effect of the legislation if it is interpreted as it is sought to be interpreted now.

Currently the disputing registrar in EU is taking a stand that they will not collect the admin contact and technical contact details and no registrant details are to be made available under WhoIs search because such details are not required for delivering the service.

Domain Name Registration is a Commercial Activity

Registering a domain name is not a fundamental right of a person in which the Privacy right is embedded. It is a commercial decision that a person takes so that the content of the website can be used for some benefit either directly as in an E Commerce Website or indirectly through advertisement generation or brand building.

Hence when an individual books a domain name there is no fundamental right of privacy under which the domain name registrant should be allowed to hide himself and use the services. If this argument is extended, no Government should collect details of promoters and directors of a company because the personal details of the promoters and directors gets recorded and made available to a number of reasons to a number of authorities.

Hence the decision of the German Court was incorrect and there is no reason why GDPR should impinge on activities such as IP address displays on E Mails and WhoIs data in case of domain names.

In fact providing the contact details and ownership particulars of a website is a necessary disclosure under law in India. Hiding the IP address of the sender of an e-mail by email service providers such as Google is an open assistance to criminal activities. Present remedies such as contacting a relationship manager by Police through a notice is causing delay in investigations and impeding Cyber Crime prevention.

The demand of GDPR on the ICANN activities is a symptom of a larger malaise where criminals who want to hide are taking over the current transparent systems of administration and in the long run will seriously damage the law enforcement. As a result Cyber Crimes will increase, Cyber Terrorists will use EU as their base to launch attacks on the world.

Hence we should oppose the move of the German Court and demand from ICANN that all domain name registrations from EU registrars should be immediately transferred to other registrars for which a new “Domain Name Transfer Auction” can be arranged by ICANN to redistribute the domain names presently under the control of EU registrars to other registrars.

The EU registrars may exit from the business and develop an internal EU only internet system where they can introduce anonymous domain name registrations similar to the numbered Swiss Bank system. Just as the Swiss authorities benefited from the global black money, now EU can benefit from the darkweb activities which can effectively run as EU-Internet.

If we donot take a firm stand on this, gradually EU registrars may take over the business from the registrars from the rest of the world since there is a majority community who would like to hide and throw stones at others. If these masked stone pelters keep working along with the genuine domain name registrants, then there will be no value for honest web operators.

Remedy in India

While there is an economic fight going on between US and EU which is using GDPR as a weapon, India is being caught in the cross fire since a good part of Indian IT business provides services to US companies who in turn provide services to EU. Indian companies also have a part of their business with EU directly. Under both categories, GDPR is trying to impose itself as if it is the law applicable in India.

There is also the impending Indian Data Protection Act (IDPA) and the pressure of the Aadhaar related demands on Privacy protection which is clouding the judgement of many experts.

Media as usual does not understand the real issues and is only interested in TRP based reporting.

If therefore IDPA becomes a replica of GDPR like what UK has shamelessly done in drafting UK DPA, there will be many in the media patting Justice Srikrishna and his team to say “Wow, India is as great as EU in drafting Privacy law” .

But the law makers should put the interest of the country ahead of the temporary headlines in news papers that may praise them while drafting the Indian DPA.

Some time back there was discussion in India that websites have to be registered with the Government. Now to move into the GDPR suggested regime of “Anonymously registered domain names” is a step which would be a significant departure from the earlier thinking.

The Ministry of Home Affairs, in the Central Government is responsible for maintenance of Law and Order in the country along with the State Governments. It is clear that Cyber Crimes is a matter of increasing concern to the MHO not only because there is an increasing digital push to the commercial activities but also because the mis-application of certain laws such as privacy laws.

I urge the MHO to be aggressive and take up with the Justice Srikrishna Committee that under no circumstance, Cyber Security should be compromised in drafting the Privacy Law. The Supreme Court should also take a stand in the interest of the security of the county rather than a misplaced importance on anonymous Cyber transactions for protecting Privacy.

I am sure there are enough experts in India who are so committed to Privacy that they would not mind “Masked cyber stone pelters” being protected  in the garb of human rights while those who get hit are not considered to having any human rights. They would all hail GDPR and push Indian authorities to adopt a “Cyber Criminal Friendly Indian Data Protection Act”.

But I fondly hope that Justice Srikrishna would resist such pressure and suggest a law that is fair on honest people and donot err on the unsafe side.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.