Fake stores: Federal Council wants to end anonymous domain registrations

The Chamber of Federal States is calling for mandatory identity checks for domain registrations. Registration data should be precisely stored and queried.

In the fight against fake offers on websites with DE domains, a mandatory identity check is intended to end anonymity and make attempts at fraud more difficult.

According to the Federal Council, a significant number of fake stores in Germany have a DE domain that is considered "particularly trustworthy" by consumers. In a statement on the federal government's draft bill to implement the 2nd EU Network and Information Security Directive (NIS2), the chamber of the federal states therefore calls for an "obligation to verify the identity of domain registrations and domain transfers via qualified identification procedures". VideoIdent mechanisms or the presentation of an electronic proof of identity (eID), which is contained in the ID card, among other things, should be considered for this. In any case, providers must be able to "obtain certainty about the identity of the person involved".

The "precise and complete domain name registration data" should be kept "in the database for querying authorized persons" (Whois), according to the Federal Council's submission adopted on Friday. The federal states want domain registrars and registration service providers to be obliged to make this data available to authorized enquirers such as security authorities, consumer advice centers or special service providers "in real time if possible". The German government should also advocate clear rules on the conditions under which domains "can be blocked in the event of misuse". The extent to which "automated procedures" can be used should be examined.

"The prompt and complete availability of registration data is essential for detecting and responding to incidents to combat fake stores in the event of abuse," the federal states say in explaining their initiative, referring to a general resolution passed by the Consumer Ministers' Conference. As fraudulent online stores "with the legitimate address of another company are particularly dangerous", a "comparison of the location in the imprint of the fake store with the relevant information stored in the Denic registration data", which is unobjectionable under the General Data Protection Regulation (GDPR), is essential.

In line with the NIS2 Directive, the government draft also provides for an obligation to maintain a database with "accurate and complete domain name registration data" as well as "immediate" access to it, within 72 hours at the latest. However, the Federal Council is pushing for these passages to be made much stricter.

This would further restrict the anonymous use of the internet. Forced identification would endanger website operators, as only anonymity on the internet provides effective protection against data theft, stalking, identity theft, doxing and so-called death lists, criticized former MEP Patrick Breyer when the NIS2 Directive was adopted.

Marginalized groups, whistleblowers and political activists in particular need options for anonymity. Denic, which is responsible for the DE domain, also contradicted claims that accurate and complete registration data is essential for the security, stability and resilience of the Domain Name System (DNS).

The Federal Council is campaigning for the police and constitutional protection authorities of the federal states to continue to receive "support services" from the Federal Office for Information Security (BSI), and not just administrative assistance, which is easier to reject. Particularly in view of the current security situation, events are also conceivable at local level in which the Bonn authority would have to actively support the federal state authorities.

The IT security label awarded by the BSI should also consider "data protection issues", be extended to "all consumer-related products and services with digital elements" and expanded to include an intuitive star scale. The executive should also "appropriately reflect the ever-increasing security threat to hospitals" as a result of digitalization. However, the Federal Council is not bothered by the fact that no increased cybersecurity requirements should apply to municipalities and districts.

(usz)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.