Every week brings new details of the negative externalities of social media and e-commerce websites. But fake bots aren’t the only wrongdoers trying to find anonymous hiding places online to harm Americans. With deadlier consequences than election interference, online criminal enterprises posing as pharmacies are selling adulterated or counterfeit drugs.
What connects them all — along with other online harms from harassment and cyberbullying to piracy and theft — is internet security and in particular the ability to pierce the shield of anonymity and find out basic information about who we are dealing with online.
This will be a hot topic at hearings in the Senate Commerce Committee when the Senate Intelligence Committee brings in executives from Facebook, Google and Twitter. And it is already causing havoc around the world as the entity in charge of managing the internet “domain name” system, ICANN, wrestles with the newly implemented European “GDPR” privacy regulations and law enforcements need for access to basic website data in order to bring internet criminals to justice.
ICANN has ordered changes to the “WHOIS” database that identifies the domain name owners in order to comply with the GDPR, resulting in a gross overcompliance that severely limits the ability of law enforcement and others to identify bad actors online.
The problems are severe. Anonymity fueled online pharmacies have become “notorious for selling unapproved, substandard, counterfeit and falsified medicine.” Recent reports show that more than half of online pharmacies offer controlled substances, with 40 percent of them offering one or more of the drugs frequently adulterated with fentanyl.
Unfortunately, consumers have little ability to separate legitimate operations from rogue drug mills. A seemingly authentic Oxycodone prescription might be laced with fentanyl — a drug that is highly addictive and much more potent than heroin, placing patients at a severe risk of accidental overdose. This is a crisis — a recent study by the National Association of Boards of Pharmacy found that 95.7 percent of online pharmacies were out of compliance with state and federal law and applicable safety standards.
That’s why domain registries such as “WHOIS” are vital. The database offers identity and contact information for domain owners, allowing law enforcement and other investigators to find out who is selling illegal or adulterated controlled substances and connect the dots to other illegal operations. But ICANN’s implementation of GDPR places roadblocks in the way of the WHOIS system, by limiting access to WHOIS information.
ICANN had the opportunity to interpret GDPR to sustain WHOIS and keep online privacy rules consistent with long accepted and vital limitations common in the physical world. Car owners must register motor vehicles and provide information about their true identity. This database allows officers faced with a hit and run to quickly identify the owner of any vehicle that flees an accident.
When malicious actors sell opioids online laced with fentanyl that kill unsuspecting patients, law enforcement should able be to do no less. And the same is true for purveyors of fake news, online bullies and harassers, and mass digital piracy operations.
Compliance with GDPR might well require the WHOIS database to shield some information from being provided to third parties unless and until a showing is made that the domain is being used for illegal activity. But such “tiered access” should not eliminate the public availability of email addresses or basic business information. To do so would erode law enforcement and other stakeholders’ ability to connect the dots and link up different websites run as part of large criminal enterprises. This is critical when sites are selling counterfeit drugs, child pornography or phishing to compromise computer systems.
The GDPR itself certainly does not draw these lines or require “tiered access” to business information — it plainly states that the rules exist to protect private information about “natural persons.”
Unfortunately, ICANN has taken an overbroad view of the GDPR, and neutered WHOIS by cutting off public access to this resource where the data is associated with a business, applying the rules globally rather than within the applicable GDPR jurisdiction, and not providing clear, reasonable guidelines for access to personal information that isn’t available publicly for law enforcement and other legitimate purposes.
That is why the National Association of Boards of Pharmacy is part of the Coalition for a Secure and Transparent Internet (CSTI), which includes advocates for cybersecurity and protection of American products from online theft. CSTI has joined together to urge ICANN to avoid overreacting in this way.
As Congress looks back at the election interference in 2016, one lesson is that Cambridge Analytica’s abuses of data requires better privacy protections. But another is that Russian bots, online opioid mills, hackers and child pornographers use online invisibility to do harm, and a safe internet requires users to have better information about who they are dealing with, not less.
When the Senate Commerce Committee meets to discuss online governance, it should ask questions about whether ICANN’s WHOIS reforms are furthering or thwarting these aims.