The Internet Association of Ukraine (InAU) turned to the National Bank of Ukraine (NBU) with a request to initiate a change in the mechanism for blocking phishing domains. InAU sent an open letter this week to the head of the central bank, the security department, the legal department, the risk management department, the office of the board of the National Bank and institutional relations.
Today, the NBU creates and provides the National Cyber \u200b\u200bSecurity Coordination Center (NCCC) under the National Security and Defense Council with a list of phishing domains that it hosts on its server.
After that, Internet providers configure their DNS servers in such a way that they redirect their requests to domains from the list on the landing page on the NCC server without the knowledge and consent of Internet users. It is assumed that the NCCC server collects and stores detailed information about Internet users redirected to the server. In particular, the system stores technical information containing the date and time, the IP address from which the redirect is made, the domain name or URL of the phishing page to which the redirect is made, user-agent.
Therefore, officials or employees of the NCCC collect, store, use and disseminate the specified information, which is personal information about the individual, since it discloses such details of the person's actions on the Internet, such as: which domain he intended to visit, the date and time of the visit attempt, IP address.
According to the conclusion of InAU, this violates the provisions of a number of articles of the laws “On the protection of information in information and communication systems”, “On electronic communications”, the Constitution of Ukraine. Collection, storage and dissemination of information by the NCCC is illegal, InAU is convinced.
“In the described situation, it seems that the National Bank of Ukraine is being used to give some legitimacy and decency to the above-described illegal activities. This can seriously damage the impeccable reputation of the NBU in Ukraine and throughout the civilized world,” the letter states..
In order to avoid such a situation and at the same time achieve the initial goal - blocking phishing domains, InAU suggests considering the possibility of using another mechanism.
It provides that the NBU forms and constantly updates the list of phishing domains (as it happens), provides Internet providers with access to the list. In turn, Internet providers voluntarily upload this list, while being able to send a reasoned refusal to block a particular domain to the NBU, which reduces the likelihood of erroneous blocking of non-phishing domains..
If an Internet user tries to visit one of the domains from the list, he is redirected to a landing page hosted on the servers of his provider, which solves the privacy problem, the text of the proposals says..
“We are sure that such a mechanism, built on the interaction of the National Bank of Ukraine and the Ukrainian telecommunications industry and respecting the rights of Ukrainian Internet users, will not only not damage the reputation of the NBU, but will once again prove its high level,” InAU summarized in the letter..
Earlier, the association asked parliamentarians to evaluate the draft law No. 9250 “On Amending the Law of Ukraine “On Electronic Communications” (to combat phishing) taking into account the arguments of InAU, which unites 220 enterprises in the information and communication technology industry.