Under a proposed Verisign initiative, all .COM/.NET domains exist at the pleasure of the United States government.
Verisign just released an overview of their proposed “Anti-Abuse Domain Use Policy” Under ICANN’s Registry Services Evaluation Process. The program’s chief aim is to provide a takedown mechanism of malicious websites distributing malware. In itself, not a bad thing, considering some registrars are unresponsive toward abuse or network stability issues.
However, lumped in with the conditions under which Verisign can invoke their takedown capabilities are some troubling “add ons”, as quoted below:
“The new anti-abuse policy, would be implemented though a change to the .com. ,net and .name Registry Registrar Agreements and would allow the denial, cancellation or transfer of any registration or transaction or the placement of any domain name on registry lock, hold or similar status as necessary:
(a) to protect the integrity, security and stability of the DNS;
(b) to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process;
(c) to avoid any liability, civil or criminal, on the part of Verisign, as well as its affiliates, subsidiaries, officers, directors, and employees;
(d) per the terms of the registration agreement,
(e) to respond to or protect against any form of malware (defined to include, without limitation, malicious code or software that might affect the operation of the Internet),
(f) to comply with specifications adopted by any industry group generally recognized as authoritative with respect to the Internet (e.g., RFCs),
(g) to correct mistakes made by Verisign or any Registrar in connection with a domain name registration, or
(h) for the non-payment of fees to Verisign. Verisign also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute;
The main problem here is Section (b), which let’s Verisign takedown any domain that is inimical toward a government “requirement” or at the “request” of a law enforcement or other governmental or quasi-governmental agency.
What does this mean?
It means domains can be taken down without judicial process and in the absence of any overt network abuse. I refer anybody who thinks the possibility of abuse of this policy is remote to the actions of Senate Committee on Homeland Security and Governmental Affairs Chairman Joe Lieberman, last December regarding Wikileaks – an entity which has still never been charged with any offence in any jurisdiction and which continues to operate in a perfectly legal manner. (Lieberman called on “any company or organization that is hosting Wikileaks to immediately terminate its relationship with them.” – Which sounds like a “request” to me.)
What Wikileaks did was expose bad actions of the various governments themselves, some of those – illegal. It can be assumed that governments that are acting against the interests of their constituents or committing actual crimes have a “requirement” that everybody shuts up about it. Thus any whistleblower, journalist or egregious truth-teller using a domain under .com or .net to bringing light on issues such as these could find themselves with their domain unplugged under this policy.
In the case of Wikileaks, Lieberman’s staff telephoned various web services providers and demanded that they sever ties and cease providing services. Next time all they would have to do is call Verisign and tell them that the government “requires” them to takedown their domain. (Of course, Wikileaks is under .org, not .com or .net, but next time it may not be Wikileaks. Maybe it’ll be Zerohedge. Maybe it’ll be easyDNS. Maybe it’ll be you.)
Under the proposed rules, it’s not just the government that could initiate takedowns but even “quasi” governmental agencies. What’s a quasi-governmental agency? It’s a government created entity that undertakes commercial activities on behalf of the government. That would mean entities like Fannie Mae and Freddie Mac or the Federal Crop Insurance Corporation could takedown any .com or .net domain based on having a “requirement” or making a “request” to do so.
Section (c) is also troublesome: providing that Verisign can takedown any domain to avoid liability to themselves. So if other avenues of removing a troublesome domain fail, you could just simply sue, or threaten to sue Versign and they can unplug the underlying domain.
Last year the US Department of Homeland Security (Immigration and Customs Enforcement) began a series of domain takedowns intended to enforce copyright violations. In one case they seized a third-level domain provider (mooo.com) which resulted in the takedown of over 84,000 unrelated and innocent websites.
Since the ICE takedowns were arbitrary and widening in scope, there became a perceived benefit to using non-US based Registrars for domain registration, as the takedowns were being implemented via court orders to those US-based registrars.
If this policy goes into effect, there are no safer jurisdictions for any .com or .net domain anywhere in the world. They all come under US government, quasi-governmental and law enforcement agency “requirements”.
The Verisign proposal concedes that:
“ Registrants may be concerned about an improper takedown of a legitimate website. Verisign will be offering a protest procedure to support restoring a domain name to the zone. “
Which is not very comforting. What is the “protest procedure” and how long will it take? Will a contested takedown put the domain in an online or offline state while the procedure is implemented, and how long does that take?
If this is to move forward, our recommendations are as follows:
- Section b should be stricken, and the current model that government inspired domain takedowns be requested via the Registrar of record be retained.
- In cases of court-ordered takedowns, Verisign should only intercede in the case of a non-responsive Registrar and again, under a court order.
- Section c should be stricken. Verisign already insulates itself from liability in its Agreements with Registrars and under the various Registrant Agreements already in place. This should not be a back-door method into taking down a domain.
- If a Registrar feels a false-positive takedown has occurred, there needs to be a mechanism to bring the domain back online immediately pending the outcome of a challenge or disputed takedown.
- First They Came For the FileSharing Domains
- easyDNS Comments on Anti-Abuse Domain Use Policy on ICANN’s registryservice archives
George Kirikos says
Well said, Mark. I hope you will submit comments to ICANN (via email@example.com). Archives of comments are at:
(I’ve already submitted three comments) Read their definition of “malware”, and it’s a joke. Not only does it include “web bugs” (used by many sites for monitoring), but it includes “other abusive behavior”, leaving things open to their own interpretation. Even cookies might be considered “malware” by their definition.
If Verisign wanted to reduce abuse, they could require verified WHOIS (i.e. a PIN activation code sent by snail mail to registrants, before a domain name can resolve in the DNS). That would drastically cut down on “throwaway” domain names registered maliciously, and would be relatively inexpensive for legitimate registrants (e.g. if I own 500 domains, I’d only need 1 PIN code to be sent to validate my address).
Alternatively, allow legitimate registrants to whitelist themselves (via address verification or a similar scheme), so that they can “opt-out” of this takedown mechanism (except for a valid court decision, of course, in a valid jurisdiction).
We’ve not even talked about valid jurisdictions yet. Will VeriSign shut down a domain name owned by an American (or Canadian), hosted in the UK, based on a police complaint from China or Iran?
ICANN needs to open up a widely publicized comment period, where domain name registrants can contemplate these important issues.
David Ulevitch says
It has now been withdrawn: http://www.icann.org/en/registries/rsep/#2011008
Good to hear it has been withdrawn.
Doesn’t mean this initiatives won’t come back in the future of course 😉