Verisign just released an overview of its proposed “Anti-Abuse Domain Use Policy” under ICANN’s Registry Services Evaluation Process. The program’s chief aim is to provide a takedown mechanism for websites distributing malware. In itself that is not a bad thing, considering that some registrars are unresponsive toward abuse or network stability issues.
However, lumped in with the conditions under which Verisign can invoke its takedown capabilities are some troubling “add-ons”, as quoted below:
“The new anti-abuse policy would be implemented through a change to the .com, .net and .name Registry Registrar Agreements and would allow the denial, cancellation or transfer of any registration or transaction or the placement of any domain name on registry lock, hold or similar status as necessary:
(a) to protect the integrity, security and stability of the DNS;
(b) to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process;
(c) to avoid any liability, civil or criminal, on the part of Verisign, as well as its affiliates, subsidiaries, officers, directors, and employees;
(d) per the terms of the registration agreement,
(e) to respond to or protect against any form of malware (defined to include, without limitation, malicious code or software that might affect the operation of the Internet),
(f) to comply with specifications adopted by any industry group generally recognized as authoritative with respect to the Internet (e.g., RFCs),
(g) to correct mistakes made by Verisign or any Registrar in connection with a domain name registration, or
(h) for the non-payment of fees to Verisign. Verisign also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute;
The main problem here is Section (b), which lets Verisign take down any domain that runs contrary to a government “requirement”, or at the “request” of law enforcement or any other governmental or quasi-governmental agency.
What does this mean?
It means domains can be taken down without judicial process and in the absence of any overt network abuse. Anybody who thinks the possibility of abuse of this policy is remote should recall the actions of Senate Committee on Homeland Security and Governmental Affairs Chairman Joe Lieberman last December regarding Wikileaks – an entity which has still never been charged with any offence in any jurisdiction and which continues to operate in a perfectly legal manner. (Lieberman called on “any company or organization that is hosting Wikileaks to immediately terminate its relationship with them.” – which sounds like a “request” to me.)
What Wikileaks did was expose bad actions of various governments themselves, some of them illegal. It can be assumed that governments acting against the interests of their constituents or committing actual crimes have a “requirement” that everybody shut up about it. Thus any whistleblower, journalist or egregious truth-teller using a domain under .com or .net to bring light to issues such as these could find their domain unplugged under this policy.
In the case of Wikileaks, Lieberman’s staff telephoned various web services providers and demanded that they sever ties and cease providing services. Next time all they would have to do is call Verisign and tell them that the government “requires” them to take down the domain. (Of course, Wikileaks is under .org, not .com or .net, but next time it may not be Wikileaks. Maybe it’ll be Zerohedge. Maybe it’ll be easyDNS. Maybe it’ll be you.)
Under the proposed rules, it’s not just government that could initiate takedowns but even “quasi-governmental” agencies. What’s a quasi-governmental agency? It’s a government-created entity that undertakes commercial activities on behalf of the government. That would mean entities like Fannie Mae, Freddie Mac or the Federal Crop Insurance Corporation could have any .com or .net domain taken down simply by having a “requirement” or making a “request” to do so.
Section (c) is also troublesome: it provides that Verisign can take down any domain to avoid liability to itself. So if other avenues of removing a troublesome domain fail, you could simply sue, or threaten to sue, Verisign, and they can unplug the underlying domain.
Last year the US Department of Homeland Security (Immigration and Customs Enforcement) began a series of domain takedowns intended to enforce copyright. In one case they seized a third-level domain provider (mooo.com), which resulted in the takedown of over 84,000 unrelated and innocent websites hosted under it.
Since the ICE takedowns were arbitrary and widening in scope, there came to be a perceived benefit in using non-US-based registrars for domain registration, as the takedowns were being implemented via court orders served on US-based registrars.
If this policy goes into effect, there will be no safer jurisdiction for any .com or .net domain anywhere in the world, regardless of where the registrar sits. They all come under US government, quasi-governmental and law enforcement agency “requirements”, applied at the registry.
The Verisign proposal concedes that:
“Registrants may be concerned about an improper takedown of a legitimate website. Verisign will be offering a protest procedure to support restoring a domain name to the zone.”
Which is not very comforting. What is the “protest procedure” and how long will it take? Will a contested takedown leave the domain online or offline while the procedure runs?
If this is to move forward, our recommendations are as follows:
- Section (b) should be stricken, and the current model, in which government-initiated domain takedowns are requested via the Registrar of record, should be retained.
- In cases of court-ordered takedowns, Verisign should intercede only where the Registrar of record is non-responsive, and then only under a court order.
- Section (c) should be stricken. Verisign already insulates itself from liability in its Agreements with Registrars and under the various Registrant Agreements already in place. This should not be a back-door method for taking down a domain.
- If a Registrar believes a false-positive takedown has occurred, there needs to be a mechanism to bring the domain back online immediately, pending the outcome of the challenge or disputed takedown.
Editorial Add-on by Frank Michlick
I completely agree with the comments by Mark, but I’d like to go one step further and comment on the plan to pro-actively scan the domain registration base for malware sites, as highlighted in the Domain Name Wire article on the same topic. While I am not a lawyer, I think it is very dangerous ground for a registry operator to start actively monitoring registered domain names for their content and its compliance with laws. Once a registry does this as a pro-active service, it could imply that the registry becomes liable for sites that it misses in its scans, since it should be aware of the content of the sites for the domains registered through it. I think that a registry should act as a technology provider and facilitator; the registry should not be active in developing the policy that decides what is illegal and what isn’t.