Verisign just released an overview of their proposed “Anti-Abuse Domain Use Policy” Under ICANN’s Registry Services Evaluation Process. The program’s chief aim is to provide a takedown mechanism of malicious websites distributing malware. In itself, not a bad thing, considering some registrars are unresponsive toward abuse or network stability issues.
However, lumped in with the conditions under which Verisign can invoke their takedown capabilities are some troubling “add ons”, as quoted below:
“The new anti-abuse policy, would be implemented though a change to the .com. ,net and .name Registry Registrar Agreements and would allow the denial, cancellation or transfer of any registration or transaction or the placement of any domain name on registry lock, hold or similar status as necessary:
(a) to protect the integrity, security and stability of the DNS;
(b) to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process;
(c) to avoid any liability, civil or criminal, on the part of Verisign, as well as its affiliates, subsidiaries, officers, directors, and employees;
(d) per the terms of the registration agreement,
(e) to respond to or protect against any form of malware (defined to include, without limitation, malicious code or software that might affect the operation of the Internet),
(f) to comply with specifications adopted by any industry group generally recognized as authoritative with respect to the Internet (e.g., RFCs),
(g) to correct mistakes made by Verisign or any Registrar in connection with a domain name registration, or
(h) for the non-payment of fees to Verisign. Verisign also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute;
The main problem here is Section (b), which let’s Verisign takedown any domain that is inimical toward a government “requirement” or at the “request” of a law enforcement or other governmental or quasi-governmental agency.
What does this mean?
It means domains can be taken down without judicial process and in the absence of any overt network abuse. I refer anybody who thinks the possibility of abuse of this policy is remote to the actions of Senate Committee on Homeland Security and Governmental Affairs Chairman Joe Lieberman, last December regarding Wikileaks – an entity which has still never been charged with any offence in any jurisdiction and which continues to operate in a perfectly legal manner. (Lieberman called on “any company or organization that is hosting Wikileaks to immediately terminate its relationship with them.” – Which sounds like a “request” to me.)
What Wikileaks did was expose bad actions of the various governments themselves, some of those – illegal. It can be assumed that governments that are acting against the interests of their constituents or committing actual crimes have a “requirement” that everybody shuts up about it. Thus any whistleblower, journalist or egregious truth-teller using a domain under .com or .net to bringing light on issues such as these could find themselves with their domain unplugged under this policy.
In the case of Wikileaks, Lieberman’s staff telephoned various web services providers and demanded that they sever ties and cease providing services. Next time all they would have to do is call Verisign and tell them that the government “requires” them to takedown their domain. (Of course, Wikileaks is under .org, not .com or .net, but next time it may not be Wikileaks. Maybe it’ll be Zerohedge. Maybe it’ll be easyDNS. Maybe it’ll be you.)
Under the proposed rules, it’s not just the government that could initiate takedowns but even “quasi” governmental agencies. What’s a quasi-governmental agency? It’s a government created entity that undertakes commercial activities on behalf of the government. That would mean entities like Fannie Mae and Freddie Mac or the Federal Crop Insurance Corporation could takedown any .com or .net domain based on having a “requirement” or making a “request” to do so.
Section (c) is also troublesome: providing that Verisign can takedown any domain to avoid liability to themselves. So if other avenues of removing a troublesome domain fail, you could just simply sue, or threaten to sue Versign and they can unplug the underlying domain.
Last year the US Department of Homeland Security (Immigration and Customs Enforcement) began a series of domain takedowns intended to enforce copyright violations. In one case they seized a third-level domain provider (mooo.com) which resulted in the takedown of over 84,000 unrelated and innocent websites.
Since the ICE takedowns were arbitrary and widening in scope, there became a perceived benefit to using non-US based Registrars for domain registration, as the takedowns were being implemented via court orders to those US-based registrars.
If this policy goes into effect, there are no safer jurisdictions for any .com or .net domain anywhere in the world. They all come under US government, quasi-governmental and law enforcement agency “requirements”.
The Verisign proposal concedes that:
“ Registrants may be concerned about an improper takedown of a legitimate website. Verisign will be offering a protest procedure to support restoring a domain name to the zone. “
Which is not very comforting. What is the “protest procedure” and how long will it take? Will a contested takedown put the domain in an online or offline state while the procedure is implemented, and how long does that take?
If this is to move forward, our recommendations are as follows:
- Section b should be stricken, and the current model that government inspired domain takedowns be requested via the Registrar of record be retained.
- In cases of court-ordered takedowns, Verisign should only intercede in the case of a non-responsive Registrar and again, under a court order.
- Section c should be stricken. Verisign already insulates itself from liability in its Agreements with Registrars and under the various Registrant Agreements already in place. This should not be a back-door method into taking down a domain.
- If a Registrar feels a false-positive takedown has occurred, there needs to be a mechanism to bring the domain back online immediately pending the outcome of a challenge or disputed takedown.
Editorial Add-on by Frank Michlick
I completely agree with the comments by Mark, but I’d like to one step further and comment on the plan to pro-actively scan the domain registration base for malware sites as highlighted in the Domain Name Wire article on the same topic. While I am not a lawyer, I think it is very dangerous grounds for a registry operator to start actively monitoring registered domain names for their content and its compliance with laws. Once a registry does this as a pro-active service, it could imply that the registry becomes liable for sites that it misses in its scans, since it should be aware of the content of the sites for the domains registered through them. I think that a registry should act as a technology provider and facilitator the registry should not be active in developing the policy that decides what is illegal and what isn’t.
(c) 2011 DomainNameNews.com (1)
Tap into the most comprehensive Whois database
on the planet: Discover the details of a domain’s current ownership,
learn a domain’s pedigree and find all the domains ever owned by a
specific company or individual by accessing historical information from DomainTools.com.
We’d like to welcome Mark Jeftovic as a guest author. In the domaining world he’s known for stirring up some controversy in the past. Mark lives in Toronto, Canada with his wife and daughter, he’s the founder and president of easyDNS.com – the DNS hosting provider & domain name registrar, a libertarian and former Director to the Canadian Internet Registration Authority (CIRA).
When one looks at the track record of introducing new Top Level Domains it is perplexing to see where all the enthusiasm around unlimited new TLDs comes from. So far every attempt to roll one out owes it’s sustenance to purely defensive registrations (.biz, .info) or else it’s degraded into an utter fracas (.jobs) or just plain flopped (.pro)
The latest TLD that isn’t a country code tarting itself up as a pseudo-generic is probably a good indicator of what to expect going forward: .xxx – reviled by the industry it extorts , err, purports to serve and first new TLD that we are seriously considering making a conscious decision not to “grab our name before somebody else does!”. I’m certain it won’t be the last. I believe one of the first things we will see as all this unfolds is a buyers strike in defensive regs. Once that happens everything will go sideways.
So despite the near frenzied hype around these things, I have already gone on record to predict failure for the vast majority of them.
The forthcoming onslaught of TLDs can be divided into roughly three categories:
1. Generics: these are where “the next .com”‘ TLDs will position themselves. Most will fail because there will be a buyers strike in defensive registrations and the speculators will get crushed. None of them will ever become “bigger than .com”, and I’ll be surprised if one ever catches up with .net.
2. Specifics: these are TLDs which exist for a reason (which I’ve been calling for), but that reason is just a thin premise based on naming. .jobs is a great example of this, because quite frankly, the premise was dumb. That companies would go out and register the .jobs version of their names to post job openings, as opposed to just adding /jobs onto their URL was weak from the outset. There are a lot of these in the pipe: .music, .eco, .money whatever – the ostensible reason for the existence of the TLD is to be the apex of some category vertical. What
I’ve found over the years in this business is that people tend to not order themselves into the categories you set up for them. Once again, the only thing that will hold these TLDs up are defensive registrations and speculators (who will get crushed).
3. Brands: this is where some entity with deep pockets sets its own TLD up to prove that “they’re serious” about their brand. So if Paul McCartney created .beatles and the only 4 domains under it were john, paul, george and ringo, it would be an example of a brand TLD. It would also provide zero value to the brand and probably even fail as call-to-action URLs as people habitually keep adding “.com” onto the end of everything when they type it into a browser location bar.
Still, we cannot stand in the way of .progress, this evolution is inevitable, and I think necessary. This is who I think the big winners and bigger losers will be…because as per usual, the consensus projections for where this is all going are the outcomes that are likely precluded from occurring.
See the losers and winners of the new TLDs after the jump.
Let’s start with THE LOSERS
Business Owners: people who run businesses on the web, or businesses with a web presence will be expected to pony up for non-refundable sunrise claims and landrush pre-orders, at jacked up prices and inflated
minimum terms, all to defend their names. This may work when it happens once a year or so, but anybody who expects to keep working when brand owners get hit with this 10, 20 or 100 times a year better rethink that
calculus. Because I don’t think it will. What is more likely to happen is they decide to just start suing the squatters as they surface, and it will probably culminate in some legal action against the registries themselves, possibly in the form of class actions.
Brand Owners: This hoopla around .brand is stupid. You probably don’t give a crap about your breakfast cereal’s twitter feed. You think it needs it’s own TLD? There are very few brands that make any sense as a
TLD. Something like .Mac comes to mind, but they are an exception. Whatever brand you own, probably isn’t. Don’t waste your money.
Investors: As I’ve posited, most new TLDs will fail. Once the defensive-name buyers’ strike kicks in, most of the new TLDs will not even make it past that initial cashgrab phase which makes them look so lucrative. Couple that with an abysmal renewal cycle as the speculators realize that nobody wants to pony up xxx,xxx for “business.business”, and you have a recipe for epic value destruction. (Memo to VC’s: you can use this as a filter: anything you are pitched that contains a slide that says “and then we get our own TLD”, you can just move onto the
Programmers / Network Engineers / Operators: Will find their jobs become ever more vexing once it becomes impossible to encapsulate the known universe of top-level namespaces and their syntax rules in a usable
format. Think about the present-day intractable problem of trying to create a bulletproof regex for a valid email address and amp up the complexity from there. This will cause all kinds of bugs and usability issues, but hey, that’s why those guys get paid the big bucks.
But it won’t be all bad news, these losers will have their gizards eaten by…
The New TLD WINNERS:
TLD & Registry Providers: When there’s a gold rush on, the people selling picks and shovels make out like bandits. Companies that enable and provide infrastructure to Top Level Domain operators will probably
have an initial wave of success.
DNS Providers: At the end of the day, it’s all just names-to-numbers and for that you need DNS. To run a TLD you would need at least a modicum of global redundancy, preferably anycast deployed and able to withstand DOS attacks. Enter the DNS providers, because they’re the ones who have those capabilities. (Do I have to disclose that I run one at this point? I don’t expect a flood of new TLD applicants to be banging down my door to handle their rootzone DNS).
Dispute Resolution Providers: will enjoy a booming business. As the buyers strike gathers steam, companies will find it is cheaper to “take out” an offending name in an unfashionable TLD than trying to defend
their name in all of them at exorbitant sunrise rates.
Domain Litigation Lawyers: Not only will there be an endless selection of second-level squatters to sue, they can form class actions and snuff out entire registries deemed to have egregious disregard for the IP
rights of others. For them it will be a Golden Age of prosperity.
and finally, the single biggest, winningest winner of them all…..
ICANN: They run the golden goose, they collect the $185,000 per successful application, they get to keep the non-refundable portion of the application fee from all the losers and then the $25,000 in annual
fees per TLD, Nice work if you can get it.
Beyond that, everything I’ve been saying about the new TLDs hinges around this concept: that the days of “register your name under .etc, before somebody else does” are over. I expect out of the first 100 or so TLDs, maybe 1 or 2 will initially do something outside-the-box, something that will change the game and actually add value at the root level.
I don’t know what that is yet, but those are the new TLDs that will succeed, while the rest crap out. Off the top of my head, something different, like maybe .gps, where domains under .gps actually represent GPS coordinates and thus real world locations; or .rfid where domains under that root would carry meta-data about RFID tagged items such as location or status. Who knows. But it will go far beyond that “yourname.bs”.
Those new TLDs will be the signal, everything else will be noise.