VeriSign has been talking quietly to domain name registrars about its newly revealed anti-abuse policies for several months, but some are still not happy about its plans for .com malware scans.
The company yesterday revealed a two-pronged attack on domain name abuse, designed to counteract a perception that .com is not as secure a space as it should be.
The other is an attempt to introduce automatic malware scanning into the .com, .net and .name spaces, rather like ICM Registry has said it will do with all .xxx domains.
Unlike the daily ICM/McAfee service, VeriSign’s free scans will be quarterly, but the company intends to also offer a paid-for upgrade that would search domains for malware more frequently.
On the face of it, it doesn’t seem like a bad idea.
But some registrars are worried about the fading line between registrars, which today “own” the customer relationship, and the registries, which for the most part are hidden away in the cloud.
Go Daddy director of network abuse Ben Butler, asked about both of yesterday’s VeriSign proposals, said in a statement that they have “some merit”, but sounded several notes of caution:
This is going to make all registrars responsible for remediation efforts and negative customer-service clean up. The registrar at this point becomes the “middle man,” dealing with customers whose livelihood is being negatively impacted. As mentioned in their report, the majority of sites infected with malware were not created by the “bad guys.”
While there is an appeal process mentioned, it could take some time to get issues resolved, potentially leaving a customer’s website down for an extended period.
This could also create a dangerous situation, allowing registries to gain further control over registrars’ operations – as registrars have the relationship with the registrant, the registrar should be responsible for enforcing policies and facilitating remediation.
It has also emerged that VeriSign unilaterally introduced the malware scanning service as a mandatory feature of .cc and .tv domains – which are not regulated by ICANN – earlier this year.
The changes appear to have been introduced without fanfare, but are clearly reflected in today’s .tv registration policies, which are likely to form the basis of the .com policies.
Some registrars weren’t happy about that either.
Six European registrars wrote to VeriSign last month to complain that they were “extremely displeased” with the way the scanning service was introduced. They told VeriSign:
These changes mark the beginning of a substantive shift in the roles of registries regarding the monitoring and controlling of content and may lead to an increase of responsibility and liability of registries and registrars for content hosted elsewhere. As domain name registrars, we hold the position that the responsibilities for hosted content and the registration of a domain name are substantially different, and this view has been upheld in European court decisions numerous times. In this case, Verisign is assuming an up-front responsibility that surpasses even the responsibilities of a web hoster, and therefore opens the door to added responsibilities and legal liability for any form of abuse.
In the end, the registrar community will have to face the registrant backlash and criticism, waste countless hours of support time to explain this policy to the registrants and again every time they notice downtimes or loss of performance. These changes are entirely for the benefit of Verisign, but the costs are delegated to the registrants, the registrars and the hosting service providers.
The registrars were concerned that scanning could cause hosting performance hits, but VeriSign says the quarterly scan uses a virtual browser and is roughly equivalent to a single user visit.
They were also worried that the scans, which would presumably ignore robots.txt prohibitions on spidering, would be “intrusive” enough to potentially violate European Union data privacy laws.
VeriSign now plans to give all registrars an opt-out, which could enable them to avoid this problem.
It looks like VeriSign’s plans to amend the Registry-Registrar Agreement are heading for ICANN-overseen talks, so registrars may just be digging into a negotiating position, of course.
But it’s clear that there is some unease in the industry about the blurring of the lines between registries and registrars, which is only likely to increase as new gTLDs are introduced.
In the era of new gTLDs, and the liberalization of ICANN’s vertical integration prohibitions, we’re likely to see more registries having hands-on relationships with customers.
File this one under: “Good for UDRP, terrible for internet users.”
Google has managed to lose a cybersquatting complaint over the domain name goggle.com, after a National Arbitration Forum panel declined to consider the case.
Goggle.com, like so many other typos of the world’s most-popular sites, is currently being used to get people to sign up to expensive text messaging services via bogus surveys and competitions.
As Domain Name Wire reported when the complaint was filed, up until recently the site was using a confusingly similar style to Google’s familiar look and feel.
It’s got bad faith written all over it.
But “goggle” is also a genuine English word.
And it turns out that the previous owner of goggle.com, Knowledge Associates, had entered into a “co-existence relationship” with Google that enabled it to operate the domain without fear of litigation.
The current owner was able to present NAF with documentation showing that this right may have been transferred when he bought the domain.
So the three-person NAF panel decided not to consider the complaint, concluding: “this case is foremost a business and/or contractual dispute between two companies that falls outside the scope of the Policy.”
The panel wrote:
Does the Co-existence Agreement apply to the disputed domain names? Does Respondent stand in the shoes of the original registrant? Does the consent of Complainant extend in time to the current actions of Respondent and in person to the Respondent? Has the Respondent complied with the obligations of the original registrant? Does the “no public statements” provision in the Co-existence Agreement prohibit its disclosure or use as a defense by Respondent?
These are factual and legal issues that go far beyond the scope of the Policy.
These are factual and legal issues that must be resolved before any consideration of confusing similarity, legitimate rights and interest, and bad faith under the Policy can be made.
This means that the current registrant gets to keep the domain, and to keep making cash from what in the vast majority of cases are likely to be clumsy typists.
Google now of course can either decide to pay off the registrant, or take him to court.
The registrant, David Csumrik, was represented by Zak Muscovitch.
Worm — The First Digital World War, a new book from Black Hawk Down author Mark Bowden, has a surprising cast of characters culled partially from the domain name industry.
The non-fiction hardback, released this month, covers the fight against the Conficker worm, which heavily leveraged DNS to spread when it arrived on the scene three years ago.
A glance inside at Amazon shows the dramatis personæ include then-CEO of ICANN Paul Twomey, Internet Systems Consortium chair Paul Vixie and Alice’s Registry founder Rick Wesson.
Conficker, you may recall, used algorithmically generated domain names to propagate. The coordinated effort aimed at stopping it worked in part by preemptively registering those domains.
Making a readable techno-thriller out of a bunch of geeks bickering sounds like a tough call. I’ve ordered a copy, and it will be interesting to see whether Bowden pulled it off.
In the meantime, I think some harmless speculation about the movie adaptation is called for.
For Twomey, I’m thinking Russell Crowe…
VeriSign’s request for a wide-ranging set of powers that would enable it to shut down .com and .net domain names that are suspected of abuse is already attracting criticism.
The proposals came in a Registry Services Evaluation Process request to ICANN that I reported on for The Register this morning.
It’s asking (pdf) to be able to create a new anti-abuse policy that would refocus many of the controls currently in the hands of registrars to the registry level instead.
The policy would “allow the denial, cancellation or transfer” of any VeriSign-managed domain if any of these conditions were triggered:
(a) to protect the integrity, security and stability of the DNS;
(b) to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process;
(c) to avoid any liability, civil or criminal, on the part of Verisign, as well as its affiliates, subsidiaries, officers, directors, and employees;
(d) per the terms of the registration agreement,
(e) to respond to or protect against any form of malware (defined to include, without limitation, malicious code or software that might affect the operation of the Internet),
(f) to comply with specifications adopted by any industry group generally recognized as authoritative with respect to the Internet (e.g., RFCs),
(g) to correct mistakes made by Verisign or any Registrar in connection with a domain name registration, or
(h) for the non-payment of fees to Verisign. Verisign also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute;
As you can see, that’s a pretty broad range of justifications.
Notably, it would enable a domain to be canceled or transferred at the “requests of law enforcement or other governmental or quasi-governmental agency”, which would seem to circumvent the current practice of a court order being obtained before a domain is seized.
The question of what constitutes a “quasi-governmental agency” is also interesting. Is ICANN itself such a thing?
The policy would also enable a take-down “to avoid any liability, civil or criminal”, which seems to be just begging for VeriSign to be named spuriously in commercial lawsuits between .com registrants.
The RSEP also suggests that VeriSign plans to extend its hand of friendship to law enforcement agencies from outside the US:
Pilots with European Law Enforcement, Government CERTS and Registrars are planned, and other global test pilots will follow, to ensure global collaboration in the continuing development of the procedures.
Today, US agencies can get court orders instructing VeriSign to hand over domains. While imposing US law on .com owners from other countries is controversial, at least overseas registrants know where they stand.
Now VeriSign is talking about cooperating with European law enforcement agencies too.
At the risk of getting dangerously close to invoking Godwin’s Law, this brings us back to an old jurisdictional problem – what if the French police demand the seizure of a .com site selling Nazi memorabilia, which is illegal in France but legal in the US, for example?
Taking it a step further, what if VeriSign starts entertaining takedown requests from some of the world’s least pleasant theocracies, banana republics and dictatorships?
Half of .com could disappear overnight.
Since VeriSign has a business to run, that’s obviously not going to happen. So the company is going to have to draw a line somewhere, separating criminality from legitimate behavior and free speech.
I’m speculating wildly here, of course, but the RSEP doesn’t contain nearly enough detailed information about VeriSign’s proposed procedures to make a more informed analysis.
VeriSign knows what it is proposing is controversial. The RSEP says:
Registrants may be concerned about an improper takedown of a legitimate website. Verisign will be offering a protest procedure to support restoring a domain name to the zone.
The proposals have been made following many months of discussions between registries, registrars, law enforcement agencies and other community stakeholders.
It’s not entirely clear from VeriSign’s RSEP, which sometimes confusingly conflates the abuse policy with a separate proposed malware scanning service, how a takedown notice would be processed.
One likely reading is that VeriSign would act almost like a centralized clearinghouse for takedown requests, forwarding them to individual registrars for enforcement.
The registrars could be obliged by the terms of an amended Registry-Registrar Agreement to follow whatever process had been laid down.
There seems to be some concern in the ICANN community about this.
ICANN senior VP of stakeholder relations Kurt Pritz recently sent a document to PIR’s David Maher and Oversee.net’s Mason Cole outlining the procedure for amending the RRA.
The flowchart (pdf) describes a trilateral negotiation between the registry proposing the change, the Registrars Stakeholder Group and ICANN, with the ICANN board having the ultimate decision-making authority.
However this proceeds through ICANN, it’s going to cause some heated community debate.
Advertisers are “beginning to question the effectiveness” of social media marketing, but they’re still mostly sold on the benefits of search engine optimization.
That’s according to a new study from the Association of National Advertisers, the results of which have just been published.
The ANA’s survey of 92 marketers gave SEO an “effectiveness rating” of 52%, the highest rating given to any of the six categories respondents were asked to comment on.
However, that represented a decline of three percentage points from a similar survey in 2009.
Social networking sites (presumably including Facebook, although names were not named) received an effectiveness rating of 28%, up from 17% two years ago, ANA reported.
SEO and social sites were used in marketing by 88% and 89% of respondents respectively.
ANA president Bob Liodice said in a press release:
While marketers have substantially increased their use of newer media platforms over the past few years, they are beginning to question the effectiveness of some of these vehicles. The ANA survey indicates a strong willingness by marketers to integrate innovative new approaches into their marketing mix; however, this enthusiasm is tempered by concerns regarding the return-on-investment of these emerging options.
While it’s all speculation at this point, SEO improvements are often pointed to as a potential (and I stress: potential) benefit of new dot-brand or category-killer top-level domains.
The ANA is the current opponent-in-chief of ICANN’s new gTLD program.