ICANN has made it easier for registries and registrars to opt-out of Whois-related contractual provisions when they clash with local laws.
From this week, accredited domain firms will not have to show that they are being investigated by local privacy or law enforcement authorities before they can request a waiver from ICANN.
Instead, they’ll be also be able to request a waiver preemptively with a statement from said authorities to the effect that the ICANN contracts contradict local privacy laws.
In both cases, the opt-out request will trigger a community consultation — which would include the Governmental Advisory Committee — and a review by ICANN’s general counsel, before coming into effect.
The rules are mainly designed for European companies, as the EU states generally enjoy stricter privacy legislation than their North American counterparts.
European registrars and registries have so far been held to a contract that may force them to break the law, and the only way to comply with the law would be to wait for a law enforcement proceeding.
ICANN already allows registrars to request waivers from the data retention provisions of the 2013 Registrar Accreditation Agreement — which require the registrar to hold customer data for two years after the customer is no longer a customer.
Dozens of European registrars have applied for and obtained this RAA opt-out.
UK police have stated an eyebrow-raising “guilty until proven innocent” point of view when it comes to domain name registrations, in comments filed recently with ICANN.
In a Governmental Advisory Committee submission (pdf) to a review of the Whois accuracy rules in the Registrar Accreditation Agreement, unspecified “UK law enforcement” wrote:
Internet governance efforts by Industry, most notably the ICANN 2013 RAA agreement have seen a paradigm shift in Industry in the way a domain name is viewed as “suspicious” before being validated as “good” within the 15 day period of review.
UK law enforcement’s view is that a 45 day period would revert Industry back to a culture of viewing domains “good” until they are proven “bad” therefore allowing crime to propagate and increase harm online.
The GAC submission was made August 13 to a public comment period that closed July 3.
The Whois Accuracy Program Specification Review had proposed a number of measures to bring more clarity to registrars under the 2013 RAA.
One such measure, proposed by the registrars, was to change the rules so that registrars have an extra 30 days — 45 instead of 15 — to validate registrants’ contact information before suspending the domain.
That’s what the UK cops — and the GAC as a whole — don’t like.
They have a point, of course. Criminals often register domains with bogus contact information with the expectation that the domains will not have a long shelf life. Fifteen days is actually quite generous if you want to stop phishing attacks, say.
The Anti-Phishing Working Group says phishing attacks have an average up-time of 29 hours.
Clearly, ICANN’s Whois accuracy program is doing little to prevent phishing as it is; a switch to 45 days would presumably have little impact.
But the number of domains suspended for lack of accuracy at any given time is estimated to be in the hundreds of thousands, and registrars say it’s mostly innocent registrants who are affected.
Verisign said this March that .com domains “on hold” grew from roughly 394,000 names at the end of 2013 to about 870,000 at the end of 2014.
In June 2014, registrars claimed that over 800,000 domains had been suspended for want of Whois accuracy in the first six months the policy was in place.
“Tens of thousands” of web sites are going dark due to ICANN’s new email verification requirements and registrars are demanding to know how this sacrifice is helping solve crimes.
These claims and demands were made in meetings between registrars and ICANN’s board and management at the ICANN 49 meeting in Singapore last week.
Go Daddy director of policy planning James Bladel and Tucows CEO Elliot Noss questioned the benefit of the 2013 Registrar Accreditation Agreement during a Tuesday session.
The 2013 RAA requires registrars to verify that registrants’ email addresses are accurate. If registrants do not respond to verification emails within 15 days, their domains are turned off.
There have been many news stories and blog posts recounting how legitimate webmasters found their sites gone dark due to an overlooked verification email.
Just looking at my Twitter stream for an “icann” search, I see several complaints about the process every week, made by registrants whose web sites and email accounts have disappeared.
Noss told the ICANN board that the requirement has created a “demonstrable burden” for registrants.
“If you cared to hear operationally you would hear about tens and hundreds of thousands of terrible stories that are happening to legitimate businesses and individuals,” he said.
Noss told DI today that Tucows is currently compiling some statistics to illustrate the scale of the problem, but it’s not yet clear what the company plans to do with the data.
At the Singapore meeting, he asked ICANN to go to the law enforcement agencies that demanded Whois verification in the first place to ask for data showing that the new rules are also doing some good.
“What crime has been forestalled?” he said. “What issues around fraud? We heard about pedophilia regularly from law enforcement. What has any of this done to create benefits in that direction?”
Registrars have a renewed concern about this now because there are moves afoot in other fora, such as the group working on new rules for privacy and proxy services, for even greater Whois verification.
Bladel pointed to an exchange at the ICANN meeting in Durban last July, during which ICANN CEO Fadi Chehade suggested that ICANN would not entertain requests for more Whois verification until law enforcement had demonstrated that the 2013 RAA requirements had had benefits.
The exact Chehade line, from the Durban public forum transcript, was:
law enforcement, before they ask for more, we put them on notice that they need to tell us what was the impact of what we did for them already, which had costs on the implementers.
Quoted back to himself, in Singapore Chehade told Bladel: “It will be done by London.”
Speaking at greater length, director Mike Silber said:
What I cannot do is force law enforcement to give us anything. But I think what we can do is press the point home with law enforcement that if they want more, and if they want greater compliance and if they want greater collaborations, it would be very useful to show the people going through the exercise what benefits law enforcement are receiving from it.
So will law enforcement agencies be able to come up with any hard data by London, just a few months from now?
It seems unlikely to me. The 2013 RAA requirements only came into force in January, so the impact on the overall cleanliness of the various Whois databases is likely to be slim so far.
I also wonder whether law enforcement agencies track the accuracy of Whois in any meaningfully quantitative way. Anecdotes and color may not cut the mustard.
But it does seem likely that the registrars are going to have data to back up their side of the argument — customer service logs, verification email response rates and so forth — by London.
They want the 2013 RAA Whois verification rules rethought and removed from the contract and the ICANN board so far seems fairly responsive to their concerns.
Law enforcement may be about to find itself on the back foot in this long-running debate.
ICANN recently helped break up a Russian child pornography ring.
That’s according to a remarkable anecdote from CEO Fadi Chehade, speaking during a session at the Internet Governance Forum in Bali, Indonesia today.
The “investigative effort” took “months” and seems to have entailed ICANN staff sifting through company records and liaising with law enforcement and domain name companies on three continents.
Here’s the anecdote in full:
We participated in a global effort to break down a child pornography ring.
You think: what is ICANN doing with a child pornography ring? Well, simple answer: where does child pornography get put up? On a web site. Where’s that web site hosted? Well, probably at some hosting company that was given the web site name by a registrar that is hopefully a registrar or reseller in the ICANN network.
We have a public responsibility to help with that.
We have some of the smartest people in the world in that space.
It took us months to nail the child pornography ring.
It took us through LA to Panama. We had to work with the attorney general of Panama to find the roots of that company. One of our team members who speaks Spanish went into public company records until he found, connected — these are investigative efforts that we do with law enforcement — then we brought in the registrars, the registries… and it turned out that this ring was actually in Russia and then we had to involve the Russian authorities.
ICANN does all of this work quietly, in the background, for the public interest.
At first I wasn’t sure what to make of this. On the one hand: this obviously excellent news for abused kids and ICANN should be congratulated for whatever role it took in bringing the perpetrators to justice.
On the other hand: is it really ICANN’s job to take a leading role in covert criminal investigations? Why are ICANN staffers needed to trawl through Panamanian company records? Isn’t this what the police are for?
ICANN is, after all, a technical coordination body that repeatedly professes to not want to involve itself in “content” issues.
Session moderator Bertrand de La Chappelle, currently serving out his last month on the ICANN board of directors, addressed this apparent disconnect directly, asking Chehade to clarify that ICANN is not trying to expand its role.
In response, Chehade seemed to characterize ICANN as something of an ad hoc coordinator in these kinds of circumstances:
There are many topics that there is no home for them to be addressed, so ICANN gets the pressure. People come to us and say: “Well you solve this, aren’t you running the internet?”
We are not running the internet. We do names and numbers. We’re a technical community, that’s what we do.
But the pressure is mounting on us. So it’s part of our goal to address the larger issues that we’re not part of, is to frankly keep us focused on our remit. In fact, ICANN should become smaller, not bigger. It should focus on what it does. The only area we should get bigger in is involving more people so we can truly say we’re legitimate and inclusive.
The bigger issues and the other issues of content and how the internet is used and who does what, we should be very much in the background. If there is a legal issue, if we are approached legally by an edict of a court or… if it’s a process we have to respond to it.
We don’t want to be instigating or participating or leading… we don’t, we really don’t.
A desire to make ICANN smaller doesn’t seem to tally with the rapid expansion of its global footprint of hubs and branch offices and the planned doubling of its staff count.
Indeed, the very next person to speak on today’s panel was Chehade’s senior advisor and head of communications Sally Costerton, who talked about her team doubling in size this year.
I don’t personally subscribe to the idea that ICANN should be shrinking — too much is being asked of it, even if it does stick to its original remit — but I’m also not convinced that it’s the right place to be be carrying out criminal investigations. That’s what the cops are for.
Law enforcement agencies are not happy with the proposed 2013 Registrar Accreditation Agreement, saying it doesn’t go far enough to help them catch online bad guys.
Europol and the FBI told ICANN’s Governmental Advisory Committee yesterday that people need to have their full identities verified before they’re allowed to register domain names.
They added that new gTLDs shouldn’t be allowed to launch until a tougher RAA is agreed to and signed by registrars.
The draft 2013 RAA would force registrars to validate their customers’ email addresses or phone numbers after selling them a domain, but law enforcement thinks this is not enough.
“We need a bit more in this area,” Troels Oerting, head of Europol’s European Cybercrime Centre, told the GAC during a Sunday session. “We need a bit more to be verified in addition to the phone or email.”
“It’s very, very important that we are able to identify perpetrators able, to identify the originators, and it’s not enough that you just put in the email or phone,” he said.
He added that there should also be re-verification procedures and ongoing compliance monitoring from ICANN, and said that only registrars signing the 2013 RAA should be allowed to sell new gTLD domains.
Europol has sent a letter to ICANN (not yet published, it seems) outlining four areas it wants to see the RAA “improved”, Oerting said.
Given that many GAC members, including the US, seem to support this position, it’s yet another threat to ICANN’s new gTLD launch timetable, not to mention privacy and anonymous speech in general.
The law enforcement recommendations are not new, of course. They’ve been in play and GAC-endorsed for many years, but were watered down during ICANN’s RAA talks with registrars.