Latest news of the domain name industry

Recent Posts

Cops tell Nominet to yank 16,000 domains, Nominet complies

Kevin Murphy, November 15, 2017, Domain Registries

Nominet suspended over 16,000 .uk domain names at the request of law enforcement agencies in the last year.

The registry yanked 16,632 domains in the 12 months to October 31, more than double the 8,049 it suspended in the year-earlier period.

The 2016 number was in turn more than double the 2015 number. The 2017 total is more than 16 times the number of suspended domains in 2014, the first year in which Nominet established this cozy relationship with the police.

The large majority of names — 13,616 — were suspended at the request of the Police Intellectual Property Crime Unit. Another 2,781 were taken down on the instruction of National Fraud Intelligence Bureau.

Nominet has over 12 million .uk domains under management, so 16,000 names is barely a blip on the radar overall.

But the fact that police can have domains taken down in .uk with barely any friction does not appear to be acting as a deterrent to bad actors when they choose their TLD.

The registry said that just 15 suspensions were reversed — which requires the consent of the reporting law enforcement agency — during the period. That’s basically flat on 2016.

“A suspension is reversed if the offending behavior has stopped and the enforcing agency has since confirmed that the suspension can be lifted,” the company said.

The company does not publish data on how many registrants requested a reversal and didn’t get one, nor does it publish any of the affected domains, so we have no way of knowing whether there’s any ambiguity or overreach in the types of domains the police more or less unilaterally have taken down.

It seems that the only reasons suspension requests do not result in suspensions are when domains have already been suspended or have already been transferred to an IP rights holder by court order. There were 32 of those in the last 12 months, half 2016 levels.

The separate, ludicrously onerous preemptive ban on domains that appear to encourage sexual violence resulted in just two suspensions in the last year, bringing the total new domains suspended under the rule since 2014 to just six.

Some poor bugger at Nominet had to trawl through 3,410 new registrations containing strings such as “rape” in 2017 to achieve that result, up from 2,407 last year.

ICANN loosens Whois privacy rules for registrars

Kevin Murphy, April 20, 2017, Domain Policy

ICANN has made it easier for registries and registrars to opt-out of Whois-related contractual provisions when they clash with local laws.

From this week, accredited domain firms will not have to show that they are being investigated by local privacy or law enforcement authorities before they can request a waiver from ICANN.

Instead, they’ll be also be able to request a waiver preemptively with a statement from said authorities to the effect that the ICANN contracts contradict local privacy laws.

In both cases, the opt-out request will trigger a community consultation — which would include the Governmental Advisory Committee — and a review by ICANN’s general counsel, before coming into effect.

The rules are mainly designed for European companies, as the EU states generally enjoy stricter privacy legislation than their North American counterparts.

European registrars and registries have so far been held to a contract that may force them to break the law, and the only way to comply with the law would be to wait for a law enforcement proceeding.

ICANN already allows registrars to request waivers from the data retention provisions of the 2013 Registrar Accreditation Agreement — which require the registrar to hold customer data for two years after the customer is no longer a customer.

Dozens of European registrars have applied for and obtained this RAA opt-out.

Registrants guilty until proven innocent, say UK cops

Kevin Murphy, August 19, 2015, Domain Registrars

UK police have stated an eyebrow-raising “guilty until proven innocent” point of view when it comes to domain name registrations, in comments filed recently with ICANN.

In a Governmental Advisory Committee submission (pdf) to a review of the Whois accuracy rules in the Registrar Accreditation Agreement, unspecified “UK law enforcement” wrote:

Internet governance efforts by Industry, most notably the ICANN 2013 RAA agreement have seen a paradigm shift in Industry in the way a domain name is viewed as “suspicious” before being validated as “good” within the 15 day period of review.

UK law enforcement’s view is that a 45 day period would revert Industry back to a culture of viewing domains “good” until they are proven “bad” therefore allowing crime to propagate and increase harm online.

The GAC submission was made August 13 to a public comment period that closed July 3.

The Whois Accuracy Program Specification Review had proposed a number of measures to bring more clarity to registrars under the 2013 RAA.

One such measure, proposed by the registrars, was to change the rules so that registrars have an extra 30 days — 45 instead of 15 — to validate registrants’ contact information before suspending the domain.

That’s what the UK cops — and the GAC as a whole — don’t like.

They have a point, of course. Criminals often register domains with bogus contact information with the expectation that the domains will not have a long shelf life. Fifteen days is actually quite generous if you want to stop phishing attacks, say.

The Anti-Phishing Working Group says phishing attacks have an average up-time of 29 hours.

Clearly, ICANN’s Whois accuracy program is doing little to prevent phishing as it is; a switch to 45 days would presumably have little impact.

But the number of domains suspended for lack of accuracy at any given time is estimated to be in the hundreds of thousands, and registrars say it’s mostly innocent registrants who are affected.

Verisign said this March that .com domains “on hold” grew from roughly 394,000 names at the end of 2013 to about 870,000 at the end of 2014.

In June 2014, registrars claimed that over 800,000 domains had been suspended for want of Whois accuracy in the first six months the policy was in place.

Are Whois email checks doing more harm than good?

“Tens of thousands” of web sites are going dark due to ICANN’s new email verification requirements and registrars are demanding to know how this sacrifice is helping solve crimes.

These claims and demands were made in meetings between registrars and ICANN’s board and management at the ICANN 49 meeting in Singapore last week.

Go Daddy director of policy planning James Bladel and Tucows CEO Elliot Noss questioned the benefit of the 2013 Registrar Accreditation Agreement during a Tuesday session.

The 2013 RAA requires registrars to verify that registrants’ email addresses are accurate. If registrants do not respond to verification emails within 15 days, their domains are turned off.

There have been many news stories and blog posts recounting how legitimate webmasters found their sites gone dark due to an overlooked verification email.

Just looking at my Twitter stream for an “icann” search, I see several complaints about the process every week, made by registrants whose web sites and email accounts have disappeared.

Noss told the ICANN board that the requirement has created a “demonstrable burden” for registrants.

“If you cared to hear operationally you would hear about tens and hundreds of thousands of terrible stories that are happening to legitimate businesses and individuals,” he said.

Noss told DI today that Tucows is currently compiling some statistics to illustrate the scale of the problem, but it’s not yet clear what the company plans to do with the data.

At the Singapore meeting, he asked ICANN to go to the law enforcement agencies that demanded Whois verification in the first place to ask for data showing that the new rules are also doing some good.

“What crime has been forestalled?” he said. “What issues around fraud? We heard about pedophilia regularly from law enforcement. What has any of this done to create benefits in that direction?”

Registrars have a renewed concern about this now because there are moves afoot in other fora, such as the group working on new rules for privacy and proxy services, for even greater Whois verification.

Bladel pointed to an exchange at the ICANN meeting in Durban last July, during which ICANN CEO Fadi Chehade suggested that ICANN would not entertain requests for more Whois verification until law enforcement had demonstrated that the 2013 RAA requirements had had benefits.

The exact Chehade line, from the Durban public forum transcript, was:

law enforcement, before they ask for more, we put them on notice that they need to tell us what was the impact of what we did for them already, which had costs on the implementers.

Quoted back to himself, in Singapore Chehade told Bladel: “It will be done by London.”

Speaking at greater length, director Mike Silber said:

What I cannot do is force law enforcement to give us anything. But I think what we can do is press the point home with law enforcement that if they want more, and if they want greater compliance and if they want greater collaborations, it would be very useful to show the people going through the exercise what benefits law enforcement are receiving from it.

So will law enforcement agencies be able to come up with any hard data by London, just a few months from now?

It seems unlikely to me. The 2013 RAA requirements only came into force in January, so the impact on the overall cleanliness of the various Whois databases is likely to be slim so far.

I also wonder whether law enforcement agencies track the accuracy of Whois in any meaningfully quantitative way. Anecdotes and color may not cut the mustard.

But it does seem likely that the registrars are going to have data to back up their side of the argument — customer service logs, verification email response rates and so forth — by London.

They want the 2013 RAA Whois verification rules rethought and removed from the contract and the ICANN board so far seems fairly responsive to their concerns.

Law enforcement may be about to find itself on the back foot in this long-running debate.

ICANN helps bust Russian child porn ring

Kevin Murphy, October 24, 2013, Domain Policy

ICANN recently helped break up a Russian child pornography ring.

That’s according to a remarkable anecdote from CEO Fadi Chehade, speaking during a session at the Internet Governance Forum in Bali, Indonesia today.

The “investigative effort” took “months” and seems to have entailed ICANN staff sifting through company records and liaising with law enforcement and domain name companies on three continents.

Here’s the anecdote in full:

We participated in a global effort to break down a child pornography ring.

You think: what is ICANN doing with a child pornography ring? Well, simple answer: where does child pornography get put up? On a web site. Where’s that web site hosted? Well, probably at some hosting company that was given the web site name by a registrar that is hopefully a registrar or reseller in the ICANN network.

We have a public responsibility to help with that.

We have some of the smartest people in the world in that space.

It took us months to nail the child pornography ring.

It took us through LA to Panama. We had to work with the attorney general of Panama to find the roots of that company. One of our team members who speaks Spanish went into public company records until he found, connected — these are investigative efforts that we do with law enforcement — then we brought in the registrars, the registries… and it turned out that this ring was actually in Russia and then we had to involve the Russian authorities.

ICANN does all of this work quietly, in the background, for the public interest.

Wow.

At first I wasn’t sure what to make of this. On the one hand: this obviously excellent news for abused kids and ICANN should be congratulated for whatever role it took in bringing the perpetrators to justice.

On the other hand: is it really ICANN’s job to take a leading role in covert criminal investigations? Why are ICANN staffers needed to trawl through Panamanian company records? Isn’t this what the police are for?

ICANN is, after all, a technical coordination body that repeatedly professes to not want to involve itself in “content” issues.

Session moderator Bertrand de La Chappelle, currently serving out his last month on the ICANN board of directors, addressed this apparent disconnect directly, asking Chehade to clarify that ICANN is not trying to expand its role.

In response, Chehade seemed to characterize ICANN as something of an ad hoc coordinator in these kinds of circumstances:

There are many topics that there is no home for them to be addressed, so ICANN gets the pressure. People come to us and say: “Well you solve this, aren’t you running the internet?”

We are not running the internet. We do names and numbers. We’re a technical community, that’s what we do.

But the pressure is mounting on us. So it’s part of our goal to address the larger issues that we’re not part of, is to frankly keep us focused on our remit. In fact, ICANN should become smaller, not bigger. It should focus on what it does. The only area we should get bigger in is involving more people so we can truly say we’re legitimate and inclusive.

The bigger issues and the other issues of content and how the internet is used and who does what, we should be very much in the background. If there is a legal issue, if we are approached legally by an edict of a court or… if it’s a process we have to respond to it.

We don’t want to be instigating or participating or leading… we don’t, we really don’t.

A desire to make ICANN smaller doesn’t seem to tally with the rapid expansion of its global footprint of hubs and branch offices and the planned doubling of its staff count.

Indeed, the very next person to speak on today’s panel was Chehade’s senior advisor and head of communications Sally Costerton, who talked about her team doubling in size this year.

I don’t personally subscribe to the idea that ICANN should be shrinking — too much is being asked of it, even if it does stick to its original remit — but I’m also not convinced that it’s the right place to be be carrying out criminal investigations. That’s what the cops are for.