
Geeks All Trust Each Other But Not in China

Terry Zink

Brian Krebs put up a post on his blog the other day indicating that the amount of spam advertising domains ending in .cn has declined dramatically due to steps taken by the Chinese government making it more difficult to get a domain ending in .cn:

In mid-December 2009, the China Internet Network Information Center (CNNIC) announced that it was instituting steps to make it much harder to register a Web site anonymously in China, by barring individuals from registering domains ending in .cn. Under the new policy, those who want to register a new .cn domain name need to hand in written application forms, complete with a business license and an identity card.

According to data obtained from two anti-spam experts, new registrations for sites advertised in spam began migrating from .cn to .ru just a few weeks after the Chinese domain policy took effect. In early January 2010, and indeed in the months leading up to the new year, the percentage of domains advertised in spam registered in the .cn space dwarfed the number of .ru spam-related domains, according to figures gathered by the University of Alabama at Birmingham. But by mid-January, the number of .cn spam domains began to fall off dramatically, while the number of .ru spam domains increased markedly, UAB found.

A cursory glance seems to confirm that the amounts of spam from .cn and .ru have switched places. Indeed, if the CNNIC requires people to start handing in written application forms, with a business license and identity card, that is seriously going to slow down the rate at which spammers can sign up and register new domains. They can no longer automate the process of creating new domains; even if they did create some software to fill out the applications, auto-generate a new domain and then give the applications to some trained monkeys to walk down to the CNNIC office and deposit the applications (in order to save money on postage), this still wouldn't work. They would be rate-limited by the speed at which the CNNIC would be able to process all of these applications.

However, Krebs also reports the following:

Chinese authorities called the move a crackdown on phishing and pornographic Web sites, but human rights and privacy groups marked it as yet another effort by Chinese leaders to maintain tight control over their corner of the Internet.

Is this an attempt by Chinese authorities to crack down on the Internet? Or are human rights and privacy groups getting it wrong here? I would surmise that the advocacy groups don't understand the gravity of spammers' abuse of the .cn domain. On the one hand, we know that giving stuff away for free (or almost free) invites abuse from spammers because they can automate the process of signing up for new domains. They can use the throwaway domains in spam and clog up the rest of the Internet with their nonsense. And in fact, this is exactly what they have been doing, as the .cn domain has been used in piles upon piles upon piles of spam.

We also know that one of the better ways to stop spammers is not necessarily to stop them, but to disrupt them such that it makes their cost model ineffective. One of the ways of disrupting them is by requiring them to do something that requires human effort. One such technology already used today is the CAPTCHA — where you type in the clear text after deciphering what the squiggly text says. The theory behind this is that automated technologies cannot perform these requisite actions and a human wouldn't sit there one thousand times in a row filling them out. Of course, we know that today CAPTCHAs can be broken part of the time, or broken by offshore low-cost labor. Still, those are technological solutions to rate limiting abusive users.

Requiring people to sign up with a written application form is yet another form of rate limiting. However, instead of using technology to do it (which has proven to be inconsistent as evidenced by the amount of abuse from free webmail accounts), China is using human capital. Using human capital is a definite rate limit because people can only work so fast, work so long, and work so hard. You just can't push out nearly as much stuff when people have to do the work. And that's the goal behind the CNNIC's actions — technology cannot stop the spammers so they need to regress it and slow them down even more. That's it, really.

Here in the west, human rights groups' position is that China has a long history of clamping down on human rights. By requiring people to fill out application forms — presumably accurately — dissenters of the government will be unable to advance their cause. The government will screen out their applications and not allow them to exercise their rights to speech. In other words, we in the west see the Internet as the single greatest mode of exercising our rights to free speech. China does not grant those types of rights to its citizens, but the Internet is a kind of back-door point-of-entry around these restrictions. By clamping down on who gets a .cn domain, China has reasserted its control over dissenters and free speech, and advocacy groups see this as a regression on human rights in China. Whereas before dissenters could retain their anonymity and launch a new site, now they can no longer remain anonymous. And if they aren't anonymous, then Chinese officials can either deny their applications or even monitor and arrest them if they see fit. Given China's sketchy human rights record, privacy groups have a point.

It's difficult to say whose side I am on. The Internet is a big place and you don't necessarily need to register a .cn domain to get your message out. You can start a blog, use an existing .cn domain, lie on your application, register a .com.hk domain (but be subject to the Great Firewall of China), and so forth. Can China really monitor all of its Internet traffic? The Internet is a big place, and nobody can possibly control all of it. But on the other hand, China does have some pretty lax enforcement of some of the worst offenders on the Internet. They have bad registrars, bulletproof hosters and a lot of spamming sites. Making it harder to abuse the .cn TLD is a step in the right direction. Until the technology catches up to prevent automated abuse, it's going to be difficult for China to drop these measures.

The situation is complicated. If China relaxes its requirements for .cn registration, we will be subject to piles of abuse in the .cn domain. If it tightens down, we possibly have a clampdown on human rights groups. Which are we prepared to live with?

By Terry Zink, Program Manager.
