Home / Blogs

Of Canaries and Coal Mines: Verisign's Proposal and Sudden Withdrawal of Domain Anti-Abuse Policy

Milton Mueller

Too many techies still don't understand the concept of due process, and opportunistic law enforcement agencies, who tend to view due process constraints as an inconvenience, are very happy to take advantage of that.

That's the lesson to draw from Verisign's proposal and sudden withdrawal of a new "domain name anti-abuse policy" yesterday. The proposal, which seems to have been intended as a new service to registrars, would have allowed Verisign to perform malware scans on all .com, .net, and .name domain names quarterly when registrars agreed to let them do it. But it appended to this potentially useful service a generic "domain name anti-abuse" policy that would also have allowed it to suspend domains for practically any reason, if asked to do so by law enforcement and possibly by copyright or trademark interests. The proposal to ICANN's Registry Services Evaluation Process (RSTEP) thus awkwardly combined a voluntary service, narrowly focused on technical detection and action against botnets, with a gigantic alteration of domain name due process. Some of the people involved in preparing this proposal literally did not understand the distinction between those two facets of the proposal. Fortunately, the proposal, which seems to have bypassed internal checks within the company, kicked up a lot of fuss; wiser heads in the company noticed and yanked it.

For civil libertarians, this incident is an important signal. ICANN's administration of the global domain name system creates a new jurisdiction, and rights and due process protections often can be reinvented in the new context. There are a variety of interests who are poised to take advantage of that opportunity and they are very actively talking to and shaping the attitudes of the people with their fingers on the keyboard that control things operationally. For many people out there, "domain name anti-abuse" means open season for abuse of domain name registrants. This isn't over.

By Milton Mueller, Professor, Georgia Institute of Technology School of Public Policy
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Thanks Milton - I do hope you agree the proposal needs to be reintroduced after changes Suresh Ramasubramanian  –  Oct 16, 2011 8:14 PM PDT

It needs to be respectful of privacy and shouldn't be used as an open hunting license. But a takedown policy does need to be implemented.

And registrars that are abused (or are set up to abuse) by registering malicious domains need to be handled appropriately, as a subsequent step

Interesting conclusion Christopher Parente  –  Oct 19, 2011 12:42 PM PDT

Interesting post. Question on this sentence:

Fortunately, the proposal, which seems to have bypassed internal checks within the company, kicked up a lot of fuss; wiser heads in the company noticed and yanked it.

Do you have knowledge of internal company discussions around this proposal? Or is this sentence your conclusion based on public VeriSign statements?

To post comments, please login or create an account.

Related

Topics

Cybercrime

Sponsored byThreat Intelligence Platform

Cybersecurity

Sponsored byVerisign

IP Addressing

Sponsored byAvenue4 LLC

Domain Names

Sponsored byVerisign

DNS Security

Sponsored byAfilias

New TLDs

Sponsored byAfilias

Whois

Sponsored byWhoisXML API