Crime, fraud, scams etc., they're all very bad things. They're also not going to go away anytime soon.
As a domain name registrar and hosting provider we're constantly "at risk", as we sell a lot of services that are both cost-effective and also give criminals the tools they need to attack 3rd parties.
Again, this isn't exactly news.
We've always taken a very pro-active approach to dealing with criminal activity and network abuse. If your website gets compromised, for example, you might get an email from our technical team asking you to fix it. If you don't act on our notification we might go so far as taking the website offline until you fix it.
And we like to get paid by our clients, so we've implemented our own anti-fraud checks. It makes sense. We want to get paid. We don't want people paying us with stolen credit card details.
Any and all of the things we do in order to keep our network clean and our operations running is done with the least amount of disruption to our clients.
But recently I've been losing sleep.
What's Going On?
Let me explain.
We are an ICANN accredited registrar. That means we are one of the relatively small number of companies in the world that has a contract, or "license", both with ICANN and the various domain name registries such as Verisign to provide domain names. The contract we have with ICANN is like the "bible" for how we are meant to conduct ourselves. It includes a combination of obligations and rights for both us, as a registrar and you, as a registrant (the person who registers domains).
The contract is called the Registrar Accreditation Agreement or RAA for short and we signed ours most recently in 2009. It's now under review and while some of the changes being proposed aren't going to have a negative impact on either us or you, our clients, there are several aspects of the proposals that simply do not sit right with me.
I am personally very concerned about some of the proposals being pushed by Law Enforcement and ICANN, which, if successful, would mean that we'd be forced to demand a LOT more information from our clients than we should have to. It's not reasonable and some of the requests could put us in direct conflict with Irish and EU law.
Just for the sake of transparency I'm posting the two documents outlining the proposals as PDFs further down this page and you can read more about what's being going on over here.
There's quite a bit of legal mumbo jumbo but the bottom line is that Law Enforcement want us to gather a LOT of information about you when you register a domain name.
They also want us to validate a lot of the information you provide.
Both of these concepts aren't abhorrent at some levels, but when you take them too far and make them a binding obligatory part of our contract with ICANN they result in me losing sleep. (And in case you're asking if this change is made then it'll impact ALL .com domain registrations whether you do it directly via a registrar like us or via a reseller like a lot of the smaller hosting providers etc., out there)
There's a lot of issues with both concepts, but let's take them one at a time.
Collecting data that you need to do what you're asked to do i.e. register a domain name for someone, is fine, but asking for a whole lot more data is an issue. Not only are we expected to collect it, but we're also expected to hold on to it for way longer than you'd normally retain transaction data. (Remember a domain can be registered for up to 10 years and the registrant can renew it for up to 10 years at any time. )
In several jurisdictions (including Ireland) there are limitations on the amount of non-essential data that you can collect as part of a transaction. Take a look at any UK website since the beginning of this week and you'll see what they're being forced to do when they want to collect cookies, which, in many cases, are fairly innocuous. How we can be expected to collect data about how you might use your domains is beyond me. And I don't even see that is being within the scope of ICANN's role.
You can read over the document here: LE_Rec_coll2012 (it's a PDF)
Validation & Verification
The other side of the "coin" is the entire validation/verification thing.
Now don't get me wrong. I don't have an issue with there being better data in systems. I just think that there are ways to improve data quality without making the entire domain registration process akin to pulling teeth.
Law Enforcement have provided an explanation on what they'd like to see us doing (see: LEA Validation). Some of the stuff they're asking about isn't abhorrent as a concept, but forcing us to conduct this kind of validation and verification on every single domain name registrant is going to have a detrimental impact on the entire domain name system. (And note the usage of terminology — a "registrant" might be a customer of ours, but it could be a friend, or customer of one of our clients.
Our account holders, however, are our clients and we'd have a pretty good idea if they were up to no good as we do vet them)
A couple of highlights, or low points from the document… (take your pick)
When a prospective registrant submits a registration request, the Registry will send a unique HTML link to the registrant's email of record or to the email of record of the beneficial registrant
Couple of issues with this. First off the "registry" doesn't have the registrant data or access to it if the domain in question is a .com. And asking registrars to send emails to thousands of people who've never had any direct dealings with them is going to cause more issues than it solves.
Registrar will call or SMS the phone number provided during the registration form.
So you can only register a domain name if you have a mobile phone number? And who is going to pay for all these phone calls and texts? Validating registrants for .xxx costs in the region of $7 per domain, so you'd easily see the price of a .com rise to €30 or €40, which doesn't benefit us, ICANN or anyone else. (And did I mention it won't actually stop online crime?)
But the real kicker is this bit:
No domain name will be placed into the zone file and will not resolve until the account e-mail and telephone number have been verified
Translation — unless you jump through hoops you don't get your domain name and it won't actually work until you do backflips for it.
Note how we got over 10 thousand businesses to go online over the last year (for free)? And that they went with the quickest and easiest route a .com, .eu or .biz domain name.
Putting extra barriers in the way of ordinary individuals and businesses when they want to take their business online is a bad idea.
Are The Criminals Winning?
Why vilify the majority for fear of a minority?
The Internet is one of the few areas where business is still thriving. For a lot of people and businesses taking themselves online offers them a chance of survival.
Or if you want to get into other areas of this I can sum it up with two words: digital divide.
When you get into an arena where you're demanding that people handover loads of data AND that they already have working email AND working phones AND verifiable physical addresses etc., you're immediately narrowing the field. You're stopping some people from getting online. And these are innocent bystanders. They haven't committed any crimes, but they're being treated like criminals. In fact we all are and we're being forced to play "piggy in the middle".
This is not a good move and if we're forced to sign a new agreement with ICANN which includes these kind of terms I can only see negative outcomes.
Comments, questions and general feedback welcome!
|Data Center||Policy & Regulation|
|DNS Security||Regional Registries|
|Domain Names||Registry Services|
|Intellectual Property||Top-Level Domains|
|Internet of Things||Web|
|Internet Protocol||White Space|
Afilias - Mobile & Web Services
Minds + Machines