Back when I started working in this industry in 2001, ICANN was small, the industry was tight, and things moved slowly as interest groups negotiated a balance amongst the impacts of change. Change often meant added overhead and, at the very least, a one-time cost effort to implement on the commercial side. Registries and registrars preferred to be hands-off when it came to how their domains were being used. But e-crime became big business during the 2000s. We all became aware of the dangers posed by malware, phishing, scams, and of the billions of spam e-mails spewed by criminal-controlled botnets. The costs of the criminal use of the DNS began hitting everyone — Internet users, big and small businesses, and governments too.
Answering GAC requests, the ICANN Board has now inserted two significant new contractual requirements about domains abuse into the nTLD Registry Agreement. The first is pretty non-controversial, and most TLD applicants had already pledged to do it:
"Registry Operator will include a provision in its Registry-Registrar Agreement that requires Registrars to include in their Registration Agreements a provision prohibiting Registered Name Holders from distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law, and providing (consistent with applicable law and any related procedures) consequences for such activities including suspension of the domain name."
But the second new requirement is more substantial and difficult:
"Registry Operator will periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets. Registry Operator will maintain statistical reports on the number of security threats identified and the actions taken as a result of the periodic security checks. Registry Operator will maintain these reports for the term of the Agreement unless a shorter period is required by law or approved by ICANN, and will provide them to ICANN upon request."
ICANN calls this a "public interest commitment," and the Board committee must have seen it as an affirmation that all parties have a role in keeping the Internet a safe place, and should manage the resources they control in a responsible way. (And who can disagree with that sentiment?) But it's not an easy thing to implement. It takes specialized knowledge and data to understand when your domains are being used for no good, much less what to do about it.
If you are a current registry operator, it's about understanding the extent of the problem you have, and if you are a new operator, it's about understanding the extent of the problem you face. Then, most importantly, it's about having tools in place to manage the abuse. Unchecked abuse can (and has) operationally impaired domain registries by steady reputational poisoning, and has hurt registrars through payment fraud and complaint-handling costs.
Finally, ICANN's new analysis and reporting requirement will receive some refinement. There will be additional public discussion and policy-making to flesh it out. We at Architelos will be watching these developments closely. But it's clear that registries will be required to know what's going on in their zones, must be able to quantify and categorize it, and must be able to report what they did about it.
I've watched the domain space grow to almost ten times the size it was when I started in 2001. Growth of a successful medium is inevitable, but continued success depends on maintaining the value proposition — in this case, keeping the domain space safe for everyone's use. It's time to fight for what's valuable to us.
I think Bob Dylan put it well when he said:
Come gather 'round people
Wherever you roam
And admit that the waters
Around you have grown
And accept it that soon
You'll be drenched to the bone
If your time to you
Is worth savin'
Then you better start swimmin'
Or you'll sink like a stone
For the times they are a-changin'.
By Michael Young, Chief Technology Officer at Architelos. He built the first modern EPP Top Level Domain registry in 2001 (.info) and subsequently built and operated the backend systems for numerous gTLDs, ccTLDs, IDN enabled registries and sponsored TLDs such as .org, .mobi, .in, .me and others. Architelos provides new gTLD application guidance and registry management services for clients in the DNS and IP industry. Mr. Young can be reached directly at email@example.com.
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Minds + Machines