
Law Enforcement Agencies Will Have Authority on Registries and Registrars

Jean Guillon

This one is for European law enforcement agencies only, and it applies no matter what the GDPR says.

Accessing Whois information and acting on a litigious domain name is becoming a nightmare for law enforcement agencies. Law enforcement agencies must have access to the information provided by registrants in the Whois database and, in specific cases, must have the authority to act FAST on a domain name. The EU has a solution for this and it is coming in 2020. Is this mechanism welcome now that the GDPR is causing problems for law enforcement agencies trying to do their job? I'd say… yes it is.

What it is

The mechanism is Regulation (EU) 2017/2394 of the European Parliament and of the Council of 12 December 2017 on cooperation between national authorities responsible for the enforcement of consumer protection laws and repealing Regulation (EC) No 2006/2004. As a regulation, it is directly applicable in all Member States.

What it says

A few things that I extracted from the regulation:

  1. Competent authorities should be able to request any relevant information from any public authority, body or agency within their Member State, or from any natural person or legal person, including, for example, payment service providers, internet service providers, telecommunication operators, domain registries and registrars, and hosting service providers, for the purpose of establishing whether an infringement covered by this Regulation has occurred or is occurring.
  2. Where no other effective means are available to bring about the cessation or the prohibition of the infringement covered by this Regulation and in order to avoid the risk of serious harm to the collective interests of consumers: where appropriate, the power to order domain registries or registrars to delete a fully qualified domain name and to allow the competent authority concerned to register it.

Coming in 2020

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. It shall apply from 17 January 2020.

The regulation is available here.

By Jean Guillon, New gTLDs "only".

Share your comments

Charles Christopher  –  Oct 26, 2018 7:44 AM PST

>>"the power to order domain registries or registrars to delete a fully qualified domain
>>name and to allow the competent authority concerned to register it."

Stunning, the slippery slope at work.

Now EU law is the law of the planet. Any country that has a different view on life and liberty is overruled by EU law enforcement taking ownership of any domain it disagrees with.

This is not caused by the EU, it is caused by the rest of us so quickly and willingly caving in to unelected bureaucrats claiming control over the rest of the world via GDPR. There will be no end to their arrogance from here.

France.com Jean Guillon  –  Oct 26, 2018 8:31 AM PST

Are you referring to France.com's lawsuit?
:-)

I think it makes sense to allow Law Enforcement Agencies to act fast in special circumstances: agencies should not be treated like an average customer who has to stand in line and take a ticket...just because it takes too long.

Charles Christopher  –  Oct 26, 2018 10:00 AM PST

I'm referring to administrative law, and Judge Dredd "I am God" philosophy.

Gaining access to whois info, or having DNS values changed, is COMPLETELY different than a deletion registration cycle. Did you notice that? The domain is not transferred to law enforcement, it's DELETED and then PREFERENTIALLY registered. That very intentionally launders accountability of this very creative administrative "transfer", moving accountability to the registry shielding the so called "Competent authority". Anybody that thinks getting a domain back when law enforcement makes a "mistake" has no clue how domains work, especially cross border. The domain is gone, and the previous registrant will NEVER get it back.

Law enforcement makes claims, judges and courts decide if the claim is valid. Here Law enforcement is now the judge too. Accountability does not exist, despite skimming the regulation and seeing claims of accountability. Yeah right, a mom and pop shop in Iowa is going to be able to bring a case in Germany and win.

But let's roll up our sleeves even more on this.

I sat in a city council meeting and listened to a councilman offer an ordinance to deny the city's residents the ability to sue the city judge over a very specific matter. There was no statement as to the lawsuit having merit or not, and from what I heard there likely were questions worth presenting and questioning about the Judge's actions. This saved the city from accountability, and the Judge from a lawsuit, at least to some degree as the cost to bring the lawsuit was now raised on those bringing it. The ordinance PASSED without question.

And there is the rub of what is going on here in many layers of this. Administrative law is now accepted as equal to civil and criminal law. A city can pass "a law" (administrative) and then tell its chief of police, who these days is often a private contractor, to enforce it. He knows where his paycheck is coming from. This eventually leads to fines and levies against property inside the city versus anybody going to jail.

But now we have this regulation, who will treat the law enforcement contractor as a "Competent authority" to make the request without any review of the claim. That is why they are called "Competent". The power of that independent contractor now goes beyond just fines and levies, this regulation allows them to DESTROY a business.

Like GDPR this will not stay in the EU, look at California which used GDPR as a blueprint for its own state law.

In particular, small business on the internet needs the assurance that the time and money it invests in building a business is protected. The fear, uncertainty and doubt that this regulation causes will have profound effects. Any small business can be accessed by someone in the EU, and law enforcement can in turn potentially take the domain and destroy that business. It will be no different than when ICE screwed up, took control of a sub domained domain name, and then zoned it to a page reporting all 84,000 web sites accusing them of hosting child porn.

Once a domain is taken, and Law Enforcement put a notification page on it to "save consumers", that business will be destroyed. There will be no recovery.

Giving law enforcement Judge Dredd powers is lunacy .... Except for the case of those seeking the growth in censorship power, in which case this makes sense.

"This Little Thing Called the Internet ... Makes It Much Harder to Govern"
- John Kerry, United States Secretary of State

Never worry John, the EU and China are working on that "problem" right now. And the rest of the world seems very pleased to embrace anything they come up with.

Todd Knarr  –  Oct 27, 2018 8:49 AM PST

We've already seen how this plays out here in the US: in the majority of cases charges are never even filed, and in the majority of cases where they are filed there isn't sufficient evidence to get a conviction. I stand by a position I've held for decades: forfeiture should only happen as a result of a judge's order as part of a final ruling in a case, and suspension should require charges to be filed and should be immediately reversed if charges are dismissed for any reason or not filed within short order. Due process of law shouldn't be tossed out merely because law enforcement finds it "inconvenient".

Too long maybe? Jean Guillon  –  Oct 30, 2018 4:21 AM PST

All this takes a lot of time, doesn't it?

The problem with these long procedures is that end users are harmed...sometimes a lot. They also keep being harmed during procedures which can take...months. I don't see a mechanism where fast technical actions can be taken. Are there any?

Derek  –  Oct 30, 2018 5:19 AM PST

Ideally yes. But without getting into LE blaming, how does this play out in reality?

I've had numerous communications with US LE. A victim was defrauded, but the loss too low. And most LE are not cyber savvy. The perpetrator is abroad. All evidence supplied. The case goes nowhere, LE have finite resources and are being overwhelmed with cyber cases. (Ditto UK/EU/AU/NZ/...). This sees a low percentage only being investigated. As you correctly say, only a few report. Official stats say 10% of victims report. New stats suggest this is even lower. As such nobody really knows the extent of the issue. Jurisdictional issues also do not allow a national, much less a global view, on the harm one bad actor does. And there are jurisdictions where certain things that are illegal do not see cooperation from local authorities.

If a registrar self blinds to obvious abuse, as we see happening, this is a massive problem and it leads to enormous harm of innocent people. That harm includes privacy loss.

We need to look at the big picture.

Reality Derek  –  Oct 30, 2018 2:41 AM PST

This whole GDPR issue in WHOIS is the consumer's worst nightmare. While in theory a great idea, we only have to look at what some registrars allow into a registry. Junk in, junk out. Essentially the GDPR implementation has made Registrars the custodians of consumer trust. Yet they do not accept that responsibility. Nor does ICANN. So where to now?

If we have a malicious domain targeting consumers, the consumer has no way to see who owns the domain and has no chance to decide on that (yes - consumers actually do know about WHOIS). We find that after consumers have been harmed, MLAT processes may (or may not) kick off, take a few months, only to uncover totally garbage WHOIS that should not have been in any registry. Sometimes we find a proxy protection behind the GDPR hidden WHOIS. Another MLAT follows. From past experience we know what passes at some of these proxy providers. Even though the RAA stipulates how proxy providers should behave, we find this massively gamed. So a year can go by with a malicious domain like the following targeting consumers:

Registrant Name: jkl jkl
Registrant Organization:
Registrant Street: no 45
Registrant Street:
Registrant Street:
Registrant City: Roma
Registrant State/Province: Roma
Registrant Postal Code: 45544
Registrant Country: IT
Registrant Phone: +1.554434566456
Registrant Email: fgdgdfgf@protonmail.com

^^ This is used for a phishing domain.

Now off to the email provider ... we are looking at a 12 to 18 month process. How long are logs kept?

Understanding all this, we now suddenly realize why alternate processes are needed. Much as we need privacy, we will not find it in the GDPR as implemented in WHOIS in the current Registrar environment, it rather further undermines consumer privacy. Some registrars try their best while others could not care two hoots. There is a very good reason why some of these registrars are popular for abusive registrations and much gossiped about in the true security circles.

In the meantime, the miscreants abusing domains have no problem with undermining consumer privacy and will even sell these details or abuse it in many other ways. The problem starts at registrars flouting ICANN policies with impunity, where anything goes.

If we want to be realistic, a nice fat fine of millions against a registrar or two - and those supposed to oversee them - would go down well and would also serve consumers, sending out a strong message.

Of course the bigger problem starts where law enforcement does not engage in such abuse and that problem just becomes bigger where the perpetrators are in untouchable jurisdictions.

Much of the abuse that takes place with domains daily, targeting the ordinary small guy, is not acknowledged.
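As an added illustration (not part of the comment above or of the original post), here is a small Python checker that parses the record quoted above and flags the same inconsistencies a reviewer spots by eye: a repeated placeholder name, a street with no street name, a +1 phone on an IT registrant, and a keyboard-mash mailbox. The calling-code table is a constructed subset and the heuristics are assumptions, not any registry's validation rules.

```python
import re
from typing import Dict, List

# Constructed sample: the record quoted in the comment above.
JUNK_RECORD = """\
Registrant Name: jkl jkl
Registrant Organization:
Registrant Street: no 45
Registrant Street:
Registrant Street:
Registrant City: Roma
Registrant State/Province: Roma
Registrant Postal Code: 45544
Registrant Country: IT
Registrant Phone: +1.554434566456
Registrant Email: fgdgdfgf@protonmail.com
"""

# Constructed subset of ISO country code -> E.164 calling code (assumption, not a full table).
CALLING_CODES = {"IT": "39", "US": "1", "DE": "49", "FR": "33", "GB": "44", "NL": "31"}


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Parse 'Key: value' lines; repeated keys (e.g. Street) accumulate in order."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def whois_flags(text: str) -> List[str]:
    """Return human-readable reasons the registrant data looks like junk."""
    f = parse_whois(text)

    def first(key: str) -> str:
        return (f.get(key) or [""])[0]

    flags: List[str] = []
    name = first("Registrant Name")
    tokens = name.lower().split()
    if len(tokens) >= 2 and len(set(tokens)) == 1:
        flags.append(f"name is a repeated token: {name!r}")
    # Heuristic: a name token with no vowel is usually keyboard mash (can misfire on rare surnames).
    if any(not re.search(r"[aeiouy]", t) for t in tokens):
        flags.append(f"name token has no vowel: {name!r}")
    street = " ".join(s for s in f.get("Registrant Street", []) if s)
    if not re.search(r"[A-Za-z]{3,}", street):
        flags.append(f"street has no recognisable street name: {street!r}")
    country, phone = first("Registrant Country"), first("Registrant Phone")
    m = re.match(r"\+(\d+)\.", phone)  # WHOIS phone format: +<calling code>.<number>
    expected = CALLING_CODES.get(country)
    if m and expected and m.group(1) != expected:
        flags.append(f"phone +{m.group(1)} does not match country {country} (+{expected})")
    local = first("Registrant Email").split("@")[0]
    if len(local) >= 6 and not re.search(r"[aeiouy]", local):
        flags.append(f"email local part looks random: {local!r}")
    return flags
```

Running `whois_flags(JUNK_RECORD)` returns five flags for the record above; a plausible record with matching country and calling code returns none.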

Charles Christopher  –  Oct 30, 2018 7:07 AM PST

>Junk in, junk out.

Seems to me, long ago, I recall a law in the US requiring Whois be accurate. Then the desire to enforce it disappeared.

Have a policy that allows Law Enforcement, for a fee, and some type of proof that they TRIED to make contact, to require the Registry to mail a card with a code to the address in the Whois and also phone the code to the listed phone number, perhaps emailed as well. If the code is not entered into the registry (Just an SSL page with domain name and code entry) within say 14 days the domain gets dezoned until proof of ownership occurs. Domain SHALL NOT be deleted (to protect honest people, perhaps away or sick), but can't be zoned again until entry. Dezoning is what we are really after here, database control of the domain record means nothing if it can't be instantiated in the root.

Of course having public Whois then creates a level of accountability that is now lost. With public Whois, as you point out, it becomes easy to see bad whois values. Of course the EU fails to acknowledge this, let alone its benefit to consumers.

I am still waiting for the EU to make land registry info hidden to protect consumers ....

Registries can act fast...so why don't they? Jean Guillon  –  Oct 30, 2018 3:15 AM PST

Why isn't ICANN making it easier for a registry to have authority and act in the obvious case of phishing for example? A phishing case is something very simple to demonstrate to a registry. When the name is taken down at the registry level, it stops working and the whole phishing operation based on this domain ends (for the benefit of sometimes millions of end users).

Also, phishers (I think you mentioned this too) often use the same registrar for the hundreds (sometimes thousands) of domains they buy for their operations. WE ALL KNOW that such registrars can be identified and "stopped" by the ICANN (thanks to their contract): why isn't the ICANN acting? If it is not its role, can't this role be changed?

I am already familiar with the kind of answer I am going to receive here probably (based on the applicable law to every country I guess, the need of an injunction or the role of ICANN) but I am interested in sharing here.

Derek  –  Oct 30, 2018 3:59 AM PST

I'm hoping the DAAR project will highlight the problematic registrars: https://www.icann.org/octo-ssr/daar-faqs

The other problem is recognizing that something is DNS abuse. Then definitions of abuse. Phishing is a wide blanket term to some, a small subset of abuse to others. This mere fact is massively gamed. Without DNS disruption, that abuse can't be curbed. One domain "host-hopped" no less than 27 times.

Charles Christopher  –  Oct 30, 2018 6:51 AM PST

>One domain "host-hopped" no less than 27 times.

It might be helpful if Verisign were required to follow the 60 day transfer hold policy, along with any others that might not be following it.

Derek  –  Oct 30, 2018 9:22 AM PST

Host hopping refers to the term where the malicious registrant remains in control of the domain at the same registrar, but the hosting account gets suspended. He simply gets a new hosting account, sets it up and changes the DNS. While a host interaction is normally required for a hacked account (innocent registrant), this approach is not suitable for a malicious domain.

At the registry level is different... Jean Guillon  –  Oct 30, 2018 9:39 AM PST

At the registry level, it is possible to act on the domain name itself and block any action such as changing DNS for a domain name. There are many case figures where the domain name is even forced to specific DNS, pointing to a clear message explaining the infringement (unless I am wrong, the FBI does that). Such actions make sense since they can - also - do a very bad publicity if pointing to the registrar allowing such actions. When 10,000 pages (if not 100,000) point to the same message explaining that "this domain name was used for a phishing operation and the registrar is X", then Registrars might start to do some cleaning (or not).

I am not teaching anyone anything by explaining that blocking the change of DNS allows one to act on the zone file too and block the change of A, MX, CNAME or whatever records exist. For the abuser, it means that he has to change domain name to keep behaving in a bad way. If such actions are allowed, industrialized and multiplied at the registry level, it means much more work, costs and possibilities to get caught for bad actors of our industry (phishing is the case here).
