Home / Blogs

Another ICANN Meeting Concluded With No Action on DNS Abuse or Privacy/Proxy Policy

Co-authored by Russell Pangborn and Syed Abedi of Seed IP Law Group.

The ICANN 69 meeting has come to a close, with no progress on DNS abuse or implementation of the Privacy/Proxy Services Accreditation policy (PPSAI). While ICANN is uniquely positioned to do so, it refuses to do anything proactive about DNS abuse, with its executives overtly attempting to limit its role to data collection. Moreover, its refusal to implement community-driven initiatives such as the PPSAI points to a growing trend where ICANN is backing away from its public interest responsibilities, to the detriment of the Internet and its users. The ICANN Board should be very worried and demand action from its executives on these key topics.

Stalled implementation efforts simply continue to spawn DNS abuse — evidenced by rising UDRP disputes and obstructive registrar policies. Data obtained from WIPO reflects an increase in domain name related disputes and an increase in those disputes arising from registrants using privacy and proxy services. As noted by an FBI panelist in sessions on DNS abuse at ICANN 68 and 69, privacy/proxy services continue to be a problem for law enforcement and others investigating DNS abuse. The FBI data has similarly shown staggering use of proxy services by registrants in referred fraudulent domain cases. Legitimate disclosure requests continue to be unfulfilled by registrars and their affiliated proxy providers, as evidenced by shared data from online enforcement service providers and from statistics shared by a few registrars. These trends form a dangerous recipe for online enforcement agents, IP owners, and consumers at-large.

Troubling Trend of Increasing UDRP Disputes

Since implementation of GDPR in May of 2018, UDRP filings have continued to increase, suggesting that IP owners are increasingly having to rely on this costly procedure to protect their IP rights and protect their customers from fraud and confusion. In looking at a snapshot from the year before GDPR implementation through the years after, UDRP filings have increased year-over-year:

YearTotal UDRP Actions in WIPO
20172708
20183051
20193342

These results show a 23% increase in UDRP filings from 2017 to 2019. Notably, there has also been a statistically significant jump in UDRP filings with the domain registrants masked by privacy and proxy services:1

YearWIPO cases with privacy or proxyPercentage of cases involving "privacy/proxy"
201765224%
201884828%
2019105131%2

Dismal Privacy/Proxy Disclosure Rates Hinder Mitigation Efforts

The significant increase in UDRP filings, including involving privacy/proxy service providers, is exacerbated by the persistent lack of compliance with reveal requests by certain proxy providers. A recent study demonstrates compliance from proxy providers continues to be abysmal. 91% of proxy requests went unfulfilled.3 A staggering 32% of proxy requests garnered no response at all. See tabulated results below.

WHOIS Request for Redacted Information 4228 RequestsPercentPROXY - 1342 RequestsPercent
Fully Compliant (1037)25%1279%
No Response at all (1177)28%42432%
Rejected for Pay for Reveal or Other Reasons (530)13%1058%
Rejected for Legal Action (UDRP/Subpoena required) (1240)29%20815%
Dropped or Suspended (73)2%81%
Auto Acknowledgement with no Follow-Up (260)6%927%
Requires Additional Action (311)7%776%
Average days for acknowledgement42
Average days for compliant response77

In many instances, registrars or their affiliated proxy providers require IP owners to file UDRP actions or obtain a court-ordered subpoena in order to obtain registrant information.4 It is noteworthy that the PPSAI squarely addresses this issue, and makes clear that non-disclosure for lack of court-ordered subpoena or UDRP filing is prohibited.

ICANN's Delays Significantly Impact Consumer Protection

The lack of compliance with reveal requests explains why IP owners are increasingly having to rely on more expensive UDRP actions, or even lawsuits, to protect consumers' rights as well as their valuable IP.

Additionally, UDRP actions are becoming more time consuming due to registrar redaction of registrant information. The resulting delays can be debilitating in combatting harm from cybercrime, which can cause harm in a matter of minutes. In matters of public health and safety, delay is even more destructive. The National Association of Boards of Pharmacy (NABP) issued a scathing report on the widespread abuse taking place on the internet, where cybercriminals are exploiting COVID-19 to peddle unapproved drugs as COVID-19 treatment. Hundreds of newly created domains were flagged, many of which had ties to known cybercriminals. Notably, "many domain names, both active and inactive, are clustered on 'safe haven' registrars — a practice common among sophisticated internet pharmacy cybercriminals; and ... the domain name registration information for almost all identified websites is anonymized, making it difficult for enforcement agencies to investigate these criminals." In fact, 90% of the domains were masked by privacy/proxy services, causing unnecessary delays in combatting such egregious abuse.

Consistent with this pattern of cybercriminals exploiting the pandemic to defraud people by abusing the DNS, the FBI investigated 1340 complaints related to the pandemic, all filed through its Internet Crime Complaint Center (www.ic3.com). An unbelievable 65% of the domains were hidden through privacy/proxy services and 17% were redacted due to GDPR.5 It was further noted by the FBI at an ICANN68 session on DNS abuse that unmasking underlying registrant data via a criminal subpoena can take three weeks or longer. A civil subpoena, undoubtedly, may take even longer. In that same ICANN 68 session, a representative of the Government Advisory Constituency (GAC) noted the following:

  • Law Enforcement reported that the majority of domains involved in pandemic-related fraud, phishing or malware have employed Privacy/Proxy Services to hide the identity of the registrant.
  • Question: What does the ICANN Board intend to do to ensure that such services can't continue to facilitate threats to the security and consumer trust in the DNS?6

Rapid response is needed because phishing attacks inflict harm in a matter of hours.7 Having to rely on filing a UDRP action even to get a chance at access to cybercriminal information is untenable. But this is what recent data tells us is happening. For IP owners to rely on time-consuming and costly UDRP actions to prevent blatant abuse perpetrated by cybercriminals, including those enabled by the masking of registrant data through privacy/proxy services, is troubling because it suggests that other more reasonable measures may have failed.

Change the Trend – Restart PPSAI

As the above results reflect, from 2017 to 2019, the number of UDRP filings involving privacy and proxy services with WIPO has increased steadily, even after the launch of GDPR. All signs point to 2020 continuing the trend. With obstructive registrars and their affiliated proxy providers, it is disconcerting that ICANN's PPSAI remains on indefinite hold. "Wait for EPDP Phase 2" no longer applies. Government agencies and law enforcement have consistently suggested that the consensus policy of PPSAI is necessary in combating fraud and abuse. Given that at least 25% of top level domains utilize privacy or proxy service providers (putting the total number at approximately 90 million)8, the lack of impetus on moving forward with PPSAI is inexplicable. The COVID-19 related DNS abuse surge should serve as a lesson that the world is unpredictable, and decisions pertaining to PPSAI can have serious and harmful consequences.

In its ICANN 69 communique, the GAC reaffirmed its commitment to work with the community and ICANN to advance the shared goal of mitigating DNS abuse, and noted that there is now momentum for concrete action to advance work in curbing DNS abuse. It is time to take advantage of this momentum, and look forward. It is time for ICANN to reconstitute the IRT to restart the work of implementing the PPSAI and to adopt stricter DNS abuse mitigation obligations under the ICANN contracts.

  1. These numbers are conservative because the search criterion was restricted to the occurrence of "Privacy" or "Proxy" in the name of the respondent. Indeed, it is highly likely that many other privacy or proxy services exist that do not use those terms in their entity names. 
  2. There has also been anecdotal evidence that some registrars are deliberately moving domain registrations to their privacy/proxy services. 
  3. The data was collected based on 4228 WHOIS requests and 1342 proxy requests sent to 221 registrars and 52 registries from two leading enforcement vendors and one law firm as of September 2020. 
  4. See transcript ICANN 69 Session on WHOIS Changes Under GDPR. 
  5. ICANN68 — GAC Session 2: DNS ABUSE, June 21, 2020, Gabriel Andrews (FBI), Laureen Kapin (FTC) 
  6. Id
  7. See Interisle Study, Phishing Landscape 2020, p.7, "The practical lifetime of a phishing attack is only 21 hours," available at http://www.interisle.net/PhishingLandscape2020.html
  8. Verisign report lists 359.8 million domain name registrations across all top-level domains as of Q3 of 2019. 

By Russell Pangborn, Partner at Seed IP

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

ICANN Abdicating Stewardship Role By Cyntia King  –  Nov 05, 2020 10:52 am PST

Excellent points.
The refusal of ICANN to take meaningful action to address DNS abuse & the PPSAI is an abdication of its function "to ensure the stable and secure operation" of the internet.  To “ensure” is by definition to act.  ICANN cannot continue to behave as only an interested observer in the security of the internet.

Add Your Comments

 To post your comments, please login or create an account.

Related

Topics

Cybersecurity

Sponsored byVerisign

IP Addressing

Sponsored byIPv4.Global

New TLDs

Sponsored byAfilias

Whois

Sponsored byWhoisXML API

Cybercrime

Sponsored byThreat Intelligence Platform

DNS Security

Sponsored byAfilias

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byAppdetex