Home / Blogs

.com Is A Clear and Present Danger to Online Safety

Shareholders benefit from registry operator providing sanctuary to online criminals and child sex abusers; Congress instructed NTIA to fix the problem — here's how.

"The Internet is the real world now."

This assessment was offered by Protocol, a technology industry news site, following the very real violence on Capitol Hill during the counting of the electoral college votes that officially determines the next president of the United States. The media outlet went on to say that, "[t]he only difference is, you can do more things and reach more people online — with truth and with lies — than you can in the real world."

Despite a seminal role as the Internet's originator and a global leader in technology adoption, Americans have often struggled with addressing the negative ramifications of technology. One example is the debate about violence in video games, which has been cited as possibly contributing to tragic incidents of gun violence in American schools. Concerns about possible correlations between what teenagers were seeing in video games and what a small number of students then chose to act out in real life sparked a national conversation involving policy makers, parents, teachers, students, video game companies and a myriad of other stakeholders seeking solutions that might address the issue.

This robust engagement by a broad spectrum of stakeholders, particularly the video game industry itself, sits in stark contrast to the anemic, trying-but-not-really, effort seen from ICANN and its registry operators and registrars to make domain name registrant identification data available to U.S. law enforcement, American consumers, intellectual property owners, and other stakeholders with legitimate access needs.

To briefly summarize, following the global adoption of the European Union's General Data Protection Regulation (GDPR), ICANN unilaterally determined that the WHOIS database — which had been operating since the modern Internet's inception and before ICANN was created — contravened the E.U.'s new law and relieved registries and registrars from contractual obligations that required the collection of WHOIS registrant data.

ICANN then convened the comically misnamed and hapless Expedited Policy Development Process, or EPDP, to convene stakeholders and develop a solution. This so-called expedited process — which has been declared a failure of the multistakeholder governance model by ICANN's Governmental Advisory Council along with its Business and Intellectual Property Constituencies and others in minority statements accompanying proposed recommendations — has taken years to develop a proposed solution that enjoys little support from the stakeholders that developed it, isn't likely to be effective, and, in any event, will be implemented at a leisurely pace expected to be completed somewhere between years from now and never.

Considering that the availability of registrant identification data to anyone with access to the Internet has been a stated Internet policy imperative of the U.S. government since before ICANN existed and was referred to simply as NewCo, it is fair to consider that there is more — much more — to this process failure than meets the eye.

The reality is that registry operators and registrars have never been fans of collecting, storing, and making registrant identifiers available. However, before ICANN unceremoniously disposed of WHOIS, every registry operator provided what is known as Thick WHOIS data — which, as the adjective suggests, includes registrant identifiers along with basic Thin WHOIS data about the domain name itself — with one glaring exception: Verisign.

Thick WHOIS was approved for implementation by ICANN's Board in February 2014. Nearly three years passed until a Proposed Policy Implementation plan was issued for .com, .net, and .jobs — all Verisign-operated — to transition to Thick WHOIS and also set deadlines of May 2018 and February 2019 for compliance. Five years would seem a generous allotment of time for complying with a data-collection rule that every single other registry and registrar were already complying with.

However, in October 2017, May 2018, October 2018, and March 2019, ICANN's Board granted six-month extensions requested by Verisign. Finally, in November 2019, ICANN's Board acquiesced to Verisign's fifth extension request by granting an indefinite deferral until a group of conditions are satisfied pertaining to implementation of the EPDP — developed replacement for WHOIS — which, as previously noted, is now known to be somewhere between years from now and never.

It is unclear what persuaded ICANN's Board that these delays affecting a majority of the Internet's domain names were in the public interest or anything other than a terribly awful idea. However, given recent evidence of ICANN's susceptibility to loosening consumer pricing safeguards after receiving $20 million contribution earmarked for "security, stability, and resiliency," one is forgiven for being curious about the street value of such pliancy.

What is beyond certain is that compliance costs weren't prohibitive for any of the much smaller and less profitable registries and registrars who all complied dutifully while their much bigger and much wealthier fellow registry skated by with endless delays. A sentient observer is forgiven for concluding that there is a double standard where, on one hand, the Internet's largest domain name monopolist enjoys a close working relationship and cozy alignment with ICANN that produces tangible beneficial outcomes while, on the other hand, are the hoi polloi, the great unwashed, and les miserables — otherwise known as everybody else.

Regardless, security, stability, and resiliency, or SSR, is an unfortunate, limited, and network-centric view of the mission for Internet policy that is dangerously outmoded. A more modish view, perhaps, would put humans at the center of Internet policy development and this may result in which could result in a more expanded and expansive view, not of authority or mandate, but of obligation and duty as more stakeholders began viewing safety as a necessary addition to the SSR trifecta.

That being said, the consequences of network-centric thinking are clear and terrible things are being perpetrated in the deep shadows cast by the void of registrant identifier data. The harm to American persons and property is undeniable and multiple U.S. federal agencies have weighed in with increasing alarm.

  • In 2006, then-Chairman of the Federal Trade Commission, Jon Leibowitz, traveled to ICANN's meeting in Morocco and warned that, "(t)he FTC is concerned that any attempt to limit Whois to this narrow purpose will put its ability to protect consumers and their privacy in peril."
  • More recently, in 2020, the FTC wrote to Congress and said, "(t)he FTC uses this (WHOIS) information to help identify wrongdoers and their location, halt their conduct, and preserve money to return to defrauded victims."
  • The Department of Homeland Security has also weighed in, saying in a 2020 letter that, "(s)ince the implementation of GDPR, HSI has recognized the lack of availability to complete WHOIS data as a significant issue that will continue to grow." DHS also cited in the same letter that lack of WHOIS information as hindering its response times to criminal activity.
  • Perhaps most damning, however, is the State Department's official statement of U.S. policy regarding GDPR which declared, "...WHOIS no longer functions properly. As a result, criminal investigations necessary to protect the public — including the most vulnerable, such as children who are subject to online sexual abuse — have been impeded."

Let that sink in for a moment: the official position of the United States government is that the deliberate dysfunction of WHOIS directly correlates to the sexual victimization of children. Then consider the words written in a letter by a consortium of groups combatting online sexual abuse of children which said:

"Verisign is uniquely unforthcoming. We have regularly worked and had conversations with just about every Internet company you can think of and quite a few you are unlikely to know. Only Verisign has been so utterly uncommunicative. This is a very poor show and runs completely contrary to the spirit of multi-stakeholderism."

​​The letter continues in strong and unequivocal language:

"To put the matter plainly, it is immoral for a business to attempt to deflect responsibility by arguing these matters are the sole provenance of law enforcement and courts. As the dominant registry in the global system, Verisign should be taking a leadership position, adopting voluntary procedures to combat online child sexual abuse."

​​Considering that a 2017 report of the Internet Watch Foundation found that 79% of all child sexual abuse webpages reside in .com and .net, one might consider appealing to those who are actually benefitting from the registration fees that are collected by Verisign for the domain registrations used for such heinous activity. A quick search online reveals that Verisign is, by and large, owned by a veritable cornucopia of the richest and most powerful institutional investment firms in the world.

There are too many to list here but, as of September 2020, the top four, each with an equity position that exceed $1 billion, are Berkshire Hathaway, Vanguard Group, BlackRock, and Renaissance Technologies. Far from enlightened, however, Verisign shareholders are, in fact, malefactors of great wealth who are profiting from registration fees that are paid to Verisign by intellectual property thieves, child sex abusers, and other criminals that operate in the Internet's largest registries. These bad actors remain unmolested because the registry operator not only didn't implement essential Thick WHOIS data requirements that protect Americans but also stood by and did nothing while ICANN incinerated WHOIS entirely.

It is important to keep in mind that this is a company operating risk-free legacy registries entrusted to it by the U.S. government with the explicit understanding that it could enjoy ridiculously massive profits in exchange for nothing more than protecting the public interest. Considering the literally gross profit margins being generated, the question for shareholders is simple: if they are benefiting from this, then they should know about it; if they aren't, then it shouldn't be happening.

The time for discussion and debate is over. There is too much bad faith, too many agendas, and too much water under the bridge. Fortunately, since there is no requirement that ICANN must oversee the collection of registrant identifiers — and it has more than proven itself incompetent and incapable of doing so — the solution is likely very simple.

Availability of registrant identifiers has always been a priority of the U.S. government and it should solve the problem in much the same way that the E.U. precipitated it: by setting a policy that must be complied with by every registry and registrar that maintains a domain name registration that is, or may be, accessed by an American citizen. Failure to comply should result in the levying of hefty fines and, if necessary, seizures of domain names and other assets just as the U.S. Treasury Department does for money laundering, terrorist financing, narcotics distribution, and other crimes. Why should online sexual abuse of children, illegal opioid sales, intellectual property theft, and other crimes that harm Americans be combatted any less vigorously?

In the past, domain name registrant data could be found online at internic.net and after ICANN's formation, it was granted a license to the InterNic trademark and website. But the trademark is still owned by the U.S. Commerce Department which should send a strong and unmistakable message of no-confidence to ICANN and its contracted parties by cancelling the license and reclaiming its property as the new forever home for registrant identifier data that is "available to anyone with access to the Internet."

By Greg Thomas, Founder of DNSDecrypt – Greg Thomas is founder of DNSDecrypt and author of How to Save the Internet in Three Simple Steps: The Netizen’s Guide to Reboot the Root. The views expressed in this article are solely those of Greg Thomas and and are not made on behalf of or for any other individual or organization. Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

WHOIS, GDPR & .COM By John Poole  –  Jan 13, 2021 1:01 am PDT

Greg, your headline is false and your complaints are misdirected. The .COM registry has existed long before ICANN corrupted the global DNS with "ICANN's new gTLDs” that "fail to work as expected on the internet, and .COM has always utilized the "thin WHOIS" model in which each respective registrar collects and holds the personal data associated with a particular .COM domain name registration. This has always worked fine and does not need to change since Verisign does not NEED this data to provide .COM registry services:

"Thin RDDS registries only maintain and provide the information associated with the domain name while registrars maintain and provide information associated with the registrant and contacts of the domain."--ICANN


If you are having a REAL problem with a .COM domain name and don't know who to contact, contact the registrar. How hard is that? Is there a responsible law enforcement official ANYWHERE in the world that does not know how to find and contact the respective registrar of every registered .COM domain name in existence? If so, send them this URL: https://lookup.icann.org/
The PROBLEM, as is almost always the case in these matters, is ICANN. ICANN is incompetent, corrupt and captured. ICANN's ill-conceived "thick WHOIS" policy violates GDPR. ICANN is a failed organization and needs to be replaced by the global internet community as soon as possible.
John, thanks for sharing your thoughts. The By Greg Thomas  –  Jan 16, 2021 11:11 am PDT

John, thanks for sharing your thoughts. The Internet often functions as a digital buffer between ourselves that can make it easy for matters with important considerations like safety to become academic and abstract — to be considered theoretical when an issue of comparable gravity, in real life, is approached more seriously. 

An Internet registry enabling 76% of all websites that are purveying child sexual abuse material is an undeniably clear and present danger to online safety.  This negligence is incentivized — indeed, rewarded — when shareholders directly benefit from revenues that include registration fees paid to Verisign by criminals engaged in the sexual abuse of children for the domain names used to distribute materials depicting this abuse — in legal terms this money is called “fruit of the poisoned tree.”

You are correct that .com existed long before new gTLDs, which makes it all the more appalling, reprehensible, and inexcusable that the grand dame of Internet registries is far and away the most desirable real estate for criminals that distribute and sell imagery of children being sexually abused for the prurient enjoyment of other criminals.  I think you meant to say that .com is — along with its registry operator, Verisign’s mega-rich shareholders, ICANN, and everybody else in a position to help address the problem and don’t — old enough to know better. 

Frankly, I am deeply disappointed by this comment and have found it difficult to reconcile your defense of the indefensible with the incisive and intrepid indictments you've written previously of both ICANN and Verisign.  When did you take up the banner as Verisign’s champion?  Are you now one of Verisign’s countless marionettes with well-veiled strings that are pulled to deflect attention and accountability?  Who are you?  As I’ve mentioned previously, I have been wrongly and unjustly accused of being John Poole and the author of DomainMondo and so I take more than usual interest upon discovering that you're whitewashing Verisign's enablement of child sexual abuse for benefit of Berkshire Hathaway and other fat-cat shareholders. 

But let’s pop the hood and take a closer look, shall we?

First, enquiring minds want to know: how did you make the odd variations in font sizing and color?  It wasn’t from a mere cut-and-paste, as any CircleID contributor knows.  Dandified fonts aside, your arguments extolling the virtues of Thin WHOIS are categorically contradicted by everybody and anybody who matters — namely, law enforcement, victims, policy-makers, child rights advocates, etc.  Your position fails to address the double standard where Verisign-operated registries benefitted uniquely from waivers granted by ICANN while every other registry — including other legacy dinosaurs as old as those operated by Verisign but with dramatically less commanding economies of scale — had adopted thick WHOIS.  Stridently defending this patently unfair and anti-competitive special treatment is a thin-skinned response that I’d expect to hear from an entitled and unrepentantly predatory monopolist which inspires burning curiosity about what exactly your interest is here. 

You mention that ICANN is the problem because it is “incompetent, corrupt, and captured.” I’m willing to stipulate that ICANN is a big part of the problem but it is neither the entirety of the problem nor the source of it.  A very perceptive person once said to me, “ICANN is but a satellite moon to Verisign’s Jupiter.” Being a longtime observer of ICANN and student of the Internet’s history — not to mention a twice-former senior employee of Verisign — this rings true for me.  But you don’t have to take my word for it, just follow the money for a quick reminder that Verisign funds ICANN’s budget, not the other way around.  The only time that ICANN has ever been in the economic catbird seat was in 2019 when Verisign wanted pricing power and ICANN sold it to them for a paltry $20 million. 

It is the combination of the .com registry agreement’s presumptive renewal and ability to increase prices that, according to the 9th Circuit of the U.S. Court of Appeals, plausibly indicates a conspiracy between ICANN and Verisign for the illegal restraint of trade.  By selling pricing power to Verisign for $20 million, ICANN restored the same conditions that troubled the 9th Circuit as plausibly indicating an illegal conspiracy. 

You’re correct that such slapstick is “incompetent” and “corrupt” and you’re also “on the money” that ICANN is captured — but somehow you missed the all-important detail that it is Verisign which holds ICANN in thrall. Or, perhaps it is more accurate to say that each has captured the other and they’ve become bound by chains of codependency.

But riddle me this: when did we decide that it was chill to make money by enabling criminals that sell materials depicting sexual abuse of children?  When did we agree that it was kosher to give the finger rather than lift a finger and make all reasonable efforts to help rightful property owners safeguard their property from pirates and thieves?  Same thing with aiding and abetting the online distribution of illegal opioids.  In the real world such inaction is considered negligent, reprehensible, and often criminal in its own right — but when it is perpetrated by the company operating the Internet’s largest domain name registry, not so much.  Is the “Power of .COM” a special dispensation because Verisign lays golden eggs for malefactors of great wealth like Berkshire Hathaway and BlackRock rather than, say, Jeffrey Epstein? 

Yes, ICANN is a big part of the problem — but Verisign is the source of the problem and no lame lookup.icann.org can whitewash that stain. Thick WHOIS doesn’t violate GDPR, which I’ve stated repeatedly for years and which the EU has itself determined to be the case.  GDPR was nothing more than a pretext for ICANN to destroy WHOIS.  But who benefitted the most?  Who had the means, motive, and — with GDPR — the opportunity to get rid of WHOIS?  Could it have been the vastly rich and powerful registry operator that was the lone holdout on compliance?

In your comment to Fabricio Avaya’s recent post, you said “(f)or .COM domain names, we already have a working, free and fully accessible to everyone in the world....” Are you using the imperial plural when you say “we” or are you affiliated with Verisign or ICANN — which seems likely considering it is only .com lookups that you mentioned in both of your comments.  You also say “if it ain’t broke, don’t fix it” which is something I’d expect from Verisign or ICANN.  How the independent gadfly behind DomainMondo can say that here — well, it’s just Greek to me. 

Your past efforts have admirably helped shed light on the transgressions and misbehavior which have become normalized at the root of the global Internet.  But, with all due respect, on this one you’re just plain wrong. 

Thank you for the benefit of your views.

Regards,
Greg

Greg, what problem are you trying to solve? By John Poole  –  Jan 16, 2021 2:00 pm PDT

Greg, thanks for your reply, but after reading your lengthy, rambling discourse, I hardly know where to begin, so I will start here: what problem are you trying to solve? Child pornography on the internet? "Thick WHOIS" and "legacy WHOIS" do not solve that problem, and never did. You solve that problem with active due process law enforcement by the US Department of Justice, including a court order served on the registrar for immediate takedown of the offending website. WHOIS data is easily manipulated and falsified by criminals. What you want if you are a criminal investigator or prosecutor is the additional data that ONLY registrars have: IP addresses, credit cards and banking information used to pay for registration and renewals, and other information that leaves a trail. Please, please, don't let ICANN, or Verisign, become the "internet police."
I speak only for myself, individually, and as editor of DomainMondo.com, and as a domain name registrant. I have no relationship with, nor own any shares in Verisign (NASDAQ: VRSN). I thank you for reading DomainMondo.com and following my comments on circleid.com, including my recent comment which you noted, and I stand by every word I wrote in each of these comments. You know my positions on other issues involving ICANN and Verisign, which you alluded to in your reply, and therefore I will not reiterate them here.

John, thanks for your additional comments. I By Greg Thomas  –  Jan 19, 2021 6:55 am PDT

John, thanks for your additional comments. I have a few final thoughts:

One man’s “rambling” is another man’s call for reform, not to mention the considerable challenge involved with untangling what is hidden by manufactured complexity in the DNS.  I figured you’d understand since brevity isn’t always evident in your work either.

I don't flatter myself by presuming that I will solve online child pornography.  Doing so requires eradicating demand for it but — considering how many of the world’s rich, powerful and famous were implicated by revelations following the arrest of Jeffrey Epstein — the demand for child pornography isn't likely to be eradicated anytime soon.

The rather more achievable problem that I am trying to solve is to address the “failed state” of the Internet’s root zone which has become dominated by predatory corporate warlords intent on maximizing their control of Internet infrastructure that they don't own but which they feel entitled to.  The pursuit of this anti-competitive aim has so thoroughly corrupted the entire ecosystem of the DNS that it has become normalized as the status quo.  Earlier, you stated that ICANN must be replaced by the global community.  But this is dangerously naive because the exact same fate will befall any successor to ICANN if the structural defects and systemic faults aren't fixed first. 

Doing so requires clearly understanding what the actual problems are. I'll be publishing an article today on CircleID which lays out the reasons why repairing the root needs to be a burning priority and I also outline what in my view are the essential, unavoidable, and therefore non-negotiable reforms that are the bare minimum to be achieved for renewing legitimate governance for the global Internet. 

Lastly, I find your sentiments and the tone with which you chose to communicate them dismaying.  I don't believe that efforts for combatting the sexual abuse of children online are wasted energy or a fool’s errand even if we know that ultimate victory isn't close at hand. But your comments broadcast a derisive sneer at the simpletons in law enforcement that just don't seem to get it that you've made this amazing tool available that solves their problems. But, the thing is, that I think they do get it quite clearly, in fact, and it is you and all of the other accommodationists that aren't getting the message that what was once overlooked and tacitly accepted will no longer be tolerated.  Besides, we aren't called to defeat evil, John, but we are called to try. 

Sneering comments making nonsensical arguments do nothing but obstruct law enforcement from doing their job — and further prove my point about the need for essential reform.  The shameful condoning and irresponsible ignoring of harms perpetrated at the Internet’s root only strengthens my resolve by further proving my point that evil has become normalized to the point where it is accepted and expected — a regular ho-hum affair. 

Every time someone reaches out to me with a horror story of predatory behavior in the DNS and I have to refer them to the Justice Department — it further proves my point.

When a former Deputy Attorney General of the United States sits on VeriSign's board of directors and is compensated with money earned, in part, from registration fees paid by criminals for domain names used for illegal purposes, including the online sexual abuse of children — it further proves my point. 

When rumors abound about how the world’s richest and most powerful institutional investors don't just profit from fees paid by criminals but intervene to shield their investment from scrutiny and sanction — it further proves my point.

When official documents indicate possible improprieties stemming from political interference at the highest level and circumvention of normal processes, such as empirical review and soliciting of differing views, and which caused changes to an agreement that are a spectacularly good deal for a monopoly and terribly awful for everybody else — it further proves my point. 

My point, John, in case it isn't clear, is that the DNS has gone off the rails and rot has set in at the root.  For the issue you’ve raised, the point isn’t whether .com should use Thick or Thin WHOIS, but that there’s a double standard where the rules apply to everyone but Verisign and ICANN is powerless to do anything about it.  While it may be true that the Internet can't be turned off, it is long past time to reboot the root and restore legitimate governance for the global Internet. 

Thank you for your thoughts and this important dialogue. 

Regards,
Greg

Add Your Comments

 To post your comments, please login or create an account.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPXO

Brand Protection

Sponsored byAppdetex

Domain Management

Sponsored byMarkMonitor

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign