ICANN 66 - It's all about abuse
Last week, the 66th ICANN meeting took place in Montréal, Canada. While GDPR compliance has been the main focus of the community for the past five meetingsy, this past week leitmotiv was "DNS Abuse". While this concern is a priori legitimate and straight forward, the fact that some community members (purposefully?) fail to understand what comes within the legal and technical competency of DNS operators is causing frictions.
Lack of specific legal regime
The main issue stems from the fact that contrary to Internet Services Providers or Hosting providers, there is no ad hoc legal regime applicable to registries and/or registrars. This is why each actor of the industry will apply its own interpretation of the laws they believe apply to them. In most cases, those will mainly consist of a mix of hosting services and ISPs legal text or court decisions extrapolated to the activity of registry and/or registrar.
In EuroDNS' case, we have elected to base our abuse handling practices on the French "Act for the trust in digital economy" (LCEN). This act states that hosting services providers will only be liable if they don't suspend their services when a court order is namely instructing them to do so, or in cases where the illegality of their service's use is blatant.
These practices are described further here: https://www.eurodns.com/information
Limited scope of actions
The lack of a legal regime is, however, only one side of the coin. The other one is the technical means available to DNS actors. While hosting providers may in some instances remove a specific content on a webpage or a particular page, registries and registrars can only suspend the whole domain name under their management. For example, if our friendly competitors from Marseille, Safebrand, receive an abuse report concerning a video hosted on Dailymotion's website, the only action they may take will be to suspend the domain dailymotion.com and herewith the entire website.
Ironically, although this type of suspension can significantly hurt legitimate website operators whose services are being abused, it will have little effect against rogue websites operators who don't rely as much on domain names.
For example, when we suspend a domain name pointing to a website hosting a phishing webpage, this page will remain accessible via any other domain names pointing to this page, but more importantly via the IP address of the server hosting this page. We have noticed that criminals are more and more perpetrating their attacks using an IP address rather than a domain name. Thus completely bypassing registries and registrars.
For example, EuroDNS page describing its Wordpress service is reachable via https://www.eurodns.com/managed-wordpress-hosting but also via http://80.92.65.210/managed-wordpress-hosting
The suspension of a domain name does not mean that the website it was associated to, is also suspended, but solely that it is harder to find. Suspending a domain name is akin to removing the road signs for a given geographic place, as long as you have the GPS coordinates (the IP address) you will be able to find it.
Le framework
In an attempt to clarify the cases and type of actions that registries and registrars can take, several members of the industry have drafted the following document: DNS Abuse Handling Framework.
As the practices described in it are in line with EuroDNS' practices, we have decided to sign on this document publicly and are now hosting a copy on our website.
The audience to whom it was presented during several sessions of this ICANN meeting received it very well. However, it was also pointed out that its signatories and more generally the industry actors participating in ICANN policy development are not those failing to act on abuse reports.
The origin
If you are familiar with the industry or merely reading this lawyer's posts for fun (I am sure some of you are!), you will have noticed that "DNS abuse" wasn't part of the ICANN lingo à la mode. This is because this is a new catch-all expression used by certain vocal members of the industry to decry the consequences of the temporary specification implementation.
In the past, ICANN working groups were formed to develop a consensus definition of "abuse" and later on of "registration abuse". Those gave birth to several initiatives aimed at combatting registration abuse, many of which are still active.
DNS Abuse, however, is lacking a definition. It is therefore easy to classify as such, any online abuse, even if clearly outside of the remit of registries and registrars. As mentioned, this trend is easily explained by the fact that the whois databases have seen their content heavily redacted to comply with data privacy laws. Enforcing IP rights requires undeniably more work, but I will not disagree with my evil twin and pretend that enforcement is impossible. It is, in fact, more tedious and time-consuming but still achievable.
New Registration Data Policy
ICANN is working hard at turning into policy the recommendations contained in the report issued by the Expedited PDP Working Group on registration data. The initial implementation date of February 2020 was postponed to August of the same year. Several key elements, such as the data processing agreements to be entered between ICANN and registries and registrars having not yet been drafted, this postponement was unavoidable. In the meantime, the industry continues to rely on the temporary specifications to ensure it complies with both data privacy laws and ICANN policies.
New gTLD next round
The DNS abuse fanfare steered the attention away from the sessions dedicated to this important topic. At this stage, only two working groups need to conclude their work for the new extensions program to restart. One deals with the right protection mechanisms available to right owners and the other with the review of the previous round. As of last week, the 1st quarter of 2021 still seems a plausible date for the launch of the next round.