Feeds

Privacy warning as cops lean on domain registrars

Mind-boggling delays lead to hasty fixes in Dakar

Bridging the IT gap between rising business demands and ageing tools

Internet policy experts have warned about possible threats to privacy and an increased risk of police domain name seizures after domain firms were pressured into overhauling how they do business.

Intense criticism from governments including the US and UK, prompted by their respective cybercrime agencies, this week forced domain name registrars into agreeing to renegotiate their contracts with industry overseer ICANN.

The revamped contract is expected to water down domain name privacy services and could make it easier for law enforcement and intellectual property interests to take down websites.

A dramatic showdown, which saw registrars taking a public kicking from governments and police, played out at the 42nd meeting of ICANN, which has been running all week in Dakar, Senegal.

It started on Sunday with a heated meeting between registrars and ICANN's increasingly powerful Governmental Advisory Committee, which comprises senior civil servants from dozens of nations.

US GAC representative Suzanne Radell led a barrage of criticism, accusing registrars of dragging their feet and offering up "paltry" and "silly" self-regulation proposals.

She was supported by the UK rep, Mark Carvell of the Department of Culture, Media and Sport.

He said: "This is something that is right at the top level in governments, combating abuse and ensuring that this whole organisation, ICANN, works effectively with law enforcement."

ICANN has pseudo-regulatory power over the domain name industry's biggest players through contracts including the standard Registrar Accreditation Agreement, which all registrars must sign.

For years, law enforcement agencies including the FBI, Interpol and the UK's own Serious Organised Crime Agency have been asking for the RAA to be amended to force all registrars to cooperate more fully with criminal investigations.

A wish-list of 12 recommendations has been on the table since 2009. Some are no-brainers, such as an obligation for registrars to publish a physical address and abuse contact on their websites.

Others are more controversial, such as a possible requirement to disclose contact information of domain name owners using proxy services to privacy-protect their Whois records.

After two years of regular talks, law enforcement and governments have grown frustrated by the registrars' lack of progress voluntarily implementing these recommendations.

That frustration turned to incredulity this week after registrars decided to start a Policy Development Process within ICANN, which would force all registrars to publish a contact address and abuse email.

The PDP could take a year or more to become binding, governments were told, and even then it would leave nine of the law enforcement recommendations unaddressed.

"It is simply impossible for us to write a briefing memo for our political managers to explain why you need a policy to simply put your name on your website,” US rep Radell said on Sunday. “It is simply mind-boggling that you would require that.”

Registrars responded by saying that a PDP is the only way, under ICANN's rules, to ensure that new regulations become binding on all of ICANN's 900-plus registrars and not just the ones who already take tackling criminal activity seriously.

The Governmental Advisory Committee took its concerns to ICANN's ruling board of directors regardless, on Tuesday, but by that point registrars were already scrambling in behind the scenes closed-door meetings to address the criticisms.

“We are looking for immediate visible and credible action to mitigate criminal activity using the domain name system,” Radell told the ICANN board.

"We're not talking about rocket science here," said the Australian GAC rep. "We're talking about publishing an address to be served legal notice, or putting and email address on a website... I continue to be astounded that they [registrars] have known about this for two years and nothing has happened."

UK rep Carvell said: "This is politically significant. They shouldn't mess around here. Cybercrime is on the agenda."

Some speakers in Dakar have suggested that a failure by ICANN to act on law enforcement's needs threatened the very ICANN "multi-stakeholder" model itself.

Talking to its Generic Names Supporting Organisation (which includes registrars) on Tuesday, ICANN vice-chair Bruce Tonkin, himself an executive with a registrar, said that an absence of action meant some governments may push for the ITU to take over ICANN's role.

"If the GNSO is not working, that means ICANN is not working, and it means that ICANN should be got rid of," he said, explaining the predicament. "There's a bigger, longer-term risk in these issues."

ICANN chair Steve Crocker had similar words for the GAC. “If all we have is process, process, process, and it gets gamed or it’s ineffective just because it’s not structured right, then we have failed totally in our duty and our mission,” he said.

The registrars' decision to renegotiate their contracts to give governments what they want was welcomed by intellectual property interests, but free speech advocates sounded a warning.

Law professor Wendy Seltzer, co-founder of the Chilling Effects Clearinghouse and a representative of non-commercial interests in ICANN, said she would not support RAA changes that would "reduce the privacy of registrants" or make domain take-downs easier.

Registrars and ICANN have set a deadline of 12 March next year to finalize a new RAA contract.

However, registrars will be under no obligation to sign it until their current contracts expire. In many cases, that could be three or four years from now. ®

The Essential Guide to IT Transformation

More from The Register

next story
Scotland's BIG question: Will independence cost me my broadband?
They can take our lives, but they'll never take our SPECTRUM
Bring back error correction, say Danish 'net boffins
We don't need no steenkin' TCP/IP retransmission and the congestion it causes
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
NBN Co adds apartments to FTTP rollout
Commercial trial locations to go live in September
Samsung Z Tizen OS mobe is post-phoned – this time for good?
Russian launch for Sammy's non-droid knocked back
Telstra to KILL 2G network by end of 2016
GSM now stands for Grave-Seeking-Mobile network
Seeking LTE expert to insert small cells into BT customers' places
Is this the first step to a FON-a-like 4G network?
What FTC lawsuit? T-Mobile US touts 10GB, $100 family-of-4 plan
Folks 'could use that money for more important things' says CEO Legere
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.