Privacy warning as cops lean on domain registrars

Mind-boggling delays lead to hasty fixes in Dakar

Internet policy experts have warned about possible threats to privacy and an increased risk of police domain name seizures after domain firms were pressured into overhauling how they do business.

Intense criticism from governments including the US and UK, prompted by their respective cybercrime agencies, this week forced domain name registrars into agreeing to renegotiate their contracts with industry overseer ICANN.

The revamped contract is expected to water down domain name privacy services and could make it easier for law enforcement and intellectual property interests to take down websites.

A dramatic showdown, which saw registrars taking a public kicking from governments and police, played out at the 42nd meeting of ICANN, which has been running all week in Dakar, Senegal.

It started on Sunday with a heated meeting between registrars and ICANN's increasingly powerful Governmental Advisory Committee, which comprises senior civil servants from dozens of nations.

US GAC representative Suzanne Radell led a barrage of criticism, accusing registrars of dragging their feet and offering up "paltry" and "silly" self-regulation proposals.

She was supported by the UK rep, Mark Carvell of the Department of Culture, Media and Sport.

He said: "This is something that is right at the top level in governments, combating abuse and ensuring that this whole organisation, ICANN, works effectively with law enforcement."

ICANN has pseudo-regulatory power over the domain name industry's biggest players through contracts including the standard Registrar Accreditation Agreement, which all registrars must sign.

For years, law enforcement agencies including the FBI, Interpol and the UK's own Serious Organised Crime Agency have been asking for the RAA to be amended to force all registrars to cooperate more fully with criminal investigations.

A wish-list of 12 recommendations has been on the table since 2009. Some are no-brainers, such as an obligation for registrars to publish a physical address and abuse contact on their websites.

Others are more controversial, such as a possible requirement to disclose contact information of domain name owners using proxy services to privacy-protect their Whois records.

After two years of regular talks, law enforcement and governments have grown frustrated by the registrars' lack of progress in voluntarily implementing these recommendations.

That frustration turned to incredulity this week after registrars decided to start a Policy Development Process within ICANN, which would force all registrars to publish a contact address and abuse email.

The PDP could take a year or more to become binding, governments were told, and even then it would leave nine of the law enforcement recommendations unaddressed.

"It is simply impossible for us to write a briefing memo for our political managers to explain why you need a policy to simply put your name on your website," US rep Radell said on Sunday. "It is simply mind-boggling that you would require that."

Registrars responded by saying that a PDP is the only way, under ICANN's rules, to ensure that new regulations become binding on all of ICANN's 900-plus registrars and not just the ones who already take tackling criminal activity seriously.

The Governmental Advisory Committee took its concerns to ICANN's ruling board of directors regardless, on Tuesday, but by that point registrars were already scrambling in behind-the-scenes, closed-door meetings to address the criticisms.

“We are looking for immediate visible and credible action to mitigate criminal activity using the domain name system,” Radell told the ICANN board.

"We're not talking about rocket science here," said the Australian GAC rep. "We're talking about publishing an address to be served legal notice, or putting an email address on a website... I continue to be astounded that they [registrars] have known about this for two years and nothing has happened."

UK rep Carvell said: "This is politically significant. They shouldn't mess around here. Cybercrime is on the agenda."

Some speakers in Dakar have suggested that a failure by ICANN to act on law enforcement's needs threatens ICANN's "multi-stakeholder" model itself.

Talking to its Generic Names Supporting Organisation (which includes registrars) on Tuesday, ICANN vice-chair Bruce Tonkin, himself an executive with a registrar, said that an absence of action meant some governments may push for the ITU to take over ICANN's role.

"If the GNSO is not working, that means ICANN is not working, and it means that ICANN should be got rid of," he said, explaining the predicament. "There's a bigger, longer-term risk in these issues."

ICANN chair Steve Crocker had similar words for the GAC. “If all we have is process, process, process, and it gets gamed or it’s ineffective just because it’s not structured right, then we have failed totally in our duty and our mission,” he said.

The registrars' decision to renegotiate their contracts to give governments what they want was welcomed by intellectual property interests, but free speech advocates sounded a warning.

Law professor Wendy Seltzer, co-founder of the Chilling Effects Clearinghouse and a representative of non-commercial interests in ICANN, said she would not support RAA changes that would "reduce the privacy of registrants" or make domain take-downs easier.

Registrars and ICANN have set a deadline of 12 March next year to finalize a new RAA contract.

However, registrars will be under no obligation to sign it until their current contracts expire. In many cases, that could be three or four years from now. ®
