Privacy warning as cops lean on domain registrars
Mind-boggling delays lead to hasty fixes in Dakar
Internet policy experts have warned about possible threats to privacy and an increased risk of police domain name seizures after domain firms were pressured into overhauling how they do business.
Intense criticism from governments including the US and UK, prompted by their respective cybercrime agencies, this week forced domain name registrars into agreeing to renegotiate their contracts with industry overseer ICANN.
The revamped contract is expected to water down domain name privacy services and could make it easier for law enforcement and intellectual property interests to take down websites.
A dramatic showdown, which saw registrars taking a public kicking from governments and police, played out at the 42nd meeting of ICANN, which has been running all week in Dakar, Senegal.
It started on Sunday with a heated meeting between registrars and ICANN's increasingly powerful Governmental Advisory Committee, which comprises senior civil servants from dozens of nations.
US GAC representative Suzanne Radell led a barrage of criticism, accusing registrars of dragging their feet and offering up "paltry" and "silly" self-regulation proposals.
She was supported by the UK rep, Mark Carvell of the Department of Culture, Media and Sport.
He said: "This is something that is right at the top level in governments, combating abuse and ensuring that this whole organisation, ICANN, works effectively with law enforcement."
ICANN has pseudo-regulatory power over the domain name industry's biggest players through contracts including the standard Registrar Accreditation Agreement, which all registrars must sign.
For years, law enforcement agencies including the FBI, Interpol and the UK's own Serious Organised Crime Agency have been asking for the RAA to be amended to force all registrars to cooperate more fully with criminal investigations.
A wish-list of 12 recommendations has been on the table since 2009. Some are no-brainers, such as an obligation for registrars to publish a physical address and abuse contact on their websites.
Others are more controversial, such as a possible requirement to disclose contact information of domain name owners using proxy services to privacy-protect their Whois records.
After two years of regular talks, law enforcement and governments have grown frustrated by the registrars' lack of progress in voluntarily implementing these recommendations.
That frustration turned to incredulity this week after registrars decided to start a Policy Development Process within ICANN, which would force all registrars to publish a contact address and abuse email.
The PDP could take a year or more to become binding, governments were told, and even then it would leave nine of the law enforcement recommendations unaddressed.
"It is simply impossible for us to write a briefing memo for our political managers to explain why you need a policy to simply put your name on your website," US rep Radell said on Sunday. "It is simply mind-boggling that you would require that."
Registrars responded by saying that a PDP is the only way, under ICANN's rules, to ensure that new regulations become binding on all of ICANN's 900-plus registrars and not just the ones who already take tackling criminal activity seriously.
The Governmental Advisory Committee took its concerns to ICANN's ruling board of directors regardless, on Tuesday, but by that point registrars were already scrambling in behind-the-scenes, closed-door meetings to address the criticisms.
“We are looking for immediate visible and credible action to mitigate criminal activity using the domain name system,” Radell told the ICANN board.
"We're not talking about rocket science here," said the Australian GAC rep. "We're talking about publishing an address to be served legal notice, or putting an email address on a website... I continue to be astounded that they [registrars] have known about this for two years and nothing has happened."
UK rep Carvell said: "This is politically significant. They shouldn't mess around here. Cybercrime is on the agenda."
Some speakers in Dakar have suggested that a failure by ICANN to act on law enforcement's needs threatened the very ICANN "multi-stakeholder" model itself.
Talking to its Generic Names Supporting Organisation (which includes registrars) on Tuesday, ICANN vice-chair Bruce Tonkin, himself an executive with a registrar, said that an absence of action meant some governments may push for the ITU to take over ICANN's role.
"If the GNSO is not working, that means ICANN is not working, and it means that ICANN should be got rid of," he said, explaining the predicament. "There's a bigger, longer-term risk in these issues."
ICANN chair Steve Crocker had similar words for the GAC. “If all we have is process, process, process, and it gets gamed or it’s ineffective just because it’s not structured right, then we have failed totally in our duty and our mission,” he said.
The registrars' decision to renegotiate their contracts to give governments what they want was welcomed by intellectual property interests, but free speech advocates sounded a warning.
Law professor Wendy Seltzer, co-founder of the Chilling Effects Clearinghouse and a representative of non-commercial interests in ICANN, said she would not support RAA changes that would "reduce the privacy of registrants" or make domain take-downs easier.
Registrars and ICANN have set a deadline of 12 March next year to finalize a new RAA contract.
However, registrars will be under no obligation to sign it until their current contracts expire. In many cases, that could be three or four years from now. ®