[Gnso-ppsai-pdp-wg] LE/Ops Sec community input- section 3.18 2013 RAA

Marika Konings marika.konings at icann.org
Mon Jun 9 18:32:35 UTC 2014


Dear All,

As requested a couple of meetings ago, please find below some feedback
received from our Security Stability Resiliency Team colleagues from the
LE/Ops Sec community in relation to section 3.18 of the 2013 RAA which is
being reviewed by the WG in the context of question D-2.

Best regards,

Marika

____________________________

For domains that are tied to malware or tied directly to brand mis-use
associated with malicious or criminal activity, almost all registrars have
no problem suspending the domains via Section 3.18 of the 2013 RAA. LE
agencies have difficulty only with a handful of registrars.

There are cases in which some registrars provide a standard response back to
the agencies to the effect that they should contact the hosting provider
since the registrar does "not have the ability to oversee what data are
being transmitted through its site". If the hosting provider stops providing
its services, the criminals can simply move to a new hosting provider.
Suspending the domain itself has value for the LE agencies for several
reasons, not least of which some providers unmask the private Whois
information when the domain is suspended.

Agencies encounter p/p domains used for malicious or criminal activity in
ranges that go from small batches (i.e., associated with scams where
fraudsters target hundreds or thousands of investors or phishing victims and
generate millions in losses, however only a few domains are created) to
large numbers where thousands of users are victimized in several countries.
Making the privacy/proxy services accountable with a provision similar to
3.18 of the 2013 RAA would add another layer of protection to help contain
and mitigate the harm caused to consumers on a global scale. It's a consumer
protection issue; however, any such new obligation to make p/p providers
accountable with regards to abuse and reports of abuse should not, in any
way whatsoever, dilute contractually or in practice the registrars'
obligations as they are currently provided by 3.18.

If an agency presents to a registrar or p/p provider evidence that there is
criminal or malicious activity that is harming users or has the potential to
harm users (such as spamming, spreading malware or distributing child abuse
material), the registrar or p/p provider should suspend that domain and
unmask the Whois. The agencies are not requesting subscriber information.
The agencies are reporting abuse of the DNS that implies violations of the
registration agreement between the registrars and the registrants, and that
also implies violations of the agreement between the p/p providers and their
customers (including all cases of criminal and malicious activity as well as
those cases in which the LE agencies' own brands are used by criminals in
association with criminal or malicious activity).

The burden should not be higher on the agencies than it was on the
registrant to register the domain (e.g., obtaining a court order to have a
domain suspended).  Since the victims are located in several different
countries, it is *very* difficult to obtain any kind of legal process to
effect takedown. Both registrars and p/p providers must have adequate
provisions in their agreements with their customers that allow them to take
action - on a contractual basis - and suspend domain names when there is
malicious or criminal activity.

Additionally, for those cases in which registrars and p/p providers can
verify the evidence provided by the LE agencies that there is indeed
criminal or malicious activity involving domain names that they sponsor,
there should be no territorial restrictions for LE agencies to submit
reports to them, regardless of whether they are in the same or in a
different country as the registrar or p/p provider. In these cases,
registrars and p/p providers should simply enforce their own agreements with
their registrants/customers and suspend the domain names accordingly and
unmask the Whois information.
