[Gnso-ppsai-pdp-wg] LE/Ops Sec community input- section 3.18 2013 RAA

Michele Neylon - Blacknight michele at blacknight.com
Tue Jun 10 10:44:32 UTC 2014 

Marika

This is helpful.

I would have some issues with an over-simplification of this, however.

While taking down domain names that are _solely_ registered for abusive purposes is not an issue for me personally, we have to be very careful.
A lot of domain name abuse involves hacking and compromises of CMS without the registrant's knowledge.

We (Blacknight) receive reports from Google and most of the security companies about website and server exploits and take action to remove the threat. We will attempt to work with our clients, but will also suspend access to websites etc., should we feel that it is warranted.

However, the actual volume of purely malicious domain names that we deal with is negligible. If we receive 100 valid "abuse'' reports only about 1% of them would relate to malicious registrations.

The most common vectors we see are things like Wordpress and Joomla CMS being hacked, exploited etc., for the distribution of spam, malware, phishing etc.,

With respect to who submits reports to us, the vast majority are security companies etc.,

In the last 10 years we've been contacted by law enforcement / consumer agencies less than 10 times.

The issue around LEA reports has been discussed at length in relation to the RAA negotiations and I'd be very wary about opening it up again.

Of course we are a small registrar and hosting company, but any policy that ICANN comes up with in this regard should not have a detrimental impact on small businesses that are not causing issues for the DNS ecosystem.

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Domains
http://www.blacknight.co/
http://blog.blacknight.com/
http://www.technology.ie/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland  Company No.: 370845

From: gnso-ppsai-pdp-wg-bounces at icann.org [mailto:gnso-ppsai-pdp-wg-bounces at icann.org] On Behalf Of Marika Konings
Sent: Monday, June 9, 2014 7:33 PM
To: gnso-ppsai-pdp-wg at icann.org
Subject: [Gnso-ppsai-pdp-wg] LE/Ops Sec community input- section 3.18 2013 RAA

Dear All,

As requested a couple of meetings ago, please find below some feedback received from our Security Stability Resiliency Team colleagues from the LE/Ops Sec community in relation to section 3.18 of the 2013 RAA which is being reviewed by the WG in the context of question D-2.

Best regards,

Marika

____________________________

For domains that are tied to malware or tied directly to brand mis-use associated with malicious or criminal activity, almost all registrars have no problem suspending the domains via Section 3.18 of the 2013 RAA. LE agencies have difficulty only with a handful of registrars.

There are cases in which some registrars provide a standard response back to the agencies to the effect that they should contact the hosting provider since the registrar does "not have the ability to oversee what data are being transmitted through its site". If the hosting provider stops providing its services, the criminals can simply move to a new hosting provider. Suspending the domain itself has value for the LE agencies for several reasons, not least of which some providers unmask the private Whois information when the domain is suspended.

Agencies encounter p/p domains used for malicious or criminal activity in ranges that go from small batches (i.e., associated with scams where fraudsters target hundreds or thousands of investors or phishing victims and generate millions in losses, however only a few domains are created) to large numbers where thousands of users are victimized in several countries. Making the privacy/proxy services accountable with a provision similar to 3.18 of the 2013 RAA would add another layer of protection to help contain and mitigate the harm caused to consumers on a global scale. It's a consumer protection issue, however any such new obligation to make p/p providers accountable with regards to abuse and reports of abuse, should not, in any way whatsoever, dilute contractually or in practice the registrars' obligations as they are currently provided by 3.18.

If an agency presents to a registrar or p/p provider evidence that there is criminal or malicious activity that is harming users or has the potential to harm users (such as spamming, spreading malware or distributing child abuse material), the registrar or p/p provider should suspend that domain and unmask the Whois. The agencies are not requesting subscriber information. The agencies are reporting abuse of the DNS that implies violations of the registration agreement between the registrars and the registrants, and that also imply violations of the agreement between the p/p providers and their customers (including all cases of criminal and malicious activity as well as those cases in which the LE agencies' own brands are used by criminals in association with criminal or malicious activity).

The burden should not be higher on the agencies than it was on the registrant to register the domain (e.g., obtaining a court order to have a domain suspended).  Since the victims are located in several different countries, it is *very* difficult to obtain any kind of legal process to effect takedown. Both registrars and p/p providers must have adequate provisions in their agreements with their customers that allow them to take action - on a contractual basis - and suspend domain names when there is malicious or criminal activity.

Additionally, for those cases in which registrars and p/p providers can verify the evidence provided by the LE agencies that there is indeed criminal or malicious activity involving domain names that they sponsor, there should be no territorial restrictions for LE agencies to submit reports to them, regardless of whether they are in the same or in a different country as the registrar or p/p provider. In these cases, registrars and p/p providers should simply enforce their own agreements with their registrants/customers and suspend the domain names accordingly and unmask the Whois information.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-ppsai-pdp-wg/attachments/20140610/3bcd3d7d/attachment-0001.html>

More information about the Gnso-ppsai-pdp-wg mailing list