30 Oct
2019

Registry and registrar DNS abuse framework: a positive step that falls short

As covered on CircleID, a group of domain name registries and registers have developed a framework to fight abuse in the Domain Name System (DNS) – participants including GoDaddy, Donuts, Amazon Registry Services, Afilias and Nominet UK. In this guest analysis, Brian J Winterfeldt, principal of the Winterfeldt IP Group and president of ICANN’s Intellectual Property Constituency, and Griffin Barnett, associate at the Winterfeldt IP Group, welcome the development but argue that its narrow definition of DNS abuse needs to be revisited.

Guest analysis

A group of leading domain name registry operators and registrars recently published a ‘Framework to Address Abuse’ in the Domain Name System (DNS). Although the framework is a positive step in the right direction, it still falls short in some key areas with respect to consumer protection and addressing online abuse and cybercrime.

The framework identifies the following categories of activity as constituting ‘DNS Abuse’:

  • Malware.
  • Botnets.
  • Phishing.
  • Pharming.
  • Spam (but only when it serves as a delivery mechanism for the other forms of DNS Abuse).

It notes that registries and registrars are required under their respective agreements with ICANN to maintain and publish abuse contacts in order to receive reports of abuse and take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse. The respective agreements do not define ‘abuse’ in this context, but they do specify that abuse includes “Illegal Activity” which the agreements define as “conduct involving use of a [domain name] that is prohibited by applicable law and/or exploitation of registrar's domain name resolution or registration services in furtherance of conduct involving the use of a [domain name] sponsored by registrar that is prohibited by applicable law.”

This language alone indicates that the voluntary framework definition for DNS Abuse is much narrower than what the ICANN contracts define as abuse.

In addition, the framework does identify certain website content activity that it suggests should be addressed by registries and registrars (if other options have been exhausted), namely child sexual abuse materials (CSAM), illegal distribution of opioids online, human trafficking, and specific and credible incitements to violence. Nonetheless, the framework fails to include a number of key activities that are illegal under the laws of most jurisdictions and which harm internet users on par with the types of abuse (DNS and website content) identified in the framework.

Most notably, it leaves out any mention of trademark infringement or cybersquatting, which can take place at the DNS level with very limited examination of website content tied to a domain name. These activities are illegal under United States law and the laws of many other jurisdictions. Well-founded reports of such activity should be actionable as abuse by registries and registrars – especially in cases where there is no website content, and the trademark owner has provided reasonable assertions and supporting evidence to show that there could be no good faith authorised use of the domain name bearing the trademark owner’s mark.  

Similarly, the framework fails to mention counterfeiting, piracy or other forms of copyright infringement. Although these activities generally take place at the ‘website content’ level, they are often associated with other forms of abuse, such as distribution of malware, phishing, and other malicious conduct. Even without those other abuse vectors, these activities are also illegal under the laws of most jurisdictions and therefore should be actionable forms of abuse within the meaning of the Registrar Accreditation Agreement and Registry Agreement. It is not unreasonable to request that registries and registrars action well-founded abuse reports relating to counterfeiting, piracy or copyright infringement in connection with a domain under their management – particularly where other efforts to raise such concerns to the web host and/or registrant are not successful.

Where the entirety of a website is being used to conduct these activities, and the domain and website are not being put to any other potentially legitimate use, the registry or registrar response to disable the entire domain would not be an overly broad remedy. Furthermore, registries and registrars have the option to place domains on ‘serverHold’ status, which disables the resolution of a domain name without fully terminating the registration, and the status can be undone if it is ultimately found that the domain use changes such that it is no longer abusive. 

Examinations of domain name use, including website content, are integral to determining whether a domain name is involved in abuse, given that domain names are intended to be used and do not exist in a vacuum. If registries and registrars are able to make determinations as to website content constituting CSAM, illegal distribution of opioids online, human trafficking, and specific and credible incitements to violence, there is no reason why they could not make similar determinations as to counterfeiting, trademark infringement, piracy or copyright infringement when presented with a valid and well-supported report.

Furthermore, most registry and registrar terms and conditions (ie, the Registry-Registrar Agreement and individual registrars’ domain name registration agreements) specifically prohibit trademark and copyright infringement or any infringement of third-party rights, so it is unclear why registries and registrars would not act to enforce their own terms and conditions regarding registration and use of domain names under their management.

Accordingly, separating DNS abuse from website content abuse is nothing more than a technical distinction that is otherwise meaningless when one considers the practical nature of reviewing and addressing online abuses. The other forms of DNS Abuse identified in the framework all typically utilise another resource associated with a domain name, such as a website or email address, to perpetrate the abusive activity.

Accordingly, registries and registrars must be willing to engage in more active and holistic abuse investigation and response, including considerations of the website content, email, or other online resource usage that leverages a reported domain name in order to truly live up to the purported goal of maintaining a clean DNS and online ecosystem.

Brian J Winterfeldt is principal and Griffin Barnett an associate at the Winterfeldt IP Group

Trevor Little

Author | Editor

[email protected]

Trevor Little