Nominet have published an issues paper asking whether there are circumstances in which it might be appropriate to rapidly suspend a DNS domain involved in criminal activity, and the processes that would be needed to ensure such action did not create too great a risk of unfairness. I’m writing this in an attempt to sort out my own ideas, so this is very much “thinking out loud” and the conclusions are liable to change whenever I’m presented with new evidence or a better argument. For now, I’m thinking very much from first principles to work out if and when it might be appropriate to invoke an expedited domain suspension process rather than using the processes that already exist.
The issue appears to have arisen because a number of different criminal activities are now using DNS to dynamically move cybercrime around – whether phishing for bank credentials or controlling botnets – making it very difficult to identify the computers involved to gather evidence or prevent the crimes. In these cases, DNS domains may be the only fixed points where the activity can be disrupted.
However removing a domain that is currently in use is clearly a serious action, since it may have significant and unpredictable consequences. The processes that already exist in the law and some Registry agreements therefore include a number of safeguards to ensure, so far as possible, that suspension is justified and does not have disproportionate side-effects. The only reason for creating a new, expedited, process to supplement those would therefore seem to be if the existing processes are too slow and the harm likely to occur when following them justifies the increased risk of side-effects.
Conclusion 1: an expedited process should only be used if serious harm is likely to occur during the time taken to operate the applicable existing process.
A common threshold for whether “serious harm” might occur from an activity is whether that activity is classed as a crime.
Conclusion 2: an expedited process should only be used when a domain is involved in the commission of a crime (in fact I’m tempted to set the threshold at “serious crime”).
In most cases the quickest way to deal with a problem on a domain will be for the registrar to contact the domain owner. This also seems inherently fairer than taking a domain away without warning. Of course this will not work if the domain owner is part of the criminal enterprise, so
Conclusion 3: an expedited process should only be used when there is evidence that the domain was registered for the criminal purpose (i.e. not where a legitimately-registered domain has subsequently been taken over for criminal use).
[UPDATE: I’ve explored this “criminal purpose registration” test a bit more in a subsequent post]
If any of those three conditions are not met, suspension should only be done using one of the existing processes, allowing a more detailed examination of the threat posed by the current use, the consequencs of removing the domain, and any alternative actions that may be possible.
As to how the expedited process should work, it seems reasonable to aim for it to have the same long-term result as the non-expedited process, both in terms of the outcome for the domain and in terms of what information flows where. The expedited process may change the order in which information is passed and actions taken, but it shouldn’t result in anything occuring in secret that would otherwise be open. In particular:
Conclusion 4: the registrant who owns the domain, and anyone else affected by the suspension, should receive the same information and have the same opportunities to have their case heard as they would have in the non-expedited process. If it turns out that the non-expedited process would have resulted in the domain not being suspended, the domain must be restored as soon and as completely as possible.
Finally, any process is likely to be attacked by those who would like to achieve its outcome. Why bother going to the effort of a denial of service attack against a domain if you can deceive a registrar into suspending it instead? The police and ISP industry have already addressed this problem for other expedited processes, so the same safeguards should be applied in this case, in particular
Conclusion 5: notices invoking expedited suspension must be sent between known points of contact who are able to identify each other, both of whom have been trained in the proper operation of the process.
That seems to be where my first principles approach leads me – any comments, evidence I haven’t thought of, or other arguments?
