Questions about my last posting on Nominet’s DNS domain suspension discussions, have got me thinking a bit more about my idea of “domains registered for a criminal purpose”. My suggestion is that these should be the only domains that a top-level registry can remove on its own, rather than asking for the decision to be taken by an independent authority. I’m worried that if a domain was registered for a genuine purpose and has later become involved in a crime (for example because the server has been compromised) then removing the domain to stop the crime will also damage – perhaps seriously if it is the website of an on-line business – the innocent person or organisation using it for the original, genuine, purpose. The registry doesn’t seem to me the right organisation to assess those risks. This seems very different from removing a domain that has no purpose other than to assist in the commission of a crime, where there should be no risk of harming innocent individuals. Furthermore, if the domain appears to have been registered with a criminal purpose it seems unlikely that contacting the registrant will be effective in stopping the crime! So there may even be an opportunity to speed up the removal process.
This requires a different test from those applied in some registries’ rules, which allow domains to be removed if the domain name itself breaks the law. For example Nominet’s Dispute Resolution Service may remove a domain name that contains someone else’s trademark. While a domain that emulated the name of a bank and was being used for phishing might well satisfy my “criminal purpose” test, I would also include the domains consisting of random sequences of characters that are used by some malware (the best known is probably Conficker) to establish their command and control channels. Here the domain name itself may be legally unobjectionable (if puzzling!), but the fact that it is coded into the malware suggests that it was only generated for that criminal purpose. Another example might be a domain that did consist of words, was involved in criminal activity, and had been paid for with a stolen credit card: the first two conditions could indicate either malicious or genuine registration, but the means of payment suggests that this is not an innocent domain that is now being misused.
[UPDATE: I’ve just discovered another simple algorithm for distinguishing “malicious registrations” in the latest report from the Anti-Phishing Working Group – if the criminal activity is reported very soon after the domain is registered. They also confirm my suspicion that the “trademark” test isn’t sufficient to pick up these registrations, less than a third of their malicious registrations include a string related to the target bank that would be likely to fall foul of the “illegal domain” rule]
This might suggest that I am thinking along slightly different lines to SWITCH’s malware clean up activities for websites in their .ch and .li domains, since they are specifically looking for compromised servers (i.e. the ones I am trying to exclude by my “criminal purpose registration” test). However I think the two approaches are consistent, as SWITCH do attempt first to contact the registrant and give them a grace period before stopping resolution of the domain. Also, their suspension of resolution is temporary: the domain will start working again after five days, with no change in “ownership”, unless a longer duration is authorised by an independent authority. Perhaps a “criminal purpose registration” test would allow those domains to be removed even more promptly?
What do you think?