As we approach our third year of living with ICANN’s Temporary Specification, civil and criminal investigators still can’t find suspected perpetrators’ contact data, nor can they depend upon enlisting the help of registries and registrars to abate abuse consistently and quickly. The result? Unsuspecting internet users remain at risk and there is no end to this dilemma in sight.
Nearly three and a half years ago, with the impending implementation of GDPR (the European Union’s General Data Protection Regulation), ICANN (the Internet Corporation for Assigned Names and Numbers) allowed the Domain Name System’s accredited registrars and registries to redact domain name registrant contact data. As a result, it is difficult, if not impossible, to attribute and mitigate bad actors’ actions and activities related to domains and websites.
Not only is the data not publicly available for individuals, but data has also been redacted for entities that are not entitled to protections under GDPR, such as businesses. Requests for data for legitimate purposes are routinely ignored by registrars and registries, and egregious examples of DNS abuse are often not mitigated swiftly. All the while, internet users are at risk of running afoul of bad actors who seek to separate them from their money and personal data.
With a simple decree, registrant data went from being widely available to being nearly wholly unavailable due to the hasty implementation of ICANN’s Temporary Specification. Regardless of whether the registrant is a natural person whose rights are protected under GDPR or a business (a legal person) whose rights are not covered, the data disappeared. As of January 2021, Interisle Consulting Group reported that only 13.5% of domains identified a registrant in their Whois record due to redaction and privacy and proxy services.
Interisle went on to conclude that “only around 11.5% of domains may belong to natural persons who are subject to GDPR.” However, Interisle pointed out that registries and registrars have redacted the contact data from “57.3% of all domains.” This redacted data was formerly used by law enforcement, security companies, and brandholders to investigate illegal activity in order to protect internet users and consumers.
Those agencies, investigators, companies, and security teams that need to request registrant contact information to investigate and stop bad actors face a plethora of protocols to request the information. They confront a patchwork of modes, methods, forms, email addresses, and documentation required by each registrar. With literally thousands of registrars, it is almost impossible to keep up with registrar request processes.
And when agencies, investigators, and brandholders can navigate the required process, the results are pathetic. In our experience, only 5-7% of requests for registrant contact data for legitimate reasons are honored, even after supplying the required documentation. Adding insult to injury, some registrars are charging a fee for processing and releasing registrant data -- even when the requested domains are abusive.
Those entrusted with developing a permanent process and rules for releasing registrant contact data, the members of ICANN’s expedited policy development process (EPDP), have been hampered by infighting. Consumer protection-oriented members of the EPDP have not been able to gain consensus among contracted parties (ICANN registrars and registries) on a consistent, clear, fair, and fast way to release information in response to legitimate requests. All the while, bad actors can conceal their identity and take advantage of unwitting consumers.
Many registrars and registries have joined forces to create and sign a DNS Abuse Framework to fight abuse. While seemingly laudable, the framework is flawed by omissions and vagueness. While the DNS Abuse Framework seeks to abate DNS abuse, it applies to a very limited set of abuses including malware, phishing, botnets, pharming, and spam.
These are important categories of DNS abuse that must be stopped, but the DNS Abuse Framework excludes other, equally damaging, frauds and deceptions. And despite the very narrow definition of abuse, the Framework is only marginally effective at abating the worst forms of abuse, since DNS abuse reported to Framework signatories and non-signatories is abated at nearly the same rate. In other words, signing the Framework seems to have little effect on stopping abuse. We have seen that approximately two-thirds of abuse reports are mitigated within three days; however, one-third of DNS abuse lives long enough to cause significant harm to internet users.
ICANN’s Temporary Specification is approaching its third birthday. Rather than adding to the safety of the internet, it is a hindrance to civil and criminal investigators and a shield for bad actors.
It is time for this madness to end.