Re: Opposed to VeriSign's proposed com/net Anti-Abuse Policy, due to lack of due process
- To: "registryservice@xxxxxxxxx" <registryservice@xxxxxxxxx>
- Subject: Re: Opposed to VeriSign's proposed com/net Anti-Abuse Policy, due to lack of due process
- From: George Kirikos <gkirikos@xxxxxxxxx>
- Date: Tue, 11 Oct 2011 05:43:38 -0700 (PDT)
One further point - this is also a very poor tool, in that it can cause immense
collateral damage. If there's some malware on a subdomain, for example on
http://blog.example.com/ to make one up, (i.e. perhaps one has WordPress
installed, and it gets hacked), instead of contacting the host to fix the issue
on the single subdomain, VeriSign would shut the entire domain name off. This
would affect www.example.com, and all other services (e.g. email).
For sites with many subdomains (e.g. LiveJournal, WordPress) or services, you
can see where the collateral damage from this "blunt" tool can wreak havoc. A
more targeted tool that escalates the response would be a far better approach.
Sincerely,
George Kirikos
http://www.leap.com/
----- Original Message -----
From: George Kirikos <gkirikos@xxxxxxxxx>
To: "registryservice@xxxxxxxxx" <registryservice@xxxxxxxxx>
Cc:
Sent: Tuesday, October 11, 2011 12:15 AM
Subject: Re: Opposed to VeriSign's proposed com/net Anti-Abuse Policy, due to
lack of due process
Just to follow up, consider how poorly and broadly the language has been drafted
defining "malware".
--- begin definition ------
"Malware" means any programming (code, scripts, active content, or other
computer instruction or set of computer instructions) designed, or is intended,
to (a) block access to, prevent the use or accessibility of, or alter, destroy
or inhibit the use of, a computer, computer program, computer operations,
computer services or computer network, by authorized users; (b) adversely
affect, interrupt or disable the operation, security, or integrity of a
computer, computer program, computer operations, computer services or computer
network; (c) falsely purport to perform a useful function but which actually
perform a destructive or harmful function or perform no useful function but
consume significant computer, telecommunications or memory resources; (d) gain
unauthorized access to or use of a computer, computer program, computer
operations, computer services or computer network; (e) alter, damage,
destroy, monitor, collect or transmit information within a
computer, computer program, computer operations, computer services or computer
network without the authorization of the owner of the information; (f) usurp
the normal operation of a computer, computer program, computer operations,
computer services or computer network; or (g) other abusive behavior. Malware
includes, without limitation, various forms of crimeware, dialers, disabling
devices, dishonest adware, hijackware, scareware, slag code (logic bombs),
rootkits, spyware, Trojan horses, viruses, web bugs, and worms."
----- end definition ------
Notice the words "other abusive behavior" in item "g" -- this means that the
definition is open-ended, leaving the classification of "abuse" entirely at
VeriSign's discretion. Furthermore, some of the itemized "abuse" is iffy, for
example web bugs (final sentence) are used by MANY legitimate websites, but
VeriSign defines them as malware:
http://en.wikipedia.org/wiki/Web_bug
Super-Persistent "cookies" (perhaps via flash) are also used by many sites, as
are regular cookies. Do those "monitor" or "collect" information? (item "e")
Certainly, so under VeriSign's definition, they could be considered "malware".
While VeriSign's motivation is to reduce crime, it does so at the expense of
due process. This is a Pandora's Box that shouldn't be opened without at least
a broad public consultation with domain name registrants, so that the
implications of it can be carefully examined.
Sincerely,
George Kirikos
http://www.leap.com/
----- Original Message -----
From: George Kirikos <gkirikos@xxxxxxxxx>
To: "registryservice@xxxxxxxxx" <registryservice@xxxxxxxxx>
Cc:
Sent: Monday, October 10, 2011 10:24 PM
Subject: Opposed to VeriSign's proposed com/net Anti-Abuse Policy, due to lack
of due process
Hello,
VeriSign has submitted an application to ICANN for an Anti-Abuse policy for
com/net domain names:
http://www.icann.org/en/registries/rsep/#2011008
We oppose that application, as it does not provide any due process to domain
name registrants. VeriSign would become the judge, jury and executioner, able
to suspend or delete domain names that are allegedly "abusive".
VeriSign even recognizes that legitimate domain names will be affected. To
attempt to mitigate these "false positives", VeriSign proposes that
legitimate registrants would only be able to protest *after* VeriSign has
already taken action. Such action would have already damaged the innocent
registrants and their users.
This is counter to the domain name registrants' rights to due process. Instead,
VeriSign should be compelled to prove the alleged abuse in an appropriate legal
forum (e.g. a court), where the registrants can face their accuser, before
being allowed to suspend or delete a domain name.
If ICANN is going to permit this policy to go forward without due process
changes, VeriSign should be required to carry liability insurance in the amount
of $100 million for each act of suspension/deletion. This would allow
registrants to recover financially in the event that VeriSign is found guilty
of suspending/deleting a domain name that was not in fact "abusive."
Sincerely,
George Kirikos
http://www.leap.com/