easyDNS Comments on Anti-Abuse Domain Use Policy
- To: registryservice@xxxxxxxxx
- Subject: easyDNS Comments on Anti-Abuse Domain Use Policy
- From: Mark Jeftovic <markjr@xxxxxxxxxxx>
- Date: Tue, 11 Oct 2011 11:20:03 -0400
Please find our comments on Versign's proposed Anti-Abuse policy below:
easyDNS Technologies Inc. thinks the goal of having a mechanism to
takedown domains that destabilize the internet (via malware or some
other technical issue) in the absence of a non-responsive
registrar-of-record a laudable one, with the following caveats:
- the Registrar-of-Record should be the first avenue of approach on all
takedown matters. Verisign should step in with an unilateral takedown
only in lieu of a response from the Registrar, or if the Registrar of
record has opted-into the malware scanning program and explicitly
enabled Verisign to execute takedowns.
- the definition of "malware" is currently overly broad, deeming many
harmless practices as malware (cookies with longer lifespans, web bugs
malware is open to Verisign's interpretation.
But the most alarming aspect of the proposed policy are the presence of
additional provisions which make it possible for any domain to be taken
down in the absence of due process.
The provision (known as section b) in the proposal is worded as follows:
" (b) to comply with any applicable court orders, laws, government rules
or requirements, requests of law enforcement or other governmental or
quasi-governmental agency, or any dispute resolution process; "
A court order is the result of due process and has by definition been
subject to some form of judicial review. A "requirement" or a "request"
is entirely subjective opinion and devoid of due process under the law.
Further, quasi-governmental agencies have no need to be imbued with
additional powers of arbitrary domain takedowns.
All takedown requests coming from governmental or law enforcement
agencies should require due process under the law and obtain some form
of court order.
Of course, with the com and net being unsponsored generic TLDs, the
issue of jurisdiction is important. Are we to assume then, that the
requests and the requirements are those of the United States government
What of domains registered to registrants via regsitrars in which one or
both are outside the legal jurisdiction of the United States? Can other
governments then request Verisign to takedown a domain? (Can the
government of Canada then request that a domain registered to a US-based
registrant be taken down? How about China? Or Iran?)
This issue becomes so convoluted that maybe there should be a wider
debate around if the registries themselves should even be allowed to be
operated by a private entity subject to governing law of one country
that could then unfairly force its own law upon all others. Perhaps
maybe we need to think about having .com and .net be run by an
international organization such as the ITU? Or some other UN agency?
Does that sound reasonable?
If that route is unpalatable, then perhaps the easiest path is to
- strike section b from the proposal
- more accurately define what "malware" means
- remove section (c) (which is a backdoor mechanism to takedown a
domain simply by threatening legal action against Verisign)
- provide a realtime rollback and challenge mechanism that registrars
can invoke to address improper takedowns
Mark Jeftovic <markjr@xxxxxxxxxxx> / Jabber: markjr@xxxxxxxxxxx
Founder / President, easyDNS Technologies Inc.
Company Website: http://www.easyDNS.com
Better Living Through Private World Domination: http://PrivateWorld.com