Domain Name Abuse and Corporate Domain Management

By Glenn Hayward, Chief Executive Officer, Com Laude Group

For several years, the issue of “abuse” has been a topic of discussion within the ICANN community. Each group is keen to throw their two cents in on what DNS abuse is, who is responsible for combatting DNS abuse, and what actions should be taken. This post sets out Com Laude’s positions on some of the key issues in the DNS abuse discussion.

How many domain name registrations are there?

Verisign’s Domain Name Industry Brief reports that at the end of Q2 2019:

  • There were 354.7 million domain name registrations;
  • 156.1 million domain names were .COM and .NET;
  • 158.7 million domain names were ccTLDs.

What is DNS abuse?

A good place to start is the base ICANN Registry Agreement (RA) for new gTLDs (and legacy TLDs which have adopted the base RA). Specification 11 section 3(a) of the RA requires the registry operator, via the registrar, to prohibit eventual Registered Name Holders from “distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law”. Meanwhile, Specification 11 section 3(b) requires registry operators to periodically check whether domains within their TLD are being used to perpetrate “security threats”, defined non-exhaustively as “pharming, phishing, malware, and botnets” – and so perceived to be a narrower class of activities than those prohibited under section 3(a).

Com Laude’s new gTLD registry clients, including dotBrands, are subject to these provisions in the operation of their TLDs. Com Laude, as a registrar, is subject to these obligations which flow down from the gTLD registries via their Registry-Registrar Agreements (RRAs). Further, under section 3.18 of the Registrar Accreditation Agreement (RAA), by which registrars are accredited by ICANN, Com Laude has an obligation to maintain an abuse point of contact and respond appropriately to all complaints of abuse. The RAA does not provide a definition of what constitutes “abuse”.

Technical abuse vs Content abuse

Technical abuse refers to the types of abuse that rely on the DNS to distribute security threats, such as malware, botnets, phishing, pharming and spam, where that spam is used as the means to deliver the other types of technical abuse. Content abuse would include intellectual property infringement, hate speech, terrorist activity and child sexual abuse material.

Law enforcement, commercial interests, and other groups within ICANN are less inclined to adopt the clear-cut distinction between technical and content abuse. We have all seen scenarios where the distinction is blurred – with domains incorporating well-known trademarks being the hook that deceives and catches the public in a phishing fraud; and sites offering counterfeit goods or pirate content also delivering malware to the visitor. Hence, many consider that technical and content abuse fall into the same category, and that registries and registrars, and ICANN, should do more to combat both, if not merely under the contracts then by means of voluntary best practices and trusted notifier programs.

Many civil society representatives are wary that action on content may be used to censor free speech. They consider that voluntary arrangements and notifier programs are “shadow regulation”, developed without the safeguards of formal policy development and lacking transparency and due process in their implementation.

A brief history of how the distinction between technical and content abuse developed can be found here.

How many domain name registrations are subject to the base Registry Agreement definition of DNS abuse?

There are three broad categories of arrangements for registries operating top level domains:

  • ICANN 2017 Base Registry Agreement;
  • .COM and .NET Agreements;
  • National oversight for the operation of ccTLDs.

Unlike the Base Registry Agreement, the .COM and .NET agreements do not set out obligations for the registries to act against abuse. As ccTLDs are managed subject to national oversight, the standards and obligations for acting against abuse vary. For example, the Danish Internet Forum (.DK) is well known for introducing verification measures to combat abusive registrations. Nominet (.UK) also has a stringent take-down policy for abusive domain names and works with the Internet Watch Foundation on tackling child sexual abuse material and abuse online. Other ccTLDs have different standards and levels of tolerance for abusive registrations.

This means that currently, nearly 90% of all domain name registrations fall outside of the ICANN Registry Agreement definition of abuse and associated contractual obligations.

Is acting at the DNS level always appropriate?

The short answer is “no”. This is for a couple of reasons. First, the DNS, or “domain name system”, is a technical protocol which translates numerical IP addresses into human-friendly domain names. Suspending, deleting or locking a domain name does not affect the content itself, which remains hosted at the underlying IP address.

Second, suspending or deleting a domain name deletes everything supported by the domain name. This could include non-abusive email accounts or webpages. The following are examples of complaints and sites where deleting the domain name would be ineffective:

  • Deleting twitter.com in response to a complaint about a tweet (or even a whole Twitter account) containing profane language;
  • Deleting gumtree.com in response to a complaint about a listing for a counterfeit good;
  • Deleting yahoo.com because someone received spam from a yahoo.com email address.

Some may remember when t.co (the URL shortener used by Twitter) was taken down a few years ago. The website t.co itself was reported as being used for spam, rather than the site the URL went to, and the report resulted in t.co being taken down. As a result, tweets could no longer use a short URL and exceeded the 185-character limit. This meant a loss of functionality for most users, and the issue took nearly 3 days to resolve.

Can acting at the DNS level sometimes be appropriate?

The short answer is “yes”. For technical abuse, we believe that acting at the registry or registrar level is appropriate. We also believe that registries and registrars should have the right, but not the obligation, to act against other forms of abuse. Registries and registrars have the option to include certain behaviors as violations of their policies. Such behaviors could include, but are not limited to, the distribution of illegal pharmaceuticals, child exploitation, and imminent and credible threats of physical harm. Trusted notifiers have a potential role to play in helping registries and registrars identify instances of content abuse where action at the DNS level is appropriate.

What does Com Laude treat as DNS abuse?

Com Laude treats both technical abuse and several forms of content abuse as violations of our terms and conditions with our registrants. Our agreements with our clients pass down the prohibitions against abusive activity, including malware distribution, abusively operating botnets, phishing, piracy, copyright or trademark infringement, counterfeiting and other fraudulent practices. We do also recognize the distinction between content and technical forms of abuse and note that, as a corporate registrar, we will not always be best placed to take appropriate action ourselves.

How does Com Laude respond to abuse complaints?

Com Laude has a team which monitors an inbox (abuse@comlaude.com) daily for any complaints of abuse. However, as a corporate registrar, Com Laude has very few abuse complaints and no abusive registrations. The most typical abuse complaints we get are from customers of our registrants that may have an issue with the domain name registrant’s products, services, or communications. These clearly are not “abuse” complaints. Our role is enabling communication between a complainant and the most appropriate party to address the perceived abuse. To be clear, there is no “one size fits all” approach. The type and nature of alleged abuse in question will determine who the most appropriate party is to address it.

Is more regulation and/or stricter contractual obligations the entire solution?

No. Regulation is not always the best option and can struggle to keep pace with technological change. Regulation usually ends up being overly broad and treating every player in the ecosystem the same. There is a range of business models for registries and registrars, especially since the 2012 New gTLD Program. This means an approach to mitigating DNS abuse that is effective for one registrar or registry may not be effective for another – so that a more targeted, voluntary approach may be a better option. Having said this, we think it is important that the contractual obligations on the legacy gTLD registries in relation to abuse are strengthened – ideally so they are the same standard as gTLD registries.

At the UK IGF last week, several panelists highlighted that the behaviors themselves are problematic: the online output is merely a symptom of these behaviors. There were also suggestions from the UK government that take-down legislation is not the only approach to dealing with abusive and illegal activity online. Expecting regulation or contractual obligations alone to be a fix-all solution is not realistic.

What is our position on the DNS abuse debate?

We are a corporate registrar and our clients do not have abusive registrations. Our concerns about DNS abuse are on behalf of our clients. Moving forward, we would like to see ICANN Compliance properly enforcing the Registrar Accreditation Agreement by acting against registrars that enable and perpetuate abusive registrations.

Meanwhile, we fully support those contracted parties who have chosen pro-actively to go beyond the contractual minimum. This month a group of registries and registrars announced their voluntary Framework to Address Abuse, which identifies certain forms of content abuse considered so egregious that these parties would act, even without a court order, if presented with specific and credible notice, namely: (1) child sexual abuse materials (“CSAM”); (2) illegal distribution of opioids online; (3) human trafficking; and (4) specific and credible incitements to violence. We would encourage all registries and registrars to consider voluntarily adopting measures like this to responsibly address abuse.

For the latest update on this news please see here.