State of the Net 2012: It's SOPA, But Not Just SOPA

Posted on January 19, 2012 - 12:14 by imeister

It was my privilege to spend Tuesday in Washington, DC for the Congressional Internet Caucus Advisory Committee's State of the Net Conference 2012, which definitely reflected the degree to which PROTECT-IP and SOPA loom large over the American Internet policy landscape, and to which many policy-shapers from across the political spectrum have woken up to how critical sound Net policy really is. There was a lot to love: the debates were full-throated, civil, and constructive; both panelists and attendees were clearly engaged and happy to be there; and if Paul Brigner of the MPAA is to be believed, the superlaser on the SOPA Death Star, pointed squarely at the integrity of the global DNS, is going offline as soon as the bill hits the Senate floor.

There was also a surprising and very welcome amount of attention paid to section 230 of the Communications Decency Act. StopBadware has spilled some ink in the past over the degree to which the CDA at once protects Net infrastructure intermediaries in a valuable way and, as drafted, does much to discourage self-policing when dealing with malware reports. In particular, Brian Cute (late of ICANN and now head honcho of Public Interest Registry, the stewards of .org) and John Morris (late of the StopBadware board and now at NTIA, the legal stewards of the root zone) spoke eloquently of the urgent need for infrastructure stakeholders to take good netizenship seriously, notwithstanding the current statutory status quo. For StopBadware, there was a lot to love.

My one big wish coming out of the conference, though, is that policymakers display somewhat more willingness to reframe the debates around SOPA, DNSSEC, CDA 230 (and various other wonky acronyms) in terms of service abuse. The problem that undergirds "rogue sites" (a term I have never heard used more times than in the opening plenary), whether they be fake pharmaceuticals, malware distribution, or "dedication to copyright infringement" (whatever that really means), is one of accountability. I believe, unreservedly, that when domain names or hardware under US jurisdiction are used to abuse the laws of the United States, the legal personality responsible for that abuse, or part of the problem, should be held to account in an Article III court. We need the real deal, with every due process protection imaginable, and with hefty, easily collectible default penalties if they ignore the court. In my view, holding intermediaries like domain name registrars, web hosting providers, and other infrastructure operators responsible for obfuscating or evading this bedrock principle of Western law is an important element of achieving this state of affairs. SOPA’s liberal construction of U.S. jurisdiction is, in this very limited sense, the right idea. It’s also important to maintain an accurate and universal directory of domain name owners and IP address lessees, with protections for owner anonymity but the ability to pierce its veil for good cause shown. (No more paper airplanes, please! We believe in anonymity too!)

So why doesn't SOPA, or whatever alternative DC policymakers are considering, address the issue of domain name accountability head on? Why has Congress not laid out a statutory structure to govern disputes over Internet “land” when disputes over real property are some of the best understood legal frameworks anywhere? The solution could be deceptively simple. (As I'll explain in a subsequent post, we've had the tools to fix this since the heyday of Anglo-Norman law.) Not that government intervention is necessarily required - yet.

This is where my question to Dr. Crocker, the chairman of ICANN, about WHOIS comes into play (as tweeted here). ICANN has the (bureaucratic and necessarily glacially-paced) tools to fix the accountability problem, as their own WHOIS Review Team has elegantly pointed out. But WHOIS records continue to list fake addresses or junk data, many registrars can't be bothered to do anything about it (since they're effectively on the take), and ICANN itself seems insufficiently motivated to use the tools at its disposal to force the issue. I hope to attend ICANN's next public meeting in Toronto in October to observe and, if so permitted, to make the case for real WHOIS reform.

All told, however, it is an unambiguously positive development that the US government has made cybersecurity a legislative and executive priority, and StopBadware very much looks forward to working with everyone at the policy table to secure a safer Internet in 2012.

China restricts registration of .cn names

The China Internet Network Information Center (CNNIC) announced new rules a few days ago that are intended to "enhance the authenticity, accuracy, and integrality [sic] of the domain name registration information."
These rules require applicants for .cn domain names to submit copies of their business license and personal ID for review by the registrar within five days of registering the name. There are two big questions that aren't clear from the announcement:
First, does the requirement to submit a business license apply only to registrations on behalf of businesses, or does this mean that individuals are no longer allowed to register .cn domain names? The latter would be a substantial restriction on the Internet privileges of individuals in the country.
Second, what happens between the time an online registration occurs and the end of the five-day period? Is the domain active during this time, or does the domain not become active until after the paperwork is reviewed? The exact language is "From the day of the submission of online application, if CNNIC does not receive the formal paper based application material within 5 days or the application material auditing is not qualified, the domain name to be applied will be deleted." This implies that someone can sign up for a domain name with fake information, use it for five days, and then have the name revoked. I suppose that's better than being able to use a fake domain indefinitely (sort of - it may make tracking down the perpetrator more difficult), but we've seen with domain tasting that this can be abused for creating ephemeral phishing and malware sites.
Underlying all of this, of course, is a long-running battle between privacy advocates who argue that being able to anonymously register a domain name extends the free speech opportunities, especially for dissidents in repressive regimes, and the security and law enforcement communities, which fret about the lack of accountability if the operator of a domain name cannot be tracked down. I'm not sure whether ICANN's requirement for registrars to disable domains with false registrant information applies to country-level TLDs, but the CNNIC policy for .cn domains would certainly be consistent with that requirement, if more heavy-handed than we've seen from most registrars.
[Update 12/18: Berkman Center Fellow Donnie (Hao Dong) posted this piece explaining even more aggressive measures being taken by the Chinese government to crack down on malicious use of domain registrations. This will almost certainly reduce the number of misused Chinese domain names, but as indicated above, we may see some additional consequences.]

ICANN improves system for reporting false whois data

ICANN, which among other things oversees Internet domain registration, improved its system for reporting false whois data.
ICANN requires accredited registrars—the companies that actually handle the registration of domain names—to obtain and publish accurate whois information for each registered domain and to investigate reports of false whois information. ICANN has sometimes been criticized for not enforcing this provision significantly and/or for not providing adequate tools to help security researchers submit information about false whois data to the registrars.
This new system attempts to address both criticisms. Not only is there a new reporting tool, but ICANN says, "Processes have been put in place to assess registrar compliance with RAA Whois inaccuracy investigation requirements."
As false whois data is often associated with domains used in phishing, malware, and spamming, I hope that the new tool and processes will prove valuable in fighting back against badware.
(Hat tip: Sandi at the Spyware Sucks blog.)