One of the most interesting aspects of yesterday's announcement of another botnet takedown engineered by Microsoft was the naming of the owners of the .cz.cc domain in their lawsuit.
...this case highlights an industry-wide problem pertaining to the use of subdomains. Under U.S. law, even pawn brokers are more effectively regulated to prevent the resale of stolen property than domain owners are to prevent the use of their digital properties for cybercrime. For example, pawn shop operators must require a name, address and proper identification from customers, while by contrast there are currently no requirements necessitating domain hosts to know anything about the people using their subdomains – making it easy for domain owners to look the other way.
Through this case, we hope to demonstrate that if domain owners don't hold themselves accountable for knowing their customers, they will be held accountable for what is happening on their infrastructure. Our goal is for this case to spur an industry-wide discussion for more public and accountable subdomain registration practices to enable a safer, more secure Internet for all users.
Microsoft should be applauded for its effort, as well as for raising awareness of intermediary service providers' roles in perpetuating badware. I don't understand, though, their heavy-handed focus on customer identification. True domain registrars, at least those accredited by ICANN, are already required to collect and publish valid contact information for domain registrants, yet this hasn't seemed to help a lot in preventing malicious registrations or tracking down the criminals. There are lots of reasons for that, such as privacy proxies that shield the identities of the registrants, weak enforcement by ICANN, use of stolen credentials, and the difficulty of verifying the validity of customer information.
I also wonder about dotFREE, the operator of the .cz.cc subdomain service. After the entire .cz.cc domain was pulled from Google Search results due to the high malware and low quality rates of cz.cc subdomains, dotFREE claimed to be implementing a number of reasonable security precautions, from hiring more abuse staff to suspending accounts that appeared on popular badware blacklists. All talk, no action? Could be. Too little, too late? Maybe. But what if they were doing all these things and making a good faith effort to prevent continued abuse of their domain? Was the fact that they didn't verify and publish contact information for their customers enough to make them liable for the malicious use of their subdomains? Perhaps the fact that they were marketing their service like a registrar, but not behaving like an accredited registrar, is enough to do them in?
It will be up to the courts to decide on whether dotFREE is liable under U.S. law. I'd push back against Microsoft, though, and say the industry discussion shouldn't be about "public and accountable subdomain registration practices," but rather about identifying more broadly the philosophical and perhaps legal expectations for how such providers should contribute to the safety of the Internet.