POSTED ON JUNE 10, 2021
Beginning on 14 June, 2021, representatives from government, the private sector, civil society, academia and the technical community will gather remotely for one week at the 71st International Policy Forum of the Internet Corporation for Assigned Names and Numbers (ICANN).
ICANN is the international non-profit organisation that brings together stakeholders to create policies for coordinating the domain name system (DNS).
The ongoing COVID-19 pandemic has been a major contextual factor of global internet governance discussions over the past year, and it appears that discussions in ICANN are no exception. Threats to the integrity and security of the DNS have become a regular topic of debate within the ICANN community. In recent months, these discussions have increasingly focused on the idea of ‘DNS abuse’ and, more specifically, COVID-19-related DNS abuse.
In response to these growing discussions, domain name registry operators — entities that are accredited by ICANN to administer domain names such as .com, .org, or .uk — have increasingly made efforts to combat DNS abuse. While it may appear at first that these efforts contribute positively to the security of the internet at a time when more people than ever are relying on it to stay connected, the implications of the DNS abuse framework are deeply concerning for human rights, particularly freedom of expression.
What is DNS abuse and why does it matter?
DNS abuse is a vague concept that lacks a globally-accepted definition. The term is primarily rooted in the standard registry agreement made between ICANN and registry operators, which sets out a series of ‘public interest commitments’ to which operators are required to adhere. Specifically, Specification 11 (3)(b) creates an obligation on operators to proactively conduct technical analyses to assess whether domain names are being used to perpetrate security threats. However, the definition of what constitutes such a threat under Specification 11 is not written to be definitive or exhaustive.
This lack of clarity has caused long-standing confusion among registry operators, which are unsure of how to ensure compliance with their agreements. In 2019, major operators sought to define what DNS abuse means by establishing the Framework to Address Abuse, which sets out five broad technical categories insofar as they intersect with the DNS: malware, botnets, phishing, pharming, and spam when it serves as a delivery mechanism for one of the other forms. However, ICANN’s Guide to Registrar Abuse Reporting Practices goes beyond this definition to include issues, such as trademark infringement, that are related to the content of the websites registered under these domain names.
This lack of consensus, particularly regarding the responsibilities to monitor and block content, creates pressure on registry operators to over-censor to remain in compliance with their agreements and therefore threatens the removal of content that is lawfully protected under international human rights standards. This over-censorship is compounded by the fact that registry operators are limited in what they can do: if they wish to block a particular activity or content, their only course of action is to take down the entire domain name. If, for example, even one sentence on the ARTICLE 19 website was perceived to constitute some definition of DNS abuse, Public Interest Registry would be obligated to take down article19.org entirely under the current framework.
In addition to the definitional vagueness of ‘DNS abuse’, the mechanisms that have governed registries’ responses to DNS abuse thus far have only served to exacerbate the threats to freedom of expression.
Specification 11 requires proactive monitoring, rather than responding only after activity or material that violates the specification has been flagged. Even if possible, the constant monitoring of all registrants’ domain-related activities or the content of all registered websites amounts to a staggering system of surveillance that may not only produce a chilling effect among registrants, but may also become co-opted by governments interested in limiting the dissemination of information or stifling oppositional or unpopular speech — especially given the considerable control that governments already have over country-code top-level domains like .uk, .us, or .tv.
This provision poses a more fundamental problem, however. In order to block ‘abusive’ activity before it occurs, many registry operators have opted to take down domain names that are likely to do so. But how is this likelihood determined? No matter how well such a preemptive system is constructed, there is no way to guarantee that all flagged potential threats would become real violations if left unaddressed. As such, preemptive measures will always constitute a fundamental threat to freedom of expression.
These types of systems are already in place. The .eu registry operator has implemented use of the Abuse Prevention and Early Warning System (APEWS), a machine learning system that evaluates patterns of domain name registrations and predicts whether a domain name may potentially be used in an ‘abusive’ manner. The .uk registry operator implements the Domain Watch initiative, a blend of manual and automated checking processes to identify, at the point of registration, which new domains are likely to be used for phishing. As of March 2020, the registry proactively suspended over 180 domains, pending ‘evidence of good intentions’. The use of machine learning and automated processes to conduct monitoring, flagging, and takedowns is concerning, especially if DNS abuse prevention extends to content-related matters. Fair use and other grounds for protecting expression are dependent on the particular context in which the content exists. Algorithms are poor evaluators of this context. Without robust human review, these systems risk shutting down artists, protesters, and others that may be referring to certain products or companies as part of legally protected expression — before they have even had the chance to speak.
Lack of transparency and due process
Even as registries increasingly rely on these and similar systems, there are no transparency or accountability mechanisms in place. As outlined by the Registrars Stakeholder Group at ICANN, the actions of registries pertaining to DNS abuse are unilateral, subjective, and, for the most part, contractually permitted through the terms of service agreement they enter into with registrants. Registries are not required to notify or provide justification to registrants when their domain names have been suspended because of alleged or ‘potential’ DNS abuse. Moreover, there are no meaningful appeals mechanisms to challenge these decisions.
The October 2019 Framework to Address Abuse proposes the use of trusted notifiers or Domain Reputation Service Provider(s) to report instances of DNS abuse to registries as a mechanism for introducing greater community accountability. As we’ve noted in the past in the context of social media platforms, the use of ‘trusted flaggers’ is questionable, as they are often not independent and may not have sufficient expertise to assess the lawfulness of content or takedown decisions. Trusted flagger schemes are not an appropriate substitution for a clear and robust system of procedural safeguards to oversee registry decisions that have such significant implications for human rights.
The way forward
As the ICANN community gathers at the ICANN 71 Policy Forum, the ICANN community must consider the following recommendations in its forthcoming discussions of DNS abuse:
- Clearly outline the definition and limit the scope of DNS abuse to be limited to malware, botnets, phishing, pharming, and spam and exclude actions that would make DNS operators the unilateral umpires of what is lawful and unlawful content. This revision process should involve the ICANN multistakeholder community, which should come to consensus on a clear definition of the term, to be consistently applied, including a clear and exhaustive scope and an indication of remedies and actions that registries may take.
- Adopt measures to limit the legal liability of registry operators as intermediaries and possible penalties accruing therefrom. These include amending Specification 11 of the registry agreement to implement a notice and takedown framework, provide for clear independent judicial oversight, and a clear mechanism of rights protection of users. There also needs to be clarity and limitation on the scope of content not protected under international human rights law, including child sexual abuse materials, human trafficking, opiods sale and distribution, and incitement to violence.
- Implement minimum due process guarantees for internet users when tackling DNS abuse. These actions include notifying users when enacting domain suspensions or takedowns and providing meaningful opportunities for appeal. Registries should commit to full transparency through transparency reporting on actions taken in response to DNS abuse and a clear and consistent redress framework.
- Avoid the use of trusted notifiers to monitor and flag content in efforts to combat DNS abuse. The premise of trusted notifiers as independent arbiters for determining what is apt and whose access should be limited is subjective. It is critical to ensure that the internet remains a space where all people everywhere can freely express themselves and actively engage in public life without fear of discrimination or having their websites suspended without due process.