Hi
As discussed on our call the other night, some of the key developments from a global public interest standpoint go beyond GNSO & ICANN policies but we might still consider whether there's grounds for useful NC engagement…
& BTW Monika quotes Wendy in the below...
With protests against
draft US legislation like the Stop Online Piracy Act (SOPA) and the Protect IP
Act ongoing and the European Parliament voting on 17 November for a
resolution to request that the United States should be “refraining from
unilateral measures to revoke IP addresses or domain names,” politicians are
talking a lot about technology for the internet domain name system. But at
the same time, engineers are getting more political and are
intensively discussing technology providing the tools for blocking – by
governments and private parties.
For the community that
cares for the functioning of the domain name system (DNS), it came as a shock
when Paul Vixie, founder of the Internet Software Consortium (ISC), said
that the BIND software would allow the filtering out of sites with a bad
“reputation” – like listed malware sites – and also the “rewriting” of DNS
answers – manipulating what people get to see when asking for domain
names.
Vixie is a guru of the
DNS and one of the authors of the letter by well-known experts against DNS
blocking in the Protect IP Act. But he is perhaps best-known for being the
father of BIND, which has for a decade been the open source tool that makes
the DNS work.
More Filter-Friendly DNS Software
Jim Reid, one of the
chairs of the DNS working group at the Réseaux IP Européens, said during a
recent debate about principles that he was “rather saddened” by ISC’s
decision to allow the rewriting. “We’re giving the bad guys tools,” Reid
warned.
The rewriting – which
sends back a “lie” upon a request to the DNS from someone looking for a website
– “also sends a rather nasty message saying it’s okay to do this kind of
thing.” What is worse from the engineers’ standpoint with the rewriting is
that it breaks new measures to secure the DNS, because the “lies” are detected
and dropped without users knowing what happened.
The “lying” is currently happening for domains seized by the US
government agency ICE (US Immigration and Customs Enforcement), some of
them legal in their country of origin, like the Spanish RojaDirecta.com (a case discussed
intensively by the experts). When typing RojaDirecta.com, users do not get to that
site, but to a warning/blocking site by the ICE.
It is this kind of case that has stirred up debate in the European
Parliament, pushed by the European Digital Rights initiative (EDRi). “By
this you render a site and the data inaccessible without having any court order
in the site owner’s country,” said Joe McNamee, who fought for the
declaration now officially included in the Parliament’s resolution on the
upcoming European Union-US Summit of 28 November 2011.
The text of the Parliament resolution is
here [1].
Under the topic “Freedom
and Security,” the declaration stresses the need “to protect the integrity of
the global internet and freedom of communication by refraining from
unilateral measures to revoke IP addresses or
domain names.”
SOPA, McNamee warned,
would be so broad that “it could be interpreted in a way that would mean that no
online resource in the global internet would be outside US
jurisdiction.”
Of those who provide
users with domain names – with the so-called DNS registrars closer to the user
and the user’s jurisdictions – it is the registry companies who manage the
central database for zones like .com (for example) who are an easy target
when it comes to take-downs. They keep the record of who every .com domain name
is delegated to and inform those looking for a site where to go. So they
can from a top spot in the DNS hierarchy point to a
“wrong” location.
What makes things
difficult is that many large registries, like VeriSign (registry for .com and
.net) which changed the rojadirecta.com record, are located in the
United States and while offering services globally in name, they in fact
are bound by US law.
Registries – Target for Take-Downs
VeriSign recently tried
to get a new registry policy acknowledged by the Internet Corporation for
Assigned Names and Numbers (ICANN), the DNS technical oversight body, which
would have allowed the dot com and dot net registry (VeriSign) “to comply
with any applicable court orders, laws, government rules or requirements,
requests of law enforcement or other governmental or quasi-governmental
agency, or any dispute resolution process.” After a first wave of protests,
the company backed off and withdrew the test for the time
being.
Matt Pounsett from
Afilias, the registry for .info and some other TLDs, explained the dilemma.
While the registries certainly like people to see the correct DNS-answers
that they send, “there are cases where even we participate in things like
that, particularly domain take-down.” Many take-downs were made when it was
found out “that a particular domain is being used in a way that violates
acceptable use.”
Registry operators and
software providers like ISC underline that the fight against malware mainly
drives their interventions. BIND’s filtering function will help the manager
of a local domain to protect his network. Customers are pushing, for
example, for options like rewriting, said Joao Damas, a developer at
ISC.
The rewriting not only allows ICE to lead people to their website
instead of Rojadirecta’s, it also allows commercial companies to attract
traffic to their search engine with recommendations and paid ads. Some big
telecommunications providers, for example, lure users to their search site
every time they mistype a domain name or simply look for something that
does not exist.
“If we do not offer
functionalities like the rewriting in our BIND software, we will drive them away
from BIND,” said Damas. BIND’s new “reputation policy zone” function allows
people to have names checked against lists of alleged bad actors, known
spammers or malware distributors, and, in case of a match, to not display the
respective sites.
More Private Filtering
But what about the
governance of increased private manipulation and also filtering that is enabled
by better tools, asked Peter Koch, a DNS expert at Denic, the registry for
the .de country code TLD of Germany. “When we talk about a near real-time
facility that would enable certain groups to influence resolvers to block or
rewrite resolution data,” Koch warned, collateral damage and even liability
issues could arise. The more sceptical engineers also warn that
such interventions could make the deployment of secure DNS on the last mile
to the user very difficult. As they, including Vixie, have worked for a
decade to implement this kind of security, they oppose it from an architectural
standpoint.
Civil liberty advocates
like McNamee or Wendy Seltzer, co-founder of the project Chilling Effects, point
to the difficulties for victims of the varieties of filtering possibilities
to push back. Why can a DMCA (US Digital Millennium Copyright Act [2])
request from a private party lead to Google even filtering a part of the
rojadirecta website included in the Spanish version and housed under .es,
the country code TLD of Spain – as actually happened?
“Today the biggest problem is there’s too many things happening not
based on legislation,” said Patrik Fältström, chair of the Security and
Stability Advisory Committee of the ICANN. Fältström belongs to the engineers
hoping that fixing the political code might be the first necessary step to
solve the problems. Only then would the next step be addressed, Fältström
said, in addressing conflicting national legislations. A mega-size example is
coming with regard to this problem: the introduction of new TLDs as
approved by ICANN.
Could ICANN approve a
domain name that is illegal in one jurisdiction? asked Fältström. Several
jurisdictions have announced they would otherwise block complete TLDs, with
new top level domains like .gay being only one example not being welcome
everywhere in the world. Or should controversial new address zones be blocked at
the outset by ICANN?
If the registries are
close to the core, the root zone that lists existing TLDs (like .com, .net, .ch)
and future ones could be seen as one core spot of the global
internet.
With the new contract
for the managing of this root function, the Internet Assigned Numbers Authority
(IANA) contract, the US administration seems to have put itself in a
difficult spot. The contract has been performed by the ICANN so far, and
the US National Telecommunications and Information Administration oversees the
work. The difficult spot for NTIA is that they will for every new TLD check
if ICANN’s procedure for approving a new TLD has been supportive of the
“global public interest”. What will the US do about potential knocks at their
door from those who do not like to have a .gay or a .sex? It will be a
difficult filtering function, close to the core.