Verisign Seeks to Shutter 'Malicious' Sites Upon Request

WASHINGTON, D.C.—In an attempt to align itself with new rules promulgated by ICANN as part of the rollout of new gTLDs, Verisign, the registry that operates .com, .net and .name domains, has sent a letter to ICANN’s Registry Request Service asking it to approve a proposed Anti-Abuse Domain Use Policy.

“All parts of the internet community are feeling the pressure to be more proactive in dealing with malicious activity,” explained Verisign. “ICANN has recognized this and the new gTLD Applicant Guidebook requires new gTLDs to adopt a clear definition of rapid takedown or suspension systems that will be implemented.”

One of the centerpieces of the policy would be a service offered to registrars that would scan websites once a quarter in search of malware. However, the proposal also contains a provision that would permit the registry to shut down, transfer or lock websites accused of illegal activity at the behest of law enforcement, without having to obtain a court order first.

According to the written request, the malware service “will be optional, allowing registrars to opt out of the service for .com, .net, and .name domain names under their management.”

If a registrar elects to allow Verisign to scan for malware, it will be required to obtain the acknowledgment and consent of every Registered Name Holder (i.e. website owner) to allow the scans to take place “for the purposes of … detecting malware or as necessary protecting the integrity, security or stability of the registry.” Only the registrant and the registrar will be notified of any data collected by way of a scan “other than as permitted by applicable law, including applicable privacy and data protection laws, or pursuant to a court order.”

The letter continues, “It is our intention to use this capability to identify malware on the internet and present the results to the registrars for action.”

As hideous as malware is, for many civil libertarians the prospect of a quasi-governmental institution like Verisign—or ICANN, for that matter—being granted the right to inspect someone’s domain at will is akin to being allowed the right to enter and inspect a retail business at will, perhaps looking for malware at present but in the future expanding that search to include, say, illegal immigrants. It simply reeks of Big Brotherism.

But that concern swiftly becomes an outright alarm when the institution seeks the authority to act at the simple request of law enforcement, bypassing the protections that come with the oversight and approval of a court. When the institution further seeks the authority to act on behalf of any “governmental or quasi-governmental agency,” the alarm becomes a palpable fear. Without specific guidelines, such an authority would mean that the registry has the ability to shut down, lock or transfer any domain as long as there is some law somewhere in the world that finds the content or activity provided by that site illegal. That’s Global Brother.

As contained in the letter, the anti-abuse policy proposed by Verisign reads:

The new anti-abuse policy would be implemented through a change to the .com, .net and .name Registry Registrar Agreements and would allow the denial, cancellation or transfer of any registration or transaction or the placement of any domain name on registry lock, hold or similar status as necessary:

(a) to protect the integrity, security and stability of the DNS;

(b) to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process;

(c) to avoid any liability, civil or criminal, on the part of Verisign, as well as its affiliates, subsidiaries, officers, directors, and employees;

(d) per the terms of the registration agreement,

(e) to respond to or protect against any form of malware (defined to include, without limitation, malicious code or software that might affect the operation of the Internet),

(f) to comply with specifications adopted by any industry group generally recognized as authoritative with respect to the Internet (e.g., RFCs),

(g) to correct mistakes made by Verisign or any Registrar in connection with a domain name registration, or

(h) for the non-payment of fees to Verisign. Verisign also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute.

According to Rebecca Jeschke, media relations director and digital rights analyst for Electronic Frontier Foundation, it’s a bad idea. "We've already seen how problematic domain seizures are through the ICE (Immigration and Customs Enforcement) shutdowns," she told Ars Technica. "It's similar to things the U.S. government is trying to get through Congress with the Protect IP Act, though there's a little more oversight in Protect IP. The key is if you're going to do something as drastic as taking a whole site offline, you at least need some meaningful court review."

Needless to say, for adult website operators, the prospect of having their domains’ fate rest on a policy that gives Verisign the de facto power of life and death over them without any barrier protection is something the industry has feared since its inception, and with good reason. The U.S. government has sought such control time and again, with only the Constitution standing in the way of its success. To the extent that ICANN, though it is based in California and is incorporated in the state, is for all intents and purposes a coalition of international stakeholders, domain owners cannot assume that it will use the U.S. Constitution as its determining authority.

As was noted by the Register, “It's not yet clear how VeriSign would handle a request to suspend a .com domain that was hosting content legal in the US and Europe but illegal in, for example, Saudi Arabia or Uganda.”

Indeed. But then, that messy prospect is already to an extent in play with respect to .xxx domains, which may well find themselves the recipients of take-down demands or worse by countries hostile to adult content. Whether the .xxx registry, ICM, complies with such demands remains to be seen, but what can be said is that adult webmasters have historically counted on the relatively safe (or safer) harbor found in .com and .net to be able to proceed developing their online businesses with a sense of security. If that is taken away, it will surely present a problem for adult webmasters worldwide, even if they make every effort to provide legal, consensual content to of-age consumers who readily want their content or services.

Assuming Verisign is not interested in losing the untold thousands of adult domain owners who desperately want to keep their .com domains—and one has to make that assumption—it would behoove the company to make clear the specific paradigm it is proposing with respect to a threshold for shuttering sites, and provide some assurance that the baseline will not be provided by, say, Saudi Arabia or Uganda.

That would be a start at least.

ICANN's board of directors will reportedly be required to approve the policy change, and the idea may also be put before the public for comment.