dna healthy practices outline (clean)
DNA HEALTHY DOMAINS INITIATIVE
REGISTRY/REGISTRAR HEALTHY PRACTICES

I. Introduction and Context

Introduction
This document is part of the Domain Name Association's (DNA) Healthy Domains Initiative (HDI), which has the following objectives:
● Establish a network of industry partners that communicate and collaborate with one another to support a healthy domain name ecosystem.
● Identify and/or develop industry-accepted healthy practices and specific programs that provide tangible ways of promoting standards for healthy domains.
● Demonstrate to the community our desire to implement best practices and otherwise fulfill our stewardship obligations.

Purpose of this Healthy Practices Document

The purpose of this document is to present a set of prioritized healthy practices and programs for the domain name community that would result in:
● Presentation of a more vibrant namespace to end-users
● Identification of additional voluntary steps to address abuse and illegal activity

The document is meant to be collaborative among all interested parties. It is anticipated that this set of draft principles and operational programs will continually evolve.
This document is not meant to create new requirements for registries and registrars; it is a representation of existing and proposed practices that, voluntarily adopted, can further the healthy development of the domain name system.
Context: Evolution of Healthy Domains Initiative

The Healthy Domains Initiative is a project under the DNA's umbrella. The DNA assumed management of the concept in 2015 and established a committee devoted to HDI.
As the concept took shape, the HDI committee entertained ideas for registry and registrar operations that, if implemented, would help to address various challenges in the domain name system. Such ideas were presented and discussed by multiple parties in the greater community at the initiative's first HDI summit, held in Seattle in February 2016. The Seattle meeting further built out these ambitious ideas.
During the ICANN meeting in Marrakech in March 2016, parties interested in HDI met to further review and discuss these ideas. It was agreed in that meeting that the next best output for the HDI effort was to put forth a set of operational principles to which contracted parties could reasonably adhere. HDI leaders thus focused on such a document as the first deliverable in the HDI effort.
Next, to get a sense of what already was in place in the market, and to measure priorities for potential practices, the DNA conducted a survey of members. The results of the survey identified areas where contracted parties already had put strong operational practices into place, and where there was room for additional expansion. The results of that survey are below in this paper, embodied as a prioritized list of aspirational practices.
After conferring on these proposals during the ICANN meeting in Helsinki in June 2016, the HDI committee identified several that should be prioritized, developed and implemented. These are:
1. Addressing online security abuse (e.g., malware, phishing, pharming)
2. Enhancing child abuse mitigation systems
3. Complaint handling from illegal or "rogue" online pharmacies
4. Voluntary third party handling of copyright infringement
Each of these areas is now headed by 1-2 HDI committee volunteers, who will direct sub-teams in developing implementation plans for each.
Baseline: Industry Respondents Detail Current Healthy Practices

The DNA surveyed its membership on what, if any, healthy practices already are employed by contracted parties, and further, regarding the appeal of proposed new practices.
An impressive 78% of respondents said that their companies already employed healthy practices outside the scope of their contracts with ICANN.
89% of respondents said they intend to expand this list to include additional practices. The conclusion of the survey, agreed to by most involved in HDI, is that there exists an opportunity to expand practice ideas, and contracted parties are receptive to doing so.
II. Healthy Practice Priority Areas

A. Addressing online security abuse (e.g., malware, phishing, pharming)

For a full review of proposed healthy practices addressing this area, please see the sub-team's detailed document in Appendix A.

Overview
The objective of this effort is to further reduce security abuse in the DNS.

Tactics and goals
This effort will consolidate recommended practices for registries and registrars responding to security abuses identified in their TLDs, as described in past work by groups in the security space. In identifying recommended practices, we consulted past practices recommendations developed by the Security and Stability Advisory Committee (SSAC); the Anti-Phishing Working Group (APWG); StopBadware; and the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG) as they applied to the registry and registrar context. Our goals in this area are threefold:
● To outline some of the challenges and considerations affecting how registries and registrars respond to identified security threats;
● To identify practices for registries and registrars to improve responses to security threats through individual practice, collective action, and information sharing; and
● To identify a means for registries and registrars to strengthen their relationships with key groups in the security space to improve and evolve security-related abuse handling.

Relevant principles
Principle 1: Focus action on domains that are primarily malicious.
Principle 2: Consider the impact of mitigation mechanisms, particularly on third parties, and whether another provider is able to mitigate the abuse through narrower, less disruptive means.

Recommended practices
This sub-group has identified a total of 20 practices for registrars and registries to employ as means for combating DNS abuse. The specific recommendations are consolidated around four core areas where registries and registrars can exercise strong security practices:
● Measures to improve credential management on their platforms and minimize the risks associated with compromised domains;
● Measures to detect and mitigate possible abuse at the point of registration;
● Measures to identify and mitigate potential abuse on an ongoing basis; and
● Measures for receiving and handling abuse reports.
We do not intend to propose a one-size-fits-all model for security abuse handling. The ideal package of security improvements may depend on a registrar's customer base and business model. Specific considerations and recommendations for each of these four areas are identified in Appendix A.
B. Enhancing child abuse mitigation systems

For a full review of proposed healthy practices addressing this area, please see the sub-team's detailed document in Appendix B.

Overview
The objective of this practice is to further expand existing, but not yet universal, methods for addressing images and content related to child abuse, as well as providing education and resources for registries and registrars to combat child abuse.

Tactics and goals
The primary recommended practices here are twofold:
● Establish a system for imagery handling
○ Participating registry operators and registrars require in their registry-registrar agreements/registrant agreement a term that prohibits child abuse content and permits the registry operator/registrar to suspend or delete domain names that violate this term.
○ Each also may establish an internal policy/protocol advising staff to forward the URL/domain name/website in question to the organization's Legal or Compliance Department.
○ The next step is an expeditious report of the situation to a child protection hotline.
● Establish a trusted notifier system
○ "Trusted notifier" is a party that is pre-vetted (e.g., NCMEC, IWF, INHOPE) and recognized by the contracted party as capable of providing the relevant and complete evidence needed to take action against the registrant.
○ Provide forms of agreements between registries/registrars and these organizations.

Aspirational practices
Depending on the services provided, contracted parties may also wish to consider adoption of services and technologies available through outside child protection expert organizations. These include:
● NCMEC's URL Initiative and PhotoDNA and Hash Value Sharing programs
● IWF's Image Hash Tag List
C. Complaint handling for "rogue" online pharmacies

For a full review of proposed healthy practices addressing rogue pharma, please see the sub-team's detailed document in Appendix C, as well as NABP's diagram proposal for a qualified complaint handling system.

Overview
The objective of this practice is to further address "rogue," or illegal, online pharmacies.

Tactics and goals
The proposed methods for this section of HDI's healthy practices proposal involve both internal and external steps that registries and registrars may voluntarily employ to identify and safely remove these threats to public health:
● Internal practices by contracted parties:
○ Partner with and support the work of organizations dedicated to combating the problem (NABP, CSIP, ASOP).
○ Notify relevant organizations when the registry/registrar becomes aware of potential illegal pharmacies.
○ Take action on confirmed illegal pharmacy sites in accordance with internal processes.
● Establish a trusted notifier and third-party validation system
○ "Trusted notifier" is a party that is pre-vetted and recognized by the contracted party as capable of providing the relevant and complete evidence needed to take action against the registrant.
○ "Validator" is a party that the contracted party deems capable of determining that an online drug seller is properly licensed, reputable and safe.
○ Provide forms of agreements between registries/registrars and these organizations.
The DNA's role is to promote the use of sound internal practices and relevant partnerships to help mitigate the problem of illegal internet pharmacies.
D. Voluntary third party handling of copyright infringement cases (PIR proposal)

For a full review of the proposed process to be employed voluntarily in addressing copyright infringement, please see the sub-team's detailed document in Appendix D.

Overview
The objective of this practice is to provide a voluntary mechanism to help mitigate copyright infringement in the DNS, by a method similar to those employed by trademark owners to protect their interests.

Tactics and goals
The proposal advanced here is to construct a voluntary framework for copyright infringement disputes, so copyright holders could use a more efficient and cost-effective system for clear cases of copyright abuse other than going to court, and registries and registrars are not forced to act as "judges" and "jurors" on copyright complaints.
● Framework is registry specific; each registry decides whether to participate. Participating registries:
○ adopt policy requiring registrants to submit to ADR proceeding; and
○ agree to take all steps necessary to implement the Panel's decision, i.e. cancellation of registration or transfer to Complainant
● Does not preclude litigation.
● Remedies limited to:
○ Cancellation of domain name, or
○ Transfer of registration to complainant
○ No monetary damages
● Legal construct must be sound
○ Accurately reflect applicable law
○ To the extent copyright laws materially vary among jurisdictions, consider creating more than one custom framework
○ Ensure due process for respondents
○ Complainant pays panel fees
○ Registries/registrars cannot be named as parties
III. Next Steps

In order to make measurable progress toward the above prioritized practices and therefore validate and claim ongoing success with the program, the DNA must now move into implementation mode. This includes the following steps:
1. Meet monthly as an HDI committee to continue progress toward implementation of prioritized practices.
2. Set interim progress report to full DNA organization between Hyderabad and Copenhagen.
3. Prepare short PR campaign to alert industry to DNA efforts.
Appendix A: Security Threat Mitigation Proposal

Purpose
The purpose of this document is to consolidate recommended practices for registries and registrars responding to security abuses identified in their TLDs, as described in past work by groups in the security space. In identifying recommended practices, we consulted past best practices recommendations developed by the Security and Stability Advisory Committee (SSAC); the Anti-Phishing Working Group (APWG); StopBadware; and the Messaging, Malware, and Mobile Anti-Abuse Working Group as they applied to the registry and registrar context. Our goals in this area are threefold:
● To outline some of the challenges and considerations affecting how registries and registrars respond to identified security threats;
● To identify practices for registries and registrars to improve responses to security threats through individual practice, collective action, and information sharing; and
● To identify a means for registries and registrars to strengthen their relationships with key groups in the security space to improve and evolve security-related abuse handling.
Considerations
Several considerations complicate registries' and registrars' efforts to effectively deal with online security abuse. Abuse complaints may involve distributed actors and complex chains of responsibility. Various actors, including registries, registrars, resellers and hosting providers, each have distinct responsibilities with respect to a domain name or website and different information and tools to assist in mitigating a particular abuse. The lack of uniform reporting and response practices across these providers may thwart the communication and collaboration necessary to effectively address a particular abuse. Further, given this distribution of service providers associated with a single domain name or website, a particular provider may lack a contractual relationship and/or history of communication with the registrant or site owner, limiting their ability to work directly with the registrant or site owner to mitigate the abuse.
Additional legal considerations also inform registries' and registrars' ability to respond to abuse. These considerations can range from concerns around whether a particular action could negatively impact free speech or raise privacy concerns, to jurisdictional issues, where the multiple service providers involved are subject to different legal frameworks with different requirements and limitations affecting how they take action on an identified abuse.
Lastly, accountability considerations also factor significantly into registries' and registrars' practices for handling identified security abuse. Most notably, the question of whether the registrant is directly responsible for the abuse in question should influence what actions a registry or registrar takes when a potential security abuse is identified. Domain names that appear to be compromised may require a different set of responses, given that registrants on the whole are generally uneducated about security threats without support from their providers.
These considerations have been taken into account in the principles and recommendations outlined below. However, they may account for additional differences in how particular registries or registrars address abuse complaints, or in how particular complaints are dealt with on a case-by-case basis.

Principles
Principle 1: Focus action on domains that are primarily malicious.
Registries and registrars should focus on domain names that are primarily malicious. Domains that are compromised, or where other parts of the domain serve a legitimate purpose, should generally be referred to their hosting providers, which possess tools to address abuse in a more targeted fashion by taking action against specific abusive content rather than taking action at the domain level.
Principle 2: Consider the impact of mitigation mechanisms, particularly on third parties, and whether another provider is able to mitigate the abuse through narrower, less disruptive means.
Considerations that a registry or registrar could weigh when assessing whether they are appropriately situated to mitigate the identified abuse include:
● Whether the relevant infrastructure is under its direct control;
● The number of downstream providers that would be affected;
● Applications or legitimate content that could be affected by mitigating the abuse directly;
● Whether mechanisms exist to temporarily mitigate the abuse, and any potential consequences of temporary mitigation;
● Whether downstream providers have been contacted already and whether they have been responsive when contacted; and
● Whether the provider in question possesses a direct contractual relationship with the registrant.
Registries and registrars may consider whether there are downstream providers with closer relationships to the registrant and the content in question (e.g. contractual relationships or more targeted tools to address the abuse). If so, it may be more appropriate to refer the complaint to a downstream provider. If downstream providers have already been engaged, any actions taken so far should be taken into account in determining any future response.
Recommended Practices
The following recommendations offer ways for registries and registrars to improve their security offerings. We do not expect that registries or registrars will implement all of the mechanisms described below; rather, that the recommended practices will provide a framework to review current practices against and identify potential improvements. We break out recommended practices into four categories based upon the phase of the registration or abuse response in which they occur:
● Measures to improve credential management and minimize the risk associated with compromised domains;
● Measures to detect and mitigate possible abuses at the point of registration;
● Measures to identify and mitigate potential abuse on an ongoing basis; and
● Measures for receiving and handling abuse reports.
Implementation of each of the following mechanisms can occur in a manner that takes into account the considerations outlined above.
Additionally, the ideal package of security improvements may be affected by a registrar's customer base and business model. By way of example, a corporate registrar that manages high-value and highly-trafficked domain names may benefit from implementing heightened opt-in security features to enable registrants to take additional steps to protect their domains from being compromised. At the other extreme, registrars or registries that sell high volumes of low-cost domains may see more impact from mechanisms that prevent abuse at the point of registration or that automate, expedite, or scale abuse response procedures.

Measures to improve credential management and minimize the risk associated with compromised domains
As outlined above, one of the most critical considerations in determining how to respond to a particular security threat is whether the domain name is malicious or compromised. Cybercriminals benefit from taking control of legitimate websites rather than registering malicious domains, as they are more likely to retain traffic and invoke consumer trust, and are less likely to be blocked by security software or flagged by reputation service providers (Compromised Websites, A User Perspective). According to regular studies carried out by the APWG, the vast majority of domain names that are flagged for phishing are the result of domain compromise rather than malicious registrations by phishers (APWG, Global Phishing Survey).[1] Compromised websites can also be linked to other forms of abuse, such as the distribution of malware, including through "domain shadowing", where abusive third-level domains are set up under a legitimate second-level domain name, potentially bypassing internal monitoring (SAC074, SSAC Advisory on Registrant Protection). This makes the implementation of mechanisms to prevent credential compromise at the registrant, registrar, and registry level a useful proactive step toward preventing many security abuses. Previous work by the SSAC has offered a number of proactive measures that registrars can implement to allow registrants to minimize the risk that their domains will be compromised, which have been summarized below:[2]
[1] According to the three most recent Global Phishing Surveys carried out by the APWG, domain names that were registered maliciously accounted for only 28.6 percent. The rest are a result of compromised domains. (APWG, Global Phishing Survey: Trends and Domain Name Use in 2H2014 and 1H2015)
[2] The full recommendations by the SSAC on this matter can be found in SAC040 and SAC074.
● Recommendation 1: Registrars may make registrant accounts secure through credential design, such as heightened requirements for password length and complexity, encouraging or requiring registrants to rotate passwords, and preventing password reuse.
● Recommendation 2: Registrars may offer to registrants additional, opt-in features to make their accounts more secure. Examples include enabling two-factor authentication, offering tiered levels of access for different account roles, delivering notification of account changes to multiple contacts, introducing security questions or other challenge systems, using IP whitelisting, or creating per-domain access controls.
● Recommendation 3: Registrars may validate change requests to a domain name through secondary means, and not validate through an email address associated with the domain in question, which may itself be compromised.
Additionally, the advisories propose mechanisms that registries or registrars can implement to minimize the risk of compromise of registry or registrar authoritative systems.
● Recommendation 4: Registries and registrars can structure internal processes to ensure that credentials are not stored in places where they might be compromised (e.g. internal bug logs, wikis, or tickets).
● Recommendation 5: Registries and registrars can maintain good practices for the storage and transmission of credentials, including transmission of credentials over secure channels, storing protected versions of credentials, storing backups offline, and destroying records of credentials where they are no longer needed.
● Recommendation 6: Registries and registrars may implement clear practices to ensure that credentials are revoked and rotated when personnel with access to the information depart the organization.
● Recommendation 7: If a breach occurs, registries and registrars can notify registrants in a way that can be easily recognized and verified.
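The following is an added example, not part of the DNA document, illustrating the check behind Recommendation 3: before confirming a change request through a contact mailbox, determine whether that mailbox lives on the very domain being changed (or a subdomain of it) and, if so, route the confirmation through an enrolled secondary channel instead. The channel labels and the ChangeRequest structure are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional


def _normalize_domain(name: str) -> str:
    # Lower-case and strip a trailing dot so "Example.COM." matches "example.com".
    return name.strip().lower().rstrip(".")


def contact_depends_on_domain(domain: str, contact_email: str) -> bool:
    """True when the mailbox is on the domain being changed or on any subdomain of it.

    A compromised domain can have its DNS/MX records redirected, so a mailbox under
    it is not an independent channel for confirming changes to that same domain.
    """
    domain = _normalize_domain(domain)
    if "@" not in contact_email:
        return False  # not an email channel; nothing to compare
    mail_domain = _normalize_domain(contact_email.rsplit("@", 1)[1])
    # Exact match or a proper suffix match: "notexample.com" must not match "example.com".
    return mail_domain == domain or mail_domain.endswith("." + domain)


@dataclass
class ChangeRequest:
    domain: str                       # domain whose settings are being changed
    contact_email: str                # mailbox the account is normally validated through
    secondary_channel: Optional[str]  # hypothetical label: "totp", "sms", "account_email", or None


def choose_validation_channel(req: ChangeRequest) -> str:
    """Pick the channel used to confirm the change request.

    When the contact mailbox depends on the domain itself, fall back to a secondary
    channel; if none is enrolled, hold the request for manual review rather than
    validating through a possibly compromised mailbox.
    """
    if contact_depends_on_domain(req.domain, req.contact_email):
        return req.secondary_channel or "hold_for_manual_review"
    return "email"


if __name__ == "__main__":
    # Constructed sample requests.
    for req in (
        ChangeRequest("example.com", "admin@example.com", "totp"),
        ChangeRequest("example.com", "admin@mail.example.com", None),
        ChangeRequest("example.com", "owner@provider.example", None),
    ):
        print(req.domain, req.contact_email, "->", choose_validation_channel(req))
```

The suffix comparison is deliberately done with a leading dot so that a look-alike domain ending in the same characters is not treated as a subdomain.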
Measures to detect possible abuses at the point of registration or inbound transfer
Registries and registrars can also implement mechanisms to identify and address possible security abuses at the point of registration. These mechanisms are particularly useful for registries or registrars that offer free or extremely low-cost domains, which have historically attracted abuse, and as a deterrent for abuse types that require the registration of large volumes of domains.
● Recommendation 8: Registrars can protect against automated registrations by screening for and limiting or investigating high registration volumes coming from a single account, or by implementing a CAPTCHA to help ensure that domains are being registered by a human.
● Recommendation 9: Registrars screen registrations for frequently abused terms and require additional identity verification information from registrants of these domain names. Flag domains for further review or require additional information or validation from the registrant prior to registration.
● Recommendation 10: Registrars validate payment information based on Payment Card Industry (PCI) Security Standards.
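As an added example (not code from the DNA or any registrar), the screen below combines Recommendations 8 and 9: a sliding-window count of registrations per account that escalates from "allow" to "review" to "limit", plus a watchlist of frequently abused terms that sends a name to review regardless of volume. The thresholds, the window length and the watchlist terms are constructed for illustration; a registrar would derive them from its own abuse data.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List

# Constructed watchlist of terms that commonly appear in abusive registrations.
# A production list comes from the registrar's own abuse history, not this example.
ABUSED_TERMS = ("login", "verify", "secure-update", "account-suspended")


class RegistrationScreen:
    """Point-of-registration gate: per-account volume limits plus term screening."""

    def __init__(self, window_seconds: int = 3600, review_at: int = 20, limit_at: int = 50):
        self.window = window_seconds   # how far back to count an account's attempts
        self.review_at = review_at     # attempts in window that trigger extra verification
        self.limit_at = limit_at       # attempts in window that stop further automation
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def _count_recent(self, account_id: str, now: float) -> int:
        q = self._events[account_id]
        while q and now - q[0] > self.window:   # drop attempts older than the window
            q.popleft()
        return len(q)

    def screen(self, account_id: str, domain: str, now: float) -> dict:
        """Return the decision for one registration attempt and record the attempt."""
        label = domain.lower().split(".")[0]     # only the label being registered
        flags: List[str] = [f"term:{t}" for t in ABUSED_TERMS if t in label]
        recent = self._count_recent(account_id, now)
        if recent >= self.limit_at:
            decision = "limit"    # stop automated registrations; investigate the account
        elif recent >= self.review_at or flags:
            decision = "review"   # require additional identity verification first
        else:
            decision = "allow"
        self._events[account_id].append(now)     # every attempt counts toward the window
        return {"decision": decision, "recent": recent, "flags": flags}


if __name__ == "__main__":
    screen = RegistrationScreen(window_seconds=60, review_at=3, limit_at=5)
    # Constructed burst of registrations from one account within a minute.
    for i in range(6):
        print(screen.screen("acct-1", f"shop{i}.example", now=1000 + i))
    print(screen.screen("acct-2", "bank-login.example", now=5))
```

Because every attempt is recorded, an account that hits the limit stays limited until enough of its attempts age out of the window, which is the behaviour wanted for bulk automated registration.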
Measures to identify and mitigate potential abuse on an ongoing basis
In addition to responding to security abuses that are identified and reported to a registry or registrar by third parties, registries and registrars can improve abuse handling by proactively identifying potential abuses and taking further mitigation action based on the type and severity of the abuse. Registries and registrars can improve security by building an abuse program that identifies, investigates and actions abuse in their namespaces proactively, through partnership with reputation service providers or third-party "blocklists", rather than solely taking action in response to abuse complaints.
Registries are already required per their Registry Agreements to "periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets." However, many registries remain uncertain or tentative in responding to security abuse identified through these means, given that they are far removed in the chain of responsibility discussed earlier and lack a contractual relationship with the registrant. Registries can improve the effectiveness of these technical analyses by defining clear practices for how to process and take action on abuses identified through technical analysis.
Registries and registrars that use a reputation service provider or third party blocklist should understand that provider's framework for classifying abuse types (e.g. phishing, malware, or social engineering ads); any indicators provided for determining whether a domain name is likely to be malicious or compromised; and where an abuse has been identified (e.g. whether it is at the domain level or confined to a particular subdomain or subdirectory). Each registry or registrar can define an internal framework for how to take action on identified abuses that takes into account these factors and the classification schema used by their reputation service provider.
● Recommendation 11: Registries and registrars may work with reputation service providers to proactively identify domains that have been identified as abusive, classify/investigate them, and take action as appropriate.
Unlike new domain registrations, which are unlikely to have a prior abuse history, domains being transferred in to a new registrar may already appear on a third party blocklist. Registrars could prevent abuse within their domains under management by screening inbound transfers that have been flagged by their reputation service provider or by third party blocklists, and barring these transfers unless and until the registrant works with the respective provider(s) to have the domain delisted.
● Recommendation 12: Registrars may screen domain names being transferred in for appearance on malware/phishing blocklists and require that domain names are de-listed before they can be transferred in.
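An added example, not taken from the DNA document or any reputation provider, of the "internal framework" the section above asks for: each blocklist entry carries the provider's abuse type, the scope of the listing (whole domain, subdomain or path) and its malicious-versus-compromised indicator, and the framework maps those to an action consistent with Principle 1 (domain-level action only for primarily malicious domains, referral downstream otherwise). The same index then serves Recommendation 12 by holding inbound transfers that are still listed. The entry format, action labels and sample feed are assumptions for this example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class BlocklistEntry:
    domain: str             # registered domain the provider listed
    abuse_type: str         # provider's classification, e.g. "phishing", "malware"
    scope: str              # "domain", "subdomain" or "path" (where the abuse sits)
    likely_malicious: bool  # provider indicator: malicious registration (True) vs compromised (False)


class BlocklistIndex:
    """In-memory index of a provider feed keyed by normalized domain name."""

    def __init__(self, entries: Iterable[BlocklistEntry]):
        self._by_domain: Dict[str, List[BlocklistEntry]] = {}
        for e in entries:
            self._by_domain.setdefault(self._key(e.domain), []).append(e)

    @staticmethod
    def _key(domain: str) -> str:
        return domain.strip().lower().rstrip(".")

    def lookup(self, domain: str) -> List[BlocklistEntry]:
        return self._by_domain.get(self._key(domain), [])


def decide_action(entry: BlocklistEntry) -> str:
    """Principle 1: act at the domain level only when the domain is primarily malicious."""
    if entry.scope in ("subdomain", "path"):
        # Abuse confined to part of the site: the hosting provider has narrower tools.
        return "refer_to_hosting_provider"
    if entry.likely_malicious:
        return "suspend_domain"
    # Domain-level listing that looks like a compromise of a legitimate domain.
    return "notify_registrant"


def triage_feed(entries: Iterable[BlocklistEntry]) -> Dict[str, List[str]]:
    """Recommendation 11: bucket a provider feed by the action the framework assigns."""
    buckets: Dict[str, List[str]] = {}
    for e in entries:
        buckets.setdefault(decide_action(e), []).append(e.domain)
    return buckets


def screen_inbound_transfer(index: BlocklistIndex, domain: str) -> dict:
    """Recommendation 12: hold a transfer-in while the name is still listed."""
    hits = index.lookup(domain)
    if not hits:
        return {"domain": domain, "transfer": "proceed", "listings": []}
    return {
        "domain": domain,
        "transfer": "hold_until_delisted",
        "listings": sorted({h.abuse_type for h in hits}),
    }


# Constructed sample feed; none of these names is a real listing.
SAMPLE_FEED = [
    BlocklistEntry("bad-phish.example", "phishing", "domain", True),
    BlocklistEntry("shop.example", "malware", "path", False),
    BlocklistEntry("blog.example", "phishing", "domain", False),
]

if __name__ == "__main__":
    index = BlocklistIndex(SAMPLE_FEED)
    print(triage_feed(SAMPLE_FEED))
    print(screen_inbound_transfer(index, "BAD-PHISH.example."))
    print(screen_inbound_transfer(index, "clean.example"))
```

The scope check runs before the malicious-registration check on purpose: a listing confined to a path or subdomain is referred downstream even if the provider flags the registration as suspicious, because the narrower remedy is still available there.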
The limitations on direct intervention by the registry when abuse is identified through its required technical analysis also create an opportunity for registrars to improve security response practices, either through implementation of a consistent framework for responding to reports that are passed down from the registry, or even by engaging similar service providers directly. Overall efforts to mitigate security threats would benefit from some coordination and shared expectation regarding how information would be relayed from registries to registrars (or other third party providers) for action, as well as strong communication between registries and registrars and other engaged parties. This begins with the provision of meaningful abuse reports.
● Recommendation 13: Where identified domain names are being referred to a third party for action, registries and registrars should include all available information about the identified abuse.
Relevant information can include at minimum:
● The URL being reported;
● The date and time that the abuse was reported;
● The IP address when last reported;
● Other targets that the abuse is being reported to; and
● Contact information necessary for follow up.
The following information is optional but can be provided to the extent that it is available:
● Conditions necessary to reproduce the identified abuse;
● The scope of abusive behavior (e.g. whether it applies to a particular page, subdomain, or across the domain);
● How the abuse was identified;
● Any specific malicious code or executables that were identified;
● Any related URLs; and
● Any actions taken to date in response to the abuse complaint.[3]
Additionally, a registry or registrar should be clear about what, if any, action it expects the third party to take with regard to the abuse; a timeframe for the party to take the action and/or provide a response; and any escalation procedures that may be followed if no action is taken or no response is received.

Measures for receiving, handling, and taking action in response to abuse reports
Lastly, abuse can also be identified by a registry or registrar through the receipt of a third party abuse report. As a first step, registries and registrars can define clear process flows for how these reports will be received and processed, and what standards and procedures will be followed to determine the appropriate course of action. All reports could undergo initial evaluation on a timely basis that establishes (1) whether the reported abuse is credible or can be confirmed; (2) whether the domain name being reported is primarily malicious; and (3) whether the reported abuse is within the scope of control of the registry or registrar, or whether it should be referred to a third party.
[3] StopBadware's Reporting Practices for Badware URLs provides a sample abuse notification that contains the recommended elements.
● Recommendation 14: Registries and registrars identify clear processes, criteria, and allocation of responsibilities for the takedown of clear-cut phishing sites, and escalation processes for reviewing other reports.
The investigation should not focus solely on the domain(s) referenced in the report. Wider investigation can be used to identify and, potentially, take action on additional domain names that are also abusive. This may be the result of a wider account compromise or a malicious user.
● Recommendation 15: When an abuse report is received and verified as abusive/malicious, registrars may review other domain names in the same user account or using the same credit card information.
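The following added example (written for this page, not drawn from the DNA document or any registrar's system) ties Recommendations 13 through 15 together: it checks an incoming report against the minimum and optional field lists given above, applies the three-question initial evaluation, using the report's own scope field to answer the "within scope" question in line with Principle 1, and, once a report is verified, expands the review to other names in the same account or paid for with the same card token. The field names, routing labels and the registration records are constructed for this example; the credible/malicious answers are inputs because they come from an analyst or separate automated checks.

```python
from typing import Dict, List, Set

# Field names are this example's own; the lists mirror the document's minimum and
# optional report contents.
REQUIRED_FIELDS = ("url", "reported_at", "ip_address", "other_recipients", "contact")
OPTIONAL_FIELDS = ("reproduction", "scope", "how_identified",
                   "malicious_code", "related_urls", "actions_taken")


def missing_fields(report: Dict[str, str]) -> List[str]:
    """Required fields that are absent or empty (Recommendation 13 / 16)."""
    return [f for f in REQUIRED_FIELDS if not report.get(f)]


def initial_evaluation(report: Dict[str, str], credible: bool, primarily_malicious: bool) -> str:
    """Map the three-question evaluation to a handling route (Recommendation 14).

    (1) credible?  (2) primarily malicious?  (3) within our scope of control?
    Question 3 is answered from the report's scope: abuse confined to a page or
    subdomain is better handled by the hosting provider (Principle 1).
    """
    if missing_fields(report):
        return "request_more_information"
    if not credible:
        return "close_unconfirmed"
    scope = report.get("scope", "domain")   # absent scope is treated as domain-wide
    if scope in ("path", "subdomain"):
        return "refer_downstream"
    if primarily_malicious:
        return "takedown_queue"
    return "notify_registrant"              # compromised legitimate domain


def related_domains(verified_domain: str, registrations: List[Dict[str, str]]) -> Set[str]:
    """Recommendation 15: other names in the same account or on the same card token."""
    accounts = {r["account_id"] for r in registrations if r["domain"] == verified_domain}
    cards = {r["card_token"] for r in registrations if r["domain"] == verified_domain}
    return {
        r["domain"] for r in registrations
        if r["domain"] != verified_domain
        and (r["account_id"] in accounts or r["card_token"] in cards)
    }


# Constructed registration records; card_token stands in for a tokenized card, never a PAN.
REGISTRATIONS = [
    {"domain": "phish1.example", "account_id": "A1", "card_token": "tok_111"},
    {"domain": "phish2.example", "account_id": "A1", "card_token": "tok_222"},
    {"domain": "other.example",  "account_id": "A9", "card_token": "tok_111"},
    {"domain": "clean.example",  "account_id": "A5", "card_token": "tok_555"},
]

# Constructed sample report containing every minimum field plus a scope.
SAMPLE_REPORT = {
    "url": "http://phish1.example/login",
    "reported_at": "2016-09-01T10:15:00Z",
    "ip_address": "192.0.2.10",
    "other_recipients": "hosting provider",
    "contact": "abuse-reporter@reporter.example",
    "scope": "domain",
}

if __name__ == "__main__":
    print(missing_fields({"url": "http://phish1.example/login"}))
    print(initial_evaluation(SAMPLE_REPORT, credible=True, primarily_malicious=True))
    print(sorted(related_domains("phish1.example", REGISTRATIONS)))
```

The completeness check runs first so that an incomplete report goes back to the reporter before any analyst time is spent, which is the back-and-forth the text says providers want to avoid.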
Just as the provision of complete reports between providers can help improve overall security responses, the provision of incomplete reports by third parties can get in the way of effective handling by the party receiving the abuse report. Often, registries and registrars receive reports that contain insufficient information to be actionable, or that do not describe prior or parallel actions being taken with respect to the particular abuse. Incomplete reports may require registries and registrars to engage in back and forth with the reporter before the abuse can be classified and flagged for action in accordance with internal processes. Registries and registrars can help expedite this process by providing information and tools for reporters to provide meaningful and actionable reports on the first attempt. This could include help center or reference articles about what information a registry or registrar expects to receive in an abuse report, or web forms that identify mandatory and recommended fields, facilitating the submission process. Relative consistency in terms of what information is expected across registries and registrars will also help and encourage third parties to provide actionable reports regardless of provider.
● Recommendation 16: Registries and registrars can provide tools and information to help internet users provide meaningful abuse reports.
Registries and registrars should also maintain a clear channel of communication with the reporter. This can be used to provide and receive additional information that may assist in mitigating the abuse. Additionally, it will increase reporters' confidence that their reports are being given due consideration, even in instances where the provider is unable to undertake direct action.
● Recommendation 17: Registries and registrars notify a complainant as soon as their report is received and provide a mechanism for them to provide further information or communication related to the complaint.
● Recommendation 18: Registries and registrars provide additional notification when the reporter's case is closed, including a description of any action taken.
If a registry or registrar believes that an abuse complaint is credible but not within its scope of action, it may provide additional assistance to the registrant by passing on the report to a downstream provider (e.g. registry to registrar, registrar to hosting provider or reseller) directly, or by providing guidance to the registrant about how to identify and contact the downstream provider.
● Recommendation 19: If a registry or registrar believes that a third party is better situated to mitigate a reported abuse, assist the reporter by identifying the appropriate provider to receive the report or by passing on the report directly.
Where a domain name appears to be abusive, a registry or registrar can additionally provide assistance by notifying the provider and encouraging him or her to mitigate the abuse directly. To the extent practical, the registry or registrar can provide additional information or resources to assist the registrant in mitigating the abuse.
● Recommendation 20: When a domain name appears to be compromised, a registrar may notify the registrant and provide an opportunity to rectify the abuse. Registries may, instead, notify the registrar and request that they or their reseller pass on the notice to the registrant.
AppendixB:ChildAbuseContentMitigationProposalDifferentcountriesdefinechildabuseimagesandchildpornographydifferently(e.g.,somedeemcomputer-generatedimages/animetobeillegalwhereasothersdonot).Oneglobaldefinitionof“childabuseimages”istheUnitedNationsConventionontheRightsoftheChildwhichdefinesthetermasanyphotograph,film,video,picture,orcomputerorcomputer-generatedimageorpicture,whethermadeorproducedbyelectronic,mechanical,orothermeans,depictingchildsexualabuse.Formoreinformationaboutvariousgloballawsrelatedtochildprotection,see:http://www.icmec.org/wp-content/uploads/2016/02/Child-Pornography-Model-Law-8th-Ed-Final-linked.pdfandhttp://fosigrid.orgRecommendedpracticesforRegistriesandRegistrars:
● Recommendation1:EachRegistryOperator/Registrarmaypublish,ontheirrespectivewebsites,a“zerotolerance”statementorpolicyagainstchildabusecontentandincludespecificprovisionsintheirregistrationtermsandconditionsprohibitingchildabusecontent.EachRegistryOperator/Registrymayincludetherighttosuspendordeletedomainnamesthatviolatethistermintheiragreement. SampleClause:
Registrant’ssitesshallnotdisplayanychildabuseimages.Registrant’ssitesshallnotengageinpracticesthataredesignedtosuggestthepresenceofchildabuseimages,including,withoutlimitation,theuseofmeta-tagsforthatpurpose.RegistryOperator/RegistrarwillreferanysitesthatarereportedtotheRegistryOperator/RegistrartobeinviolationofthispolicytochildsafetyhotlinesliketheNationalCenterforMissingandExploitedChildren(NCMEC),theInternetWatchFoundation(IWF),ortheInternationalAssociationofInternetHotlines(INHOPE).
● Recommendation2:EachRegistryOperator/Registrarincludecontactinformationfor
an“AbuseContact”sothatuserscanreportsuspectedillegalwebsites.
● Recommendation3:EachRegistryOperator/Registrarestablishaninternalpolicy/protocoladvisingstafftoforwardinternalandexternalreportsofchildabuseimagestotheorganization’sLegalorComplianceDepartment.
○ ItisstronglysuggestedthatmembersoftheorganizationDONOTaccesstheURL/domainname/websiteinquestion.
○ ItisstronglysuggestedthatmembersoftheorganizationDONOTFORWARDANYIMAGES/VIDEOSORSCREENSHOTSCONTAININGIMAGESORVIDEOS–BUTSIMPLYPROVIDETHEURL/DOMAINNAME/WEBSITE.
● Recommendation 4: When Registry Operators/Registrars become aware of suspected child abuse images, they expeditiously report the URL/domain name/website directly to a child reporting hotline and provide sufficient contact information to the child reporting hotline to facilitate law enforcement follow-up regarding the report submitted.
○ If the reporting organization (or the website) is based in the United States, file a CyberTip report with The National Center for Missing and Exploited Children (NCMEC) at https://report.cybertip.org/index.htm
○ If the reporting organization (or the website) is based in the United Kingdom, file a report with the Internet Watch Foundation (IWF) at: https://www.iwf.org.uk/report
○ If the reporting organization (or the website) is based in a country that is not the United States or the United Kingdom, check the International Association of Internet Hotlines (INHOPE) reporting page to see if they work with the respective country and report it accordingly, see http://inhope.org/gns/report-here.aspx
○ If the reporting organization (or the website) is not listed in any of the links identified above, submit the report to any of the hotlines you prefer because the various hotlines often work collaboratively, so there is generally no need to report to multiple hotlines; a report to one hotline suffices.
● Recommendation 4: When Registry Operators/Registrars become aware of suspected child abuse images, the organization may document the URLs reported and retain a copy of those URLs for their internal files, in the event the reporting hotline and/or law enforcement follows up with the reporting organization directly and/or for enforcement of any “repeat offender” policies the organization may have. (It is strongly recommended that Registry Operator/Registrar does not retain or share any screenshots, images or videos.)
● Recommendation 5: Upon contact from a reporting hotline and/or law enforcement, the Registry Operator/Registrar may wish to suspend the domain name, delete the domain name, etc. – pursuant to the organization’s policies and protocols.
Aspirational Practices for Organizations that provide Upload, Storage, Search, Hosting, Filtering, or Social Media Services:
If a Registry Operator/Registrar also provides upload, storage, search, hosting, filtering or social media services, and/or an Electronic Service,[4] the organization may wish to consider adopting some or all of the following additional services offered by US and UK child reporting hotlines:
● NCMEC: http://www.missingkids.org/Exploitation/Industry
○ URL Initiative: NCMEC maintains a list of URLs for active Web pages containing apparent child pornography. By joining the URL Initiative, Electronic Service Providers are provided access to NCMEC's URL list, which is updated daily.
○ PhotoDNA: This is an image matching technology that creates a unique signature for a digital image, called a PhotoDNA signature. This signature can be compared with the signatures of other images to find copies of that image. NCMEC and online service providers use PhotoDNA to help find, report and curtail the online circulation of some of the worst known images of child pornography.
○ NCMEC Hash Value Sharing: Through the Hash Value Sharing Initiative, U.S.-based Electronic Service Providers can partner with NCMEC to receive a list of MD5 hash values which represent the "worst of the worst" images of apparent child pornography.
[4] For the United States legal definition of Electronic Service Provider, see: https://www.law.cornell.edu/uscode/text/18/2510
● IWF: Best Practice Guide: https://www.iwf.org.uk/resources/best-practice-guide
○ Image Hash Tag List: The Image Hash Tag List lets parties match known images in order to remove them or prevent them appearing on services. The Image Hashes are categorized to suit international use. Contact HashList@iwf.org.uk for information.
Appendix C: Rogue Pharmacy Abuse Report Proposal
Registry/Registrar Practices for Combating Illegal Internet Pharmacies[5]
Registries and registrars are involved in the provisioning and sale of domain names. From time to time, illegal online pharmacies register domain names and then develop websites on these domain names to try and create a distribution channel for pharmaceuticals in violation of federal and state laws. If given the proper notice information regarding these illegal activities, registrars and registries can take effective action to take down these websites and suspend the domain names from use.
Recommended practices for Registries and Registrars:
● Recommendation 1: Registrars and registries may acknowledge the ongoing problem of illegal online pharmacies and publicly support the work of organizations such as CSIP and the Alliance for Safe Online Pharmacies (ASOP) and companies involved in combatting the use of domain names for the illegal distribution of drugs and medicines by illegal online pharmacies.
● Recommendation 2: When registries and registrars become aware of a suspected illegal pharmacy, they may refer the domain to a third party provider that verifies the legitimacy of these websites.
● Recommendation 3: After receiving adequate legal confirmation (pursuant to each organization’s own assessment of adequate legal confirmation) that a domain name hosts a website that is used to market and distribute drugs and medicines in violation of applicable laws, registrars and registries may take prompt action. Registries and registrars may take action on confirmed, illegal pharmacies up to and including suspension or deletion of the affected domain(s) in accordance with their internal procedures.
● Recommendation 4: Registrars and registries also include on their website contact information for an “Abuse Contact” so that users can report suspected illegal websites for further investigation by an online pharmacy verification provider.
[5] Reprinted with permission from the Center for Safe Internet Pharmacies’ “Principles of Participation.” Copyright 2016. All Rights Reserved.
Appendix D: Voluntary Third Party Handling of Copyright Infringement Cases
Purpose
The purpose of adoption and implementation of a Copyright Alternative Dispute Resolution Policy (“Copyright ADRP”) is to provide a legally effective and efficient mechanism mitigating pervasive instances of copyright infringement in the DNS, while ensuring that Registrants’ due process rights are observed. This document provides recommendations to Registry Operators as to how to structure and implement a Copyright ADRP should they elect to do so.
Principles
Registry Operators are not jurists or experts in Copyright law and are not in a position to admit and evaluate evidence. Accordingly, under any Copyright ADRP, Registry Operators can work with skilled and experienced third-party neutrals (an “ADR Provider”) to arbitrate any matter brought under a Copyright ADRP. Arbitration offers a less costly and more expeditious means of addressing alleged pervasive infringing content as compared to most judicial systems and ensures that Registrants receive notice of complaints and due process rights. The ADR Provider should be able to provide expert and experienced neutrals that are capable of determining the merits of any claim brought under a Copyright ADRP. In adopting the Copyright ADRP, the Registry Operator agrees to abide by decisions rendered by the ADR Provider, subject to any appeal that either the complainant or respondent may file in a court of competent jurisdiction.
Since the Registry Operator cannot control, affect or remove individual pieces of content on a website, the Rules of any Copyright ADRP (the “Rules”) should be crafted to only provide remedies to address domains where the alleged infringement is pervasive or where the primary purpose of the domain is the dissemination of alleged infringing material. Any dispute brought under a Copyright ADRP is necessarily a dispute between the copyright holder (the “Complainant”) and the registrant (the “Respondent”). Registry Operators should never be permitted to be a named party under any Copyright ADRP. Similarly, Registrars must not be named as a party under a Copyright ADRP, but should have the right to voluntarily intervene, at their discretion.
Recommendations
The following are recommendations for Registry Operators that choose to adopt and implement a Copyright ADRP:
• Recommendation 1: The Registry Operator can work with an experienced ADR Provider. There are many recognized and reputable ADR Providers that work with expert third-party neutrals in copyright disputes. The ADR Provider should be able to offer a number of qualified potential arbiters.
• Recommendation 2: The Complainant should bear the filing costs and fees (including any ADR Provider fee) of instituting the Copyright ADRP dispute. This does not include the cost of legal fees. If either the Complainant or Respondent choose to engage with counsel, they should bear their own costs.
• Recommendation 3: The Rules for the Copyright ADRP should respect the due process rights of the Respondent/registrant and clearly explain the process and procedures of the ADRP. This should include:
○ The process for filing a complaint.
○ A clear timeline setting forth how long a Respondent/Registrant has to file a response to the Complaint. Similarly, there should be a clear timeline as to how long the ADR Provider has to issue his/her ruling.
○ The Rules should also set forth the process for the status of the domain(s) while the appeal is pending (e.g., during appeal the domain will be placed under transfer lock at the Registry).
○ The Rules should clarify that the ADRP is non-exclusive. Both the Complainant and the Respondent/Registrant can bring an action related to the alleged infringement in a court of competent jurisdiction at any time before the matter has been fully briefed and submitted to the Arbiter.
○ The Rules should set forth the process in the event a Respondent/Registrant fails to respond to the Complaint, or “Defaults.” In the event of a Default, the ADR Provider should rule based on the allegations in the Complaint. This does not mean that the Complainant automatically prevails. The Complaint and any supporting materials must set forth a prima facie claim of pervasive copyright infringement.
○ The Rules should set forth the controlling law for the ADRP (typically the jurisdiction where the Registry Operator is located).
• Recommendation 4: Neither Registry Operators nor Registrars should be permitted to be named in any Copyright ADRP Complaint. Registrars, however, should be provided notice of the Complaint and have the right to intervene at their discretion.
• Recommendation 5: The Copyright ADRP should have limited remedies available. No monetary damages or relief beyond suspending, locking or transferring the domain name should be available.
• Recommendation 6: The Rules of the Copyright ADRP should require that the Complainant agree to indemnify, defend and hold the Registry Operator and the ADR Provider harmless from any claim arising from operation of the Copyright ADRP or any decision (and related action) thereunder.
• Recommendation 7: The Registry Operator should ensure that its Terms of Use and/or Acceptable Use Policy are updated to include the Copyright ADRP in order to bind Registrants into the process.