Today The Public Interest Registry (“PIR”), the company which runs the .Org registry, announced a Domain “Anti-Abuse Policy”, effective 5 February 2009.
In announcing this policy, PIR is taking a strong stand against what it defines as domain abuse, and it gives itself the right to cancel any .org domain registration which it considers to be abusive.
From the announcement:
“Abusive use(s) of .ORG domain names should not be tolerated. The nature of such abuses creates security and stability issues for the registry, registrars and registrants, as well as for users of the Internet in general.
The PIR defines abusive use of a domain as the wrong or excessive use of power, position or ability, and includes, without limitation, the following:
· Illegal or fraudulent actions;
· Spam: The use of electronic messaging systems to send unsolicited bulk messages. The term applies to e-mail spam and similar abuses such as instant messaging spam, mobile messaging spam, and the spamming of Web sites and Internet forums. An example, for purposes of illustration, would be the use of email in denial-of-service attacks;
· Phishing: The use of counterfeit Web pages that are designed to trick recipients into divulging sensitive data such as usernames, passwords, or financial data;
· Pharming: The redirecting of unknowing users to fraudulent sites or services, typically through DNS hijacking or poisoning;
· Willful distribution of malware: The dissemination of software designed to infiltrate or damage a computer system without the owner’s informed consent. Examples include, without limitation, computer viruses, worms, keyloggers, and trojan horses;
· Fast flux hosting: Use of fast-flux techniques to disguise the location of Web sites or other Internet services, or to avoid detection and mitigation efforts, or to host illegal activities. Fast-flux techniques use DNS to frequently change the location on the Internet to which the domain name of an Internet host or name server resolves. Fast flux hosting may be used only with prior permission of PIR;
· Botnet command and control: Services run on a domain name that are used to control a collection of compromised computers or “zombies,” or to direct denial-of-service attacks (DDoS attacks);
· Distribution of child pornography; and
· Illegal Access to Other Computers or Networks: Illegally accessing computers, accounts, or networks belonging to another party, or attempting to penetrate security measures of another individual’s system (often known as “hacking”). Also, any activity that might be used as a precursor to an attempted system penetration (e.g., port scan, stealth scan, or other information gathering activity).
PIR reserves the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, in its discretion; (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of PIR, as well as its affiliates, subsidiaries, officers, directors, and employees; (4) per the terms of the registration agreement or (5) to correct mistakes made by PIR or any Registrar in connection with a domain name registration.
PIR also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute.”
Let’s hope this policy curbs abuses, and that the registry does not use it to cancel any “innocent” domains.
It always worries us, at least a little, when someone sets themselves up to be the complainant, judge and jury.
We are all against Spam, Phishing, Child Porn and the rest, yet one entity having the power to find a domain, determine it violates its policy and take the domain down, without any intervention or right to appeal, is a scary proposition.
We have not gone a day, in the last couple of years, without having one of our domains, or one of our e-mail addresses, used by spammers as a fake header, return e-mail address, removal link address or like purpose.
We are certainly not the only ones who are victimized by this practice.
Scary.
George Kirikos says
That’s the problem exactly, that innocent domain registrants can be victimized without due process, for example if someone malevolently sends out spam using your domain as a link, hacks your website, etc. There are so many bugs/security issues with various blogs (e.g. WordPress) and other widely distributed software that it’s impossible for innocent registrants to stay within the policy 100% of the time, due to forces beyond their control. Recently Wikipedia was on the UK blacklist for “child pornography” for having a racy album cover image, for example.
PIR better be prepared for huge litigation if/when they cancel an innocent domain without due process.
This is why we opposed the similar .info abuse policy, although few other people even participated in the public comments.
MHB says
George
This is worse than the .info situation as it was done as an edict, no comment period was opened nor were any opinions requested.
Jon Schultz says
“to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process”
Overly broad, I think, to say the least. So if Kentucky is told it cannot seize domains it deems in violation of its statutes, it can request that they be deactivated under policies such as this. I wonder if this will be implemented by all registries.
MHB says
Jon
Very Broad
And you are right, it could be used by the registry to cancel the registration of gambling domains based on the Kentucky Seizure order.
Or the next order that comes from somewhere for something.
Richard Meyer says
I received the notification 2 hours ago from PIR and I immediately thought – “This might be a good time to sell my valuable .org’s”.
All it will take is one person, company or organization to start complaining about a particular domain and PIR might delete the domain. I’m sure there is a way to create false data.
Guilty til proven innocent.
However, if the domain is deleted. Then, someone else will end up with it.
Could the process be abused as to force a valuable domain deleted so the person could buy it from a Pool or Snapnames auction?
MHB says
Richard
I don’t think the .Org registry benefits if a .org is dropped and auctioned off. Just the drop service and the registrar of a domain.
Having said that, we have had hundreds of our domains and all our e-mail addresses used by Spammers as fake headers, fake removal links, fake sender e-mail addresses, etc., so it’s easy to see how an innocent domain holder could be swept into a mess with these rules in place.
“PIR reserves the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, in its discretion”
It’s the “in its discretion” language which is especially troubling.
Moreover what if they so determine?
Do you have a right to appeal and if so to whom?
Andrew says
I’m glad I don’t own many .org domains. That is a scary rule to put in place. Good news is that list is things most people would agree with should be monitored and controlled. In my opinion, especially in the .org environment out of all extensions. However, it is scary that the wrong person with the wrong intention could get a domain / business put on hold because of these rules.
wannadevelop.com says
Dang, this sucks….. Not really surprised by this though — They are doing this to protect everybody in the long run and is good news but this stuff definitely can be tricky… You know .org’s are used for quite a lot of “illegal” and “abusive” stuff if you keep up with blacklists and spammers activities/trends.
Not so long ago they ran a bunch of promotions where .org new registrations were avail for $1.99 per year to dozens of developing countries… Lots of em in Africa, Asia, etc.
We’ll see how this plays out.. Not sure what to make of it yet though. When they do start suspending and deleting domains… Then we’ll know 🙂
Best,
Mike
http://www.wannadevelop.com
M. Menius says
This appears to be a public relations reflex action to demonstrate that the .org registry is now proactive in eliminating phishing threats. .ORG was found to be the #1 most abused global tld for phishing in the 2008 APWG survey. Here’s a link to the study:
http://www.apwg.org/reports/APWG_GlobalPhishingSurvey1H2008.pdf
The most exploited domains for phishing were respectively .hk (Hong Kong), .th (Thailand), and .bz (Belize).
Note here that .BIZ and .INFO (two of my favorites) had very good ratings with their respective registries being cited as having already implemented improvements and safeguards.
MHB says
Mr. Menius
No doubt they did this with “good intentions” to curb abuses.
However we do have to be concerned that an innocent domain could wind up with its registration deleted without any due process or right of appeal.
jblack says
George Orwell would be proud. PIR has decided by edict what is in the “Public’s Interest” and what is best for the public’s interest.
Like George K said, the litigation risk potential is now tremendous.
M. Menius says
@MHB – “we do have to be concerned that an innocent domain could wind up with its registration deleted”
Definitely agree. We’ve seen repeatedly that registries will put their interest far above that of the customers that keep them in business.
George Kirikos says
Any website with dynamic content has a good chance of getting exploited at some point, given vulnerabilities in scripts, etc. Heck, even static sites can get hacked. Any site with user-generated content would especially be at risk (e.g. people uploading inappropriate images, “illegal” text like threatening the US president’s life, etc.).
I’ve not even received this “notice” from PIR. Was it sent out by registrars, or…. ? My WHOIS is always accurate, so they should have no problems reaching me.
MHB says
George
The notice was sent out last night by PIR to all domain registrars.
George Kirikos says
I would hope that there will be some push back by registrars this time, compared to what happened with .info. .info is a marginal registry, whereas .org has much greater importance.
If anyone is a Tucows reseller, I’ve posted on the Tucows forum too:
http://opensrs.com/forums/comments.php?DiscussionID=30
so you might want to add your voice there. As I said over there, due process is the only thing that protects the innocent from the mistakes and whims of the powerful, and in this case all the power is being held by the registry operator, to use at its sole discretion. Much stronger safeguards are needed to ensure that in trying to stop alleged “abuse”, the registries don’t in turn become the abusers.
George Kirikos says
Just as a heads-up, someone asked whether other registries can do this. The language that PIR (and Afilias) are taking advantage of doesn’t exist in the .com agreement, so for now it’s not an immediate issue. However, ICANN would not be in a position to deny VeriSign if they tried to get this power through a contract amendment, due to that equal treatment clause that I’ve been repeating over and over again in the tiered-pricing debate.
The GNSO was supposed to be doing a consensus policy discussion, one that would be balanced on this issue, and receive public consultation by everyone. But, once again the registries decide to go it on their own in an ad hoc manner, ignoring public input that would create safeguards, in an arrogant manner. It’s that arrogance that should worry innocent registrants, when it comes time to consider how their “sole discretion” will be applied.
George Kirikos says
PIR has finally posted about the policy on their blog at:
http://blog.pir.org/?p=108
(I had scolded them on the CircleID site yesterday for not posting it)
It might be worth giving them some feedback.
jp says
Well there is always the court system right? An expensive route to take, but I imagine that if PIR had to pay high enough damages for unjustly cancelling a .org they may think about setting up some sort of due process of their own to help circumvent the legal process.