There is little argument among internet policy stakeholders that criminals do bad things on the internet. But that’s where the unity ends. Bickering continues over which of those bad things should be acknowledged as Domain Name System (DNS) abuse and, thus, who should be responsible for mitigating them (or not). For our part, call it what you will – DNS abuse, content abuse, or fake news – illegal online drug sellers pose a threat to public health. We hold that internet intermediaries positioned to stop these illegal activities most expediently, generally registries and registrars, should be accountable for doing so.
What is DNS Abuse?
In fall 2021, we attended a virtual panel discussion of cybersecurity and DNS experts addressing the board of the Internet Corporation for Assigned Names and Numbers (ICANN). Several participants agreed that it is overly simplistic to limit the scope of DNS abuse to a handful of bad actions. Panelist Maciej Korczynski, associate professor of computer network security at Grenoble Institute of Technology, France, said DNS abuse cannot be so narrowly defined and that technical abuse and content abuse often overlap.
In 2020, a group of registries and registrars signed the “Framework to Address Abuse,” which defines DNS abuse as phishing, pharming, malware, botnets, and spam (when spam is used to deliver the other forms of abuse). All other offenses, including criminal activity that relies on the DNS, they consider to be outside the scope of DNS abuse.
Who Should Stop It? And How?
Parties disagree about which entities in the domain name service chain are responsible for mitigating abuses and under what circumstances. For instance, many of the virtual panelists agreed that registrars and registrants are not at fault for abusive website domains that have been compromised by a third party. Distinguishing between a maliciously registered domain and a compromised domain remains a challenge.
Before the European Union implemented the General Data Protection Regulation in May 2018, law enforcement, public safety advocates, and cybersecurity investigators relied on WHOIS information to identify who is behind a website being used for illegal activities. Since then, this information has been all but off limits. Those interested in public safety argue that WHOIS information should be readily available to indicate who is behind a website, whereas those interested in protecting registrant privacy, such as most registries and registrars, believe it should remain redacted in most circumstances.
Panelist Stewart Garrick, special projects manager for the Shadowserver Foundation in England, noted that it is “utterly inconceivable” that, if an individual rents a car, there is a record, but if someone registers a domain name, there is none.
Panelist Cristine Hoepers, general manager of Brazil’s Computer Emergency Response Team, criticized proactive abuse-mitigation tactics like taking down all domain names with the word “COVID” in them, which was done by some well-meaning registrars early in the COVID-19 pandemic; many of those domains turned out to be benign. Others lampooned reputation blocklists, such as Spamhaus, that list domain names reported to be abusive. Many complained that these lists blacklist domain names without sufficient evidence of wrongdoing and contain too many “false positives.”
Shadowserver’s Garrick commented on proposed legislation that addresses DNS abuse, such as the European Union’s Digital Services Act and the Network and Information Security Directive, noting that “governments have a habit of doing their own thing” and imposing regulations, irrespective of ICANN’s international multistakeholder model. Roman Huessy, founder of abuse.ch in Switzerland, added that self-regulation has failed in the last 20 years, and governments will step in: “I’m not a fan of regulations but they will come if the community doesn’t find a way to address abuse.”
More Work to Be Done
Action must be taken to suspend domain names being used for illegal activities, including those used for selling drugs illegally. So far, there is little evidence that registries and registrars are taking voluntary action to shut down domains perpetrating illegal actions they consider to be outside their remit, choosing instead to protect their customers’ “right” to use their domains as they see fit. From our perspective, public safety mandates appear to be needed.
NABP supports recent US efforts to hold third-party platforms accountable for illegal activity occurring on their websites. Until laws are enacted, consumers must remain vigilant. They can find a verified website or check if a website is not recommended by using our search tool.