Of canaries and coal mines: What happened at VeriSign?

Too many techies still don't understand the concept of due process, and opportunistic law enforcement agencies, who tend to view due process constraints as an inconvenience, are very happy to take advantage of that.

That's the lesson to draw from VeriSign's proposal and sudden withdrawal of a new “domain name anti-abuse policy” yesterday. The proposal, which seems to have been intended as a new service to registrars, would have allowed VeriSign to perform malware scans on all .com, .net, and .name domain names quarterly when registrars agreed to let them do it. But it appended to this potentially useful service a generic “domain name anti-abuse” policy that would also have allowed it to suspend domains for practically any reason, if asked to do so by law enforcement and possibly by copyright or trademark interests. The proposal to ICANN's Registry Services Evaluation Process (RSTEP) thus awkwardly combined a voluntary service, narrowly focused on technical detection and action against botnets, with a gigantic alteration of domain name due process. Some of the people involved in preparing this proposal literally did not

understand the distinction between those two facets of the proposal. Fortunately, the proposal, which seems to have bypassed internal checks within the company, kicked up a lot of fuss; wiser heads in the company noticed and yanked it.

For civil libertarians, this incident is an important signal. ICANN's administration of the global domain name system creates a new jurisdiction, and rights and due process protections often can be reinvented in the new context. There are a variety of interests who are poised to take advantage of that opportunity and they are very actively talking to and shaping the attitudes of the people with their fingers on the keyboard that control things operationally. For many people out there, “domain name anti-abuse” means open season for abuse of domain name registrants. This isn't over.

Comments are closed.