Consumer Electronics Daily was a Warren News publication.
'Trusted Notifiers'

Bipartisan Bill Seeks Aid to Fight Illegal Domain Names

Legislation is needed to ensure domain name registries and registrars are cooperating with federal agencies combating illegal online activity, Sen. Marco Rubio, R-Fla., told us last week before introducing a bipartisan bill with Sen. Amy Klobuchar, D-Minn. Their Domain Reform for Unlawful Drug Sellers Act (S-3399) would give the FDA the authority to “suspend websites run by criminal networks that traffic” illegal drugs.

The FTC, the FDA and other federal agencies have written Congress about a lack of access to accurate domain name registration information. House Communications Subcommittee ranking member Bob Latta, R-Ohio, cited the impact of the EU’s general data protection regulation. GDPR resulted in limited law enforcement access to the Whois database (see 2008270055).

Critics say registries, registrars and the organization that accredits them, the Internet Corp. for Assigned Names and Numbers (ICANN), lack the incentive to provide access to Whois data. ICANN is using GDPR to justify its lack of action, said Perkins Coie’s Fabricio Vayra. He said ICANN essentially functions as a trade association for organizations it accredits, and those organizations have financial incentive to limit cooperation on Whois data.

ICANN said in a statement it doesn’t have access to Whois data. The organization is enforcing a temporary specification that “requires reasonable access to this data, and we are evaluating a recommendation to build a System for Standardized Access/Disclosure to facilitate responding to requests from law enforcement and others with legitimate need for the data,” it said. There’s nothing in ICANN agreements with contracted parties that prevents them from cooperating with law enforcement, regardless of location, the organization said.

The new bill doesn’t address Whois issues, but it’s based on a voluntary FDA and NTIA pilot program in which registries locked illegal or abusive websites. Registries took action based on information from “trusted notifiers,” who identify the illegal activity. Some registrars and registries undertake voluntary efforts to combat illegal activity, but the “level of overall cooperation from the domain name industry falls seriously short,” said Coalition for Online Accountability Executive Director Dean Marks. “The unfortunate reality is that levels of online abuse, including those involving maliciously registered domain names, continue to rise dramatically.”

Voluntary programs are helpful, but the bigger issue is that ICANN needs to enforce contracts that promote an open, accessible and accurate Whois database, said Vayra. ICANN is the “ultimate contracted party,” said Iggy Ventures CEO Rick Lane. “It’s within ICANN’s power to compel the contracted parties to have an open, accessible and accurate Whois.” The organization won’t update the contracts because there’s a financial incentive to limit work, said Vayra.

Latta believes online domain name ownership should be accessible to the public for transparency and safety reasons, his office said in a statement Thursday: Whois information helps keep “people accountable for what they do and put online ... and we must be able to continue to utilize this critical information.” Major registries and registrars include Verisign, GoDaddy, Tucows and Namecheap. GoDaddy and Namecheap didn't comment.

Any suggestion Verisign has been “uncooperative” with federal agencies is “manifestly and demonstrably false,” a spokesperson emailed: “We work closely with Federal agencies daily to address a broad range of issues.” Verisign noted its participation in the NTIA pilot and said it’s working with law enforcement to apply a similar framework to address COVID-19 scams. The company also works with trusted notifiers to combat child sexual abuse material online, Verisign said. ICANN noted it wasn’t included in NTIA’s program because the agencies understood the program was outside ICANN’s “technical coordination role.” NTIA and the FDA didn’t comment last week.

Tucows regularly discloses Whois data to federal, state and local law enforcement when requested, as well as to private parties trying to enforce their rights, the company said in a statement. Tucows noted its dedicated portal, tieredaccess.com, and its regular work with the FBI, state agencies, state attorneys general, the Department of Homeland Security and National Center for Missing and Exploited Children.

The FTC routinely relied on Whois data before the GDPR took effect in May 2018, ex-FTC Chairman Joe Simons wrote Latta in 2020 (see 2008270055). After the GDPR took effect, ICANN developed policies that “significantly limit” the publicly available contact information relating to domain name registrants, Simons wrote.