The 74th meeting of the Asia Pacific Top Level Domain Association (APTLD 74) was held last month in Tashkent, Uzbekistan.
A number of country code Top-Level Domain (ccTLD) administrators and representatives of partner organizations, such as APNIC, assembled in the room to share knowledge about emerging policy issues in the region.
For us, as representatives of the .nz domain name space, it was an opportunity to share frameworks and approaches with our counterparts, and get feedback on what was working well.
One of the topics that captured the audience’s attention was law enforcement — in particular how members of the domain name sector could work with law enforcement agencies to ensure a safe and trusted domain name space across jurisdictions.
Support for law enforcement
It’s important that people are who they say they are online. But it isn’t the role of ccTLD name operators to police the whole Internet.
Law enforcement agencies have a part to play in the domain name space when domains are being used by wrongdoers to facilitate criminal behaviours such as fraud or theft over the Internet.
ccTLD operators can support law enforcement, making it more difficult for criminals to operate, while also ensuring due processes have been followed.
It’s important to recognize that cyber criminals can use various methods to attempt to bulk harvest personal whois data; for example, crawling and searching, brute force, malware and phishing. Registrar databases, containing whois records of a personal nature, can be — and often are — exposed to multiple threats.
ccTLDs and law enforcement can work together to try and minimize this behaviour.
The .nz approach
With the rise of Computer Emergency Response Teams (CERTs) in the Asia-Pacific region, registrars and registry operators must now consider whether to include their CERTs as trusted notifiers of cybersecurity issues.
In the .nz domain name space, by virtue of the Memorandum of Understanding the Domain Name Commission has with CERT NZ, the Commission has placed a high degree of trust in the CERT to share information related to the safety and security of the .nz domain name space.
Other second level trusted notifiers include the High Tech Crime Group within New Zealand Police. Notifiers with court orders or statutory powers all form the pool of requestors for disclosure of domain registration details. Their requests must be carefully examined to determine whether disclosures of domain name registration details are permissible under New Zealand’s Privacy Act.
Tips for those starting out
Before considering any requests for disclosure of a domain name holder’s information, it’s helpful to consider the following:
- What’s the nature of the request? Is it a formal or informal request for help?
- What due diligence and due process is the receiver of the request going to perform on the request? For example, is it a cross-border request which will require a local court order before you can act? Is there a local privacy law and does it allow an exception to disclosure to assist a law enforcement agency in the maintenance of the law?
- What transparency and procedural guarantees need to be in place to ensure everyone is comfortable with the arrangements? For example, when and what should domain name holders be told about the nature of the request, and that an outcome of any interactions between law enforcement and a ccTLD operator may be the cancellation of a domain name?
In the .nz domain space, we have also developed template processes and documents to assist with the various ways we interact with law enforcement agencies. For example, we have precedent for the cancellation of domain names due to breaches of .nz policies, including the failure of a registrant to undertake required remedial actions ensuring their registration details are complete, accurate and up to date. Additionally, .nz has template orders to assist parties in gaining appropriate and timely court orders to enable action.
Involving the community
Identification of domain name abuse and bad domains is also a team effort. It can’t rely on one particular player. The conversation must involve civil society, the private sector, the technical community, government and law enforcement all working together to ensure proportional responses with a high degree of accountability and transparency.
That’s why in the .nz space we are engaging with the New Zealand Government on its review of its Cyber Security Strategy and the Commerce Commission’s review into online shopping [PDF 577 KB].
To ensure .nz has the right checks and balances and is operating fairly, we are also holding a free one-day Domain Name Abuse Forum in Wellington on 27 November 2018. Forum attendees will work together to understand the issues, and discuss and identify how to best tackle these challenges, including:
- Whether, or how, the .nz domain name space should deal with content abuse, for example, fraudulent online shopping and scam websites.
- How to minimize data quality issues from the .nz domain name space, for example, fake or invalid registration details.
- How we can minimize and mitigate technical attacks on the .nz domain name space and protect this vital infrastructure.
Have you registered for New Zealand’s only dedicated forum for Domain Name Abuse? Talking about online, content and infrastructure issues. It’s FREE
Tuesday 27 November, James Cook Hotel, #Wellington
See you there 😉👉 https://t.co/VEhlbkMvKr #domainnames #tech pic.twitter.com/T5dMlhgUIl— Domain Name Commission (@nzdnc) September 28, 2018
We’re excited to bring these issues to the forefront of the community’s mind. We’re also aware that we cannot tackle these issues alone. It’s imperative that everyone in this space works together on a shared goal. With buy-in from everyone, there is no reason why we cannot succeed.
Brent Carey is New Zealand’s Domain Name Commissioner.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.