Home / Blogs

PIR’s Anti-Abuse Policy for .ORG Offers No Due Process for Innocent Domain Registrants

PIR, the registry operator for .org, has sent notices to registrars that it is implementing an anti-abuse policy that offers no due process for innocent domain registrants. See discussions here, here, here and here for background information.

While it’s good intentioned, there is great potential for innocent domain registrants to suffer harm, given the lack of appropriate safeguards, the lack of precision and open-ended definition of “abuse”, the sole discretion of the registry operator to delete domains, and the general lack of due process.

For example, Google was just ranked the third worst spam service provider. If a similar policy was in place for .com, would VeriSign have the sole discretion to delete Google.com?

Wikipedia.org was blacklisted in the UK recently (and temporarily) for allegations of hosting child pornography, due to a hosted image of an album cover.

There are numerous other “false positives” stories that we’ve discussed previously in the fast-flux working group.

PIR has proceeded unilaterally without the input of the public, and also without regard to the GNSO which is contemplating a PDP for abuse policies, one that would likely lead to a far more balanced policy that protects registrants while still permitting the worst abusers to be targeted. Graduated measures like suspension make more sense than domain deletions, for example. The age of the domain should be taken into account (the most abuse comes from freshly registered domains). With registry operators actively seeking tiered-pricing for domains, their first goal would be to get it for new registrations, as opposed to renewals. If they were allowed to get tiered-pricing for new registrations, there would be a financial incentive to delete the domains of innocent registrants, as it would be a backdoor way of increasing their income from the best already-registered domains.

This represents a failure of ICANN when registry operators proceed in an ad hoc manner, rather than looking out for the interests and safety of millions of legitimate registrants.

By George Kirikos, President, Leap of Faith Financial Services Inc.

Filed Under


Sorry - I disagree here Suresh Ramasubramanian  –  Jan 9, 2009 1:16 AM

A registrar or registry is quite free to set an acceptable use policy, and/or apply it on their service.  And strawmen about wikipedia aside, they are targeting something specific - malware, botnet c&c;etc.

Would you seriously equate wikipedia or google with a j.random domain setup with fake contact information and a stolen credit card, setup on a fastflux network and serving malware?

Suresh: I rely upon the words in George Kirikos  –  Jan 9, 2009 3:27 AM

Suresh: I rely upon the words in the actual policy, legal contracts that spell out one’s rights and responsibilities. I don’t rely upon the sole discretion of a registry operator who says “trust us.” The registry operators take great care in the contracts that they sign with ICANN, for example, to leave ICANN with no such “discretion” to decide various matters (especially such broadly defined terms), and give themselves ample opportunity to appeal things they disagree with. Registrants deserve the same safeguards and due process.

You obviously have experience with abuse policies given your anti-spam career. If they wanted to target something very specific like malware and botnets, they could have used very precise language, taken from best industry-standard definitions. However, they did not. They use words like “without limitation” and phrases like “wrong or excessive use of power, position or ability.” In the entire history of the universe, only Afilias (backend provider for .org and .info) and PIR use that latter phrase (search Google for it).

If a domain has fake WHOIS, there’s already a WHOIS accuracy policy that can be used to handle that scenario—the domain can be suspended. They don’t need further powers to handle that scenario. And if instead criminal behaviour is taking place on a domain with accurate WHOIS, why is PIR not reporting it to the police, instead of taking vigilante action? Who made PIR the internet’s policeman? If the police aren’t taking action, is it perhaps that the matter they are concerned with might not in fact be illegal? I’m all for holding criminals responsible, but there’s a right way to do things, and a wrong way to do things, and PIR has chosen the latter course. If every person in the world decided that their own judgement was superior to that of law enforcement, where would that lead us? It would lead to vigilante justice, and the breakdown of society. It would be the law of the jungle, and might makes right.

Santayana said that “those who cannot remember the past are condemned to repeat it.” said. History is littered with tragedies when excessive powers are granted to people who say “trust us” but then turn around and misuse those powers. This is the reason for balanced consensus policies with input from affected stakeholders—it’s a sign that we’ve learned from history.

Instead, their cavalier approach will certainly result in lawsuits (which cause instability to the registry) the moment they delete an innocent person’s domain who has the resources to fight back (or who finds a lawyer willing to take things on contingency). If they want to “protect the integrity and stability of the registry” the first domain they should delete is pir.org, for introducing such a dangerous proposal that damages their own integrity, creates uncertainty and thereby creates instability.

Let's just put it this way .. Suresh Ramasubramanian  –  Jan 9, 2009 3:43 AM

Policies dont matter as much as their actual enforcement does.  And the line between vigilantism and policy enforcement is a very fine one .. but people have walked it for a decade or more.

I’ve observed some very good results with Afilias’ policy of cracking down on .info domains that are spammed out .. and they have done a pretty good job of clearing up a TLD that was so full of spammer domains (possibly due to instant update of the domain once registered? costs?) that it was among the top #3 ccTLDs / gTLDs we were blocking.

Well it still is .. but the situation is far better now, shall we say (and most of the bad registrations are concentrated on a very few registrars)

PIR - or .org - dont really have a problem right now, but that’s the best time to have a policy that they can implement immediately when a problem does crop up. And a SOP to implement that policy.  Or you would run into the situation HKDNR faced earlier .. please read this article and my comments there. http://www.circleid.com/posts/anti_phishing_and_hong_kong/

Given responsible registrars, you wouldnt even need the registry to have to step in.. but that’s unfortunately not the case for several registrars.

For example, in the latest edition of this little weekly report that I generate - dated Jan 4.  Some of these registrars keep registering fastflux bot domains, and others register what spamhaus would refer to as “snowshoe spam” domains (randomized domain names spread across a /24 or larger range, so that any filter that looks at spam counts based on domain name would find this spam fly under their radar).

Consider these counts as a % of the total (or even average) domains registered on that ccTLD every week, if you will, for a more accurate reading of this data.

Domains blocked: 7193

Top 10 TLDs:
    2882 .com
    2837 .cn
    984 .info
    305 .net
    64 .org
    42 .biz
    30 .ru
    13 .uk
      6 .us
      5 .pl

      Xin Net Technology Corporation (R118-LROR)
      ??????????????  [chinese string for xinnet domains]
    1412 ????  [== aka ename.cn fyi]
      CSL Computer Service Langenbach GmbH d/b/a joker.com (R161-LRMS)
      OnlineNIC Inc. (R64-LROR)
      OnlineNIC, Inc. (R170-LRMS)

[etc etc - the whole report is much larger]

Suresh: You're preaching to the choir here. George Kirikos  –  Jan 9, 2009 4:14 AM

Suresh: You’re preaching to the choir here. I’m against spam and other abuse as much as you are, probably more. Even today someone sent a XSS/phishing email to me. I got the site shut down almost instantly reporting it to the webhost and registrar.

If the problem is bad registrars, put in better rules for registrars. If the problem is to hit a nail, use a hammer. Get the right tool for the job. PIR asks for a nuclear bomb, when a hammer will do.

Give me one single scenario when suspending a domain (i.e. removing it from the zone file) is less effective in dealing with abusers than deleting the domain name. There’s essentially no difference. Is it so hard to understand that mistakes will happen, and that the best way to avoid that is to make sure that there’s some built-in safeguard? If PIR believes it will make no mistakes, what harm would it suffer if those safeguards and appeal mechanisms are spelled out in writing? Where are its duties and responsibilities? Certainly the criminals (who don’t want to be found) will never be appealing their decisions—it will always be the innocent victims.

PIR doesn’t even require itself to make public a record of all domains (with reasons) that it applies the abuse policy. So, we have PIR’s own definition of abuse, it’s own sole discretion in applying it, and the application of it in secret. You don’t see anything wrong with that? You trust PIR that much? I prefer to trust laws and contracts. They provide checks and balances.

Would PIR sign a contract that says “ICANN has the right to terminate its contract with PIR if ICANN, in its sole discretion, finds that another registry operator could better serve the public interest?” When registries start signing contracts with that sentence, I’ll cease objecting to anything the registry operators do.

I cant comment on the specifics of PIRs policies .. not speaking for PIR but .. Suresh Ramasubramanian  –  Jan 9, 2009 4:33 AM

Call this a backstop against rogue or incompetent registrars.  Quite often it will be the registrar that applies ITS policies.  Where the registrar doesnt have a policy, or chooses not to implement its own policies .. guess what, it actually makes sense for the registry to have a backstop type policy handy.

Its not a nuclear bomb as much as it is a handy club to beat recalcitrant registrars with, and conversely, for proactive registrars, it gives them material to prove that their registry supports the policies they implemented.  Everybody preaches to the same choir, etc etc.

I will let PIR comment on the wording of their policy and various technicalities about its implementation. 

Broadly speaking, a registry must have such a policy in place.  I hope we agree on that, at least?

I do agree that a properly worded George Kirikos  –  Jan 9, 2009 5:00 AM

I do agree that a properly worded policy could and should be in place, just like we have the UDRP and other policies. If it would only apply to “bad” registrars (e.g. it would never be applied to GoDaddy, NSI, Tucows, etc.), and there was a way for the public to know who is good and who is bad, that would be a good start.

PIR speaks about the Kentucky case with its “very dangerous precedent—the application of local law to the domain name system and Internet web sites that are available globally’—how is their abuse policy any different (if not worse), when their definition of abuse includes “Illegal or fraudulent actions;” but doesn’t specify which jurisdiction? And instead of a court, they themselves are deciding unilaterally?

I can be a perfectionist at times, but I’m usually a pragmatist in the end and can settle for reasonable approximations to good policy. What they’ve produced though is just too sloppy, and that makes it unacceptable. This is where some public input would have produced much cleaner language and reasonable safeguards. Folks criticize the UDRP too, but it’s generally balanced, has appeals mechanisms to the courts, etc. Their document appears to have been slapped together with little thought on an ad hoc basis by an amateur (that’s might explain why it has such unique language which doesn’t exist in any other abuse policy in the universe).

Might approach PIR and then see what comments they have then Suresh Ramasubramanian  –  Jan 9, 2009 5:04 AM

Personally speaking I would wait for any comment from them before I respond to it, or comment further on this policy. 

Afilias has very similar wording as you say, and as far as I have seen they have not enforced this where there’s no call for them to enforce it (aka where the registrar is on the ball and enforces their own policies, responsibly).

Well, nothing's stopping PIR from participating in George Kirikos  –  Jan 9, 2009 5:20 AM

Well, nothing’s stopping PIR from participating in a discussion. The fact they just thrust it upon registrars without seeking any input from the public says it all. They didn’t even have the courage to post about it on their blog yet, where the public could comment. They would show responsibility and good stewardship if they deferred implementation until the language could be tweaked to create some simple and reasonable safeguards, until the GNSO gets around to delivering a full policy.

PIR was right to implement the non-refundable fee for deleted domains, to stop domain tasting. That’s exactly the economic solution that I proposed, and almost everyone knew was the obvious and best solution (save for the people doing the tasting), albeit it took forever for the GNSO to get around to it. But, this abuse policy is nowhere close to approximating what the “obvious” and final policy would be in the GNSO, as it’s so one-sided.

PIR's Anti-Abuse Policy Alexa Raad  –  Jan 9, 2009 4:35 PM

The new PIR policy on dealing with abusive domain names has absolutely nothing to do with the Kentucky case involving gambling domains. Kentucky is attempting to enforce its own state law on Internet domains that are global in operation. Under PIR’s agreement with ICANN to operate the registry for .ORG, PIR has always had a responsibility, spelled out in its agreement with registrars, to take down domains that are violating legal requirements or pose a threat to the security and stability of the registry. (See section 3.6.5 of the registry-registrar agreement at http://www.icann.org/en/tlds/agreements/org/appendix-08-08dec06.htm ). The new abusive domain policy clarifies the way PIR will live up to its responsibilities. It is directed at the domains used or misused for phishing, pharming, botnets, distributing malware and other recognized threats to the integrity of the Internet.

In its announcement of the policy, PIR has made it clear that it will continue to work with the registrars on these problems. As in the past, most registrars will respond promptly to known security threats. The new policy spells out the circumstances, probably rare, where immediate action is needed, and for some reason the registrar has not acted. In cases where the domain registrant is the innocent victim of a takeover, PIR will take care that any interruption of service is held to a minimum.

Alexa: With all due respect, the language George Kirikos  –  Jan 9, 2009 4:56 PM

Alexa: With all due respect, the language of the new policy is overly broad (see all the comments above, and on the linked forums). I’m familiar with 3.6.5, and thankfully that provision is not in the .com agreement, but was only enabled in the new biz/info/org agreements of 2006 (it wasn’t in the prior agreements, for example).

As I mentioned in the comments (still awaiting moderator approval) in the PIR blog article that was finally posted, the language in the blog describing the policy is great, and it would allay concerns if it was actually incorporated explicitly into the legal text of the policy. But, as currently written what you describe as the policy is very different from the actual words in the policy. Once the actual words in the policy match your description and people’s expectations of due process, etc., everyone (except the bad guys) will be happy. The criminals you’re targeting will continue to be able to be targeted, and the innocent people will have explicit protections.

Right, Joe. I was actually talking about George Kirikos  –  Jan 9, 2009 7:36 PM

Right, Joe. I was actually talking about this to someone earlier today about this topic. From an article in Forbes ““There’s no legal definition,” says Danny O’Brien, a spam law analyst for the Electronic Frontier Foundation. “Spam is in the eye of the beholder.” Further into the article “Yet Linford acknowledges that the murky definition of spam is a problem for his group. “We define spam as unsolicited bulk e-mail,” he says. “But there are many different definitions.” EFF has more comments about spam on on their website, for example “Drawing a line between spam and non-spam, or, more importantly, deciding who gets to draw that line, is a tricky problem that invariably implicates free speech.” If PIR has decided “they draw the line” on spam, that’s exactly like the Kentucky gambling case above. For all other activities, they’d have the sole discretion to “draw the line” just like Kentucky.

PIR doesn’t even give its definition of spam! Simple question for them, since they’ve not approved my comment on their blog yet—- are Google’s domains a source of “spam”? (see above for the article labeling them #3 in the world) Yes or no, and why?

Notice in that article “But Spamhaus, which is based in England, refuses to acknowledge U.S. jurisdiction in the case.” SpamHaus.org is registered at Gandi, a French registrar, and the registrant is in Switzerland according to the WHOIS. PIR is in Virginia, USA. According to PIR, the laws which jurisdiction(s) apply to the activities of SpamHaus, or any other .org registrant?

Good rules allow good people to know exactly how to govern their affairs to stay within the rules. There are lots of legitimate registrants who want to stay within the rules (i.e. well within them, nothing even close to being edgy), but can’t figure out how to stay within PIR’s set of “rules”. It’s not that the registrants are suddenly “bad people”, it’s just that we need more precise rules—- rules that are imprecise are just a set of bad rules.

Oh, so the EFF is back in action :) Suresh Ramasubramanian  –  Jan 9, 2009 7:43 PM

I did have a few words with Danny on politech / IP, and then posted this on circleid. Nothing has changed .. and you dont want to listen to the way EFF spins this.. or maybe you want to listen, and laugh.  Had words with Cindy Cohn, Brad Templeton and various others before that .. over a few years now.

EFF and Its Use of Propaganda: Could Karl Rove do better? Probably

I’m still undecided .. its a dead heat between Rove and the EFF.


Right, just noticed that the article dates back to 2007. Suresh Ramasubramanian  –  Jan 9, 2009 7:45 PM

After “dearaol.com” crashed and burned I dont think I’ve seen them tilting at this particular windmill.

Right, EFF would be concerned if a George Kirikos  –  Jan 9, 2009 8:02 PM

Right, EFF would be concerned if a political site (Democrat or Republican or probably anyone) got shut down if it sent out 10 billion bulk emails to people around the world. That’s not “spam” in their eyes. Others feel that if you send them a single email “Sorry to bother you, but I’d like to buy your website.” (and didn’t send it out to anyone else in bulk) that that is “spam.” The “spam” issue is just the tip of the iceberg in this poorly worded policy, though. The issue of jurisdiction is the big problem, i.e. which laws apply, and do you wait for court orders, or just use “your sole discretion” to shoot first, and ask questions later?

That’s why I’ve been a strong advocate of using the WHOIS accuracy requirements instead—let law enforcement and private parties handle the matters in the real world, in real courts, when illegal activity takes place on domains with accurate WHOIS. But, if the WHOIS is inaccurate, shut them down until they make it accurate (and the criminals will never make it accurate, as they don’t want to be found).

In the fast flux workgroup, I’ve advocated not enabling freshly registered domains to enter the zone file until their registrar performs registrant verification (e.g. sending a PIN code by physical mail to the registrant, as a way of verifying their address, as some government agencies, casinos, and other companies do). Some see this as too harsh, though (i.e. some consider me too anti-abuse!). So, I see it as ironic I’m having to argue for more precise rules here, grrrr, having to convince anti-abuse people to do their job better, when I’m more “extreme” than they are in wanting to get rid of abuse. [address verification, and not resolving the domain until that verification takes place, would be far, far, superior, by the way, as it is linked to finite real-world addresses and identity, rather than a limitless supply of throwaway GMail accounts, proxy servers and stolen credit cards]

All in favor of a multilayered approach Suresh Ramasubramanian  –  Jan 10, 2009 3:44 AM

BTW - Spam - a good working definition is unsolicited bulk email

Whois accuracy is one way to go (and if I had my druthers I’d abolish private registration, given more scam artist domain registrations abuse it than any legitimate use that this feature sees.. but that might not be too feasible, unfortunately)

Joe: Yes, and that's not the definition George Kirikos  –  Jan 12, 2009 8:32 PM

Joe: Yes, and that’s not the definition of the US government for the CAN-SPAM Act. Whether one agrees or disagrees with that law, if PIR’s definition of spam (which is not known, as they’ve not defined what spam is) deviates from that of the CAN-SPAM Act, then they are like Kentucky, namely setting themselves up above the US law. And, if they actually match the definition of the US law, which is different from definitions of other governments around the world, then once again, they are applying one set of rules to the entire world, like Kentucky. They’re damned if they do, and damned if they don’t.

That’s why a more appropriate solution to abuse is strong enforcement of WHOIS accuracy requirements. The bad guys simply do not want to be found. If the bad guys do put in true WHOIS, report them to law enforcement, and that takes them out of the game. Simply deleting their domain, without reporting them to law enforcement, keeps them in the game. WHOIS accuracy is proactive, whereas deleting bad domains after the fact is simply reactive.

CAN-SPAM act isnt the entire picture here Suresh Ramasubramanian  –  Jan 12, 2009 10:15 PM

Several state laws do apply in parts where can-spam hasnt superseded them. And nothing in can-spam stops ISPs from filtering spam. CAN-SPAM is simply about FTC prosecutions. So, you can effectively comply with (or skate around) the letter of the can-spam law, and still find AOL / yahoo etc blocking you.

And yes - you will find that test (unsolicited bulk email) in several rather more formally worded docs, worldwide, than a circleid post or a geek mailing list.

Oh, Joe .. depends on what you have your email on a webpage for. If its on a mailing list archive?  Or if a CPA has something like “contact me if you want me to file your returns”?  Does that mean people can spam these two with ads for gift cards, home refinancing or whatever? 

Anyway, that’s not the discussion we are having here. And I dont like domaining too much, personally speaking. So I dont know why you want to come after me with these specious arguments.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API