Co-authored by Russell Pangborn and Syed Abedi of Seed IP Law Group.
The ICANN 69 meeting has come to a close, with no progress on DNS abuse or implementation of the Privacy/Proxy Services Accreditation policy (PPSAI). While ICANN is uniquely positioned to do so, it refuses to do anything proactive about DNS abuse, with its executives overtly attempting to limit its role to data collection. Moreover, its refusal to implement community-driven initiatives such as the PPSAI points to a growing trend where ICANN is backing away from its public interest responsibilities, to the detriment of the Internet and its users. The ICANN Board should be very worried and demand action from its executives on these key topics.
Stalled implementation efforts simply continue to spawn DNS abuse—evidenced by rising UDRP disputes and obstructive registrar policies. Data obtained from WIPO reflects an increase in domain name related disputes and an increase in those disputes arising from registrants using privacy and proxy services. As noted by an FBI panelist in sessions on DNS abuse at ICANN 68 and 69, privacy/proxy services continue to be a problem for law enforcement and others investigating DNS abuse. The FBI data has similarly shown staggering use of proxy services by registrants in referred fraudulent domain cases. Legitimate disclosure requests continue to be unfulfilled by registrars and their affiliated proxy providers, as evidenced by shared data from online enforcement service providers and from statistics shared by a few registrars. These trends form a dangerous recipe for online enforcement agents, IP owners, and consumers at-large.
Since implementation of GDPR in May of 2018, UDRP filings have continued to increase, suggesting that IP owners are increasingly having to rely on this costly procedure to protect their IP rights and protect their customers from fraud and confusion. In looking at a snapshot from the year before GDPR implementation through the years after, UDRP filings have increased year-over-year:
Year | Total UDRP Actions in WIPO |
---|---|
2017 | 2708 |
2018 | 3051 |
2019 | 3342 |
These results show a 23% increase in UDRP filings from 2017 to 2019. Notably, there has also been a statistically significant jump in UDRP filings with the domain registrants masked by privacy and proxy services:1
Year | WIPO cases with privacy or proxy | Percentage of cases involving “privacy/proxy” |
---|---|---|
2017 | 652 | 24% |
2018 | 848 | 28% |
2019 | 1051 | 31%2 |
The significant increase in UDRP filings, including those involving privacy/proxy service providers, is exacerbated by the persistent lack of compliance with reveal requests by certain proxy providers. A recent study demonstrates that compliance from proxy providers continues to be abysmal: 91% of proxy requests went unfulfilled.3 A staggering 32% of proxy requests garnered no response at all. See tabulated results below.
Outcome | WHOIS requests for redacted information (4228 requests) | Percent | Proxy (1342 requests) | Percent |
---|---|---|---|---|
Fully Compliant | 1037 | 25% | 127 | 9% |
No Response at all | 1177 | 28% | 424 | 32% |
Rejected for Pay for Reveal or Other Reasons | 530 | 13% | 105 | 8% |
Rejected for Legal Action (UDRP/Subpoena required) | 1240 | 29% | 208 | 15% |
Dropped or Suspended | 73 | 2% | 8 | 1% |
Auto Acknowledgement with no Follow-Up | 260 | 6% | 92 | 7% |
Requires Additional Action | 311 | 7% | 77 | 6% |
Average days for acknowledgement | 4 | | 2 | |
Average days for compliant response | 7 | | 7 | |
In many instances, registrars or their affiliated proxy providers require IP owners to file UDRP actions or obtain a court-ordered subpoena in order to obtain registrant information.4 It is noteworthy that the PPSAI squarely addresses this issue, and makes clear that non-disclosure for lack of court-ordered subpoena or UDRP filing is prohibited.
The lack of compliance with reveal requests explains why IP owners are increasingly having to rely on more expensive UDRP actions, or even lawsuits, to protect consumers’ rights as well as their valuable IP.
Additionally, UDRP actions are becoming more time consuming due to registrar redaction of registrant information. The resulting delays can be debilitating in combatting harm from cybercrime, which can cause harm in a matter of minutes. In matters of public health and safety, delay is even more destructive. The National Association of Boards of Pharmacy (NABP) issued a scathing report on the widespread abuse taking place on the internet, where cybercriminals are exploiting COVID-19 to peddle unapproved drugs as COVID-19 treatment. Hundreds of newly created domains were flagged, many of which had ties to known cybercriminals. Notably, “many domain names, both active and inactive, are clustered on ‘safe haven’ registrars—a practice common among sophisticated internet pharmacy cybercriminals; and ... the domain name registration information for almost all identified websites is anonymized, making it difficult for enforcement agencies to investigate these criminals.” In fact, 90% of the domains were masked by privacy/proxy services, causing unnecessary delays in combatting such egregious abuse.
Consistent with this pattern of cybercriminals exploiting the pandemic to defraud people by abusing the DNS, the FBI investigated 1340 complaints related to the pandemic, all filed through its Internet Crime Complaint Center (www.ic3.com). An unbelievable 65% of the domains were hidden through privacy/proxy services and 17% were redacted due to GDPR.5 It was further noted by the FBI at an ICANN68 session on DNS abuse that unmasking underlying registrant data via a criminal subpoena can take three weeks or longer. A civil subpoena, undoubtedly, may take even longer. In that same ICANN 68 session, a representative of the Government Advisory Constituency (GAC) noted the following:
Rapid response is needed because phishing attacks inflict harm in a matter of hours.7 Having to rely on filing a UDRP action even to get a chance at access to cybercriminal information is untenable. But this is what recent data tells us is happening. For IP owners to rely on time-consuming and costly UDRP actions to prevent blatant abuse perpetrated by cybercriminals, including those enabled by the masking of registrant data through privacy/proxy services, is troubling because it suggests that other more reasonable measures may have failed.
As the above results reflect, from 2017 to 2019, the number of UDRP filings involving privacy and proxy services with WIPO has increased steadily, even after the launch of GDPR. All signs point to 2020 continuing the trend. With obstructive registrars and their affiliated proxy providers, it is disconcerting that ICANN’s PPSAI remains on indefinite hold. “Wait for EPDP Phase 2” no longer applies. Government agencies and law enforcement have consistently suggested that the consensus policy of PPSAI is necessary in combating fraud and abuse. Given that at least 25% of top level domains utilize privacy or proxy service providers (putting the total number at approximately 90 million)8, the lack of impetus on moving forward with PPSAI is inexplicable. The COVID-19 related DNS abuse surge should serve as a lesson that the world is unpredictable, and decisions pertaining to PPSAI can have serious and harmful consequences.
In its ICANN 69 communique, the GAC reaffirmed its commitment to work with the community and ICANN to advance the shared goal of mitigating DNS abuse, and noted that there is now momentum for concrete action to advance work in curbing DNS abuse. It is time to take advantage of this momentum, and look forward. It is time for ICANN to reconstitute the IRT to restart the work of implementing the PPSAI and to adopt stricter DNS abuse mitigation obligations under the ICANN contracts.
Excellent points.
The refusal of ICANN to take meaningful action to address DNS abuse & the PPSAI is an abdication of its function “to ensure the stable and secure operation” of the internet. To “ensure” is by definition to act. ICANN cannot continue to behave as only an interested observer in the security of the internet.