NordVPN Promotion

Home / Blogs

The Question Isn’t Whether the Harm Is Real - It’s Who Should Act

Karen Rose and Greg Aaron’s response to my recent article on their Interisle report on malicious domain registrations is valuable because it helps clarify where our respectful disagreement actually lies. Reading their response, I was struck less by our differences than by the amount of common ground we share. There is no disagreement that the harms they describe are real. Criminal exploitation of Internet infrastructure is real. Large-scale fraud operations are real. Phishing, malware, and other forms of online abuse cause enormous harm to individuals, businesses, and society. Nor is there any disagreement that the Internet community should continue looking for ways to reduce that harm.

Where I believe the discussion becomes more complicated is in the relationship between measuring harm and assigning responsibility. Rose and Aaron argue that ICANN’s definition of DNS Abuse is too narrow because it excludes categories of activity, such as scams and fraud that cause substantial harm to the public. That is not a new argument, nor is it one that the ICANN community has ignored. The scope of DNS Abuse, the responsibilities of contracted parties, and the appropriate boundaries of ICANN’s role have been debated extensively for years. Those discussions have produced contractual amendments, compliance mechanisms, measurement initiatives, enforcement activity, and ongoing policy work aimed at addressing harms both within and adjacent to the current definition.

Whether the definition should ultimately be expanded is a question that belongs within those policy discussions. Reasonable people can disagree on where the line should be drawn. What is important, however, is being clear about which conversation we are having. My original article was not an argument that these harms should be ignored. It was an argument that different policy questions require different measurement frameworks. A methodology designed to estimate the total scope of online harm is not the same methodology needed to evaluate the performance of registries and registrars operating under ICANN contracts.

What Measurement Reveals – and What It Doesn’t

One of the most interesting aspects of Rose and Aaron’s response is that it repeatedly returns to the scale of the problem. I do not dispute that scale. What I continue to question is whether measuring harm automatically identifies the most effective intervention point.

Consider where many of today’s largest fraud operations actually create victims. Social media platforms, messaging applications, online marketplaces, and other digital services are frequently used to facilitate scams, impersonation, and fraud at enormous scale. Yet much of that activity occurs behind a relatively small number of domain names. An operation that victimizes large numbers of users through a major platform may involve only a single domain from the perspective of a domain-counting methodology, while a phishing campaign built around thousands of disposable domains may appear far larger in a domain-centric dataset despite causing less overall harm.

Neither observation makes the harm less real. What it does illustrate is that every measurement framework has strengths, limitations, and blind spots. A methodology built around counting malicious domains is naturally effective at identifying activity involving malicious domains. It is far less effective at illuminating abuse ecosystems that concentrate activity behind a small number of domains while generating enormous amounts of victimization.

Consider two hypothetical abuse ecosystems. In one, criminals register hundreds of thousands of disposable domains. In the other, criminals reach millions of victims through accounts operating on a handful of dominant platforms. A domain-centric measurement framework will make the first ecosystem highly visible and the second comparatively invisible, despite the possibility that the latter causes far greater aggregate harm. The Internet’s largest abuse ecosystems are not necessarily the ones with the largest numbers of domains. Some of the largest concentrations of online fraud and victimization occur within highly centralized platforms that may be represented by only a handful of domains in a domain-centric measurement framework. That is not a criticism of the measurement. It is simply a reminder that every measurement framework illuminates some parts of a problem while obscuring others.

This matters because public policy follows measurement.

The way we choose to count a problem often determines where we focus accountability, resources, and regulatory attention. Measurement frameworks are not neutral. They elevate some actors, some interventions, and some policy solutions while rendering others less visible. A methodology built around domain registrations will naturally identify domain registration problems. It will also naturally direct policymakers toward domain registration solutions.

That does not make the methodology wrong. However, it does mean we should be careful about assuming that what is easiest to measure is necessarily where the greatest concentration of harm exists, or where intervention will produce the greatest benefit. If our primary unit of measurement were fraudulent transactions, victimization rates, scam revenue, malicious content distribution, or account-driven fraud, the resulting policy discussion might look very different.

The challenge is that discussions often move back and forth between these questions without clearly distinguishing them. A measurement framework designed to estimate the scope of online harm may be entirely appropriate for one purpose, while a framework designed to evaluate the effectiveness of ICANN-contracted parties may be appropriate for another. The widespread use of security feeds and blocklists demonstrates their operational value, but operational utility and policy suitability are not identical concepts. A dataset may be highly useful for identifying potentially risky activity while still being poorly suited to evaluating whether particular actors fulfilled particular responsibilities. Problems arise when measurements designed for one purpose are presented as evidence for policy conclusions aimed at the other.

As with any large-scale measurement effort, methodological choices inevitably shape the conclusions that can be drawn from the resulting data. Different datasets, definitions, and classification methods may produce different estimates of the scope of abuse. Even assuming broad agreement on the measurements themselves, though, the separate question remains: what do those measurements tell us about responsibility and intervention?

This distinction is particularly important when measurements are used to evaluate the performance of specific actors. A finding that 10% or even 20% of domains are associated with malicious activity may tell us something important about the scale of online harm. It does not automatically tell us anything at all about whether registries or registrars complied with their obligations, whether they received actionable reports, whether they responded appropriately when notified, whether intervention at the DNS layer would have been the most effective way to disrupt the activity in question, or whether the activity should be attributed to failures at the DNS layer in the first place.

The Debate We Should Actually Be Having

What Rose and Aaron’s response makes clear is that the real disagreement is not about whether abuse exists, nor even about whether more should be done. The disagreement is about where responsibility should reside and how broadly we should define the role of DNS operators in addressing online harm. Their argument is ultimately that existing policy frameworks are too narrow for the scale of the problem they observe. That is a legitimate position and one worthy of serious discussion.

What I think is missing from their response is recognition that the current DNS Abuse framework was created to establish accountability by defining which actors are responsible for which interventions and by creating enforceable obligations around those responsibilities. The contractual amendments adopted in 2024, the compliance mechanisms that followed, the measurement tools now being developed, and the ongoing policy work all depend on a shared understanding of what contracted parties are expected to do. One can certainly argue that the definition should be broadened, and many people are doing exactly that today. In fact, ongoing policy work continues to explore how additional harms can be addressed. But before deciding whether new obligations are needed, we should first understand which actors are best positioned to reduce harm and which interventions are most likely to be effective. In the meantime, registries and registrars should be evaluated against the obligations they actually have, not the obligations others would like them to have.

Understanding who is best positioned to reduce harm also requires confidence that we understand both the problem and the consequences of the proposed intervention. Simply because a domain name appears somewhere in an abuse chain does not necessarily mean that the DNS is the most effective place to intervene. The Internet ecosystem has never depended on a single layer to provide security. Effective responses to abuse have always involved cooperation among registries, registrars, hosting providers, cloud platforms, payment processors, social networks, messaging services, cybersecurity researchers, and law enforcement.

The goal should not be to identify a single layer of the Internet stack to hold responsible for every manifestation of online harm. The goal should be to understand which actors are best positioned to disrupt particular forms of abuse and how those actors can work together effectively. Registries and registrars have important responsibilities. So do hosting providers, platforms, payment processors, messaging services, and others. A measurement framework that focuses exclusively on one layer risks obscuring both the contributions already being made and the opportunities for intervention elsewhere. Different actors possess different visibility, different tools, and different responsibilities. The challenge is not simply identifying abuse, but rather identifying where action will have the greatest impact while minimizing collateral damage.

The task before us is not deciding whether harm matters: it is deciding who is responsible for addressing it, under what authority, and through what mechanisms. Those questions become harder—not easier—when we blur the distinction between the obligations that exist today and the obligations some would like to create tomorrow.

If the argument is that ICANN’s definition of DNS Abuse should be expanded, that debate should happen openly and directly. If the argument is that registries and registrars should be evaluated against the obligations they currently have, then our measurements should be capable of telling us whether those obligations were met.

If the argument is that online harm remains unacceptably high, I agree.

The question is not whether more should be done. The question is who is positioned to do it.

Measuring harm is important. But unless measurements help us identify where responsibility resides and where intervention is most likely to succeed, they cannot tell us who should act. Conflating measurements of harm with measurements of responsibility may generate larger numbers and more alarming headlines without bringing us much closer to understanding who should act, under what authority, and with what likelihood of success. That is the debate we should be having.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Christian Dawson, Executive Director, i2Coalition

Christian Dawson is Co-Founder of the Coalition on Digital Impact (CODI), an independent, global coalition created to empower global communities to access and navigate the Internet in their native languages. He is also the Co-Founder of the Internet Infrastructure Coalition (i2Coalition), where he works to make the Internet a better, safer place for the businesses that make up the Cloud.

Visit Page

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

DNS Security

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

NordVPN Promotion