dotmagazine: Michele, together with a set of companies you have produced a paper on DNS abuse. Could you tell me something about it?
Michele Neylon: We're calling it the anti-abuse framework, or Framework to Address Abuse. There are about 50 signatories so far, including some of the biggest companies as both registrars and registries. In many respects, I suppose we're a bit of an anomaly, because we're a small registrar.
The framework is essentially saying that, as companies, we are willing to act on certain types of abuse without court orders. That if you report these to us, and we're able to verify the reports, we will take action. So here we're talking about things like the distribution of child sexual abuse material, the sale of illegal opioids, spreading malware, etc. These are things that, as companies in the infrastructure space, we can easily agree that we don't want to have. We don't want to be seen to be facilitating that kind of thing.
dot: I can understand being interested in this kind of content from a hosting perspective, but where do DNS providers come into it?
Neylon: There is a tendency to try and say that, as a registrar or as a registry or just providing DNS services, we are not involved in content. And I agree with and understand that argument. However, there is a line where it starts to become a little bit farcical. If you're made aware that something terrible is happening, and that a service or a product that your company is providing is helping to keep that accessible, then not taking action is a little bit ridiculous.
dot: Is not taking action also a reputational risk?
Neylon: Well, yeah, but it's not just reputation risk for us as companies. I think it's also to do with the overall trust in the Internet ecosystem. The broader message around a lot of this is that, in order for the Internet to function and grow, for the digital economy to flourish, we obviously need to have various things in place. Obviously, you need to have decent infrastructure, you need to have decent broadband connections, you need to be able to take payments. There's a lot of these different things that come together. But fundamentally, underlying all of this is trust.
To put this in context: I didn't get a license to operate as a hosting provider. I went off and I got a couple of servers, started selling space on servers, and I grew from there. And if you look at a lot of the companies, perhaps the majority of the companies that are making waves in digital: we're not licensed in any respect. And that's perfectly fine, because the entire thing with the digital economy is that it's about permission in many respects. But the only way that works is if there is trust. And if you have a situation where everybody who goes online gets this perception that the Internet is full of bad things, and that they're going to have a bad experience, and there's all sorts of negative messaging around it, that destroys it for everybody.
So there is a certain degree of responsibility for actors within the ecosystem to keep it clean. Now, that does not mean that we become the Internet police. That does not mean that we are going to become the arbiters of what should or should not be on the Internet. But there are certain things where, unless you've got a very strange business model, you can pretty much agree that it shouldn't be allowed. I mean, child sexual abuse material is a simple one. It's a low-hanging fruit.
This does not mean that I'm going to go out and start policing my entire network and trying to find bad stuff on there. That's not what this is about. But if somebody sends us in a report of malware distribution, or some other kind of content that we can agree is illegal in some shape or form, then we're going to have a look at it, and if we feel it is appropriate, then we're going to do something about it.
dot: Do you have a complaints procedure set up at Blacknight?
Neylon: Of course. All registries and registrars that are ICANN-accredited have obligations to have an abuse contact. And if you're a network operator, you should have an abuse contact as well. We're not a particularly large player, but we put that into part of our bigger help-desk system many years ago, so when something comes through, multiple people are able to access it. And then depending on what type of complaint it is, we can deal with it immediately (for the low hanging fruit), but in other cases, obviously, it's going to be a lot more complex. We get complaints all the time, and you do get a lot of strange complaints. But the thing is just being able to look at them and decide whether it's within our scope to do something, or maybe we just pass it on to our clients, or in some cases it's simply not something that is within our scope.
dot: Now, in the framework, there are a set of definitions of different types of abuse. Can you tell me something about this?
Neylon: The thing to understand here is that the framework is very narrow and very specific and deals with a number of particular types of abuse. Like the child abuse example, which I keep using, because it's such a clear example. It's the one that there's really no grey areas about whatsoever, and there's no philosophical debate. It's black and white, it's binary. My own company will take action on quite a few other types of abuse. But, for example, if a website is compromised – which happens a lot – and we don't host the website, it would be disproportionate for us to take that website offline completely.
So let's say we are acting as the registrar of record for eco-member.de, for example. As the registrar of records, but not hosting the website, the only action I could take is to remove the domain completely. I don't have a scalpel. I have no way of going in and saying these pages, these subdomains should or should not exist. I can't do that. And removing the domain completely would be disproportionate.
It's different if we are acting as the hosting provider – then it's sitting on our servers, we have access to the content, we have access to the files, and we can be much more refined in how to deal with it. If some things are sitting on a shared server, we can just take the web part offline. Their email, other services are not going to be impacted. Or we can even take just part of the website offline, or just make sure that's not accessible from the outside world. I mean, there's a lot of things that you can do.
But the thing is that a lot of this is coming from the bigger discussion around DNS abuse, because some people are saying that the industry isn't doing anything. And a lot of us are saying, well, actually, no, we are. There's plenty of things that we're doing. But you need to be reasonable in what you're asking us to do.
There are certain things I can't do. I mean, for example, even if I'm the hosting provider, I have no way to remove a word from a web page. I can remove the entire website, but there's no way for me to go in and remove every definite article on a page. But we get people asking us to do this. And a lot of the time it's because either they don't understand how the ecosystem works, so they're sending the request to the wrong place, or they're just lazy – and don’t make any real effort to contact the actual website operator. With something like defamation, for example, we get complaints, but the answer is: Go talk to our clients. They're in a position to do something about that. We are not. (Now sure, of course, if they were to present us with a court order demanding that we do it, fine.) But just assuming that because we're part of the chain we're able to do everything is not reasonable.
If you look at the framework paper, it draws on some of the work from the Internet Jurisdiction Project. One of the things there is trying to explain to people how things fits together. The domain name, for example, it's just a pointer to the content. It isn't the content itself. But a lot of people seem to think that the domain is the content, that they're one and the same. So if I remove eco-member.de, or .com or .whatever, all of the content you still have on that domain is still sitting there. It's still online, you just can't reach it through that domain.
So let's take Daily Stormer as a prime example. Daily Stormer keeps switching domain names, but the content is always the same. All they're doing is moving from one domain name to another. As the registries, registrars, DNS providers shut down those domains, they just switch. The content is always just there. It's just how you get to the content that changes.
dot: Coming back to the framework: I assume you're wanting more DNS providers to become signatories?
Neylon: Yeah. I mean, there are two parts to that. One thing is, obviously, you want more people to back these kind of baseline concepts. But the other thing is that there's no point in having, let's say, 500 companies sign on to this if 450 of them aren't actually going to do anything. You know, it needs to be meaningful. And again, if you look at the document, it's very narrow. It's dealing with very specific types of abuse. And if you talk to people in any of the companies signed on, you realize that in most cases they're willing to do a lot more. These are the minimum.
Essentially what you want is a situation where the digital economy can flourish and jobs can be created, and all of that. And I think these are all things that a lot of us believe in quite strongly.
But the only way that can work is if you're able to keep things relatively clean. I mean, you're never going to have a situation where the Internet is all unicorns and bunnies. That's just not reality.
You know, you could live in the nicest neighborhood in whichever city or town you're living in. But you don't want to live in a neighborhood where there's rats bouncing across your front yard every morning, the bins are spilling out into the street, there's burnt-out cars at every corner. You don't want to live in that neighborhood. And why would anybody want to do business in that neighborhood? If you let the Internet's ecosystem degrade in that respect, then you end up in a situation where you end up going backwards. And that's not what we want – we want to move forward.
Michele is co-founder and CEO of Blacknight. He is actively involved in Internet policy development, and is currently a member of ICANN’s GNSO Council as a representative of domain registrars. He is also involved with policy development for several domain registries, including .IE, .EU and .US. He previously served as chair of i2Coalition and is a member of the Names and Numbers Steering committee of eco. Michele received the Irish Internet Association Net Visionary Award in 2013 and was named one of Ireland’s 30 Technology Disruptors at The Spiders Awards in 2019.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.