A Well-Lit DNS

It is time for the governing ecosystem to take responsibility for some of the growing mess in the DNS

Tucows, like many other responsible registrars, does our job well and with little fanfare, helping to keep our layer of the Internet up, robust, and generally trouble-free. In fact, responsible registrars and registriesAn organization that’s in charge of the operation and administration of a particular top-level domain (TLD), like .com or .uk. Registries maintain a database of all domain names registered under the TLDs they operate. For example, if you register example.com, your registration record will live at Verisign, the registry for .com. do the job well enough that we and the part of the Internet we maintain—the domain name system (DNS)—are typically invisible to Internet users.

It’s precisely because of that invisibility that Tucows believes it’s especially important for us to be transparent.

This is even more imperative because responsible registrars and registries nevertheless ​​vary in their policies for maintaining a free, open, and healthy Internet. Users should know where and how we draw the lines and what actions and procedures we follow when they report a site to us for transgressing those lines.

But that is still not enough, since not all registrars and registries behave responsibly. A minority, either knowingly or through inadequate compliance resources and careless neglect, enable sites that exist only to steal your personal information, to trick you into downloading malicious software, to host and distribute extremely harmful content such as CSAM (child sexual abuse material), and to cause other types of harm. These bad actors are having an increasingly consequential effect on the DNS.

As the world relies ever more on the Internet, this problem is becoming ever more serious. But it is not a problem that responsible registrars can address on our own. We need to pull together the full DNS community—registrars and registries, governing bodies, web hosting services, and concerned users—to work together, each in their own way, and always iteratively, to keep the DNS layer of the Internet open, free, and safe.

Steps toward transparency

To live up to our dedication to transparency, Tucows has:

In fact, the page you’re reading is another step toward transparency Tucows has taken. In that spirit, here is an overview of how Tucows understands its authority to respond to complaints about abusive sites:

The law

If a court has jurisdiction over Tucows, we follow their properly adjudicated decisions.

For example, if a Canadian law enforcement agency presents adequate due process for us to disclose identifying information about the owner of a domain, we provide that information. (We usually tell the person whose data is about to be disclosed that we have such an order, so they can dispute that order if they choose to. In rare cases, we’re not allowed to tell that person beforehand—or sometimes ever—in which case, we sigh and obey the law.)

Contractual and voluntary agreements

Every registrar operates with the authorization conveyed to them by their contract with ICANN. That contract requires registrars to “investigate and respond appropriately to any reports of abuse.”

Some registrars, including Tucows, have also signed onto the DNS Abuse Framework, a document that commits signatories to act not just against DNS Abuse (which is: malware, botnets, phishing, pharming, and spam when it serves as a delivery mechanism for other forms) but also against content abuses that rise to a level that signatories to the Framework believe warrant action at the DNS level (including CSAM, imminent harm to human life, and opioid sales). Tucows isn’t just a signatory; we are proud to be one of the original drafters of the Framework.

The limits on enforcing content rules

We look carefully at the sites that are reported to us because it is our responsibility as a registrar to ensure that the services we provide contribute to a healthy Internet.

Tucows’ Terms of Service give us the authority to take down legal sites whose content we find intolerable. But we are loathe to take down sites other than those of the types specified in the DNS Abuse Framework, even when we find the content abhorrent, because, while Tucows is an expert at maintaining one particular technical layer of the Internet’s architecture, we are not experts in deciding what legal speech should be silenced.

Put differently, would the Internet be a better place if domain name registrars were put in charge of deciding what speech ought to be permitted on it?

To be fully transparent, Tucows as a company and as a community feels terribly torn by this issue. This is the issue we lose sleep over and we are not done discussing it.

Cleaning up the DNS space

Transparency is crucial but, in itself, it’s not enough to deal with rogue registrars that turn a blind eye to domains registered through them that facilitate phishing, malware, or otherwise violate the rules laid out in registrars’ governing agreements, including the voluntary DNS Abuse Framework. These are, simply put, bad actors in the community of registrars and registries, and they are too rarely held to account. You don’t have to have malicious intent to be a bad actor in the DNS; failing to provide adequate compliance resources for your domains under management—and then either ignoring problems or justifying your lack of oversight in the name of “Internet freedom”—will also qualify you for “bad actor” status. As a consequence, if an abusive site gets dropped by a responsible registrar, the domain name will usually be transferred to a less conscientious registrar. Or, if a responsible registry points the domain name to a non-existent IP address, the malefactors can point a new domain name to the content of their existing site, creating an endless game of whack-a-mole. This lack of consistent enforcement makes it hard to stem the tide of harmful sites. This is an interconnected system, only as strong as its weakest link.

Here’s what we at Tucows think is needed:

First, the problem needs to be acknowledged, scoped, and prioritized. DNS Abuse is addressed quite effectively by most registrars and registriesAn organization that’s in charge of the operation and administration of a particular top-level domain (TLD), like .com or .uk. Registries maintain a database of all domain names registered under the TLDs they operate. For example, if you register example.com, your registration record will live at Verisign, the registry for .com. (both singly and in collaboration with one another), the victims of the abuse, and broader industry associations, all within the letter and intent of the existing ICANN obligations. But a small number of registrars and registries are lax—or worse—in enforcing their obligations and thereby become preferred providers to malevolent agents worldwide. These irresponsible registrars and registries profit from the abuse they enable, benefit from not having to expend resources to live up to their obligations, and rarely suffer any consequences imposed by ICANN Contractual Compliance, the body charged with enforcing the contract with ICANN that requires that registrars and registries address abuse.

In terms of priorities, we at Tucows think that, at this point, strong and consistent action needs to be taken against registrars and registries that violate existing policies and guidelines.

We also would like to see ICANN officially accept the DNS Abuse Framework’s enumeration of the categories of harms that can warrant taking administrative action against sites. We would like to see ongoing discussion to refine and possibly expand that list.

Second, registrars and registries should commit to making their own values, processes, and standards public and transparent.

Third, registrars, registries, web hosting providers, ICANN, and the concerned public need to come together to share rules and methods for limiting the damage caused by DNS Abuse and to collaboratively take action.

Fourth, ICANN Contractual Compliance should recommit to enforcing the requirement that registrars and registries take action on DNS Abuse, sanctioning registrars and registries that refuse to address DNS Abuse in their namespace.

We at Tucows have taken a first step by becoming more transparent to a degree that we hope other responsible registrars and registries will follow and even exceed.

We hope soon to be active participants in a collaborative, iterative process by which registrars, registries, ICANN, and other stakeholders create an environment of transparent rules and methodologies for limiting the damage that abusive sites can cause.

It is past time to act.