DNA Healthy Practices Outline (Clean)

Post on 10-Nov-2021


DNA HEALTHY DOMAINS INITIATIVE

REGISTRY/REGISTRAR HEALTHY PRACTICES

I. Introduction and Context

Introduction

This document is part of the Domain Name Association's (DNA) Healthy Domains Initiative (HDI), which has the following objectives:

● Establish a network of industry partners that communicate and collaborate with one another to support a healthy domain name ecosystem.

● Identify and/or develop industry-accepted healthy practices and specific programs that provide tangible ways of promoting standards for healthy domains.

● Demonstrate to the community our desire to implement best practices and otherwise fulfill our stewardship obligations.

Purpose of this Healthy Practices Document

The purpose of this document is to present a set of prioritized healthy practices and programs for the domain name community that would result in:

● Presentation of a more vibrant namespace to end-users

● Identification of additional voluntary steps to address abuse and illegal activity

The document is meant to be collaborative among all interested parties. It is anticipated that this set of draft principles and operational programs will continually evolve.

This document is not meant to create new requirements for registries and registrars; it is a representation of existing and proposed practices that, voluntarily adopted, can further the healthy development of the domain name system.

Context: Evolution of Healthy Domains Initiative

The Healthy Domains Initiative is a project under the DNA's umbrella. The DNA assumed management of the concept in 2015 and established a committee devoted to HDI.

As the concept took shape, the HDI committee entertained ideas for registry and registrar operations that, if implemented, would help to address various challenges in the domain name system. Such ideas were presented and discussed by multiple parties in the greater community at the initiative's first HDI summit, held in Seattle in February 2016. The Seattle meeting further built out these ambitious ideas.

During the ICANN meeting in Marrakech in March 2016, parties interested in HDI met to further review and discuss these ideas. It was agreed in that meeting that the next best output for the HDI effort was to put forth a set of operational principles to which contracted parties could reasonably adhere. HDI leaders thus focused on such a document as the first deliverable in the HDI effort.

Next, to get a sense of what already was in place in the market, and to measure priorities for potential practices, the DNA conducted a survey of members. The results of the survey identified areas where contracted parties already had put strong operational practices into place, and where there was room for additional expansion. The results of that survey are below in this paper, embodied as a prioritized list of aspirational practices.

After conferring on these proposals during the ICANN meeting in Helsinki in June 2016, the HDI committee identified several that should be prioritized, developed and implemented. These are:

1. Addressing online security abuse (e.g., malware, phishing, pharming)

2. Enhancing child abuse mitigation systems

3. Complaint handling from illegal or "rogue" online pharmacies

4. Voluntary third party handling of copyright infringement

Each of these areas is now headed by 1-2 HDI committee volunteers, who will direct subteams in developing implementation plans for each.

Baseline: Industry Respondents Detail Current Healthy Practices

The DNA surveyed its membership on what, if any, healthy practices already are employed by contracted parties, and further, regarding the appeal of proposed new practices.

An impressive 78% of respondents said that their companies already employed healthy practices outside the scope of their contracts with ICANN.

89% of respondents said they intend to expand this list to include additional practices. The conclusion of the survey, agreed to by most involved in HDI, is that there exists an opportunity to expand practice ideas, and contracted parties are receptive to doing so.

II. Healthy Practice Priority Areas

A. Addressing online security abuse (e.g., malware, phishing, pharming)

For a full review of proposed healthy practices addressing this area, please see the sub-team's detailed document in Appendix A.

Overview

The objective of this effort is to further reduce security abuse in the DNS.

Tactics and goals

This effort will consolidate recommended practices for registries and registrars responding to security abuses identified in their TLDs, as described in past work by groups in the security space. In identifying recommended practices, we consulted past practices recommendations developed by the Security and Stability Advisory Committee (SSAC); the Anti-Phishing Working Group (APWG); StopBadware; and the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG), as they applied to the registry and registrar context. Our goals in this area are threefold:

● To outline some of the challenges and considerations affecting how registries and registrars respond to identified security threats;

● To identify practices for registries and registrars to improve responses to security threats through individual practice, collective action, and information sharing; and

● To identify a means for registries and registrars to strengthen their relationships with key groups in the security space to improve and evolve security-related abuse handling.

Relevant principles

Principle 1: Focus action on domains that are primarily malicious.

Principle 2: Consider the impact of mitigation mechanisms, particularly on third parties, and whether another provider is able to mitigate the abuse through narrower, less disruptive means.

Recommended practices

This sub-group has identified a total of 20 practices for registrars and registries to employ as means for combating DNS abuse. The specific recommendations are consolidated around four core areas where registries and registrars can exercise strong security practices:

● Measures to improve credential management on their platforms and minimize the risks associated with compromised domains;

● Measures to detect and mitigate possible abuse at the point of registration;

● Measures to identify and mitigate potential abuse on an ongoing basis; and

● Measures for receiving and handling abuse reports.

We do not intend to propose a one-size-fits-all model for security abuse handling. The ideal package of security improvements may depend on a registrar's customer base and business model. Specific considerations and recommendations for each of these four areas are identified in Appendix A.

B. Enhancing child abuse mitigation systems

For a full review of proposed healthy practices addressing this area, please see the sub-team's detailed document in Appendix B.

Overview

The objective of this practice is to further expand existing (but not yet universal) methods for addressing images and content related to child abuse, as well as providing education and resources for registries and registrars to combat child abuse.

Tactics and goals

The primary recommended practices here are twofold:

● Establish a system for imagery handling

o Participating registry operators and registrars require in their registry–registrar agreements/registrant agreement a term that prohibits child abuse content and permits the registry operator/registrar to suspend or delete domain names that violate this term.

o Each also may establish an internal policy/protocol advising staff to forward the URL/domain name/website in question to the organization's Legal or Compliance Department.

o The next step is an expeditious report of the situation to a child protection hotline.

● Establish a trusted notifier system

o "Trusted notifier" is a party that is pre-vetted (e.g., NCMEC, IWF, INHOPE) and recognized by the contracted party as capable of providing the relevant and complete evidence needed to take action against the registrant.

o Provide forms of agreements between registries/registrars and these organizations.

Aspirational practices

Depending on the services provided, contracted parties may also wish to consider adoption of services and technologies available through outside child protection expert organizations. These include:

● NCMEC's URL Initiative and PhotoDNA and Hash Value Sharing programs

● IWF's Image Hash Tag List

C. Complaint handling for "rogue" online pharmacies

For a full review of proposed healthy practices addressing this area (rogue pharmacies), please see the sub-team's detailed document in Appendix C, as well as NABP's diagram proposal for a qualified complaint handling system.

Overview

The objective of this practice is to further address "rogue," or illegal, online pharmacies.

Tactics and goals

The proposed methods for this section of HDI's healthy practices proposal involve both internal and external steps that registries and registrars may voluntarily employ to identify and safely remove these threats to public health:

● Internal practices by contracted parties:

o Partner with and support the work of organizations dedicated to combating the problem (NABP, CSIP, ASOP).

o Notify relevant organizations when the registry/registrar becomes aware of potential illegal pharmacies.

o Take action on confirmed illegal pharmacy sites in accordance with internal processes.

● Establish a trusted notifier and third-party validation system

o "Trusted notifier" is a party that is pre-vetted and recognized by the contracted party as capable of providing the relevant and complete evidence needed to take action against the registrant.

o "Validator" is a party that the contracted party deems capable of determining that an online drug seller is properly licensed, reputable and safe.

o Provide forms of agreements between registries/registrars and these organizations.

The DNA's role is to promote the use of sound internal practices and relevant partnerships to help mitigate the problem of illegal internet pharmacies.

D. Voluntary third party handling of copyright infringement cases (PIR proposal)

For a full review of the proposed process to be employed voluntarily in addressing copyright infringement, please see the sub-team's detailed document in Appendix D.

Overview

The objective of this practice is to provide a voluntary mechanism to help mitigate copyright infringement in the DNS, by a method similar to those employed by trademark owners to protect their interests.

Tactics and goals

The proposal advanced here is to construct a voluntary framework for copyright infringement disputes, so that copyright holders could use a more efficient and cost-effective system for clear cases of copyright abuse other than going to court, and registries and registrars are not forced to act as "judges" and "jurors" on copyright complaints.

● Framework is Registry specific: each registry decides whether to participate. Participating registries:

o adopt policy requiring registrants to submit to ADR proceeding; and

o agree to take all steps necessary to implement Panel's decision, i.e. cancellation of registration or transfer to Complainant

● Does not preclude litigation.

● Remedies limited to:

o Cancellation of domain name, or

o Transfer of registration to complainant

o No monetary damages

● Legal construct must be sound

o Accurately reflect applicable law

o To extent copyright laws materially vary among jurisdictions, consider creating more than one custom framework

o Ensure due process for respondents

o Complainant pays panel fees

o Registries/registrars cannot be named as parties

III. Next Steps

In order to make measurable progress toward the above prioritized practices and therefore validate and claim ongoing success with the program, the DNA must now move into implementation mode. This includes the following steps:

1. Meet monthly as an HDI committee to continue progress toward implementation of prioritized practices.

2. Set interim progress report to full DNA organization between Hyderabad and Copenhagen.

3. Prepare short PR campaign to alert industry to DNA efforts.

Appendix A: Security Threat Mitigation Proposal

Purpose

The purpose of this document is to consolidate recommended practices for registries and registrars responding to security abuses identified in their TLDs, as described in past work by groups in the security space. In identifying recommended practices, we consulted past best practices recommendations developed by the Security and Stability Advisory Committee (SSAC); the Anti-Phishing Working Group (APWG); StopBadware; and the Messaging, Malware, and Mobile Anti-Abuse Working Group, as they applied to the registry and registrar context. Our goals in this area are threefold:

● To outline some of the challenges and considerations affecting how registries and registrars respond to identified security threats;

● To identify practices for registries and registrars to improve responses to security threats through individual practice, collective action, and information sharing; and

● To identify a means for registries and registrars to strengthen their relationships with key groups in the security space to improve and evolve security-related abuse handling.

Considerations

Several considerations complicate registries' and registrars' efforts to effectively deal with online security abuse. Abuse complaints may involve distributed actors and complex chains of responsibility. Various actors, including registries, registrars, resellers and hosting providers, each have distinct responsibilities with respect to a domain name or website, and different information and tools to assist in mitigating a particular abuse. The lack of uniform reporting and response practices across these providers may thwart the communication and collaboration necessary to effectively address a particular abuse. Further, given this distribution of service providers associated with a single domain name or website, a particular provider may lack a contractual relationship and/or history of communication with the registrant or site owner, limiting their ability to work directly with the registrant or site owner to mitigate the abuse.

Additional legal considerations also inform registries' and registrars' ability to respond to abuse. These considerations can range from concerns around whether a particular action could negatively impact free speech or raise privacy concerns, to jurisdictional issues, where the multiple service providers involved are subject to different legal frameworks with different requirements and limitations affecting how they take action on an identified abuse.

Lastly, accountability considerations also factor significantly into registries' and registrars' practices for handling identified security abuse. Most notably, the question of whether the registrant is directly responsible for the abuse in question should influence what actions a registry or registrar takes when a potential security abuse is identified. Domain names that appear to be compromised may require a different set of responses, given that registrants on the whole are generally uneducated about security threats without support from their providers.

These considerations have been taken into account in the principles and recommendations outlined below. However, they may account for additional differences in how particular registries or registrars address abuse complaints, or in how particular complaints are dealt with on a case-by-case basis.

Principles

Principle 1: Focus action on domains that are primarily malicious.

Registries and registrars should focus on domain names that are primarily malicious. Domains that are compromised, or where other parts of the domain serve a legitimate purpose, should generally be referred to their hosting providers, which possess tools to address abuse in a more targeted fashion by taking action against specific abusive content versus taking action at the domain level.

Principle 2: Consider the impact of mitigation mechanisms, particularly on third parties, and whether another provider is able to mitigate the abuse through narrower, less disruptive means.

Considerations that a registry or registrar could weigh when assessing whether they are appropriately situated to mitigate the identified abuse include:

● Whether the relevant infrastructure is under its direct control;

● The number of downstream providers that would be affected;

● Applications or legitimate content that could be affected by mitigating the abuse directly;

● Whether mechanisms exist to temporarily mitigate the abuse, and any potential consequences of temporary mitigation;

● Whether downstream providers have been contacted already and whether they have been responsive when contacted; and

● Whether the provider in question possesses a direct contractual relationship with the registrant.

Registries and registrars may consider whether there are downstream providers with closer relationships to the registrant and the content in question (e.g. contractual relationships or more targeted tools to target the abuse). If so, it may be more appropriate to refer the complaint to a downstream provider. If downstream providers have already been engaged, any actions taken so far should be taken into account in determining any future response.
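The two principles and the considerations listed above can be written down as a triage rule an abuse desk applies consistently. The following is an added illustration, not code from the DNA/HDI document; the field names, the three outcomes and the sample cases are this example's own constructed assumptions.

```python
"""Triage helper for Principles 1 and 2 (added illustration, not DNA/HDI code)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class AbuseAssessment:
    domain: str
    primarily_malicious: bool            # Principle 1: does the domain exist for the abuse?
    scope: str                           # where the abuse sits: "domain", "subdomain" or "path"
    infrastructure_under_control: bool   # Principle 2: is the affected infrastructure ours?
    downstream_providers: List[str] = field(default_factory=list)  # hosting provider, reseller, registrar
    downstream_contacted: bool = False
    downstream_responsive: bool = False
    has_contract_with_registrant: bool = False
    legitimate_content_affected: bool = False


@dataclass
class TriageDecision:
    action: str          # "act_directly", "refer_downstream" or "escalate_for_review"
    reasons: List[str]


def triage(a: AbuseAssessment) -> TriageDecision:
    reasons: List[str] = []
    # A downstream provider offers "narrower, less disruptive means" unless it was
    # already contacted and did not respond (one of the considerations above).
    downstream_can_act = bool(a.downstream_providers) and not (
        a.downstream_contacted and not a.downstream_responsive
    )

    # Principle 1: compromised domains, or abuse confined to one part of a domain,
    # go to the hosting provider, which can act on content instead of the name.
    if not a.primarily_malicious or a.scope != "domain":
        reasons.append("domain is compromised or only part of it is abusive (Principle 1)")
        if downstream_can_act:
            reasons.append("a downstream provider has more targeted tools (Principle 2)")
            return TriageDecision("refer_downstream", reasons)
        reasons.append("downstream providers contacted and unresponsive; domain-level action needs review")
        return TriageDecision("escalate_for_review", reasons)

    reasons.append("domain is primarily malicious (Principle 1)")
    # Principle 2: weigh direct control, contractual relationship and collateral impact.
    if not a.infrastructure_under_control:
        reasons.append("relevant infrastructure is not under direct control (Principle 2)")
        return TriageDecision("refer_downstream" if downstream_can_act else "escalate_for_review", reasons)
    if not a.has_contract_with_registrant and downstream_can_act:
        reasons.append("no contractual relationship with registrant; a closer provider exists (Principle 2)")
        return TriageDecision("refer_downstream", reasons)
    if a.legitimate_content_affected:
        reasons.append("legitimate content would be affected by domain-level action (Principle 2)")
        return TriageDecision("escalate_for_review", reasons)
    return TriageDecision("act_directly", reasons)


# Constructed sample cases (reserved .test names; not real reports).
CASES = {
    "compromised_path": AbuseAssessment("example-shop.test", False, "path", True,
                                        ["hosting provider"]),
    "malicious_at_registrar": AbuseAssessment("phish-login.test", True, "domain", True,
                                              [], has_contract_with_registrant=True),
    "malicious_at_registry": AbuseAssessment("phish-login.test", True, "domain", True,
                                             ["registrar"]),
    "unresponsive_host": AbuseAssessment("example-blog.test", False, "subdomain", True,
                                         ["hosting provider"], downstream_contacted=True,
                                         downstream_responsive=False),
}

if __name__ == "__main__":
    for name, case in CASES.items():
        d = triage(case)
        print(f"{name}: {d.action} ({'; '.join(d.reasons)})")
```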

Recommended Practices

The following recommendations offer ways for registries and registrars to improve their security offerings. We do not expect that registries or registrars will implement all of the mechanisms described below; rather, that the recommended practices will provide a framework to review current practices against and identify potential improvements. We break out recommended practices into four categories based upon the phase of the registration or abuse response in which they occur:

● Measures to improve credential management and minimize the risk associated with compromised domains;

● Measures to detect and mitigate possible abuses at the point of registration;

● Measures to identify and mitigate potential abuse on an ongoing basis; and

● Measures for receiving and handling abuse reports.

Implementation of each of the following mechanisms can occur in a manner that takes into account the considerations outlined above.

Additionally, the ideal package of security improvements may be affected by a registrar's customer base and business model. By way of example, a corporate registrar that manages high-value and highly-trafficked domain names may benefit from implementing heightened opt-in security features to enable registrants to take additional steps to protect their domains from being compromised. On the other extreme, registrars or registries that sell high volumes of low-cost domains may see more impact from mechanisms that prevent abuse at the point of registration or that automate, expedite, or scale abuse response procedures.

Measures to improve credential management and minimize the risk associated with compromised domains

As outlined above, one of the most critical considerations in determining how to respond to a particular security threat is whether the domain name is malicious or compromised. Cybercriminals benefit from taking control of legitimate websites versus registering malicious domains, as they are more likely to retain traffic, invoke consumer trust, and are less likely to be blocked by security software or flagged by reputation service providers (Compromised Websites, A User Perspective). According to regular studies carried out by the APWG, the vast majority of domain names that are flagged for phishing are the result of domain compromise versus malicious registrations by phishers (APWG, Global Phishing Survey).[1] Compromised websites can also be linked to other forms of abuse, such as the distribution of malware, including through "domain shadowing", where abusive third-level domains are set up under a legitimate second level domain name, potentially bypassing internal monitoring (SAC074, SSAC Advisory on Registrant Protection). This makes the implementation of mechanisms to prevent credential compromise at the registrant, registrar, and registry level a useful proactive step to preventing many security abuses. Previous work by the SSAC has offered a number of proactive measures that registrars can implement to allow registrants to minimize the risks that their domains will be compromised, which have been summarized below:[2]

[1] According to the three most recent Global Phishing Surveys carried out by the APWG, the domain names that were registered maliciously accounted for only 28.6 percent of malicious registrations. The rest are a result of compromised domains. (APWG, Global Phishing Survey: Trends and Domain Name Use in 2H2014 and 1H2015)

[2] The full recommendations by the SSAC on this matter can be found in SAC040 and SAC074.

● Recommendation 1: Registrars may make registrant accounts secure through credential design, such as heightened requirements for password length and complexity, encouraging or requiring registrants to rotate passwords, and preventing password reuse.

● Recommendation 2: Registrars may offer to registrants additional, opt-in features to make their accounts more secure. Examples include enabling two-factor authentication, offering tiered levels of access for different account roles, delivering notification of account changes to multiple contacts, introducing security questions or other challenge systems, using IP whitelisting, or creating per-domain access controls.

● Recommendation 3: Registrars may validate change requests to a domain name through secondary means, and not use an email address associated with the domain in question to validate, since that address may itself be compromised.
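Recommendation 3 has a practical edge case: a mailbox hosted on any subdomain of the affected domain is just as exposed as one on the domain itself, since whoever controls the name controls its MX records. The helper below, an added illustration rather than code from the document, selects a verification contact that would survive a compromise of the domain being changed; the contact list format and the IDNA normalization are this example's assumptions, and the sample data is constructed.

```python
"""Pick an out-of-band verification contact for a domain change request (Recommendation 3).

Added illustration, not code from the DNA/HDI document.
"""
from typing import List, Optional


def _labels(name: str) -> List[str]:
    """Lower-case a host name, convert it to A-labels and split it into DNS labels."""
    name = name.strip().rstrip(".").lower()
    try:
        name = name.encode("idna").decode("ascii")  # "bücher.test" -> "xn--bcher-kva.test"
    except UnicodeError:
        pass                                        # leave an unencodable name as typed
    return name.split(".")


def is_under_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or any subdomain of it (label-wise, not substring)."""
    h, d = _labels(host), _labels(domain)
    return len(h) >= len(d) and h[-len(d):] == d


def mail_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1]


def independent_contacts(domain: str, contacts: List[str]) -> List[str]:
    """Email contacts whose mailbox does not depend on the domain being changed."""
    return [c for c in contacts if "@" in c and not is_under_domain(mail_domain(c), domain)]


def choose_verification_contact(domain: str, contacts: List[str]) -> Optional[str]:
    """First usable secondary contact, or None when every contact lives under the domain
    (in which case the registrar must fall back to another channel, e.g. phone or 2FA)."""
    ok = independent_contacts(domain, contacts)
    return ok[0] if ok else None


if __name__ == "__main__":
    # Constructed registrant contact records for a change request on example-shop.test.
    contacts = ["admin@example-shop.test", "owner@Mail.Example-Shop.test", "owner@personal.example"]
    print(choose_verification_contact("example-shop.test", contacts))   # owner@personal.example
```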

Additionally, the advisories propose mechanisms that registries or registrars can implement to minimize the risk of compromise of registry or registrar authoritative systems.

● Recommendation 4: Registries and registrars can structure internal processes to ensure that credentials are not stored in places where they might be compromised (e.g. internal bug logs, wikis, or tickets).

● Recommendation 5: Registries and registrars can maintain good practices for the storage and transmission of credentials, including transmission of credentials over secure channels, storing protected versions of credentials, storing backups offline, and destroying records of credentials where they are no longer needed.

● Recommendation 6: Registries and registrars may implement clear practices to ensure that credentials are revoked and rotated when personnel with access to the information depart the organization.

● Recommendation 7: If a breach occurs, registries and registrars can notify registrants in a way that can be easily recognized and verified.

Measures to detect possible abuses at the point of registration or inbound transfer

Registries and registrars can also implement mechanisms to identify and address possible security abuses at the point of registration. These mechanisms are particularly useful for registries or registrars that offer free or extremely low-cost domains, which have historically attracted abuse, and as a deterrent for abuse types that require the registration of large volumes of domains.

● Recommendation 8: Registrars can guard against automated registrations by screening for and limiting or investigating high registration volumes coming from a single account, or by implementing a CAPTCHA to help ensure that domains are being registered by a human.

● Recommendation 9: Registrars screen registrations for frequently abused terms and require additional identity verification information from registrants of these domain names. Flag such domains for further review, or require additional information or validation from the registrant prior to registration.

● Recommendation 10: Registrars validate payment information based on Payment Card Industry (PCI) Security Standards.
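Recommendations 8 and 9 combine naturally into one screening step at the point of registration: a sliding-window count of registrations per account, a watch-list check on the requested label, and the CAPTCHA result, mapped to allow / review / hold. The code below is an added illustration, not code from the document; the threshold, window and watch-list are constructed placeholders a registrar would replace with values derived from its own abuse history.

```python
"""Point-of-registration screening for Recommendations 8 and 9 (added illustration)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List

# Constructed placeholder list. Substring matching over-matches (e.g. "loginsurance"),
# which is why a hit leads to review or extra verification, never automatic refusal.
ABUSED_TERMS = ["login", "secure", "verify", "account", "bank", "wallet"]
MAX_REGISTRATIONS_PER_WINDOW = 5      # constructed threshold
WINDOW_SECONDS = 3600.0               # constructed window


@dataclass
class ScreeningResult:
    domain: str
    decision: str                     # "allow", "review" or "hold"
    flags: List[str] = field(default_factory=list)


class RegistrationScreener:
    """Tracks per-account registration velocity and screens labels for abused terms."""

    def __init__(self, limit: int = MAX_REGISTRATIONS_PER_WINDOW,
                 window: float = WINDOW_SECONDS, terms: List[str] = ABUSED_TERMS):
        self.limit, self.window = limit, window
        self.terms = [t.lower() for t in terms]
        self._history: Dict[str, Deque[float]] = defaultdict(deque)

    def _count_in_window(self, account_id: str, now: float) -> int:
        """Record this attempt and return how many attempts fall inside the sliding window."""
        q = self._history[account_id]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        return len(q)

    def screen(self, account_id: str, domain: str, now: float,
               captcha_passed: bool = True) -> ScreeningResult:
        flags: List[str] = []
        label = domain.lower().rstrip(".").split(".")[0]   # screen the registered label only
        hits = [t for t in self.terms if t in label]
        if hits:
            flags.append("abused terms in label: " + ", ".join(hits))
        count = self._count_in_window(account_id, now)
        over_velocity = count > self.limit
        if over_velocity:
            flags.append(f"velocity: {count} registrations within {self.window:.0f}s")
        if not captcha_passed:
            flags.append("CAPTCHA not passed")

        # Recommendation 8: unverified automation, or a burst that also trips the
        # term list, is held for investigation. Recommendation 9: a term hit alone
        # (or a burst alone) means additional verification before registration.
        if not captcha_passed or (hits and over_velocity):
            decision = "hold"
        elif flags:
            decision = "review"
        else:
            decision = "allow"
        return ScreeningResult(domain, decision, flags)


if __name__ == "__main__":
    s = RegistrationScreener(limit=2, window=60)
    for i, name in enumerate(["site-a.test", "site-b.test", "site-c.test", "verify-acct.test"]):
        r = s.screen("acct-42", name, float(i))
        print(name, r.decision, r.flags)
```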

Measures to identify and mitigate potential abuse on an ongoing basis

In addition to responding to security abuses that are identified and reported to a registry or registrar by third parties, registries and registrars can improve abuse handling by proactively identifying potential abuses and taking further mitigation action based on the type and severity of the abuse. Registries and registrars can improve security by building an abuse program that identifies, investigates and actions abuse in their namespaces proactively, through partnership with reputation service providers or third-party "blocklists", rather than solely taking action in response to abuse complaints. Registries are already required per their Registry Agreements to "periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets." However, many registries remain uncertain or tentative in responding to security abuse identified through these means, given that they are far removed in the chain of responsibility discussed earlier and lack a contractual relationship with the registrant. Registries can improve the effectiveness of these technical analyses by defining clear practices for how to process and take action on abuses identified through technical analysis. Registries and registrars that use a reputation service provider or third party blocklist should understand that provider's framework for classifying abuse types (e.g. phishing, malware, or social engineering ads); any indicators provided for determining whether a domain name is likely to be malicious or compromised; and where an abuse has been identified (e.g. whether it is at the domain level or confined to a particular subdomain or subdirectory). Each registry or registrar can define an internal framework for how to take action on identified abuses that takes into account these factors and the classification schema used by their reputation service provider.

● Recommendation 11: Registries and registrars may work with reputation service providers to proactively identify domains that have been identified as abusive, classify/investigate them, and take action as appropriate.

Unlike new domain registrations, which are unlikely to have a prior abuse history, domains being transferred in to a new registrar may already appear on a third party blocklist. Registrars could prevent abuse within their domains under management by screening inbound transfers that have been flagged by their reputation service provider or by third party blocklists, and barring these transfers unless and until the registrant works with the respective provider(s) to have the domain delisted.

● Recommendation 12: Registrars may screen domain names being transferred in for appearance on malware/phishing blocklists and require that domain names are de-listed before they can be transferred in.

The limitations on direct intervention by the registry when abuse is identified through its required technical analysis also create an opportunity for registrars to improve security response practices, either through implementation of a consistent framework for responding to reports that are passed down from the registry, or even by engaging similar service providers directly. Overall efforts to mitigate security threats would benefit from some coordination and shared expectation regarding how information would be relayed from registries to registrars (or other third party providers) for action, as well as strong communication between registries and registrars and other engaged parties. This begins with the provision of meaningful abuse reports.

● Recommendation 13: Where identified domain names are being referred to a third party for action, registries and registrars should include all available information about the identified abuse.

Relevant information can include at minimum:

● The URL being reported;

● The date and time that the abuse was reported;

● The IP address when last reported;

● Other targets that the abuse is being reported to; and

● Contact information necessary for follow up.

The following information is optional but can be provided to the extent that it is available:

● Conditions necessary to reproduce the identified abuse;

● The scope of abusive behavior (e.g. whether it applies to a particular page, subdomain, or across the domain);

● How the abuse was identified;

● Any specific malicious code or executables that were identified;

● Any related URLs; and

● Any actions taken to date in response to the abuse complaint.[3]

Additionally, a registry or registrar should be clear about what, if any, action it expects the third party to take with regard to the abuse; a timeframe for the party to take the action and/or provide a response; and any escalation procedures that may be followed if no action is taken or no response is received.

Measures for receiving, handling, and taking action in response to abuse reports

Lastly, abuse can also be identified by a registry or registrar due to the receipt of a third party abuse report. As a first step, registries and registrars can define clear process flows for how these reports will be received and processed, and what standards and procedures will be followed to determine the appropriate course of action. All reports could undergo initial evaluation on a timely basis that establishes (1) whether the reported abuse is credible or can be confirmed; (2) whether the domain name being reported is primarily malicious; and (3) whether the reported abuse is within the scope of control of the registry or registrar, or whether it should be referred to a third party.

[3] StopBadware's Reporting Practices for Badware URLs provides a sample abuse notification that contains the recommended elements.

● Recommendation 14: Registries and registrars identify clear processes, criteria, and allocation of responsibilities for the takedown of clear-cut phishing sites, and escalation processes for reviewing other reports.

The investigation should not focus solely on the domain(s) referenced in the report. Wider investigation can be used to identify and, potentially, take action on additional domain names that are also abusive. This may be the result of a wider account compromise or a malicious user.

● Recommendation 15: When an abuse report is received and verified as abusive/malicious, registrars may review other domain names in the same user account or using the same credit card information.

Just as the provision of complete reports between providers can help improve overall security responses, the provision of incomplete reports by third parties can get in the way of effective handling by the party receiving the abuse report. Often, registries and registrars receive reports that contain insufficient information to be actionable, or that do not describe prior or parallel actions being taken with respect to the particular abuse. Incomplete reports may require registries and registrars to engage in back and forth with the reporter before the abuse can be classified and flagged for action in accordance with internal processes. Registries and registrars can help expedite this process by providing information and tools for reporters to provide meaningful and actionable reports on the first attempt. This could include help center or reference articles about what information a registry or registrar expects to receive in an abuse report, or web forms that identify mandatory and recommended fields, facilitating the submission process. Relative consistency in terms of what information is expected across registries and registrars will also help and encourage third parties to provide actionable reports regardless of provider.

● Recommendation 16: Registries and registrars can provide tools and information to help internet users provide meaningful abuse reports.
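The element list under Recommendation 13 (minimum and optional fields, plus the expected action, timeframe and escalation path) and the mandatory/recommended web-form fields of Recommendation 16 are the same specification seen from two sides. The validator below, an added illustration rather than code from the document, checks an incoming report against that list and builds the outbound referral text; the field keys, the dict input shape and the sample report are this example's constructed assumptions.

```python
"""Abuse report validation and referral for Recommendations 13 and 16 (added illustration)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Dict, List
from urllib.parse import urlsplit

# Field keys are this example's own; descriptions are the elements listed in the document.
REQUIRED = {
    "url": "The URL being reported",
    "reported_at": "The date and time that the abuse was reported",
    "ip_address": "The IP address when last reported",
    "other_targets": "Other targets that the abuse is being reported to",
    "contact": "Contact information necessary for follow up",
}
OPTIONAL = {
    "reproduction": "Conditions necessary to reproduce the identified abuse",
    "scope": "The scope of abusive behavior (page, subdomain, or domain)",
    "identification_method": "How the abuse was identified",
    "malicious_artifacts": "Any specific malicious code or executables that were identified",
    "related_urls": "Any related URLs",
    "actions_taken": "Any actions taken to date in response to the abuse complaint",
}


@dataclass
class ValidationResult:
    actionable: bool
    missing_required: List[str]      # keys a web form should mark as mandatory
    invalid: List[str]               # present but malformed values
    missing_optional: List[str]      # keys a web form should mark as recommended


def _present(value) -> bool:
    return value not in (None, "", [], {})


def validate_report(report: Dict) -> ValidationResult:
    missing = [k for k in REQUIRED if not _present(report.get(k))]
    invalid: List[str] = []
    if _present(report.get("url")):
        parts = urlsplit(str(report["url"]))
        if parts.scheme not in ("http", "https") or not parts.netloc:
            invalid.append("url: must be an absolute http(s) URL")
    if _present(report.get("reported_at")):
        try:
            datetime.fromisoformat(str(report["reported_at"]))
        except ValueError:
            invalid.append("reported_at: must be an ISO 8601 date-time")
    if _present(report.get("ip_address")):
        try:
            ip_address(str(report["ip_address"]))
        except ValueError:
            invalid.append("ip_address: not a valid IPv4/IPv6 address")
    if _present(report.get("scope")) and report["scope"] not in ("page", "subdomain", "domain"):
        invalid.append("scope: must be page, subdomain or domain")
    missing_optional = [k for k in OPTIONAL if not _present(report.get(k))]
    return ValidationResult(not missing and not invalid, missing, invalid, missing_optional)


def build_referral(report: Dict, expected_action: str,
                   respond_within_hours: int, escalation: str) -> str:
    """Text handed to a downstream provider: every available element, then the expected
    action, a response deadline and the escalation path the document asks for."""
    v = validate_report(report)
    if not v.actionable:
        raise ValueError("report not actionable: " + "; ".join(v.missing_required + v.invalid))
    due = datetime.fromisoformat(str(report["reported_at"])) + timedelta(hours=respond_within_hours)
    lines = [f"{(REQUIRED | OPTIONAL)[k]}: {report[k]}"
             for k in list(REQUIRED) + list(OPTIONAL) if _present(report.get(k))]
    lines += [f"Expected action: {expected_action}",
              f"Response requested within {respond_within_hours} hours (by {due.isoformat()})",
              f"Escalation if no action or response: {escalation}"]
    return "\n".join(lines)


# Constructed sample report (reserved .test / .example names, TEST-NET-1 address).
SAMPLE_REPORT = {
    "url": "http://example-shop.test/account/update/",
    "reported_at": "2021-11-10T09:30:00+00:00",
    "ip_address": "192.0.2.10",
    "other_targets": ["hosting provider abuse desk"],
    "contact": "abuse-reports@reporter.example",
    "scope": "page",
    "identification_method": "reputation service provider feed",
}

if __name__ == "__main__":
    print(validate_report(SAMPLE_REPORT))
    print(build_referral(SAMPLE_REPORT, "remove the abusive page", 48,
                         "re-referral to the registrar abuse desk"))
```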

Registries and registrars should also maintain a clear channel of communication with the reporter. This can be used to provide and receive additional information that may assist in mitigating the abuse. Additionally, it will increase reporters' confidence that their reports are being given due consideration, even in instances where the provider is unable to undertake direct action.

● Recommendation 17: Registries and registrars notify a complainant as soon as their report is received and provide a mechanism for them to provide further information or communication related to the complaint.

● Recommendation 18: Registries and registrars provide additional notification when the reported case is closed, including a description of any action taken.

If a registry or registrar believes that an abuse complaint is credible but not within its scope of action, it may provide additional assistance to the registrant by passing on the report to a downstream provider (e.g. registry to registrar, registrar to hosting provider or reseller) directly, or by providing guidance to the registrant about how to identify and contact the downstream provider.

● Recommendation 19: If a registry or registrar believes that a third party is better situated to mitigate a reported abuse, assist the reporter by identifying the appropriate provider to receive the report or by passing on the report directly.

Where a domain name appears to be abusive, a registry or registrar can additionally provide assistance by notifying the provider and encouraging him or her to mitigate the abuse directly. To the extent practical, the registry or registrar can provide additional information or resources to assist the registrant in mitigating the abuse.

● Recommendation 20: When a domain name appears to be compromised, a registrar may notify the registrant and provide an opportunity to rectify the abuse. Registries may, instead, notify the registrar and request that they or their reseller pass on the notice to the registrant.

Appendix B: Child Abuse Content Mitigation Proposal

Different countries define child abuse images and child pornography differently (e.g., some deem computer-generated images/anime to be illegal whereas others do not). One global definition of "child abuse images" is the United Nations Convention on the Rights of the Child, which defines the term as any photograph, film, video, picture, or computer or computer-generated image or picture, whether made or produced by electronic, mechanical, or other means, depicting child sexual abuse. For more information about various global laws related to child protection, see: http://www.icmec.org/wp-content/uploads/2016/02/Child-Pornography-Model-Law-8th-Ed-Final-linked.pdf and http://fosigrid.org

Recommended practices for Registries and Registrars:

● Recommendation 1: Each Registry Operator/Registrar may publish, on their respective websites, a "zero tolerance" statement or policy against child abuse content and include specific provisions in their registration terms and conditions prohibiting child abuse content. Each Registry Operator/Registrar may include in their agreement the right to suspend or delete domain names that violate this term.

Sample Clause:

Registrant's sites shall not display any child abuse images. Registrant's sites shall not engage in practices that are designed to suggest the presence of child abuse images, including, without limitation, the use of meta-tags for that purpose. Registry Operator/Registrar will refer any sites that are reported to the Registry Operator/Registrar to be in violation of this policy to child safety hotlines like the National Center for Missing and Exploited Children (NCMEC), the Internet Watch Foundation (IWF), or the International Association of Internet Hotlines (INHOPE).

● Recommendation 2: Each Registry Operator/Registrar include contact information for an "Abuse Contact" so that users can report suspected illegal websites.

● Recommendation 3: Each Registry Operator/Registrar establish an internal policy/protocol advising staff to forward internal and external reports of child abuse images to the organization's Legal or Compliance Department.

○ It is strongly suggested that members of the organization DO NOT access the URL/domain name/website in question.

○ It is strongly suggested that members of the organization DO NOT FORWARD ANY IMAGES/VIDEOS OR SCREENSHOTS CONTAINING IMAGES OR VIDEOS – BUT SIMPLY PROVIDE THE URL/DOMAIN NAME/WEBSITE.

● Recommendation 4: When Registry Operators/Registrars become aware of suspected child abuse images, they expeditiously report the URL/domain name/website directly to a child reporting hotline and provide sufficient contact information to the child reporting hotline to facilitate law enforcement follow up regarding the report submitted.

o If the reporting organization (or the website) is based in the United States, file a CyberTip report with The National Center for Missing and Exploited Children (NCMEC) at https://report.cybertip.org/index.htm

o If the reporting organization (or the website) is based in the United Kingdom, file a report with the Internet Watch Foundation (IWF) at: https://www.iwf.org.uk/report

○ If the reporting organization (or the website) is based in a country that is not the United States or the United Kingdom, check the International Association of Internet Hotlines (INHOPE) reporting page to see if they work with the respective country and report it accordingly, see http://inhope.org/gns/report-here.aspx

○ If the reporting organization (or the website) is not listed in any of the links identified above, submit the report to any of the hotlines you prefer because the various hotlines often work collaboratively so there is generally no need to report to multiple hotlines; a report to one hotline suffices.

● Recommendation 4: When Registry Operators/Registrars become aware of suspected child abuse images, the organization may document the URLs reported and retain a copy of those URLs for their internal files, in the event the reporting hotline and/or law enforcement follows up with the reporting organization directly and/or for enforcement of any "repeat offender" policies the organization may have. (It is strongly recommended that Registry Operator/Registrar does not retain or share any screenshots, images or videos.)

● Recommendation 5: Upon contact from a reporting hotline and/or law enforcement, the Registry Operator/Registrar may wish to suspend the domain name, delete the domain name, etc. – pursuant to the organization's policies and protocols.

Aspirational Practices for Organizations that provide Upload, Storage, Search, Hosting, Filtering, or Social Media Services:

If a Registry Operator/Registrar also provides upload, storage, search, hosting, filtering or social media services, and/or an Electronic Service,[4] the organization may wish to consider adopting some or all of the following additional services offered by US and UK child reporting hotlines:

● NCMEC: http://www.missingkids.org/Exploitation/Industry

○ URL Initiative: NCMEC maintains a list of URLs for active Web pages containing apparent child pornography. By joining the URL Initiative, Electronic Service Providers are provided access to NCMEC's URL list which is updated daily.

○ PhotoDNA: This is an image matching technology that creates a unique signature for a digital image called a PhotoDNA signature. This signature can be compared with the signatures of other images to find copies of that image. NCMEC and online service providers use PhotoDNA to help find, report and curtail the online circulation of some of the worst known images of child pornography.

○ NCMEC Hash Value Sharing: Through the Hash Value Sharing Initiative, U.S. based Electronic Service Providers can partner with NCMEC to receive a list of MD5 hash values which represent the "worst of the worst" images of apparent child pornography.

[4] For the United States legal definition of Electronic Service Provider, see: https://www.law.cornell.edu/uscode/text/18/2510

● IWF: Best Practice Guide: https://www.iwf.org.uk/resources/best-practice-guide

○ Image Hash Tag List: The Image Hash Tag List lets parties match known images in order to remove them or prevent them appearing on services. The Image Hashes are categorized to suit international use. Contact HashList@iwf.org.uk for information.

Appendix C: Rogue Pharmacy Abuse Report Proposal

Registry/Registrar Practices for Combating Illegal Internet Pharmacies[5]

Registries and registrars are involved in the provisioning and sale of domain names. From time to time, illegal online pharmacies register domain names and then develop websites on these domain names to try and create a distribution channel for pharmaceuticals in violation of federal and state laws. If given the proper notice information regarding these illegal activities, registrars and registries can take effective action to take down these websites and suspend the domain names from use.

Recommended practices for Registries and Registrars:

● Recommendation 1: Registrars and registries may acknowledge the ongoing problem of illegal online pharmacies and publicly support the work of organizations such as CSIP and the Alliance for Safe Online Pharmacies (ASOP) and companies involved in combatting the use of domain names for the illegal distribution of drugs and medicines by illegal online pharmacies.

● Recommendation 2: When registries and registrars become aware of a suspected illegal pharmacy they may refer the domain to a third party provider that verifies the legitimacy of these websites.

● Recommendation 3: After receiving adequate legal confirmation (pursuant to each organization's own assessment of adequate legal confirmation) that a domain name hosts a website that is used to market and distribute drugs and medicines in violation of applicable laws, registrars and registries may take prompt action. Registries and registrars may take action on confirmed, illegal pharmacies up to and including suspension or deletion of the affected domain(s) in accordance with their internal procedures.

● Recommendation 4: Registrars and registries also include on their website contact information for an "Abuse Contact" so that users can report suspected illegal websites for further investigation by an online pharmacy verification provider.

[5] Reprinted with permission from the Center for Safe Internet Pharmacies' "Principles of Participation." Copyright 2016. All Rights Reserved.

Appendix D: Voluntary Third Party Handling of Copyright Infringement Cases

Purpose

The purpose of adoption and implementation of a Copyright Alternative Dispute Resolution Policy ("Copyright ADRP") is to provide a legally effective and efficient mechanism mitigating pervasive instances of copyright infringement in the DNS, while ensuring that Registrants' due process rights are observed. This document provides recommendations to Registry Operators as to how to structure and implement a Copyright ADRP should they elect to do so.

Principles

Registry Operators are not jurists or experts in Copyright law and are not in a position to admit and evaluate evidence. Accordingly, under any Copyright ADRP, Registry Operators can work with skilled and experienced third-party neutrals (an "ADR Provider") to arbitrate any matter brought under a Copyright ADRP. Arbitration offers a less costly and more expeditious means of addressing alleged pervasive infringing content as compared to most judicial systems and ensures that Registrants receive notice of complaints and due process rights. The ADR Provider should be able to provide expert and experienced neutrals that are capable of determining the merits of any claim brought under a Copyright ADRP. In adopting the Copyright ADRP, the Registry Operator agrees to abide by decisions rendered by the ADR Provider, subject to any appeal that either the complainant or respondent may file in a court of competent jurisdiction.

Since the Registry Operator cannot control, affect or remove individual pieces of content on a website, the Rules of any Copyright ADRP (the "Rules") should be crafted to only provide remedies to address domains where the alleged infringement is pervasive or where the primary purpose of the domain is the dissemination of alleged infringing material.

Any dispute brought under a Copyright ADRP is necessarily a dispute between the copyright holder (the "Complainant") and the registrant (the "Respondent"). Registry Operators should never be permitted to be a named party under any Copyright ADRP. Similarly, Registrars must not be named as a party under a Copyright ADRP, but should have the right to voluntarily intervene, at their discretion.

Recommendations

The following are recommendations for Registry Operators that choose to adopt and implement a Copyright ADRP:

• Recommendation 1: The Registry Operator can work with an experienced ADR Provider. There are many recognized and reputable ADR Providers that work with expert third-party neutrals in copyright disputes. The ADR Provider should be able to offer a number of qualified potential arbiters.

• Recommendation 2: The Complainant should bear the cost and fees of filing the Copyright ADRP dispute (including any ADR Provider fee). This does not include the cost of legal fees. If either the Complainant or Respondent chooses to engage counsel, they should bear their own costs.

• Recommendation 3: The Rules for the Copyright ADRP should respect the due process rights of the Respondent/registrant and clearly explain the process and procedures of the ADRP. This should include:

○ The process for filing a complaint.

○ A clear timeline setting forth how long a Respondent/Registrant has to file a response to the Complaint. Similarly, there should be a clear timeline as to how long the ADR Provider has to issue his/her ruling.

○ The Rules should also set forth the process for the status of the domain(s) while the appeal is pending (e.g., during appeal the domain will be placed under transfer lock at the Registry).

○ The Rules should clarify that the ADRP is non-exclusive. Both the Complainant and the Respondent/Registrant can bring an action related to the alleged infringement in a court of competent jurisdiction at any time before the matter has been fully briefed and submitted to the Arbiter.

○ The Rules should set forth the process in the event a Respondent/Registrant fails to respond to the Complaint, or "Defaults." In the event of a Default the ADR Provider should rule based on the allegations in the Complaint. This does not mean that the Complainant automatically prevails. The Complaint and any supporting materials must set forth a prima facie claim of pervasive copyright infringement.

○ The Rules should set forth the controlling law for the ADRP (typically the jurisdiction where the Registry Operator is located).

• Recommendation 4: Neither Registry Operators nor Registrars should be permitted to be named in any Copyright ADRP Complaint. Registrars, however, should be provided notice of the Complaint and have the right to intervene at their discretion.

• Recommendation 5: The Copyright ADRP should have limited remedies available. No monetary damages or relief beyond suspending, locking or transferring the domain name should be available.

• Recommendation 6: The Rules of the Copyright ADRP should require that the Complainant agree to indemnify, defend and hold the Registry Operator and the ADR Provider harmless from any claim arising from operation of the Copyright ADRP or any decision (and related action) thereunder.

• Recommendation 7: The Registry Operator should ensure that its Terms of Use and/or Acceptable Use Policy are updated to include the Copyright ADRP in order to bind Registrants into the process.