Report on Domain Hijacking Gets Mixed Reaction

A report by an Internet Corporation for Assigned Names and Numbers (ICANN) panel on domain hijacking that was intended to raise a red flag in the Internet community about the practice has been met with mixed reaction, leaving at least one victim seeing red.

The Security and Stability Advisory Committee (SSAC) report was issued last week during ICANN’s annual meeting in Luxembourg, along with 10 recommendations for thwarting domain robbers. ICANN is the group that governs the Internet.

The recommendations ranged from circulating “best practices” information to domain registrars to suggesting ICANN investigate “whether stronger and more publicly visible enforcement mechanisms are needed to deal with registrars that fail to comply with the transfer policy, and to hold registrars accountable for the actions of their resellers.”

Tougher Penalties Sought

However, Alexis Rosen, president of the Public Access Networks Corporation (Panix), an Internet service provider (ISP) in New York City whose domain was hijacked earlier this year, contended that even if the committee’s recommendations were followed, they would do little to deter domain thieves. He called for tougher penalties for domain registrars.

SSAC Chairman Steve Crocker, speaking with the E-Commerce Times, contrasted domain hijacking with spyware and spam. “Spyware and spam are the kinds of things that do a little bit of harm to a very large number of people,” he said. “Domain hijacking does a large amount of harm to a smaller number of people.”

“This is akin to identity theft except instead of your personal identity, it’s your business that’s shut down and somebody has, effectively, taken it over,” Crocker said.

The Panix domain was hijacked for a weekend earlier this year by information highwaymen using stolen credit cards. The action resulted in thousands of Panix customers losing their e-mail during the term of the unauthorized maneuver.

“I’m very unhappy with the report,” Rosen told the E-Commerce Times. “It says maybe we should think about instituting penalties for registrars who fail to live up to their obligations. That’s a dreadful decision. Until there’s real teeth in enforcement policy, things will not change significantly.”

No Excuses

He proposed a harsh standard for inept registrars, who are the parties responsible for administering domain names. “These are the people whose business is to maintain the fundamental infrastructure of the Internet,” he said. “If they’re not competent to do that, then they shouldn’t be in the business. There are no excuses here.”

“The fundamental problem is that there are too many untrustworthy writers on the registry database,” Rosen added. “Until you penalize registrars who themselves or through wholesalers act dishonestly or fail to live up to their agreements to safeguard the quality of information, then nothing is going to change.”

“I’m not saying the changes suggested in the report are bad, because they’re not bad,” he observed. “Some of them are very good, but they don’t address the biggest problem.”

Symptomatic Problem

Another target of domain snatchers, Hushmail, had more laudatory comments about the report. “I think ICANN is doing a great job with this report,” Chief Technical Officer Brian Smith told the E-Commerce Times. “I hope they follow up on it and that real changes are made.”

He maintained that domain hijacking was symptomatic of problems found in many areas of the Net.

“The Internet is constantly changing, and it’s largely unregulated,” he explained. “That means you end up with a lot of areas where procedure is not very well developed. Wherever procedure is not very well developed, there are always opportunities for people to exploit that.”

Another area ripe for abuse, he noted, is the issuance of SSL certificates, which are used to secure financial transactions at Web sites. “The issuing of SSL certificates is also not as regulated as it should be,” he said.

Private Registration

Ken Williams, director of threat management content research at Computer Associates in Islandia, N.Y., also praised ICANN. “I think ICANN did a very good job covering this issue and detailing what the damage is to business and what they can do to recover,” he told the E-Commerce Times.

However, he did have some additional recommendations for businesses concerned with domain hijacking.

Companies should consider a private registration of their domain, he said. That would prevent their name, address and phone number from being discovered through a Whois search. Whois is a public database of domain name holders.

Skewed Playing Field

He also recommended domain holders register the names for long periods of time and use automatic renewal, if their domain registrar has it. “Register the domain for 10 or 20 years,” he said. “Seven, eight, ten dollars a year is small amount to spend considering the value of the domain.”

Williams noted, though, the domain game isn’t one played on a level playing field.

“Large corporations have the ability to get results quickly,” he explained. “For an individual user, they might never get their domain back unless they’re willing to spend a few thousand and go through the arbitration process.”