Kelly Hardy explains how companies benefit from fighting abuse and from protecting the employees on the front lines.
At this moment, and for the last several moments, DNS abuse is the most commonly discussed topic in Internet governance circles across all aisles of interest.
The opinions on what constitutes abuse and how it should be handled vary depending on who you speak to. A government representative might, for instance, want to paint DNS abuse (and who is responsible for policing it) with a broader brush than a domain registrar or hosting provider would.
Determining what constitutes abuse, who should be responsible for fighting it, to what extent and whether content and speech should be monitored are complex issues that have been tackled whack-a-mole style within the infrastructure community for years. Just when we think we’ve reached some sort of consensus on what abuse is and the parameters of responsibility for it, the game changes — as is the nature of such things.
While high level arguments swirl, companies and groups which are responsible (or have elected to take responsibility) for mitigating it in real time do the difficult and dirty work of determining how to handle these situations as they arise and minding the safety of employees who are doing this hard work.
Fighting abuse from the European registrar perspective
When dealing with abuse from a corporate perspective, German registrar Key-Systems, which is part of the CentralNic Group (which holds memberships and advisory positions with several anti-abuse groups and organizations), like most players in the domain space, take their cues from the DNS Abuse Framework.
According to my colleague Volker Greimann, Legal Counsel for Key-Systems, in terms of abuse monitoring, third party abuse reports and a daily check of their registration database against multiple publicly available lists that report and provide evidence of abusive behavior, as well as taking direct reports of abusive behavior from third-party reporters via an abuse email address, are the foundation of their abuse program.
While some providers prefer to shy away from some of the grey areas of abuse that can fall under the argument of "free speech", Greimann takes a firm stance on hate speech, child abuse material (CSAM) and undesirable content, explaining: "We have a zero-tolerance policy against content we can identify as hate speech or CSAM and will deactivate affected resources. As we are not legally able to independently verify the presence of CSAM, however, we must rely on third parties such as the members of the INHOPE network to review and report back to us any instances where someone alleges CSAM content to be present on one of our resources, which introduces delay into our ability to take action. Our terms and conditions give us sufficient ability to take action against identified hate speech or CSAM, as well as other undesirable content."
Greimann continues: "As a domain name registrar, our ability to take down specific content is limited, and we only have the ability to suspend or delete the entire domain name. This means that the primary parties responsible for the removal of single instances of such content (e.g., where not the entire domain is used for these purposes) is the registrant and their hosting service provider. We therefore work closely with our resellers to address the specific issues we become aware of.
"Our standard processes usually involve reviewing the merits of the complaint as well as the evidence included with it and unless the violation is immediately obvious DNS abuse, we would refer the matter to the reseller so they can address the issue with their customer(s). Where these parties refuse to act and the dangers of allowing the continued presence of such content outweigh the dangers of removing the rest of the content available under the resource, we will take such action as necessary to stop the abuse as an ultima ratio measure.
"However, as a registrar, we cannot enforce the laws of every country in the world. Therefore, we can only make determinations where the legality is in question under the jurisdiction(s) applicable to us and where the violation is obvious. This is also a reason to involve our resellers as they may be directly affected by laws that may not be applicable to us but are to them and are therefore able to take action under those laws."
Abuse Work is Done by Humans, Keeping Them Safe is a Priority
In addition to the difficult job of acting on abuse violation in a flexible landscape, companies which are doing this work also have an obligation to protect the safety of the humans taking action. Although rarely spoken about in conversations regarding fighting DNS Abuse, the effects of Abuse are occasionally also felt by the acting teams. While abuse is fought at the corporate/business level, these decisions and policies are made by human beings who occasionally become the target of whatever group or person is perpetuating abuse. Whether is it a hate group making credible threats or accusations that lead to public irritation, the path of online recourse can include doxing, swatting, cyberstalking/bullying, threats and hacking.
Having experience with high-risk abuse situations, I have found that when acting in regard to content abuse, there are two simultaneous priorities: keeping the public safe and keeping your team safe.
When looking for resources to create a protocol for employees dealing with high-risk abuse instances to follow, I reached out to Kellie Peterson from Automatic who has experience with taking steps to mitigate the above listed recourse events in the LGBTQ+ community. She provided the foundation for a prevention program that I have shared with multiple clients and companies across the tech space.
Should the need arise, the following actions are the minimum both key employees and companies should consider when acting on abuse from high-profile/ high-risk groups.
- Enable 2 factor authentication on email accounts, gaming accounts, all social media, and banking. — Use Google authenticator where possible rather than SMS.
- Change all existing passwords and use a password generator to create complicated non-personal passwords.
- Order a security key for your company and personal Gmail or other free service-based email account. Yubikey is great for this.
- VPN on all devices
- Call banks, utilities and credit card companies and let them know you are a target.
- Depending on the region in which you are located, call your phone provider and ask to have a port freeze put on your account — this will prevent anyone who isn’t you from intercepting any 2FA requests that come to you via SMS.
- Ask Google to remove your personal information. You can submit a request for this service by visiting the google help page or http://support.google.com/websearch/answer/9673730
- If receiving messages, create an incident log where the date, time, description of message and result/recommendation is recorded. This should not be on an open platform such as google docs but should be kept somewhere encrypted like Etherpad
- Install Signal, Telegram or other secure platform on your phone and desktop for secure messaging.
- For secure group conversations use Wire
- Kill all Orphan accounts — any services or social media currently unused that might have an old password.
- Make sure security is up to date in the event of DDoS attacks
While the full picture of what is described above, both in terms of monitoring/taking action on abuse as well as keeping your radar up for blowback that could include high stakes personal vigilance, can seem onerous at first glance, it is widely believed within the infrastructure community that all companies benefit from fighting abuse, full stop. The more consistent we are across the industry both in terms of how we handle such situations from a policy and enforcement perspective, the easier it becomes to deal with over time.
Kelly Hardy is Head of Registry Policy at CentralNic Group PLC. Kelly helps both ccTLD and gTLD registry partners with policy issues including launch processes, rights protection, eligibility, dispute resolution and more. The former domain consultant is specialized in International Business Development, Channel Management, Policy and Marketing/PR strategy and is an expert in ICANN policy and New gTLDs.