[Mark Datysgeld] Trusted Notifiers and the future of DNS Abuse

Efforts have been ongoing in the ICANN community to develop a better understanding of its role in the combat of abuse. This theme has been rising in prominence every year since 2018, and 2021 appears to be the tipping point, in which consensus has built around the idea that more can be accomplished in terms of reducing the impact of rogue actors using the Internet for malicious purposes. This has been reflected, to cite some examples, in several positions by the BC; statements by the GAC; advice by ALAC; documents by the SSAC; the consolidation of the CPH Working Group on DNS Abuse; and the formation of relevant Working Groups within the different SO/ACs (such as the one being organized by the NCSG).

The most recent "GNSO Trend Session," held March 1, 2021, took place in the presence of most of the GNSO leadership. It was aimed at evaluating the impacts that trends might have on the names and numbers space, either in terms of threats or in terms of opportunities. Not surprisingly, the most significant trend was found to be "Legislation & Regulations," encompassing all international concerns over new laws and norms. Being a relatively focused topic, as opposed to the many concerns that exist under the umbrella of the first trend, "DNS Abuse" can be found in second place. This data reinforces consensus emerging around the need to create better solutions to tackle this issue.

As a reminder, the categories of abuse currently considered consensual are: malware, botnets, phishing, and pharming, as well as certain aspects of spam. The voluntary Framework to Address Abuse establishes some additional, very reasonable, categories of abuse that ideally would be made contractually mandatory, but currently only apply to signatories of the framework: child sexual abuse materials (CSAM); illegal distribution of opioids online; human trafficking; specific and credible incitements to violence.

It is not implied that Contracted Parties are not doing their job. ICANN's Domain Abuse Activity Reporting (DAAR) shows that a significant number of abusive domains are consistently identified. The outreach being carried out by the CPH Working Group on DNS Abuse has also been important in helping the community better understand the challenges associated with this issue. Finally, it cannot be discounted that even if there is a perceivable increase in overall domain name abuse, many ccTLDs are independent actors that enforce their own policies and must be engaged using different mechanisms to be made accountable.

It is clear that Contracted Parties face various challenges in this matter, as fighting abuse is neither free nor easy. Recent discussions have advanced the understanding that they receive a significant number of duplicate reports, together with requests demanding action to resolve non-actionable complaints such as defamation, along with requests that are legitimate, but lack the necessary depth in their reporting to make them actionable. Therefore, the question is, how can we make this process more seamless, balancing the burden of performing due diligence and taking action?

The answer may lie in Trusted Notifiers (or Validated Reporters).

The concept of Trusted Notifiers (TN) is not new and can be defined as a set of approved actors who investigate occurrences of abuse, often within a particular niche (for example, targeting CSAM), and generate reports with the adequate amount of detail supporting the offenses found. This information enables enforcement requests to be issued to the respective parties who have the ability to take action on a given matter, such as a registry operator. These reports have elevated priority and credibility due to their trusted nature.

While this is an existing practice that has seen some use, there is a distinct lack of a framework to guide these partnerships. The advantages and disadvantages of this model are straightforward enough, and the argument made here is that the positive aspects of this approach far outweigh the negative. For transparency and ethical reasons, both angles will be discussed.

A properly structured TN can offer a series of advantages over the current model. For one, instead of attempting to cover a broad spectrum of themes, their specialization enables more consistent identification of activity patterns, trends, and the broader modus operandi of malicious actors within a given niche. By example, the authors of this article believe that it is possible to establish a TN focused on monitoring the sale of medicines using the Internet, enabling registries/registrars to swiftly take down rogue actors posing as pharmacies while allowing licensed and trusted pharmacies that rely on medical prescriptions to operate without fear of being incorrectly flagged as malicious.

Further, it is conceivable that these efforts can be financed by others than the Contracted Parties, who share an interest in seeing the proper oversight of such matters. With the correct guardrails in place to ensure that the public interest is served, the burden on Contracted Parties could be alleviated, allowing them to focus resources on the investigation of the cases and the generation of reports. This would not minimize their role in the process, as TNs only ensure a higher quality of reporting so that actions can be better evaluated. The final decision would remain in the hands of the Contracted Party.

This previous point is associated with what is realistically the most significant disadvantage of the model, which is the need for a very careful assembly of TNs. The notifiers, by definition, must be reliable experts in the subject they are charged with addressing. Wrong incentives can create biases that favor certain groups and ideologies, generating asymmetries rather than balance. The role of the Contracted Party as the ultimate arbiter mitigates this possibility significantly, but this is still an important consideration to have in mind.

We see the opening of this debate as a chance to encourage the ICANN community to organize its thoughts, with the understanding that though this is one of many tools that need to be sharpened to combat abusive actions in the DNS, it is relatively low hanging fruit. ICANN always appears to be playing a game of catch up with malicious actors, who think outside of the box to find new ways to self-serve or cause harm. In like manner, the ICANN community's approach needs to be constantly rethought and revised accordingly so that the good can keep pace.