Latest posts on CircleID

Updated: 2017-12-14T07:30:00-08:00


Partnerships Can Enhance Security in Connected Health and Beyond


This article was co-authored by Bethany A. Corbin, an associate in Wiley Rein's Telecom, Media & Technology (TMT), Health Care, and Privacy & Cybersecurity practices, and Megan L. Brown, a partner in the firm's TMT and Privacy & Cybersecurity practices.

Like the poetic prose of Bob Dylan, the reality of modern technology cannot be ignored: "the times they are a-changin'." [1] Transitioning from the novelty of the Internet, society is embracing connected technology as the new digital frontier. Dominated by the Internet of Things ("IoT"), the future will be one of increased interconnection of wireless and computing devices in everyday objects, allowing these devices to send and receive personal data. IoT's limits appear boundless, extending from physical devices and home appliances to vehicles and medical implants. By 2020, the value of this industry is expected to reach $1.29 trillion. [2]

However, as the United States enters this increasingly digitized era, cybersecurity is rapidly presenting itself as a major national security challenge. Recognizing possible vulnerabilities associated with connected devices, policymakers have proposed regulatory solutions. Recent legislative drafts include the Warner/Gardner IoT Cybersecurity Improvement Act of 2017, [3] the Wicker/Costello IoT Consumer ALERT Act of 2017, and the Lieu/Markey Cyber Shield Act of 2017. [4] By proposing top-down regulation, these bills have the potential to stifle innovation and creativity in this developing industry. This article argues against hard and fast regulatory controls, and explains why a public-private stakeholder approach, like the one proposed in the Internet of Medical Things ("IoMT") Resilience Partnership Act, [5] is crucial to cybersecurity and industry success.

Presented with new and complicated security threats, legislatures may naturally turn to regulatory solutions. To date, the majority of IoT legislative initiatives seek to impose regulatory controls on an industry that is still in its infancy. The Cyber Shield Act of 2017, for example, proposes labeling IoT devices that meet security standards and establishing a best-practices advisory committee to develop industry guidelines and standards. [6] Similarly, the IoT Cybersecurity Improvement Act seeks to ensure, through written certification, that connected devices purchased by the U.S. government have no known security vulnerabilities or defects, and would impose several new obligations on the sellers of such devices to the government. [7]

While these bills signify that lawmakers are taking an increasing interest in IoT security, the technology industry is a poor candidate for a top-down regulatory approach for at least three reasons. First, the time-consuming legislative process does not match the fast-paced progression of the technology sector. This mismatch results in obsolete benchmarks and guidance, and leaves newly developed cybersecurity risks unaddressed. For this model of federal bureaucracy and regulation to succeed, the rate of IoT innovation must slow considerably, which is unlikely. Second, prescriptive and stringent regulations may stifle innovation in developing industries. IoT, while quickly growing, is still in its infancy and requires creative innovation to flourish. Imposing regulations on a newly developed industry risks driving innovation out of that sector due to heightened costs associated with regulatory compliance. Startup companies and tech giants may devote their resources to other industries if IoT becomes heavily regulated before its foundational framework has been constructed. In this manner, regulation may prematurely kill innovation and the IoT industry. Third, there are limits to the government's technical skill and knowledge to develop best practices for IoT cybersecurity. Industry actors are more intimately involved in network security efforts and are aggressively working to secure next-generation technologies. The private sector, therefore, is better positioned to develop network and cybersecurity standards to pr[...]

Former Rutgers University Student and Two Other Men Plead Guilty to 2016 Mirai Botnet Attacks


A New Jersey man was one of three who pleaded guilty to hacking charges for creating the Mirai botnet, which spread by compromising vulnerable IoT devices and was used to launch massive DDoS attacks. Brian Krebs, the security reporter who was first to identify two of the three men involved, reports today: "The U.S. Justice Department on Tuesday unsealed the guilty pleas of two men [updated to three men later] first identified in January 2017 by KrebsOnSecurity as the likely co-authors of Mirai, a malware strain that remotely enslaves so-called 'Internet of Things' devices such as security cameras, routers, and digital video recorders for use in large scale attacks designed to knock Web sites and entire networks offline (including multiple major attacks against this site). ... In addition, the Mirai co-creators pleaded guilty to charges of using their botnet to conduct click fraud — a form of online advertising fraud that will cost Internet advertisers more than $16 billion this year, according to estimates from ad verification company Adloox."

More under: Cyberattack, Cybercrime

Deadline of Friday, Dec 15, for Nominations to Internet Society Board of Trustees


As I noted last month, this Friday, December 15, 2017, at 15:00 UTC is the deadline to nominate someone for the Internet Society's Board of Trustees. Anyone who supports the mission of the Internet Society is welcome to submit a nomination (for yourself or for someone you think should be considered).

The Internet Society serves a pivotal role in the world as a leader on Internet policy, technical, economic, and social matters, and as the organizational home of the Internet Engineering Task Force (IETF). Working with members and Chapters around the world, the Internet Society promotes the continued evolution and growth of the open Internet for everyone. The Board of Trustees provides strategic direction, inspiration, and oversight to advance the Society's mission.
In 2018:

  • the Internet Society's chapters will elect one Trustee;
  • its Organization Members will elect one Trustee, and
  • the IETF will select two Trustees.

Membership in the Internet Society is not required to nominate someone (including yourself), to stand for election, or to serve on the Board. Following an orientation program, all new Trustees will begin 3-year terms commencing with the Society's annual general meeting in June 2018.

Nominations close at 15:00 UTC on December 15, 2017. Find out more by reading the Call for Nominations and other information available at:

Written by Dan York, Author and Speaker on Internet technologies - and on staff of Internet Society

More under: Internet Governance, Policy & Regulation

FTC, FCC to Coordinate Online Consumer Protection Efforts After Roll Back of Net Neutrality Rules


The Federal Trade Commission (FTC) and Federal Communications Commission (FCC) have announced plans to coordinate efforts for online consumer protection following the adoption of the proposed 'Restoring Internet Freedom Order'. The draft MOU, released on Monday, outlines some ways in which the FCC and FTC propose to work together including:

— "The FCC will review informal complaints concerning the compliance of Internet service providers (ISPs) with the disclosure obligations set forth in the new transparency rule. Those obligations include publicly providing information concerning an ISP's practices with respect to blocking, throttling, paid prioritization, and congestion management. Should an ISP fail to make the required disclosures — either in whole or in part — the FCC will take enforcement action."

— "The FTC will investigate and take enforcement action as appropriate against ISPs concerning the accuracy of those disclosures, as well as other deceptive or unfair acts or practices involving their broadband services."

— "The FCC and the FTC will broadly share legal and technical expertise, including the secure sharing of informal complaints regarding the subject matter of the Restoring Internet Freedom Order. The two agencies also will collaborate on consumer and industry outreach and education."

Chris Lewis, Vice President of the consumer group Public Knowledge, says there is no comfort in this announcement from the FTC, calling the agreement an honor system for broadband. "Not only is the FCC eliminating basic net neutrality rules, but it's joining forces with the FTC to say it will only act when a broadband provider is deceiving the public. This gives free reign to broadband providers to block or throttle your broadband service as long as they inform you of it."

More under: Net Neutrality, Policy & Regulation

Russian-Speaking MoneyTaker Group Suspected of Stealing $10M From Companies in Russia, UK and US


According to reports today, a group of Russian-speaking hackers called MoneyTaker is suspected of stealing nearly $10m by removing overdraft limits on debit cards and taking money from cash machines. The group "also stole documentation for technology used by more than 200 banks in the US and Latin America," BBC reports. "The documents could be used in future attacks by the hackers ... Kevin Curran, an independent expert and professor of cybersecurity at Ulster University, said the attacks were 'as sophisticated as it gets at this moment in time.' ... 'They're able to compromise systems and then extract all the documents for how a banking system works so that they have the intelligence needed to produce fraudulent payments.'"

More under: Cyberattack, Cybercrime, Cybersecurity

GDPR: Registries to Become Technical Administrators Only?


On 11 December 2017, about 25 participants from Europe and the US attended the public consultation for the brand new GDPR Domain Industry Playbook by eco (Association of the Internet Industry, based in Germany) at the representation of the German federal state Lower Saxony to the European Union in Brussels.

The General Data Protection Regulation (GDPR) poses a challenge for the Registries, Registrars, Resellers and ICANN. By May 25, 2018, all parties need to be compliant, which means that not only contracts need to be reviewed, but also technical systems need to be revisited. To date, various legal memoranda have been shared, and several parties have worked on their own compliance, but no industry-wide proposal has been published that allows for a discussion of the respective roles and responsibilities of the parties involved as well as a review of data flows. The Playbook will facilitate the process of finding a commonly adopted data model to allow for compatibility of the technical, organizational and legal models the parties will use.

GDPR: Will Registrars still deliver Registrant data to Registries?

A significant part of the discussion concerned whether the Registrars will still provide the Registries with the full Registrant data set (owner, admin and tech data) as their contracts with ICANN and the Registries demand. The Registrars present at the meeting (some of the top 5 globally) held a strong opinion: with GDPR in place, we will no longer forward the domain name registration data to the Registries, as they do not need it to maintain their Registry function. It seems that the Registrars are trying to use the GDPR to wipe out a decade-long multi-stakeholder discussion and consultation in the Internet community which resulted in the thick Whois for all gTLDs.

One reason why Thick Whois was introduced is the fact that ICANN terminates, year by year, dozens of bad-actor Registrars that go bankrupt or simply go out of business, sometimes leaving millions of Registrants in the dark. Only thanks to those Registries which maintain a Thick Whois is the damage limited. The bad-actor Registrar problem will likely not be solved in the mid term, and quickly overruling the new Thick Whois with Thin Whois again is not something that will happen, even with the GDPR.

At present, the GDPR allows for transferring Registrant data to the Registry if there is (a) consent, (b) a need for the performance of a contract, or (c) a legitimate interest. Let's focus on legitimate interest, as (a) and (b) are somewhat tricky or only literally possible. If a Registry demonstrates compelling legitimate grounds which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of legal claims, then the Registrant data could also be given to the Registry.

GDPR: A way out of the invidious situation

At the meeting in Brussels, representatives of Registries and Registrars discussed their diverging interests regarding the Registrant data, but it came out that there are a number of good reasons and legitimate interests under the GDPR why the Registries may need to have these data. The reasons why a Registry should continue to maintain Registrant data are:

  • Registries maintain the central abuse contact point for domain name abuse such as spam, phishing, pharming and botnet activity. Multiple participants in the meeting noted from their experience that Registrars often do not respond to abuse notifications; Registries, especially when harm is obvious, act quite quickly.
  • Registries are contractually obliged to run mandatory security checks on their domain names. This can only be done properly if Registrant data are available.
  • Registration requirements such as local presence, membership of a certain community (e.g., language, culture) or industry sector (e.g., bank, insurance) require full access to Registrant data. Especially geoTLDs need to[...]

FCC Doesn't Understand How the Internet Works, Say Internet Pioneers in Open Letter


Internet pioneers and leading figures published an open letter today calling on the FCC to cancel the December 14 vote on the agency's proposed "Restoring Internet Freedom Order." The authors of the letter, who include Vint Cerf, Steve Crocker, Dave Farber, Susan Landau, David Reed, Paul Vixie, Steve Wozniak and others, state that the "FCC's proposed Order is based on a flawed and factually inaccurate understanding of Internet technology." More from the letter: "This proposed Order would repeal key network neutrality protections that prevent Internet access providers from blocking content, websites and applications, slowing or speeding up services or classes of service, and charging online services for access or fast lanes to Internet access providers' customers. The proposed Order would also repeal oversight over other unreasonable discrimination and unreasonable practices, and over interconnection with last-mile Internet access providers. The proposed Order removes long-standing FCC oversight over Internet access providers without an adequate replacement to protect consumers, free markets and online innovation."

More under: Net Neutrality, Policy & Regulation

A Digital 'Red Cross'


A look into the past reveals that continuous developments in weaponry technology have been the reason for arms control conventions and bans. The banning of the crossbow by Pope Urban II in 1096, because it threatened to change warfare in favour of poorer peasants, the banning of poisoned bullets in 1675 by the Strasbourg Agreement, and the Geneva Protocol banning the use of biological and chemical weapons in 1925 after World War I all show that significant technological developments have caused the world to agree not to use certain weapons.

Today, another technology, cyberspace, poses a new and unique threat. Unlike in the past, where there was a separate battlefield free of civilians, cyberspace is us, everyone using the Internet. We have seen cyber threats evolve from criminals trying out new ways of robbery and extortion to nation states increasingly interested in, and carrying out, cyber attacks. Attacks like those on Sony Pictures in 2014, just because they exercised freedom of speech, the Russian attack on the Ukrainian power grid in 2015 and even the 2016 cyber attack on the American political system are testaments to this fact. With 4 billion users and multi-million dollar businesses depending on the Internet ecosystem, policies that preserve the open, stable and secure Internet are important. That is why Microsoft president Brad Smith called for a digital Geneva Convention earlier this year. If the Microsoft president's claim that "74 percent of the world's businesses expect to be hacked each year" is indeed true, then the private sector has reason to worry. A digital Geneva Convention to protect civilians on the Internet, where the private sector is neutral and acts as first responder, is necessary: a convention that mandates nations not to cyberattack the private sector or a nation's critical infrastructure.

And just as the 1949 Geneva Conventions resolved that a neutral and independent organization should ensure humanitarian protection and assistance in times of war and conflict, the digital convention should bring together actors from the public and private sectors to create a neutral and independent organization that can investigate and attribute attacks to specific nations. Publicly sharing such information might deter nations from engaging in attacks. A lot of progress has already been made by companies like Google, Microsoft and Amazon in fighting cyberattacks, especially in areas like spam and phishing, but more still needs to be done. A collaborative effort from the private sector will achieve a lot more as first responders to nation-state cyberattacks. A commitment of a hundred percent defense and zero offense by the tech industry, as recommended by the Microsoft president, must be collectively made.

Written by Tomslin Samme-Nlar, Technology Consultant

More under: Cyberattack, Cybercrime, Cybersecurity, Internet Governance, Law, Policy & Regulation [...]

WHOIS: How Could I Have Been So Blind?


A colleague was recently commenting on an article by Michele Neylon, "European Data Protection Authorities Send Clear Message to ICANN", citing the EU Data Commissioners of the Article 29 Working Party, the grouping a determinate factor in the impending death of WHOIS. He is on point when he said:

What the European Data Protection authorities have not yet put together is that the protection of people's mental integrity on the Internet is not solely due to the action of law enforcement, but a cast of others (anti-spam/abuse initiatives, DDoS mitigation, etc.) who are not law enforcement but do rely upon visibility into the DNS Whois to perform their services.

But he then goes on to write:

… it is apparent that such position lacks consideration of the impact to other fundamental rights provided by the Union.

and thus misses the point, and worse yet, fails to sup upon the delicious, delicious irony. Their well-meaning initiatives are subject to a much higher court, the court that administers The Law of Unintended Consequences. Deprecate WHOIS, and in so doing, deprecate the very privacy you are seeking to protect.

I consider spam to be a common but mild invasion of privacy, or, better put, a misuse of personal information. To expect law enforcement to magically become aware of the millions of spam attacks totaling billions of electronic messages of all types that occur daily is either naive or insane.

Or so I had thought: I just now had an epiphany, a revelation! I've been looking at this all wrong. Clearly, the EU has set aside massive amounts of money to hire the army of new law enforcement personnel necessary to investigate spam attacks. Obviously, the universally beloved EU Data Commissioners have made expertly-crafted anti-spam laws and creative new international legal frameworks foremost in the docket, ready to be deployed in the coming months.

I can't imagine otherwise, nor is the notion conceivable that these wise and exalted Data Commissioners, paragons in every respect, do not have a really fantastic rabbit up their sleeve (or up somewhere), to fully address the open question of what happens when the imminent WHOIS closure causes current spam protection mechanisms and operations teams, dependent to a great degree upon WHOIS, to fail, unable to stop untold billions of malicious emails on May 29, 2018. No. I won't have a word of it! Between the time the spam is launched at a network and the time these new super-cybercops arrest the criminals with their newly-minted laws, between those points in time, and between those spam and their intended recipients, are soon-to-be hobbled spam filters that rely upon WHOIS data. But since that telemetry will be lost, the DPs (using that term in the adult video sense seems to make sense, since all this cleverness will serve to address several holes) must have some new secret technology to protect networks and individual users, slated to be launched May 28, 2018. I can't WAIT to see what they've come up with! A heretofore unknown, top-secret FUSSP* spam filter that will make up for any shortfalls that choking the living crap out of WHOIS will cause is undoubtedly ready to roll.

* Final Ultimate Solution to the Spam Problem

At the risk of sounding a little cynical, this is also a great personal boon. I consult with law enforcement agencies globally and train them in investigation techniques, so I expect more major new contracts than I can possibly handle. My prices must go up; I adjusted my price list for a 3x increase on June 01, 2018. Too little? So confident am I in the EU Data Commissioners, who enjoy Papal-grade infallibility, to have foreseen all angles, that I've put in for one of those fancy new Aston Martin Valkyries (although the new Tesla Roadster is tempting, too ... bah. I can afford them both!) It will be like having my birthday at the end of May[...]

EFF to FCC: 'Restoring Internet Freedom' Plan Riddled With Technical Errors and Factual Inaccuracies


Electronic Frontier Foundation (EFF) published a post today pointing out that the FCC continues to ignore the technical parts of a letter sent to it earlier this year by nearly 200 Internet engineers and computer scientists that explained facts about the structure, history, and evolving nature of the Internet. "FCC's latest plan to kill net neutrality is still riddled with technical errors and factual inaccuracies." EFF has highlighted the following as examples:

— "The FCC Still Doesn't Understand That Using the Internet Means Having Your ISP Transmit Packets For You – The biggest misunderstanding the FCC still has is the incorrect belief that when your broadband provider sells you Internet access, they're not selling you a service by which you can transmit data to and from whatever points on the Internet you want."

— "The FCC Still Doesn't Understand How DNS Works – Citing back to language dating from the days of Bell Operating Companies, the FCC claims that DNS functions similarly to a gateway."

— "The FCC Still Doesn't Understand How Caching Works – Like DNS, it treats caching as if it were some specialized service rather than an implementation detail and general-purpose computing technique."

— "The FCC Doesn't Understand How the Phone System Works – The FCC's apparent understanding of the phone system seems to be stuck in the days of rotary phones. For users on a modern American network, voice calling is just one of many applications that a phone enables. If the user has poor signal, that voice call might travel at some point over the circuit-switched PSTN, but it might also never leave a packet-switched network if it's sent over VoIP or LTE/EPC."

More under: Access Providers, Broadband, Mobile Internet, Net Neutrality, Policy & Regulation, Telecom, Wireless

Puerto Rico Disaster Stands Alone: A Look at Prolonged and Widespread Impact on Its Internet Access


Doug Madory, Director of Internet Analysis at Dyn, has published a report today examining the state of Puerto Rico's recovery of its internet access. He writes: "We have been analyzing the impacts of natural disasters such as hurricanes and earthquakes going back to Hurricane Katrina in 2005. Compared to the earthquake near Japan in 2011, Hurricane Sandy in 2012, or the earthquake in Nepal in 2015, Puerto Rico's disaster stands alone with respect to its prolonged and widespread impact on internet access." For a more accurate indication of the pace of recovery in the region, Dyn is monitoring DNS activity rather than Border Gateway Protocol (BGP) routes, and DNS query volumes from the island are currently still only a fraction of what they were on September 19th, the day before the storm hit, according to Dyn.

More under: Access Providers, DNS

Bitcoin Miner NiceHash Reports Hack, More Than $60 Million Worth of Bitcoin Potentially Stolen


"Nearly $64m in bitcoin has been stolen by hackers who broke into Slovenian-based bitcoin mining marketplace NiceHash." Samuel Gibbs reporting in The Guardian: "NiceHash is a digital currency marketplace that matches people looking to sell processing time on their computers for so called miners to verify bitcoin users' transactions in exchange for the bitcoin. ... The marketplace suspended operations on Thursday while it investigated the breach ... The hack was 'a highly professional attack with sophisticated social engineering' that resulted in approximately 4,700 bitcoin being stolen, worth about $63.92m at current prices."

NiceHash, in a statement posted on its website today, said that it had stopped operations for 24 hours and was working to verify how many bitcoins were taken. A press release posted on the website states: "Our payment system was compromised and the contents of the NiceHash Bitcoin wallet have been stolen. We are working to verify the precise number of BTC taken."

More under: Cybercrime

Worldwide Security Spending to Reach $96 Billion in 2018, Up 8 Percent from 2017, Says Gartner


Worldwide enterprise security spending will total $96.3 billion in 2018, an increase of 8 percent from 2017, Gartner forecasts. "Organizations are spending more on security as a result of regulations, shifting buyer mindset, awareness of emerging threats and the evolution to a digital business strategy. ... Overall, a large portion of security spending is driven by an organization's reaction toward security breaches as more high profile cyberattacks and data breaches affect organizations worldwide. Cyberattacks such as WannaCry and NotPetya, and most recently the Equifax breach, have a direct effect on security spend, because these types of attacks last up to three years. ... several other factors are also fuelling higher security spending. Regulatory compliance and data privacy have been stimulating spending on security during the past three years."

More under: Cybersecurity

"Restoring" Internet Freedom for Whom?


Recently, a colleague in the Bellisario College of Communications asked me who gets a freedom boost from the FCC's upcoming dismantling of network neutrality safeguards. He noted that Chairman Pai made sure that the title of the FCC's Notice of Proposed Rulemaking is "Restoring Internet Freedom." My colleague wanted to know whose freedom the FCC previously subverted and how removing consumer safeguards promotes freedom.

With an evaluative template emphasizing employment, innovation and investment, one can see that deregulation benefits enterprises that employ, innovate and invest in the Internet ecosystem. However, the Pai emphasis lies in ventures operating the bit distribution plant reaching broadband subscribers. The Chairman provides anecdotal evidence that some rural wireless Internet Service Providers have curtailed infrastructure investment because of regulatory uncertainty, or the incentive-reducing impact of network neutrality. If the FCC removes the rules, then rural ISPs and more market-impactful players like Verizon and Comcast will unleash a torrent of investment, innovation and job creation. O.K., let us consider that a real possibility. Let's ignore the fact that wireless carriers have expedited investment in next-generation networks during the tenure of network neutrality requirements that supposedly disincentivize investment.

To answer my colleague's question, I believe one has to consider ISPs as platform intermediaries who have an impact both downstream on end users and upstream on other carriers, content distributors and content creators. My research agenda has pivoted to the law, economics and social impact of platforms. Using the employment, innovation and investment criteria, the FCC also should have considered the current and prospective freedom quotient for upstream players. Do nearly unfettered price and quality-of-service discrimination options for ISPs impact upstream ventures' ability to employ, innovate and invest more?

Assume for the sake of discussion that ISPs can block, throttle, drop and prioritize packets. A plausible worst-case scenario has an innovative market entrant with a new content-based business plan less able to achieve the Commission's freedom goals. Regardless of whether you call it artificial congestion, the potential exists for an ISP to prevent the content market entrant's traffic from seamless transit. The ISP could create congestion with an eye toward demanding a surcharge payment, even though the market entrant's traffic had no possibility of itself creating congestion. The ISP also might throttle traffic of the innovative newcomer if its market entry might adversely impact the content market share and profitability of the ISP, its affiliates and its upstream content providers that previously agreed to pay a surcharge.

Of course, network neutrality opponents would object to this scenario based on the summary conclusion that an ISP would never degrade network performance or reduce the value proposition of its service. The airlines do this, and so would an ISP if it thought it could extract more revenues given the lack of competition and the inability of consumers on both sides of its platform to shift carriers. ISPs do not operate as charities. The FCC soon will enhance their freedom, which translates into higher revenues and possibly more customized service options for consumers willing to pay more.

Before the FCC closes shop and hands off any future dispute resolution to the generalist FTC, consider this scenario. Subscribers of Netflix, or the small content market entrant discussed above, suddenly see their video stream turn into slideshows. The FTC, lacking savvy as to the manifold ways ISPs can mask artificial congestion and network man[...]

Eliminating Access to WHOIS - Bad for All Stakeholders


Steeped deep in discussions around the European Union's General Data Protection Regulation (GDPR) for the past several months, it has occurred to me that I've been answering the same question for over a decade: "What happens if WHOIS data is not accessible?" One of the answers has been and remains the same: People will likely sue and serve a lot of subpoenas. This may seem extreme, and some will write this off as mere hyperbole, but the truth is that the need for WHOIS data to address domain name matters will not disappear. Without the WHOIS system to reference — including automated access for critical functions — there will be no starting point and nowhere else to turn but to the registries and registrars who would need to address requests on ad-hoc and non-standardized terms. Contracted parties concerned with the cost of doing business should take note! Today WHOIS data is used to: resolve matters involving domain name use/misuse/ownership; conduct investigations into the myriad of criminal activities involving domain names; carry-out day-to-day business transactions such as the routine tasks associated with managing domain name portfolios; buying and selling domain names; and protecting brands and IP — just to name a few uses. Creating barriers to WHOIS access for such uses would unnecessarily increase risks and disputes for domain name registrants and create enormous burdens on all stakeholders — not the least of which would include significantly increased registry and registrar compliance burdens with substantial additional expenditure of resources. Simply put, unless an automated system for obtaining or verifying registrant contact information is maintained, we are likely to force a situation where parties need to pursue unprecedented quantities of Doe suits and subpoenas, and enter into motion practice (e.g., motions to compel) to access registrant data. This is simply unnecessary! 
The GDPR offers bases for maintaining a system for obtaining or verifying registrant contact information, including within Art. 6(1)(b) (performance of a contract), Art. 6(1)(e) (performance of a task carried out in the public interest), and Art. 6(1)(f) (legitimate interests). Moreover, having anticipated the GDPR and debated for nearly two decades the privacy aspects and concerns raised by the WHOIS system, the ICANN community has already produced numerous detailed recommendations that go toward addressing many of the concerns under discussion today (e.g., Final Report from the Expert Working Group on gTLD Directory Services: A Next-Generation Registration Directory Service). The existing ICANN community work product should be leveraged to simplify the task of accommodating existing contractual obligations and the GDPR with a model or "Code of Conduct" that reconciles the two. A Code of Conduct (as allowed for and encouraged under Articles 40 and 41 of the GDPR) is an especially attractive and efficient means for associations or other bodies like ICANN representing controllers or processors to demonstrate compliance with the GDPR through binding and enforceable promises that can be developed, approved, and enforced in a uniform manner — reducing risk and creating market efficiencies for all involved through reliance on a uniform "code" that has European Commission approval. I'm hopeful that before our community heads down a path that could result in a system with fewer benefits for all stakeholders, we recognize that the WHOIS system is an important tool maintained and used to serve the public interest and that we work together to preserve this system in a manner that reconciles existing contractual obligations and [...]

2017 Domain Name Year in Review


Given that it's been a few years since my last domain name year in review, I've really enjoyed looking back at this year's biggest domain name stories and seeing how this industry has evolved. This year, in particular, has seen some notable changes which are likely to impact the domain name landscape for years to come. So without further ado, here is my list for 2017:

* * *

10. Mergers and acquisitions continue to shape the domain industry landscape

Earlier this year, Onex Corporation and Baring Private Equity Asia announced their acquisition of MarkMonitor, and Vespa Capital announced their investment in Com Laude and Valideus. In addition, Donuts announced their acquisition of Rightside Group. It appears that more than ever, investors see the value in the domain name industry's recurring revenue models.

9. .Com domains still fetching low seven-figures on the secondary market

According to DNJournal, .com domain names such as, and are still commanding low seven-figures on the secondary market. While there may be some softening in the market, those who can afford to wait for the right buyer can still strike it rich.

8. Some .Brands begin actively marketing with their TLDs

While the floodgates haven't exactly opened, there are now a number of well-known .Brands which are actively leveraging their TLDs including Fox, Barclays and AXA with, and, respectively. Although most notable is Amazon with their highly visible campaign for

7. New gTLD registrations stand at 23.5 million domain names

Down from a high of 29.4 million registrations in April of this year, new gTLD registrations total 23.5 million domains as of today. According to, there are 1223 new gTLDs of which the top 5 TLDs by registration are currently .xyz, .top, .loan, .club and .win. Approximately 61.4% of new gTLD registrations are parked.

6. .Com and .net new domain registration growth slows

The Q2 2017 Verisign Domain Name Industry Brief reported that ".Com and .net TLDs had a combined total of approximately 144.3 million domain name registrations" representing a 0.8 percent increase year over year. The same report for the previous year stated that ".com and .net TLDs experienced aggregate growth, reaching a combined total of approximately 143.2 million domain name registrations" representing a 7.3 percent increase year over year.

5. Greater representation of IP interests at ICANN

With the appointment of Sarah Deutsch to the ICANN Board and Heather Forrest to the Chair of the GNSO Council, representation of IP interests at ICANN has never been greater. Sarah is currently Senior Counsel at Winterfeldt IP Group, bringing more than 30 years of experience in intellectual property law. Heather Forrest is an Associate Professor in Law at the University of Tasmania.

4. Expired domain results in critical outage

Always shocking are stories of outages resulting from expired domain names. While not the only outage this year, Sorenson Communications in Utah failed to renew a critical domain, which resulted in an outage to critical services such as 911 for those with hearing or speech disabilities. As a result of the outage, Sorenson was required to reimburse the FCC $2.7 million and pay fines of $252,000.

3. Federal officials raid the .Cat registry amidst political turmoil

In September of this year, the Spanish government ordered the .Cat Registry to remove all .cat domains being used to support the Catalan independence referendum. In a raid by federal officials, .Cat's Director of Innovation and Information Systems, Pep Masoliver, was arrested [...]

Internet Regulation in the Age of Hyper-Giants


As we enter the seventh round of the net neutrality fight, advocates continue to make the same argument they've offered since 2002: infrastructure companies will do massive harm to little guys unless restrained by strict regulation. This idea once made intuitive sense, but it has been bypassed by reality.

Standing up for the Little Guy

When Tim Wu wrote his first net neutrality paper, the largest telecoms were Verizon, AT&T, and SBC; they stood at numbers 11, 15, and 27 respectively in the Fortune 500 list. Microsoft, Apple, and Amazon ranked 72, 325, and 492; Google was an unranked startup and Facebook wasn't even an idea. Today these five are America's largest corporations, with combined market caps in excess of three trillion dollars. Smaller tech companies have thrived beyond our wildest dreams.

The Internet as We Knew It

The rise of these powerhouse companies to economic dominance brought massive changes to the organization of the Internet. In the early days of the web, companies housed their websites on single computers located in well-connected hosting centers. They reached the Internet in essentially the same way consumers do today: companies paid specialized Internet Service Providers who connected to each other over backbones operated by still more specialized companies such as WorldCom and Level 3. The neutrality concept was limited to the connections between ISPs and backbone companies. Neutrality made sense, even if it was never the only way to run a railroad.

The New Internet

Backbones are disappearing from today's Internet. Small companies use Content Delivery Networks such as Akamai to accelerate their pages by connecting directly to ISPs in multiple locations. The Big Five have their own private CDNs, connecting as the public providers do. Hence, the traditional distinction between scrappy content companies and Big Telecom is much less meaningful.

Relationship Status: It's Complicated

This is a bitter pill for career telecom policy wonks to swallow because the content vs. carriage distinction has been a hallowed principle of telecom policy since the FCC's first "Computer Inquiry" in 1966. To make things even more complicated, the Big Five are increasingly invested in providing services to competitors. Amazon's industry-leading cloud computing service, AWS, is indispensable to its video streaming rival Netflix.

The End of the Internet

Congress discovered net neutrality in 2005 when advocacy groups insisted offhand remarks by phone company officers were portents of doom. Congressman Ed Markey (D, Mass.) and others offered net neutrality bills touted as indispensable. Chief talking point: "It's the end of the Internet as we know it." Senator Al Franken (D, Minn.) wants to apply net neutrality to websites, and others want to apply it to new CDNs and protective infrastructure services such as Cloudflare. Calls for expansion of net neutrality's reach make a curious kind of sense, given new business models and the reorganization of the Internet. Cloudflare claims the power to reduce the speed of individual Internet users, such as FCC chairman Ajit Pai.

Simple Rules for Complex Times

More than anything else, net neutrality is a prediction, holding that deregulated ISPs would destroy the Internet. They're claimed to have unique incentives to harm innovation as well as unparalleled power. While the FCC has paid lip service to its importance from time to time, prior to 2015, the Commission did little of lasting significance to carry it out. The Internet has thrived in a largely deregulated legal regime regardless. But it's not devoid of pr[...]

Innovation Today is IN the Network


The largest and most important global information infrastructure today by any measure is clearly the global mobile network and all of its gateways, services, and connected devices. That network is standardized, managed, and energized by a combination of the 3GPP and GSMA. The level of 3GPP industry involvement and collaboration today probably exceeds all other telecom, internet, and assorted other bodies put together… and then some. Nowhere was this better demonstrated than the stunning 3GPP standards mega-meeting this past week in Reno — and the message was clear: innovation today is *in* the network. There were 14 groups covering every segment of the global infrastructure meeting in parallel. Nearly 10,000 input contributions from 268 different companies and their subsidiaries (plus significant contributions from government agencies in China, Europe, and a few in the U.S.) were submitted. In a number of cases, companies have created a dozen different subsidiaries and sent people from all of them. There were a total of 2,756 people in Reno from basically every provider and vendor worldwide. As new network-based services and technologies like NFV and 5G scale globally, these groups now meet every 60-90 days at different locations around the world. Some groups are even holding "bis" and "ter" meetings in-between. What is even more significant, however, are the new innovative platforms being instantiated in infrastructure, services, devices, and radio access networks. 3GPP is subdivided into three major divisions: SA (infrastructure and services), CT (edge/end-user devices), and RAN (radio access networks and gateways). SA had 2,096 inputs, CT — 990, and RAN, an amazing 6,827 inputs. The security group SA3, alone, had 411 input contributions. 
A virtual cornucopia (no pun intended) of new capabilities is being baked into the network infrastructures and gateways that provide enhanced performance and security for end users, and greater resiliency overall to meet national and regional policy objectives. An increasingly apparent observation from multiple technical, standards, industry, and legal/regulatory developments unfolding today is that a paradigm shift is underway towards "innovation in the network." Those 10,000 input documents into the 3GPP meetings last week and the FCC's removal of 19th-century NetNeutrality regulation are prominent bellwethers. Even at the prominent university engineering schools, a new generation of professors is devising curricula and turning out a new generation of professionals and lots of published papers exclaiming that the innovation is *in* the network. In addition to all those contributions and new work items in the principal industry venue, 3GPP, vendors are also pushing new products into the provider marketplace, as can be seen in the dramatic rise of network middlebox patents. Even a cursory search of Google, Google Patents, and Google Scholar produces stunning results showing the trends. Of course, NFV-SDN rollouts are all about the same thing. Part of that paradigm shift arguably involves a hard reality: it will increasingly be providers, in the networks or at data centers, that orchestrate network capabilities. The NFV industry standards organization is today the second most active body, and it works closely with 3GPP. The nonsensical myth promulgated by self-serving internet religious that innovation only occurs at the "edges" is finally disappearing down the "alt-truth" rabbit-hole. The strange internet-centric world that came into fashion 20 years ago — especially prominent in Washington — i[...]

Voluntary Reporting of Cybersecurity Incidents


One of the problems with trying to secure systems is the lack of knowledge in the community about what has or hasn't worked. I'm on record as calling for an analog to the National Transportation Safety Board: a government agency that investigates major outages and publishes the results. In the current, deregulatory political climate, though, that isn't going to happen. But how about a voluntary system? That's worked well in aviation — could it work for computer security? Per a new draft paper with Adam Shostack, Andrew Manley, Jonathan Bair, Blake Reid, and Pierre De Vries, we think it can.

While there's a lot of detail in the paper, there are two points I want to mention here. First, the aviation system is supposed to guarantee anonymity. That's easier in aviation where, say, many planes are landing at O'Hare on a given day than in the computer realm. For that reason (among others), we're focusing on "near misses" — it's less revelatory to say "we found an intruder trying to use the Struts hole" than to say "someone got in via Struts and personal data for 145 million people was taken". From a policy perspective, there's another important aspect. The web page for ASRS is headlined "Confidential. Voluntary. Non-Punitive" — with the emphasis in the original. Corporate general counsels need assurance that they won't be exposing their organizations to more liability by doing such disclosures. That, in turn, requires buy-in from regulators. (It's also another reason for focusing on near-misses: you avoid the liability question if the attack was fended off.) All this is discussed in the full preprint, at LawArxiv or SSRN.

Written by Steven Bellovin, Professor of Computer Science at Columbia University

Artful Misrepresentations of UDRP Jurisprudence


The jurisprudence applied in adjudicating disputes between mark owners and domain name holders under the Uniform Domain Name Dispute Resolution Policy (UDRP) is essentially a system that has developed from the ground up; it is Panel-made law based on construing a simple set of propositions unchanged since the Internet Corporation for Assigned Names and Numbers (ICANN) implemented them in 1999. Its strength lies in its being a consensus-based rather than dictated jurisprudence. That being said, it should also be noted that panelists do not walk in lock-step, and since there is no "appellate" authority to correct errors of law (in the U.S. only the Anticybersquatting Consumer Protection Act (ACPA)), there are some who go their own way by applying alternative theories to find bad faith (all turned aside and rejected, incidentally). While these alternatives have caused vibrations (even consternation), they have also proved intellectually stimulating in identifying the right balance between conflicting rights. Paradoxically, we could not have arrived at the consensus-based jurisprudence we have without the intense conversations that have taken place. It is, of course, frustrating for mark owners to learn that their exclusive rights to particular strings of characters (which is what domain names are) are not sufficient to prevail on claims of cybersquatting even when the marks predate the domain names. The jurisdictional limitations of the UDRP must also be frustrating, since there is no remedy under the UDRP if their claims are for trademark infringement. Of the core principles of the UDRP, the first (because it was enunciated in the first decided decision before being recanted by its author) is that the UDRP is a conjunctive model of liability (as opposed to the ACPA, which is disjunctive).

Principally, this means that if a domain name composed of generic terms is registered lawfully but subsequently pivots to bad faith use, it is not in violation of the UDRP (although it may be a trademark infringement). Misconceived by some mark owners and panelists as bad faith is a variant of these facts in which the domain name is lawfully registered but later pivots to bad faith use coinciding with the mark's rising reputation. There are different alternative theories depending on whether the domain names predate or postdate the existence of the mark (both theories have been rejected). It is with these variants that some panelists have applied the alternative approaches as though they represent the current state of the law. These panelists essentially focus on mark owners' "exclusive" rights to particular strings of characters rather than assessing rights according to the developed jurisprudence of the UDRP. The most recent example is, Incorporated v. Manuel Schraner, FA171000 1755537 (Forum November 27, 2017) (). (I do not say, and want to be perfectly clear here, that the Panel in this case is a recidivist, but here he has strayed from the principles of the UDRP jurisprudence by applying the alternative theories that I mentioned above.) The facts in are quite straightforward: the domain name was registered on March 7, 2005; the registration date for the mark was December 15, 2009. Complainant's application for DEVEX certifies that its first use in commerce was April 1, 2008, so there is no common law right antedating the registration of the domain name. (There is an allegation that Respondent's acquisition of the domain name was in 2016, but the Panel accepts the 2005 date[...]