by Constantine von Hoffman

VeriSign Anti-malware Plan Highlights Internet’s Big Jurisdictional Problems

Opinion
Oct 14, 2011 | 5 mins

Topics: Cybercrime, Intrusion Detection Software, Malware

How do you determine whose laws have to be obeyed on the internet? Can one nation order a site to be shut down that is run from another nation? What happens if China doesn’t like something being put out by a site in Taiwan?

VeriSign has withdrawn a proposed anti-malware policy that was clear and straightforward and aimed at doing good. Unfortunately, it would have placed them in the middle of some very big political messes. This is the problem facing all attempts to govern the internet.


The Anti-Abuse Domain Use Policy was submitted to ICANN with the good and reasonable goal of letting VeriSign quickly take down sites harboring malware, launching phishing attacks, or otherwise being used for internet attacks. Specifically, it would have let the company deny, cancel or transfer “any registration or transaction or the placement of any domain name on registry lock, hold or similar status as necessary.”

It then said that “as necessary” meant:

(a) to protect the integrity, security and stability of the DNS

(b) to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process;

(c) to avoid any liability, civil or criminal, on the part of VeriSign, as well as its affiliates, subsidiaries, officers, directors, and employees;

(d) per the terms of the registration agreement,

(e) to respond to or protect against any form of malware (defined to include, without limitation, malicious code or software that might affect the operation of the Internet),

(f) to comply with specifications adopted by any industry group generally recognized as authoritative with respect to the Internet (e.g., RFCs),

(g) to correct mistakes made by VeriSign or any Registrar in connection with a domain name registration, or

(h) for the non-payment of fees to VeriSign. VeriSign also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute;

The problems arise with point (b), which says the policy will be used to comply with court orders, government rules or requests from governments.

First, how do you determine jurisdiction on the internet? Can one nation order a site to be shut down that is run from another nation? What happens if China doesn’t like something being put out by a site in Taiwan? If Taiwan objects, then someone has to arbitrate. It is hard to imagine that either VeriSign or ICANN would want that responsibility.

What if Germany objects to sites which violate laws around the use of Fascist symbols? What if Iran objects to sites which don’t support the lie that the Holocaust didn’t happen?

Would VeriSign (or any other managing body) have any discretion over which requests from governments it will honor? Whether it did or not, that body would then be responsible for enforcing a lot of morally problematic laws. What if Egypt’s or Libya’s governments had decided Twitter and Facebook and similar sites needed to be taken down to promote public order? There are few if any nations where the government doesn’t view maintaining its power as essential to the public good and will take actions to enforce that.

One possible solution is to restrict access from a geographic area; this would comply with the nation’s laws and allow the site to continue operating. For the sake of the discussion, let’s just say this could be done effectively. Even so, it is hard to imagine any of the internet managing groups could handle being at the epicenter of the public and political storms some of these actions would cause.

(Neither VeriSign nor ICANN has responded to requests for comment on this.)

A precise definition of malware could have been used as the determining factor when dealing with government requests. In that case, action would only be taken if the request for action also met the criteria for the site to be defined as malware. Unfortunately, in order to be useful for this, malware would have to be defined so narrowly and technically that it would have to be continually redefined to keep up with technological developments. The policy says malware is “defined to include, without limitation, malicious code or software that might affect the operation of the Internet.” That is a very good and useful way to define it for probably 99 percent of the situations this plan would have encountered. It is the other 1 percent where things get very dicey.

VeriSign’s goal with this policy was a very laudable one: making it possible to move quickly against threats to the internet. Unfortunately, there are a few situations in which doing this would create huge problems. None of these problems are new or unique to this plan, of course. For years the internet’s managing bodies have muddled through as best they could and done a pretty good job. Soon, if not now, that may not be enough.

I don’t have a solution and neither does the rest of the world. That’s why we have things like the U.N., and numerous international courts (or similar) which deal with issues from the laws of the sea to international trade disputes. We may need something similar for the internet.