The purpose of the session was to discuss governance gaps in achieving a safer DNS. There is a separation between structural layers of the Internet and content issues, and the ecosystem understands those lines. But when we talk about harmful content, sometimes those lines become blurred and governance gaps become evident.
The conversation sought to discuss what to do about those gaps and how to be action-oriented.
Keith Drazek from Verisign began by setting the scene. In his view, the ecosystem seeking to address DNS issues, security, and online harms has to recognise that each actor has different roles, responsibilities, and capabilities, whether that is a registrar, a registry, a CDN or an ISP. There are different governance models, for example the ICANN community and the gTLDs have governance by contract. ccTLDs, on the other hand, develop local governance models based on their relationships with local governments or local Internet communities. Hosting companies and providers are subject to the laws of their respective jurisdictions, and operate in response to that regulatory guidance. In the overlap of these various models, there are governance gaps still remaining. He believes there is an opportunity for better communication, collaboration, and good work across the various parts of the DNS ecosystem, up and down the stack. There is also a need for the technical operators, registrars, and registries to collaborate better together as a sector to mitigate online harms in a proactive way. This will help reduce costs and demonstrate to regulators that the industry is taking the initiative. Hopefully, this will also help avoid being regulated in a fragmented way when it comes to different jurisdictions.
He also highlighted there are conversations to be had as well about the advent of blockchain, alternate identifiers and technologies, as there are governance gaps in that area as well that will require collective addressing by industry.
Jia Rong Low from ICANN providing background on the role of ICANN supporting abuse mitigation. He explained how ICANN is governed by a multi stakeholder model, and how the community was adamant that the issue of DNS abuse needed addressing within the ICANN structure. At the time of the session, there is an open voting period to approve updates to the agreements between ICANN and contracted parties to incorporate specific actions to address DNS abuse as a contractual requirement. In his view, “sometimes with models such as ICANN’s, it can feel like things are not moving, but the community has come a long way.”
Esteve Sans from the European Commission (EC) came in next with a perspective from a regulatory body. He started off by highlighting the bodies such as the EC are not just regulators, they are members of the multistakeholder community, and in the EC’s case, they are very active in ICANN. The EC does not have any new regulation in mind, and is currently looking forward to supporting ICANN in what they see as “a moment of truth in dealing with abuse.” Esteve shared the view of the EC that amendments to the agreements of the contracted parties have not gone far enough, missing elements such as transparency or proactive measures.
Fiona Alexander from American University welcomed the reactivation of the DC as a safe place for conversation. She highlighted how DNS Abuse and what constitutes harm can mean different things to different stakeholder groups, especially governments. She went on to highlight jurisdictional differences in approaches. In some jurisdictions, there is preference for proactive approach (e.g. the EU), in others there is preference for having demonstrated harm versus preventive action (e.g the US). In addressing harm, governments also have to balance the important issues of free expression and human rights. Addressing online harm is a cross‑jurisdictional challenge that can be difficult to resolve. In her view, it is important to (a) have a shared understanding of terms, and a shared understanding of some of the challenges, (b) to look at the proportionality of the response, when do you take a small versus larger measure, and (c) who is best suited to take action. Voluntary commitments such as those reflected in the updated agreements of the contracted parties are good. They could also be more targeted, more rapid. When looking at voluntary action, it is really important to make sure there is transparency in those systems and that there is due process in those systems.
Jen Chung from .Asia reflected on the contractual amendments with ICANN. She explained how the .Asia organisation is looking forward to using the trusted notifiers system in collaboration with APNIC and APCIRT and TWNIC to periodically identify risks and share lists. She pointed out how this type of collaboration with the ecosystem is important to tackle threats such as phishing, and highlighted how these are actions that go beyond their contractual obligations. She illustrated this point in connecting to the definition of DNS Abuse. “DNS abuse can mean different things to different people; for the the contracted parties it refers to malware, botnets, phishing and spam. But this is not intended to limit our sphere of work, we go above and beyond our contractual obligations.” Lastly, she concluded with call to action to include the CSIRTS in work related trusted notifiers, and mentioned that .Asia is discussing with APNIC and APCERT the possible set up of a South Asia CERT.She highlighted how in regions where there are no harmonised approaches –like in the European Union— the onus is on operators like .Asia and other organisations Internet organisations to step up to fill this gap.
Rocio de la Fuente from LACTLD brought in a perspective from the ccTLD community. She explained how ccTLDs are not bound by the consensus policies formulated in ICANN, as their policies are based on local regulations established with their communities. She shared LACTLD’s experience organising workshops for dealing with illegal content and DNS abuse targeted at judges, prosecutors and Law Enforcement Agencies (LEAs) which has been co-organised with LACNIC, ICANN and the region’s technical community organisations. The workshops have been successful in building cooperation networks with the judiciary and LEAs. “We see a positive impact when policy makers and LEAs can have direct conversations with their local ccTLD,” she explained. Private sector has also sometimes participated in the workshops to address issues related to illegal content on their platforms and services besides the DNS threats or DNS abuse issues.
Jean Jacques Sahel from Google came in next to bring a perspective from the private sector dealing more broadly with content-related issues. Jean Jacques began by pointing out that from a Google perspective, the company is not trying not to be regulated; the internet has achieved a certain level of maturity and regulation is to be expected.It is rather a question of how, and understanding there is much of self regulation. He went on to share some lessons on how to tackle bad content, and take action on inappropriate behaviour. Google analyses content flagged to them by users or governments and follows content policies; in platforms like youtube, they demonetize bad content. They also seek to build out collaboration with relevant organisations. Honing in on APAC, there is a trend for increasing regulation –some omnibus regulation that concerns all intermediaries in APAC, some do “social media” regulation only. Back in the day they were copying regulations of other regulations, now it is changed — they add their own veneer. APAC is a very large market so this is bound to impact millions of users.
Jean Jacques highlighted that the one thing he sees as lacking is policy makers seeking out for input from the multistakeholder community – the tech community, industry and civil society. “We can remind them, and some of us are raising concerns of collateral damage, massive collateral damage to the ecosystem, but it gets scant attention.” He concluded that regulation is coming, and that regulators will go for whoever can bring actions. From a DNS industry perspective, the Internet’s core has been spared, but not for long. He called for regulators to leave room for freedom of expression and not to over regulate.
Esteve Sanz was invited to address Jean-Jacques’ points. Sanz said that the EU DSA offers an approach that strikes a good balance between users' fundamental rights and tackling abuse. In terms of coordination, he highlighted that the EC coordinated with the US on the declaration for the Future of the Internet, which he described as a straight jacket for the states not to regulate the internet in certain ways that are harmful. Lastly, he warned of digital authoritarianism in that authoritarian governments use the internet to control their populations. “We cannot think the internet is just a tool to promote freedom.”
Keith Drazek elaborated on the point of industry collaboration. He finds industry does not collaborate sufficiently, especially when up and down the stack, or across the range of operators. There is an opportunity for registries, registrars, hosting companies, CDNs and ISPs to engage more constructively and proactively together, and to collaborate in identifying trends of bad actors and in devising mitigation strategies.
He agreed that regulation is upon us, but urged for it to be informed, educated regulation and to take into account concerns by civil society. When we speak of content, it gets very complicated from a rights perspective. Registries and registrars have one option to address abuse, and that is to take the entire domain out of the zone – the third level is with the hosting company. If it is a bit of offending content or harming content on a third‑level name or a website, the hosting company has to be involved in that conversation about how to mitigate those harms to ensure proportionality.
He offered five points for consideration that apply to dealing with online harms through the DNS, and also for any trusted notifier schemes. These include consideration of:
- Provenance of a threat, to have the closest stakeholder take action
- Proportionality, to ensure actions do not impact users or other parts of the ecosystem disproportionately
- Transparency on how we use the DNS to mitigate online harms. What process was followed and what actions taken
- Due process
- Recourse –we need to offer recourse for the impacted party if you got it wrong,
Fiona Alexander weighed in and said that what is unique about how the Internet operates is the multistakeholder model. So it is important that industry and governments do not broker on their own, but that conversations are held in reach of the multistakeholder community. “How you do something is just as important as what you do.”
Connecting to regulatory efforts by the EU, Jia Rong Low highlighted the impacts of GDPR on the Whois database. He explained how he interacts with LEAs, and complaints by Interpol that Whois has become difficult to work with, highlighting how regulations have losers and winners.
Jen Chung offered an example of how articulation can play out. .ASIA is the registry operator for .kids, which is one of the first gTLDs with a mechanism for restrictive content. She explained how downstream, there are the hosting providers, DNS resolvers; at every point, there could be abuse happening all the way to content. For DotKids, they rely on Google AI to look at the content, they have a policy that listens to child rights experts and online rights experts. They are also highly transparent and have the paper trail of how reports are dealt with. They also offer recourse.
Rocio de la Fuente came back with additional perspectives from the LAC region where there are no overarching regional regulations to harmonise approaches. She explained that while abuse in ccTLD communities is low, the ccTLDs have introduced actions to help mitigate abuse. For example, .co has a national hotline for reporting CSAM materials and mechanisms in place to review reports.
Some comments from the audience included Mark Dattysgeld who in response to the comments by the EC explained that the community came up with a technical definition of DNS Abuse which could be agreed upon as a baseline from which we can always build on. Kanesh from Nepal urged for capacity building. Andrew Campling asked whether new standards introduce new governance gaps, hinting at DoH.
In terms of what is required, the panel recommended
More capacity building, as done in the LAC region, with governments, LEAs, operators, judges, policy-makers and other relevant stakeholders. Esteve warned that the conversation has been dominated by the global north, and that this will play badly in the WSIS+discussions.
Bringing people together and having conversations. Continue the discussion about more coordinated action from the ecosystem, ensuring we get feedback from the multistakeholder community. Making it a sustained conversation.
Clarity on what tools we have, what to scale. From a cooperation perspective, Jen Chung highlighted the need to Join the dots on the things we are doing, and scaling what works.
More collaboration on DNS security, including involvement of CSIRTs.
Measure DNS Abuse
Be attentive to new standards being developed
Takeaways
There should be more coordination across the Internet ecosystem dealing with online harms, particularly to deliver proportionate responses that look beyond action at the DNS level.
Asia and Latin America offer good examples of (a) better coordination across the ecosystem and efforts to build collaborations among existing initiatives (example of operation of .kids by .Asia) and (b) capacity building and networking between the DNS, content and technical communities on the one hand, and policy makers, law enforcement and the judiciary, on the other.
Calls to action
The numbers and names communities as well as companies dealing with content need to actively build capacities with policy makers, LEAs and the judiciary to help them understand adequate and proportionate options for dealing with online abuse.
The Internet ecosystem needs to have better coordination mechanisms in place that break away with industry silos in dealing with online harms, and build ecosystem-wide consensus and collaborations for addressing harmful content on the Internet.