beyond take down

Sun Nov 20 19:11:43 CET 2011

http://www.isc.org/software/rpz
On Nov 20, 2011 12:10 PM, "Milton L Mueller" <mueller at syr.edu> wrote:

>  Does anyone on this list know more about the way BIND is being amended
> to allow the “rewriting” of DNS answers? Jorge? Timothe?****
>
> ** **
>
> *From:* NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] *On Behalf Of
> *William Drake
> *Sent:* Sunday, November 20, 2011 10:22 AM
> *To:* NCSG-DISCUSS at LISTSERV.SYR.EDU
> *Subject:* [NCSG-Discuss] beyond take down****
>
> ** **
> Hi**** As discussed on our call the other night, some of the key
> developments from a global public interest standpoint go beyond GNSO &
> ICANN policies but we might still consider whether there's grounds for
> useful NC engagement…****
>
> & BTW Monika quotes Wendy in the below...****
>
>
> http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-the-core-of-the-internet/print/
>
> Filtering and Blocking Closer To The Core Of The Internet?
> By Monika Ermert for Intellectual Property Watch on 20/11/2011 @ 1:00 pm**
> **
> With protests against draft US legislation like the Stop Online Piracy Act
> (SOPA) and the Protect IP Act ongoing and the European Parliament voting on
> 17 November for a resolution to request that the United States should be
> “refraining from unilateral measures to revoke IP addresses or domain
> names,” politicians are talking a lot about technology for the internet
> domain name system. But at the same time, engineers are getting more
> political and are intensively discussing technology providing the tools for
> blocking – by governments and private parties.
>
> For the community that cares for the functioning of the domain name system
> (DNS), it came as a shock when Paul Vixie, founder of the Internet Software
> Consortium (ISC), said that the BIND software would allow the filtering out
> of sites with a bad “reputation” – like listed malware sites – and also the
> “rewriting” of DNS answers – manipulating what people get to see when
> asking for domain names.
>
> Vixie is a guru of the DNS and one of the authors of the letter by
> well-known experts against DNS blocking in the Protect IP Act. But he is
> perhaps best-known for being the father of BIND, which has for a decade
> been the open source tool that makes the DNS work.
>
> More Filter-Friendly DNS Software
>
> Jim Reid, one of the chairs of the DNS working group at the Réseaux IP
> Europeéns, said during a recent debate about principles that he was “rather
> saddened” by ISC’s decision to allow the rewriting. “We’re giving the bad
> guys tools,” Reid warned.
>
> The rewriting – which sends back a “lie” upon a request to the DNS from
> someone looking for a website – “also sends a rather nasty message saying
> it’s okay to do this kind of thing.“ What is worse from the engineers’
> standpoint with the rewriting is that it breaks new measures to secure the
> DNS, because the “lies” are detected and dropped without users knowing what
> happened.
>
> The “lying” is currently happening for domains seized by the US government
> agency ICE (US Immigration and Customs Enforcement), some of them legal in
> their country of origin, like the Spanish RojaDirecta.com, (a
> case discussed intensively by the experts). When typing RojaDirecta.com,
> users do not get to that site, but to a warning/blocking site by the ICE.
>
> It is this kind of case that has stirred up debate in the European
> Parliament, pushed by the European Digital Right initiative (EDRi). “By
> this you render a site and the data inaccessible without having any court
> order in the site owner’s country,” said Joe McNamee, who fought for the
> declaration now officially included in the Parliament’s resolution on the
> upcoming European Union-US Summit of 28 November 2011.
>
> The text of the Parliament resolution is here [1].
>
> Under the topic “Freedom and Security,” the declaration stresses the need
> “to protect the integrity of the global internet and freedom of
> communication by refraining from unilateral measures to revoke IP addresses
> or domain names.”
>
> SOPA, McNamee warned, would be so broad that “it could be interpreted in a
> way that would mean that no online resource in the global internet would be
> outside US jurisdiction.”
>
> Of those who provide users with domain names – with the so-called DNS
> registrars closer to the user and the user’s jurisdictions – it is the
> registry companies who manage the central database for zones like .com (for
> example) who are an easy target when it comes to take-downs. They keep the
> record of who every .com domain name is delegated to and inform those
> looking for a site where to go. So they can from a top spot in the DNS
> hierarchy point to a “wrong” location.
>
> What makes things difficult is that many large registries, like VeriSign
> (registry for .com and .net) which changed the rojadirecta.com record,
> are located in the United States and while offering services globally in
> name, they in fact are bound by US law.
>
> Registries – Target for Take-Downs
>
> VeriSign recently tried to get a new registry policy acknowledged by the
> Internet Corporation for Assigned Names and Numbers (ICANN), the DNS
> technical oversight body, which would have allowed the dot com and .dot net
> registry (VeriSign) “to comply with any applicable court orders, laws,
> government rules or requirements, requests of law enforcement or other
> governmental or quasi-governmental agency, or any dispute resolution
> process.” After a first wave of protests, the company backed off and
> withdrew the test for the time being.
>
> Matt Pounsett from Afilias, the registry for .info and some other TLDs,
> explained the dilemma. While the registries certainly like people to see
> the correct DNS-answers that they send, “there are cases where even we
> participate in things like that, particularly domain take-down.“ Many
> take-downs were made when it was found out “that a particular domain is
> being used in a way that violates acceptable use.”
>
> Registry operators and a software providers like ISC underline that the
> fight against malware mainly drives their interventions. BIND’s filtering
> function will help the manager of a local domain to protect his network.
> Customers are pushing, for example, for options like rewriting, said Joao
> Damas, a developer at ISC.
>
> The rewriting not only allows ICE to lead people to their website instead
> of Rojadirecta’s, it also allows commercial companies to attract traffic to
> their search engine with recommendations and paid ads. Some big
> telecommunications providers, for example, lure users to their search site
> every time they mistype a domain name or simply look for something that
> does not exist.
>
> “If we do not do offer functionalities like the rewriting in our BIND
> software, we will drive them away from BIND,” said Damas. BIND’s new
> “reputation policy zone” function allows people to have names checked
> against lists of alleged bad actors, known spammers or
> malware-distributers, and in case of a match do not display the respective
> sites.
>
> More Private Filtering
>
> But what about the governance of increased private manipulation and also
> filtering that is enabled by better tools, asked Peter Koch, a DNS expert
> at Denic, the registry for the .de. country code TLD of Germany. “When we
> talk about a near real-time facility that would enable certain groups to
> influence resolvers to block or rewrite resolution data,” Koch warned,
> collateral damage and even liability issues could arise. The more sceptical
> engineers also warn that such interventions could make the deployment of
> secure DNS on the last mile to the user very difficult. As they,
> including Vixie, have worked for a decade to implement this kind of
> security, they oppose it from an architectural standpoint.
>
> Civil liberty advocates like McNamee or Wendy Seltzer, co-founder of the
> project Chilling Effects, point to the difficulties for victims of the
> varieties of filtering possibilities to push back. Why can a DMCA
> (US Digital Millennium Copyright Act [2]) request from a private party lead
> to Google even filtering a part of the rojadirecta website included in the
> Spanish version and housed under .es, the country code TLD of Spain – as
> actually happened?
>
> “Today the biggest problem is there’s too many things happening not based
> on legislation,” said Patrik Fältström, chair of the Security and Stability
> Advisory Committee of the ICANN. Fältström belongs to the engineers hoping
> that fixing the political code might be the first necessary step to solve
> the problems. Only then would the next step be addressed, Fältström said,
> in addressing conflicting national legislations. A mega-size example is
> coming with regard to this problem: the introduction of new TLDs as
> approved by ICANN.
>
> Could ICANN approve a domain name that is illegal in one jurisdiction?
> asked Fältström. Several jurisdictions have announced they would otherwise
> block complete TLDs, with new top level domains like .gay being only one
> example not being welcome everywhere in the world. Or should controversial
> new address zones be blocked at the outset by ICANN?
>
> If the registries are close to the core, the root zone that lists existing
> TLDs (like .com, .net, .ch) and future ones could be seen as one core spot
> of the global internet.
>
> With the new contract for the managing of this root function, the Internet
> Assigned Numbers Authority (IANA) contract, the US administration seems to
> have put itself in a difficult spot. The contract has been performed by
> the ICANN so far, and the US National Telecommunications and Information
> Administration oversees the work. The difficult spot for NTIA is that they
> will for every new TLD check if ICANN’s procedure for approving a new TLD
> has been supportive of the “global public interest”. What will the US do
> about potential knocks at their door from those who do not like to have a
> .gay or a .sex? It will be a difficult filtering function, close to the
> core.
>
> Related Articles:****
>           • IP Enforcement Permeates ICANN, US Internet Policy [3]****
>            • US Gets Threatening Over ICANN’s New Internet Domain Plan [4]
> ****
>            • ICANN Board Approval Opens Internet To Many New Domains [5]**
> **
> Categories: Access to Knowledge,Enforcement,English,Features,Human
> Rights,Information and Communications Technology/ Broadcasting,IP
> Policies,Language,Themes,Trademarks/Geographical Indications/Domains,United
> Nations,US Policy,Venues
> Article printed from Intellectual Property Watch:
> http://www.ip-watch.org/weblog
>
> URL to article:
> http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-the-core-of-the-internet/
>
> URLs in this post:
>
> [1] resolution is here:
> http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2011-0510&language=EN&ring=P7-RC-2011-0577
> [2] Digital Millennium Copyright Act:
> http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act
> [3] IP Enforcement Permeates ICANN, US Internet Policy:
> http://www.ip-watch.org/weblog/2011/03/13/ip-enforcement-permeates-icann-us-internet-policy/
> [4] US Gets Threatening Over ICANN’s New Internet Domain Plan:
> http://www.ip-watch.org/weblog/2011/05/06/us-gets-threatening-over-icann%e2%80%99s-new-internet-domain-plan/
> [5] ICANN Board Approval Opens Internet To Many New Domains:
> http://www.ip-watch.org/weblog/2011/06/20/icann-board-approves-long-awaited-plan-for-new-internet-domains/
> ****
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncuc.org/pipermail/ncuc-discuss/attachments/20111120/8ba86c11/attachment-0001.html>