CENTR, which represents European national top-level domain name registries (ccTLDs) such as .si or .eu, has published a comment on the European Commission’s DNS abuse study, calling out some of the misleading analysis and unfortunate conclusions in the study.
CENTR members consider keeping abuse low on the internet to be an important element in keeping their zones safe and trustworthy for end-users. CENTR welcomed the European Commission’s aim to “analyse the scope, impact and magnitude of DNS abuse” within its recently published “Study on Domain Name System (DNS) abuse” (referred to here as the Study), and for this reason actively took part in the stakeholder interviews that served as the basis for the Study.
Despite its good intentions, the final Study and its accompanying documents include several inconsistencies, and many of its recommendations are not based on clear evidence or verifiable research. Despite concluding that European ccTLDs are “by far the least abused”, the Study applies a one-size-fits-all approach to its recommendations addressing DNS service providers, domain name registries and registrars, largely ignoring the existing good practices within European ccTLDs.
Furthermore, the broad definition of DNS abuse, as suggested in the Study, does not take into account the role of different service providers and other categories of stakeholders that are part of the internet ecosystem, when discussing abuse mitigation measures. As a result, the Study offers a skewed view on the DNS abuse problem and how to tackle it.
As this Study was written with the aim to guide further policy development in the EU, CENTR members call on policy-makers to tread carefully when reading the Study. A summary of CENTR’s main points can be found below, as well as the link to the full comment.
Summary of CENTR’s key points:
- CENTR members regard keeping abuse low on the internet as an important element to safeguard end-user trust and safety within their zones.
- CENTR members are pleased with the fact that the DNS Abuse Study recognises many good practices in place within European ccTLDs that contribute to low levels of abuse within their managed ccTLDs.
- The DNS abuse definition proposed by the DNS Abuse Study encompasses all common forms of cybercrime, and as a result should also include mitigation and prevention measures addressed at all actors involved in sustaining and using the DNS.
- The recommendations put forward in the DNS Abuse Study do not adequately take into consideration the essentiality of the internet infrastructure, such as the DNS, and the role and responsibilities of different operators active on the internet.
- The data sources used to assess the magnitude of DNS abuse in the DNS Abuse Study cannot be independently verified, and are not optimised for mitigation measures available for domain name registries and registrars.
- The DNS Abuse Study generally disregards the proportionate resolution path targeting the intermediary that is closest to the content, codified in EU legislation, without any clear and abuse-specific justification.
- The DNS Abuse Study disregards the fundamental difference between the governance of ccTLDs and gTLDs and demonstrates incoherent analysis by adopting a “one-size-fits-all” approach with measures targeted at both ccTLDs and gTLDs despite finding that ccTLDs are by far less abused. As a result, any measures targeted solely at ccTLDs will have a limited impact on effectively reducing abuse online.
- The recommendation to adopt harmonised Know-Your-Business-Customer practices across ccTLDs, despite the lack of proof of abuse, is unjustified and disregards the existing data accuracy practices already in place.
- The recommendation for a unified approach to accessing complete registration data across ccTLDs disregards the overarching EU data protection framework, as well as the recommendations put forward by data protection authorities within ICANN community discussions.
- The DNS Abuse Study recommends publishing DNS zone file data without assessing the potential negative consequences that such publication may entail for the security and stability of the DNS, including the confidentiality of customer data.
