Invoicing scams. Illegal drug sales. Fraud and money laundering. Defamation and harassment. Phishing and malware hosting.
These are just some of the dodgy activities being carried out by organisations or individuals with websites ending in .nz, according to a report released Thursday.
And while virtually everyone agrees there is serious harm being caused by so-called “domain name abuse”, the report reveals New Zealand is woefully short of information on the nature and scale of the harm in this country.
Moreover, the industry is strongly divided about what to do about it.
The Domain Name Commission Regulatory Review sounds dull. And much of the 94-page document is worthy but a bit dry – regulatory capture, market concentration threshold, fee-setting theory.
But between pages 60 and 69, report author and public policy consultant David Pickens gets his teeth into something that touches many New Zealanders: internet-related harm. In particular, harm caused by websites administered by the local (.nz) regulatory body, the Domain Name Commission.
It’s a hot topic in 2019 – from Jacinda Ardern’s heartfelt post-bombing Christchurch call, to the problems of cybercrime; from fake news to calls for stricter controls over tax-dodging online importers.
There are an estimated 700,000 websites with a .nz domain name (newsroom.co.nz is one). At an average retail price of $25, the market is worth an estimated $18 million.
Mostly, the widespread availability and relative affordability of domain names is a good thing. It makes it easy for companies and individuals who want to set up genuine businesses. But it also creates a headache for the Domain Name Commission (DNC): how to stop the bad guys.
There are serious deficiencies on the magnitude and nature of internet-related harm in New Zealand.
The first stop, says Pickens, is to know how big a problem it is.
“There are serious deficiencies on the magnitude and nature of internet-related harm in New Zealand. Only with good information (relevant, timely, complete, accurate) will it be possible to effectively target real problems with the best tools available and assess the effectiveness of strategies deployed.”
Step two: what to do about the problem? And who should be responsible for doing it?
At the moment, InternetNZ and its subsidiary the Domain Name Commission, have a wide role. They set the policy frameworks and strategy for the .nz space, make decisions on monthly registration fees, and run the registry of domain names and their owners. They liaise with governments and regulators here and overseas.
And when things go wrong, the Domain Name Commissioner has some powers to take a website down – for example if someone has used fake details to get a domain or “where maintaining the registration would put the commission in conflict with any law, court order or tribunal of competent jurisdiction”.
That last sentence would have caught the Christchurch terrorist’s video content, because the Chief Censor (a “tribunal of competent jurisdiction”) moved quickly to make distributing the footage illegal.
But beyond that, the commissioner has limited powers to stop harm. It can’t rule on malicious use of a domain name – spam or phishing, for example. And it can’t cancel or suspend a site for offensive content – porn, or someone advertising dodgy products for sale.
For those the commission needs to go to court. But that can take time. And often with malicious activity or dodgy content, time is of the essence. The quicker you can take down the website, the fewer people will get harmed.
One of Pickens’ roles in the report was to find out what stakeholders thought was the best option for dealing with harm.
And that’s where it got tricky.
The level of disagreement between stakeholders is a threat to performance, confidence and reputation in the .nz space.
An industry divided
“No interviewee suggested there were not significant or real problems in New Zealand, or for the .nz space,” the report said. However “the level of disagreement between stakeholders on the appropriate role of the Domain Name Commission in reducing internet-related harm is in itself a threat to performance, confidence and reputation in the .nz space. It must be dealt with.”
On one side, some people are calling on the commission to “harden up, as others have done around the world, even if it is uncomfortable”.
They say regulators here and overseas are concerned about “missed opportunities to reduce community harm through the quick removal of offending registrants from the Register”. And these official bodies are putting pressure on organisations like the Domain Name Commission.
That pressure will only increase and it is up to the DNC to be proactive and seek out and stop harmful websites and material, they say.
But other people interviewed for the report point out the potential conflict of the commission being judge, jury and executioner over domain names.
“The DNC’s appropriate role is as custodian of the registry and the information contained within, not as a policeman of how that information might be used,” one person says.
Decisions, particularly around content, can be complicated and it is “inappropriate” for the DNC to be making these judgements.
“Further, the consequences of removing a registrant [domain name customer] could be significant for that registrant and others,” another interviewee says.
Yet another notes “the opportunity for competitors to make frivolous and vexatious complaints against a legitimate registrant.”
Where to from here?
Pickens’ report, which summarises feedback on a number of topics from the commission, is just one piece of the solution to the issue of internet-related harm in New Zealand.
It follows Internet NZ’s Domain Name Abuse Forum late last year, and the setting up earlier this year of the .nz Policy Review Advisory Panel.
The panel is chaired by Consumer NZ chief executive Sue Chetwin. It is due to release an issues paper next month and aims to finish its solutions report early next year.
Domain Name Commissioner Brent Carey says he’s already started working on the problem of domain name abuse. He has just employed someone to check up on new and existing domain name registrations to make sure they are real. And another staffer is joining soon from a domain name registry in Qatar to put some of the technical recommendations into practice.
Carey says he’s open to various options, including giving the commission more powers, or taking some or all enforcement roles into a separate body.
One solution could be to treat damaging malware and phishing separately from harmful content. Some overseas registries differentiate between technical abuse and content abuse. This allows them to act proactively and quickly on scams while requiring court orders for offensive content, the DNC regulatory review says.
“In particular where the harm is caused by malware of phishing, for example… Often most of the harm is done in the first few hours of a site being activated.”