DNS Abuse Mitigation and Human Rights Impact Assessment

The Internet’s Domain Name System (DNS) is critical for connecting us online, but it is also a potential vector for abuse. DNS abuse, encompassing activities like phishing, malware distribution, botnets, poses significant threats. However, the measures taken to mitigate this abuse can inadvertently impact fundamental human rights. This is where Human Rights Impact Assessments (HRIAs) come into play, aiming to ensure that efforts to secure the DNS are balanced with the protection of individual rights.

This blog post will explore DNS abuse mitigation and human rights, drawing insights from two important sessions dedicated to this topic within the ICANN community.

Understanding the Landscape: DNS Abuse and Human Rights

DNS abuse, as defined within ICANN’s contractual frameworks, focuses on technical security threats. Registries and registrars are contractually obligated to take appropriate mitigation actions when they have actionable evidence of such abuse.

However, the implementation of these obligations has significant human rights dimensions. As highlighted in the “DNS & IHRL Cheat Sheet“, DNS abuse mitigation can touch upon several fundamental rights and freedoms:

• Right to Privacy: Disclosure of domain name holder data for mitigation purposes can create privacy risks.
• Freedom of Expression: Overly broad or vague mitigation requirements could lead to unfair suspension or takedown of domain names, infringing on freedom of expression online.
• Right to Equal Treatment/Non-discrimination: Mitigation mechanisms should be available equally across service regions.
• Freedom of Association: Disabling online services used for assembly due to abuse mitigation could impact freedom of association.
• Access to Remedy: Individuals affected by takedowns or suspensions must have access to dispute resolution mechanisms.
• Right to a Fair Trial/Due Process: Mitigation processes should afford domain name holders due process.

What is HRIA and why is it needed?

The Noncommercial Stakeholder Group and its members, notably Article 19 have been at the forefront of discussing the human rights implications of ICANN policies for many years. The result of the community work can be found here. The cross community working party materials can also be found here. 

The importance of the intersections of DNS abuse mitigation and human rights led to dedicated sessions, including a tabletop exercise at ICANN 81. The primary goal was to raise awareness about HRIAs and their potential benefits in qualitatively measuring the success of DNS abuse mitigation efforts.

The ICANN 81 session included role-playing scenarios designed to explore the human rights implications of different DNS abuse cases. These scenarios, while deliberately broad to stimulate discussion, touched upon various complexities:

• Phishing from subdomains of a national oil company: Raising questions about societal impact and proportionality of takedown.
• A human rights activist’s website compromised: Highlighting the potential impact on freedom of expression, association, and access to remedy.
• A trademark-related domain name dispute: Clarifying what constitutes DNS abuse versus other forms of disputes.
• A protest website engaging in phishing: Presenting a conflict between freedom of expression and the need to address clear DNS abuse.

Discussions during this session underscored the need for transparency and accountability in DNS abuse mitigation. Participants from various stakeholder groups, including law enforcement, intellectual property, civil society, registries, and registrars, brought diverse perspectives to the table.

A key takeaway from the ICANN 81 session was that mitigation mechanisms used by registrars are often more granular than simply suspending a domain. Registrars may attempt to contact the registrant, work with hosting providers, or take other less drastic measures to address the abuse. The session also highlighted the challenges registrars face, including the need for clear evidence, the potential for false positives, and the importance of due process for domain name holders.

Building a Framework: The Second HRIA Session at ICANN 82

Building on the momentum from the first session, a follow-up session at ICANN 82 focused on developing Human Rights Impact Assessment (HRIA) guidelines for DNS abuse mitigation. The goal was to operationalize human rights considerations and create practical tools for registries and registrars.

The session included a case study presented by Sara Mohamed concerning the inaccessibility of multiple independent media platforms in Sudan. This real-world example powerfully illustrated how DNS-related actions can have significant impacts on access to information and online freedom, emphasizing the need for transparency, technical accuracy, and due process.

Volker Greimann raised a crucial point about the efficiency of abuse mitigation processes, highlighting the limited time abuse teams have to assess complaints. He emphasized that any HRIA guidelines must be quick and implementable, without requiring extensive documentation and research.

Michaela Shapiro further elaborated on the importance of adhering to the three-part test for any limitations on freedom of expression, ensuring legality, legitimacy, and proportionality.

Alan Woods aptly pointed out the importance of mapping the impact, timing, action, and appropriate party when addressing DNS abuse, suggesting a spectrum of impact to guide mitigation efforts.

The session then moved towards examining draft HRIA guidelines, broken down into areas such as proportionality, legitimacy, transparency and accountability, and necessity. These are the human rights impact assessment criteria. Participants actively engaged in discussing the applicability and practicality of these tests using further case studies.

Discussions around these scenarios reinforced the complexities involved in balancing DNS abuse mitigation with human rights protection. For instance, in a scenario involving phishing and trademark infringement, the immediate bulk suspension of all implicated domains, including the legitimate trademark owner’s domain, was deemed a wildly disproportionate action, highlighting the critical need for due process and careful investigation.

The Path Forward

Both HRIA sessions have been instrumental in fostering a deeper understanding of the intricate relationship between DNS abuse mitigation and human rights. The ongoing efforts to develop practical HRIA guidelines signify a commitment within the ICANN community to move beyond purely quantitative measures of success in combating DNS abuse. The Noncommercial Stakeholder Group, especially its member Michaela Shapiro from Article 19 and Sara Ali worked tirelessly to make this session a success. DigitalMedusa looks forward to organizing more and coming up with tangible, practical solutions for registrars and registries to uphold human rights when mitigating DNS abuse. 

The next steps involve refining these draft guidelines based on the valuable feedback received, aiming to create a tangible and actionable framework for registries and registrars. This will be an iterative process, recognizing the evolving nature of both DNS abuse tactics and the understanding of their human rights implications.

By proactively integrating human rights considerations into DNS abuse mitigation practices, the internet can strive towards a more secure and rights-respecting digital environment for all users. This requires more continued dialogue, collaboration, and a steadfast commitment to both security and fundamental freedoms.