Seizing Malicious Domain Names and IP Addresses is Complicated: M3AAWG Submits Comments on the United Kingdom’s Review of the Computer Misuse Act 1990
The Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) has submitted comments to the Government of the United Kingdom in response to their Review of the Computer Misuse Act 1990: consultation and response to call for information. One proposal under review would allow law enforcement agencies to take control of domains and internet protocol (IP) addresses being used to commit crimes. The review also proposed giving law enforcement the power to direct the preservation of computer data to aid in a future criminal investigation.
M3AAWG praised the U.K.’s efforts to tackle malicious domains but cited many complexities in the associated actions required in takedowns or seizures.
Seizing a Domain Name is Challenging: Unknown and Unwilling Parties
A request to take down, seize or prevent the creation of a domain name would be served to a relevant party who was in control of the domain, such as the registry (who creates it and ensures that only one instance of it exists), a registrar (who effectively leases it) or the registrant (who rents it and deploys their content).
Only the registrars and the registries have the technical ability to change the status of suspended domain names. It would solve the problem if a malicious actor (a registrant) suspended their own domain upon request, but that is unrealistic. Further, registrants are often unknown and unreachable, and some registrars vie for business on their willingness to let registrants be anonymous.
Collateral Damage is Hard to Avoid
Domain names and IP addresses may be shared by multiple parties. This means that one user may be engaging in nefarious and/or unlawful behavior while other users sharing a domain or IP may be law-abiding third parties. Collateral damage is hard to avoid.
Any process meant to tackle maliciously used domains or IP addresses must recognize the agility of online criminal perpetrators. Criminals move faster than due diligence. Enforcement efforts should consider the amount of time and effort required by bona fide providers when performing due diligence on taking down resources versus the ability of malicious providers to deflect such processes and/or to warn affected criminals.
Strategic Partnerships Are Key in Mitigating Malicious Domains
M3AAWG suggested that the U.K. government engage with the Numbers Community, including regional internet registries (RIRs) such as the Réseaux IP Européens Network Coordination Center (RIPE NCC), the African Network Information Center (AFRINIC), the Asia Pacific Network Information Center (APNIC), the American Registry for Internet Numbers (ARIN) and the Internet Address Registry for Latin America and the Caribbean (LACNIC), as well as key players like ISPs to align on a feasible approach.
Compelling Service Providers to Preserve Data is Problematic
Electronic evidence is often required to support law enforcement investigations. The consultation sought to understand the consequences of mandating preservation of data by the system owner, pending a decision on whether a formal request for seizure was made to a court. The scope of any order to preserve data could be problematic.
Some of the data may be compact, already routinely retained for business or technical purposes, and may be of limited sensitivity. Other data may potentially be voluminous, or privacy sensitive, even if it is only defined as metadata.
Providers should not be required to build new collection capabilities, nor be compelled to routinely collect and preserve entire categories of data not currently collected and preserved. Only data that is directly needed to address criminal or national security incidents and only the use of existing collection mechanisms should be in scope for this new capability.
M3AAWG urged the U.K. government to consider approaches and measures that ensure that such requests are actionable, meaning that all requests are complete, specific, and clear, especially when it comes to the technical detail and data sought, and are addressed to the right entity and therein to an officer with appropriate authority.
Overall, M3AAWG advocated for careful execution when legislating around domain names and IP addresses and stressed continued partnerships with key security and anti-abuse groups, including M3AAWG and its partner organizations, as well as key U.K.-based and international industry stakeholders.
Additional recommendations can be found in the full report, M3AAWG Comments on Review of the Computer Misuse Act 1990, available on the website.
M3AAWG has previously offered comments on various public policy initiatives. Visit the Public Policy section on the M3AAWG website for more information.