Many people see optional anonymity as a key feature of the Internet but increasingly there are calls for stricter identity checks.
While a full-blown ‘Internet passport’ is not yet required anywhere just yet, ‘know your customer’ requirements are increasingly common as a means to deter fraud and abuse.
“Know Your Customer” Rules
In recent years, copyright holders and industry groups have argued to expand these identity verification rules to tackle the online piracy problem. These efforts have begun to pay off in Europe and, over in the United States, similar calls are heard.
In 2021, President Donald Trump signed an executive order aiming to stop foreign cybercriminals from using US-based Infrastructure as a Service (IaaS) services. This kicked off a proposed rulemaking process to require advanced services to implement “Know Your Customer” regimes.
Last year, this proposal was followed up by an executive order from President Biden, with an added focus on potential abuses of online services to train Artificial Intelligence models. If adopted, the rules would put an end to anonymity for users of online cloud services.
Before taking the matter forward, the Department of Commerce asked the public for input on its plans which resulted in some noteworthy responses.
Rightsholder Coalition Chimes In
The Coalition for Online Accountability filed a response yesterday. While not generally known to the wider public, the coalition’s members are seven well-known copyright industry players; the RIAA, MPA, ESA, Broadcast Music, Disney, Warner Bros, and NBCUniversal.
Given the makeup of the coalition, it doesn’t come as a surprise that its submission has a strong focus on piracy.
“There is no doubt that the motion picture, music, and video game industries have long suffered from widespread online piracy and other abuses,” the coalition writes.
The proposed rule could help to tackle the piracy problem. After all, pirate sites use cloud hosting and other IaaS services. Making it easier to identify the owners would greatly help to hold them accountable. However, the coalition sees a major shortcoming too, as the proposal doesn’t include domain name services.
The proposal is very clear about this exclusion. Since domain name registrars and registries don’t host any content, they fall outside its scope.
“It does not, however, capture domain name registration services for which a consumer registers a specific domain name with a third party, as that third party does not provide any processing, storage, network, or other fundamental computing resource to the consumer.”
‘U.S. Domain Name Services Should be Included’
The Coalition urges the Department of Commerce to reconsider its position. According to the rightsholders, domain name registrars must be included in the IaaS category, as they are broadly abused by pirate sites and services, with little recourse.
“Currently, many domain name registrars turn a blind eye on the rampant domain name abuse practices. They provide the means and instrumentalities for impersonation making no effort to collect true and correct data about their clients,” the coalition writes.
To address this, the Coalition for Online Accountability proposes two main changes to the proposed rules.
The first one states that U.S. domain name service providers, including Verisign and GoDaddy, should be classified as IaaS providers. In addition, domain registries must ensure that the identifying information they collect is accurate.
“[I]t is important that all U.S. domain name registries be required by the forthcoming regulations to maintain complete and accurate databases of the identity and contact information of all registrants for the domain names that such registries administer,” the coalition writes.
Currently, U.S. domain registries such as Verisign and PIR already require customers to supply accurate information but pirate sites typically don’t do so. In addition, it’s not always easy for rightsholders to access shielded Whois information.
The coalition proposes to make domain name registration directories openly accessible, free of charge. Many domain name services shielded this data for privacy reasons when the EU adopted the GDPR, but the rightsholders would like to go back to the old system, where all information is public.
If registrars use proxy or anonymizer services, these too should be required to disclose a domain name’s owner in response to good faith claims of abuse.
Suspend Pirate Domain Names
As the cherry on top, the coalition goes beyond the “Know Your Customer” framework by proposing that domain name services should also take enforcement actions if “Trusted Notifiers” flag a domain for abuse.
This means that U.S. domain registrars and registries should suspend or disable a domain that is reported by a ‘trusted’ rightsholder representative.
“The domain name registrar, registry, privacy service, proxy service, or other domain name registration authority must disable, disrupt, or suspend any domain names used for domain name abuse within 48 hours of receipt of a notice submitted in good faith from a Trusted Notifier.”
This type of scheme is not unprecedented. Currently, the MPA and RIAA already have trusted notifier status at several online intermediaries. This includes the domain registries Identity Digital and Radix, which regularly take action against piracy-related domains.
Whether the Department of Commerce is open to broadening the scope of its proposal remains to be seen. Rightsholders previously argued for similar expansions during the earlier inquiry, which didn’t lead to the inclusion of domain name services.
—
A copy of the comments submitted by the Coalition for Online Accountability is available here (pdf)
