Abuse Prevention Policies

Abuse Prevention Policies are policies instated by registries and registrars in order to guard against practices that endanger "security and stability" on the Internet.^[1] When creating these policies, registries and registrars sometimes refer to the GNSO's Registration Abuse Policies Working Group (RAPWG) definition of abuse.^[2] According to RAPWG, "Abuse is an action that:

• Causes actual and substantial harm, or is a material predicate of such harm, and
• Is illegal or illegitimate, or is otherwise considered contrary to the intention and design of a stated legitimate purpose, if such purpose is disclosed."^[3]

Public Perception

Abuse prevention policies are generally viewed favorably as they encourage responsible and ethical behavior. Additionally, registrars and registries frequently have differing abuse policies,^[4] creating a market for registrants and allowing them to choose the amount of protection and oversight that they believe is most prudent.

Outcome

Abuse prevention policies help create a safer environment on the web by seeking to address abuses actively at the registry or registrar level.

Historical Use

To show the variance of behaviors specifically addressed by abuse prevention policies, a few examples are listed below.

• Radix's Abuse Prevention Policy: this policy is an example of a fairly comprehensive abuse prevention policy and addresses violations such as phishing, pharming, false Whois, scamming, and trademark infringement.^[2] In addition to outlining abuses, Radix also discusses what mechanisms it will use to combat such abuses, including blacklisting, profiling, and a "proactive quality review" procedure.^[2]
  • See Radix's Abuse Prevention Policy

• GoDaddy's General Rules of Conduct: this policy allows GoDaddy to take action if a domain name is conducting illegal practices, promotes violence or terrorism, or spreads malware.^[5] Additionally, GoDaddy takes a strong stance against the illegal sale of pharmaceutical drugs online.^[5][3]
  • See GoDaddy's General Rules of Conduct

• Afilias' .INFO Domain Anti-Abuse Policy: Afilias requires an anti-abuse policy to be included in all agreements between the registry and its registrars.^[1] This policy defines violations such as illegal or fraudulent actions, spam, phishing, pharming, willful distribution of malware, fast flux hosting, botnet command and control, distribution of child pornography, and illegal access to other computers or networks. If a violation is discovered, "Afilias reserves the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, in its discretion."^[1]
  • See Afilias' .INFO Domain Anti-Abuse Policy

• ICM's Rapid Evaluation Service (RES) Policy: because of the potentially sensitive or adult content displayed within the .xxx domain, the RES policy creates "a prompt remedy to address a limited class of situations in which there is objectively clear abuse of well-known, distinctive registered trademarks or service marks of significant commercial value, or of personal or professional names of individuals."^[6] It has been in use since September 1, 2011.^[7] This policy is more controversial than some of the policies listed above as it is managed by the National Arbitration Forum (NAF) and does not require the same amount of transparency as a UDRP or URS proceeding.^[8]
  • See ICM's RES Policy
  • See PDF DOWNLOAD ICM's RES Rules

• ICM's International Foundation for Online Responsibility (IFFOR) Baseline Policies: because of the adult content featured on .xxx domains, ICM also adopted additional "baseline" policies to help prevent abuse. While the RES Policy addresses trademark infringement and the use of names, the IFFOR Baseline Policies prohibit malicious content and the use of "child abuse images." ^[9] These policies also state that registrants in the .xxx domain must submit to "automated scanning of their sites for compliance with IFFOR policies."^[9]
  • See ICM's IFFOR Baseline Policies
  • Report IFFOR Policy Abuses

ICANN Policy

• In the 2013 Registry Agreement (RA), Specification 11 states that registries must require their registrars to include policies that prohibit registrants from participating in abusive activities, like creating botnets, phishing, spamming, and pirating media files.^[10] Additionally, registries are required to "periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats" and to keep security files on threats and the actions taken by the registries.^[10]
  • If a registry is non-compliant with any of the Public Interest Commitments set forth in Specification 11 of the 2013 RA, then concerned parties can file a complaint under the Public Interest Commitment Dispute Resolution Procedure (PICDRP).^[11]
• However, ICANN has no specific mandate telling registries or registrars exactly how they should address registration or domain name abuses.^[4] A report was issued to determine whether to pursue a uniform abuse policy for registries. However, it was determined that registries often struggle to address different kinds of abuses and that giving registries the freedom to address what they considered to be problematic abuses in their TLDs would be more effective than establishing a "minimum baseline of registration abuse provisions."^[4]

Legislation

The U.S. currently has no legislature addressing how registries and registrars address abuses. If the abuse committed by a registrant is illegal, the registry or registrar can contact law enforcement as in the cases of Phishing, Piracy, or Spam.

Additional Resources

• Read the GNSO's Registration Abuse Policies Working Group Final Report
• View the GNSO's Preliminary Issue Report on Uniformity of Contracts to Address Registration Abuse
• Find more information on ICM Registry's RES Policy

Related Articles

• PICDRP

References