The Domain Name System (DNS) has become such a fundamental part of the Internet over the years, and yet it has also become more political than ever. In our introductory piece, we introduced the main themes for this series, and in this article we explore the specific issues of censorship, domain seizures, thefts, and privacy. Decentralization can address these important issues in a direct way.
Much of what is wrong with the status quo stems from the centralized structure of our DNS. From a political perspective it is a three-tired hierarchy. ICANN is in charge, at the center of it all. On the second level are the registries, like Verisign, who are in charge of top-level domains (TLDs) like .com.
On the bottom tier are registrars, who provide retail services like domain registration to customers. They are proxies who typically present an assortment of TLDs for consumers to register. There are currently around 1000 registrars accredited by ICANN, and many have networks of resellers working with them. Think of registry operators as the wholesalers, and registrars as the retailers.
All these are eliminated, or at least marginalized, with a decentralized solution—there is just no need for them. People and companies are now empowered to register their domain names without going through intermediaries, and without being forced to adhere to the rules set by political bodies like ICANN.
The hacker inside me likes decentralization architecture. It could be argue [sic] that much of the "political problems" we have today derives [sic] from the centralized nature of the DNS with the root. So technology like Namecoins or other decentralized identifier system [intrigues] me.
—James Seng, March 2014 draft from ICANN's Technology Innovation Panel
Vint Cerf explaining who controls the DNS
Protecting Freedom of Speech
Censorship is an important issue for us all. National governments are the primary concern here, with many exerting as much control as they can. Extreme examples include North Korea and Iran, where authoritarian regimes control virtually all available information.
In countries where political speech is stifled, dissidents are often prevented from publishing anti-government opinions. The use of Tor in Turkey nearly tripled this past March in the wake of videos on YouTube implicating government officials in trying to stage an event as a pretext to declare war on Syria. Government officials also banned Twitter in March by redirecting DNS queries, after leaked recordings surfaced of the prime minister apparently instructing his son to dispose of large amounts of cash.
The situation in most countries is far more nuanced. It is all too easy to single out countries like Turkey and Iran for what many consider to be draconian censorship. But some level of censorship takes place pretty much everywhere, including in less oppressive Western nations. Google, the world’s largest search provider, now discloses the number of requests they receive to remove search results.
Luckily, no matter the current level of censorship in a country, blockchain systems can provide a solution. Namecoin’s .bit domains and BitShares DNS upcoming .p2p domains cannot be seized or pointed to government sites against the will of the registrant. Even if a government seized control of the network through a 51% attack, it does not appear possible to change ownership of a blockchain-based domain name without being in possession of the corresponding private key.
A next-generation DNS like Namecoin is immune to censorship! People can now publish political content without worrying about government censors seizing their domain names. We cited political dissidents, but this is a critical assurance for journalists operating in hostile environments as well. This freedom to speak out will certainly be used by bad actors too, but the benefits are indisputable.
People often believe that theft of domain names is rare, because there is a lack of supporting evidence. There is anecdotal evidence, and a few high profile cases like sex.com (video). There was even a conviction in the much publicized case of the P2P.com domain name theft.
Most people own very few domain names and have never experienced domain theft firsthand. No reliable data on domain thefts seems to be available. The registrars are in a position to collect this information, but they have a strong disincentive to publicizing incidents that might damage their reputation.
As far as I know, no one has a really good handle on just how much of a problem domain theft is. We hear of occasional instances of high profile thefts that catch everyone's attention, however I'm sure the vast majority of thefts go unreported.
—Ron Jackson, editor and publisher, DN Journal
Registrars are typically the ones who engage in bad behaviors that result in lost or stolen domain names. However, both registry operators and registrars can behave in questionable ways, like registering domain names right after their customers search for them.
Registrars have been caught stealing users' domain names too. Bad actors lose their accreditation when caught, but that is small consolation to a person or company that no longer holds their domain names. If only these domain names had been registered on a blockchain! Domain name theft in the world of crypto-DNS requires stealing a private key. Theft of a .bit or .p2p domain name cannot occur as result of a company abusing its authority.
Domain Name Seizures
Registrars commonly seize domain names at the behest of government agencies or judicial systems. Many people feel there are appropriate instances for seizure, but again it comes loaded with the potential for abuse. As mentioned before, although there is a nearly universal consensus on the undesirability of domains being used to host child pornography, it is less clear in matters involving intellectual property rights or political speech.
The DNS pecking order goes something like this. The US Department of Commerce has had the authority to approve changes to the root zone file since it was inherited from the US Department of Defense in 1998. ICANN awards contracts for management of TLDs to registry operators, who enter into contractual relationships with registrars.
Individual domain names are sometimes seized as a result of court orders when the domain is operated by a registry that operates in that jurisdiction. The .com registry, for example, is run by Verisign, a US corporation, and can therefore be compelled to comply with US federal court orders.
The US Department of Homeland Security has seized domain names on several occasions, when illegal activities were alleged. In fact, other nations routinely seize domain names as well when a registry is located within their jurisdiction.
This is the rationale for a blockchain-based DNS, where domain names exist independently of national jurisdictions. If a government agency wanted to take control of a Namecoin .bit domain name, for example, how could they? It is basically impossible for governments, courts, registries, or registrars to seize domain names in a decentralized system.
Department of Justice takes down 130 websites, Thanksgiving 2011
Seizing Entire Namespaces?
There are several types of extensions, and they are not all treated the same. The two letter country code domains (ccTLDs), such as .de (for Germany), are administered entirely as national governments decide. This is in stark contrast with how sponsored top level domains (sTLDs) are forced to abide by very restrictive terms and conditions.
Yet plaintiffs in a lawsuit are currently asking a US federal court to compel ICANN to seize control of the ccTLDs of Iran (.ir), Syria (.sy) and North Korea (.kp) to satisfy judgments against those nations. At stake is the fate of three entire namespaces, despite there being virtually no functioning websites in North Korea.
This raises legitimate questions about Internet governance. In a blockchain-based DNS, federal courts have no agency. Even in the case of BitShares DNS, where the underlying technology is being developed by a for-profit company, it seems that they cannot be compelled to intervene because they simply don't have that capability.
To whom is a particular domain name registered? Many would like to know. Registration data is generally stored by the registry operator, and can be accessed using a protocol called WHOIS. Providing accurate information including name, street address, and phone number is required by ICANN. Failure to comply is grounds for forfeiting the domain name.
The status quo is convenient for law enforcement to help locate lawbreakers. It also makes life easier for intellectual property holders to identify those who they believe to be infringing. The current system is also of great benefit to prospective buyers who wish to negotiate a domain name sale, or potentially to anyone interested in contacting the domain owner. But the status quo offers no good options for individual registrants to protect their private information.
In fact, the current scheme has serious disadvantages for individuals. We make a distinction between individual and corporate registrants because the latter can use corporate contact info, and no personal information is exposed. Individual domain owners are often targets for scammers because their personal information is required to be public. For example, an easy way to bootstrap a botnet intended for mass spamming is to harvest the millions of e-mail addresses publicly available in WHOIS records.
Over the years, registrars began to sell private registration services. This service typically involves replacing the ownership data on the official WHOIS record with that of the registrar. This scheme unfortunately requires the extension of even more trust.
Technically these registrars are in a position to make an ownership claim, which might be important if the owner disappears from public view. More troubling still is the notion that they keep the real ownership info in their database. These private details must be kept hidden from both misbehaving employees as well as hackers.
Two Systems Going in Different Directions
ICANN wants to replace the current system with one where more detailed contact information is required from registrants, but data lookup would be granted only for "permissible purposes" to authenticated and approved users. Despite thoughtful objections by the sole privacy advocate on the working group that came up with this proposal, both registrants and agents looking up information would need to be clearly identified in the latest proposed scheme.
Namecoin requires no information from the registrant to simply reserve a domain name. Possession of the private key corresponding to that domain’s address on the blockchain is the only thing required. Registrations are pseudonymous in that no identifying information is available by default, except that particular tokens can be tracked through the blockchain. With some effort, a registrant could come to posses tokens that could not be traceable back to any personal identifier.
But this is not an anomaly. According to project lead Nikolai Mushegian, "all domains are anonymous by default" in BitShares DNS, meaning that personal identifiers are only public record if the registrant chooses to provide that info. In their soon-to-be launched system, domain names will be pseudonymous, meaning that they are by default only associated with internal identifiers.
A registrant in either the Namecoin or BitShares DNS systems can provide specific contact details entirely at their discretion. Meanwhile ICANN steadily continues down the path of eroding user privacy in order to appease the interests of big business.
A quick reminder: This is a multipart series on decentralizing the Domain Name System. Stay tuned for the next installment as we explore how a decentralized DNS allows us to solve some of the most pressing online security issues we face today.
If you enjoyed this article and want to show your gratitude, you can do so by signing up with Let's Talk Bitcoin! using my referral code: http://letstalkbitcoin.com/?ref=52b52db8