28 Abuse Prevention and Mitigation

Prototypical answer:

gTLD: .health
Full Legal Name: DotHealth, LLC
E-mail suffix: gmail.com

At DotHealth, LLC (“DotHealth”) our mission is to establish .health as a safe, trustworthy and secure top-level domain for global health stakeholders. As part of its enterprise commitment to abuse mitigation, DotHealth will utilize Neustar’s malicious monitoring and cyber-threat mitigation services. As the back-end registry service provider for .health, Neustar is at the forefront of the prevention of such abusive practices and is one of the few registry operators to have actually developed and implemented an active “domain takedown” policy. DotHealth and Neustar will also collaborate with LegitScript, LLC (“LegitScript”) on an exclusive enterprise basis for the .health TLD and in support of its abuse prevention and mitigation approaches. LegitScript is the healthcare industry’s leading provider of online fraud intelligence and monitoring services.

Numerous policies and procedures have been identified and shall be established and enforced to combat or prevent abusive, malicious or fraudulent activities that have a negative impact on Internet users and registrants. Affirmations of support for these policies and procedures have been secured from numerous global and regional health and wellness industry associations and non-governmental organizations, including the Inter-American College of Physicians, National Association of Boards of Pharmacy (NABP), the World Federation of Chiropractic, the Association of Black Cardiologists and the Regulatory Harmonization Institute, which have been described in DotHealth’s response to Question 18 and are affirmed in the attached exhibits.

In active coordination with Neustar and LegitScript, DotHealth will vigilantly monitor the .health namespace for the illicit promotion or sale of prescription drugs, controlled substances, tainted dietary supplements, ingredients for psychoactive highs, and others which have been validated by regulatory authorities as safety concerns. LegitScript is the only verification and monitoring service for Internet pharmacies recognized by the National Association of Boards of Pharmacy (NABP), the non-profit organization that represents the government agencies that license and regulate pharmacies and pharmacists in the US, Canada, and other jurisdictions. Major search engines and e-commerce providers including Google, Microsoft, and Amazon utilize LegitScript’s services to prevent “rogue” Internet pharmacies from operating in violation of applicable laws and regulations. LegitScript also works with multiple Registrars to verify violations of the Registrars’ Terms of Service.

Acceptable Use Policy
DotHealth will adopt and enforce compliance with an Acceptable Use Policy that clearly defines the types of activities that will not be permitted for users of the .health TLD. Each ICANN-Accredited Registrar must agree to pass through the Acceptable Use Policy to its Resellers (if applicable) and ultimately to all .health registrants:

This Acceptable Use Policy gives the .health registry the ability to quickly lock, cancel, transfer or take ownership of any .health domain name, either temporarily or permanently, if the domain name is being used in a manner that appears to threaten the stability, integrity or security of the Registry, or any of its registrar partners – and/or that may put the safety and security of any registrant or user at risk.
The process also allows the .health registry to take preventive measures to avoid any such criminal or security threats which may be triggered through a variety of channels, including, among other things, private complaint, public alert, government or enforcement agency outreach, and the ongoing monitoring by the Registry or its partners. In all cases, the Registry or its designees will alert Registry’s registrar partners about any identified threats, and will work closely with them to bring offending sites into compliance.

The following activities are subject to compliance with this policy:
• Phishing: the attempt to acquire personally identifiable information by masquerading as a website other than .health.
• Pharming: the redirection of Internet users to websites other than those the user intends to visit, usually through unauthorized changes to the Hosts file on a victim’s computer or DNS records in DNS servers.
• Dissemination of Malware: the intentional creation and distribution of “malicious” software designed to infiltrate a computer system without the owner’s consent, including, without limitation, computer viruses, worms, key loggers, and Trojans.
• Fast Flux Hosting: a technique used to shelter Phishing, Pharming and Malware sites and networks from detection and to frustrate methods employed to defend against such practices, whereby the IP addresses associated with fraudulent websites are changed rapidly so as to make the true location of the sites difficult to find.
• Botnetting: the development and use of a command, agent, motor, service, or software which is implemented: (1) to remotely control the computer or computer system of an Internet user without their knowledge or consent, (2) to generate direct denial of service (DDOS) attacks.
• Malicious Hacking: the attempt to gain unauthorized access (or exceed the level of authorized access) to a computer, information system, user account or profile, database, or security system.
• Child Pornography: the storage, publication, display and/or dissemination of pornographic materials depicting individuals under the age of majority in the relevant jurisdiction.
• Illicit Promotion or Sale of Harmful Substances: the illicit promotion or sale of prescription drugs, controlled substances, tainted dietary supplements, ingredients for psychoactive highs, and others which have been validated by regulatory authorities as safety concerns.

The Registry reserves the right, in its sole discretion, to take any administrative and operational actions necessary, including the use of computer forensics and information security technological services, among other things, in order to implement the Acceptable Use Policy. In addition, the Registry reserves the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, in its discretion: (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of Registry as well as its affiliates, subsidiaries, officers, directors, and employees; (4) per the terms of the registration agreement; or (5) to correct mistakes made by the Registry or any Registrar in connection with a domain name registration. Registry also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute.

Domain Name Takedown Processes and Procedures
Because domain names are sometimes used as a mechanism to enable various illegitimate activities on the Internet, often the best preventative measure to thwart these attacks is to remove the names completely from the DNS before they can impart harm to unsuspecting Internet users. DotHealth’s back end registry partner, Neustar, is one of only a few registry operators to have actually developed and implemented an active “domain takedown” policy in which the registry itself takes down abusive domain names. Neustar’s approach is quite different from a number of other gTLD Registries and the results have been unmatched. For the .health TLD, Neustar will target verified abusive domain names and remove them within 12 hours regardless of whether or not there is cooperation from the domain name registrar. Given their potentially harmful implications, removing such threats from the consumer outweighs any potential damage to the registrar/registrant relationship. Removing the domain name from the zone has the effect of shutting down all activity associated with the domain name, including the use of all websites and e-mail.

Rapid Takedown Process
DotHealth and Neustar have a defined and documented process for taking the necessary action of removing a domain from the zone when its presence in the zone poses a threat to the security and stability of the infrastructure of the Internet or the registry. Since implementing malicious monitoring service-levels, Neustar has developed two basic variations of the process. The more common process variation is a lightweight process that is triggered by “typical” notices. The less-common variation is the full process that is triggered by unusual notices. These notices tend to involve the need for accelerated action by the registry in the event that a complaint is received by Neustar which alleges that a domain name is being used to threaten the stability and security of the .health TLD, or is part of a real-time investigation by law enforcement or security researchers.

Lightweight Process
In addition to having an active Information Security group that, on its own initiative, seeks out abusive practices in the .health TLD, Neustar is an active member of a number of security organizations that have the expertise and experience in receiving and investigating reports of abusive DNS practices, including but not limited to the Anti-Phishing Working Group, Castle Cops, NSP-SEC, the Registration Infrastructure Safety Group and others. Each of these sources is a well-known security organization that has developed a reputation for the prevention of harmful agents affecting the Internet. Aside from these organizations, Neustar also actively participates in privately run security associations whose basis of trust and anonymity makes it much easier to obtain information regarding abusive DNS activity.

Once a complaint is received from a trusted source or third party, or detected by Neustar’s internal security group, information about the abusive practice is forwarded to an internal mail distribution list that includes members of the operations, legal, support, engineering, and security teams for immediate response (“CERT Team”). Although the impacted URL is included in the notification e-mail, the CERT Team is trained not to investigate the URLs themselves, since the URLs in question often have scripts, bugs, etc. that can compromise the individual’s own computer and the network safety. Rather, the investigation is done by a few members of the CERT Team who are able to access the URLs in a laboratory environment so as to not compromise the Neustar network. The lab environment is designed specifically for these types of tests and is scrubbed on a regular basis to ensure that none of Neustar’s internal or external network elements are harmed in any fashion.

Once the complaint has been reviewed and the alleged abusive domain name activity is verified to the best of the ability of the CERT Team, the sponsoring registrar is given 12 hours to investigate the activity and either take down the domain name, by placing the domain name on hold or by deleting the domain name in its entirety, or provide a compelling argument to the registry to keep the name in the zone. If the registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), Neustar places the domain on “ServerHold”. Although this action removes the domain name from the .health TLD zone, the domain name record still appears in the .health TLD WHOIS database so that the name and entities can be investigated by law enforcement should they desire to get involved.

Full Process
In the event that DotHealth and/or Neustar receives a complaint which claims that a domain name is being used to threaten the stability and security of the .health TLD or is a part of a real-time investigation by law enforcement or security researchers, Neustar follows a slightly different course of action. Upon initiation of this process, members of the CERT Team are paged and a teleconference bridge is immediately opened up for the CERT Team to assess whether the activity warrants immediate action. If the CERT Team determines the incident is not an immediate threat to the security and the stability of critical internet infrastructure, they provide documentation to the Neustar Network Operations Center to clearly capture the rationale for the decision and either refer the incident to the Lightweight process set forth above or, if no abusive practice is discovered, close the incident. However, if the CERT Team determines there is a reasonable likelihood that the incident warrants immediate action as described above, a determination is made to immediately remove the domain from the zone. As such, Customer Support contacts the responsible registrar immediately to communicate that there is a domain involved in a security and stability issue. The registrar is provided only the domain name in question and the broadly stated type of incident. Given the sensitivity of the associated security concerns, it may be important that the registrar not be given explicit or descriptive information in regards to data that has been collected (evidence) or the source of the complaint. The need for security is to fully protect the chain of custody for evidence and the source of the data that originated the complaint.

Additional Abuse Mitigation Procedures and Measures

Abuse Point of Contact
As required by the Registry Agreement, DotHealth, LLC (“DotHealth”) will establish and publish on its website a single abuse point of contact responsible for addressing inquiries from law enforcement and the public related to malicious and abusive conduct. DotHealth will also provide such information to ICANN prior to the delegation of any domain names in the .health TLD. This information shall consist of, at a minimum, a valid e-mail address dedicated solely to the handling of malicious conduct complaints, and a telephone number and mailing address for the primary contact. We will ensure that this information will be kept accurate and up to date and will be provided to ICANN if and when changes are made. In addition, with respect to inquiries from ICANN-Accredited registrars, our back-end registry service provider, Neustar, shall provide an additional point of contact, as it does today, handling requests by registrars related to abusive domain name practices.

Measures for Removal of Orphan Glue Records
As the Security and Stability Advisory Committee of ICANN (SSAC) rightly acknowledges, although orphaned glue records may be used for abusive or malicious purposes, the “dominant use of orphaned glue supports the correct and ordinary operation of the DNS.” See http://www.icann.org/en/committees/security/sac048.pdf. While orphan glue often supports correct and ordinary operation of the DNS, we understand that such glue records can be used maliciously to point to name servers that host domains used in illegal phishing, bot-nets, malware, and other abusive behaviors. Problems occur when the parent domain of the glue record is deleted but its children glue records still remain in DNS. Therefore, when the .health TLD Registry has written evidence of actual abuse of orphaned glue, the Registry will take action to remove those records from the zone to mitigate such malicious conduct. For the .health TLD, Neustar will run a daily audit of entries in its DNS systems and will compare those with its provisioning system. This serves as an umbrella protection to make sure that items in the DNS zone are valid. Any DNS record that shows up in the DNS zone but not in the provisioning system will be flagged for investigation and removed if necessary. This daily DNS audit serves to not only prevent orphaned hosts but also other records that should not be in the zone. In addition, if either DotHealth or Neustar becomes aware of actual abuse on orphaned glue after receiving written notification by a third party through its Abuse Contact or through its customer support, such glue records will be removed from the zone.
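
The daily zone-versus-provisioning comparison described above can be illustrated with the following added sketch, which is not part of the application and is not DotHealth’s or Neustar’s code. The record layout, function names and sample zone data are all assumptions constructed for the illustration; it reports records absent from provisioning and, separately, glue whose parent domain is no longer registered together with the delegations that still rely on it.

```python
# Added sketch of a zone-vs-provisioning audit. All names and data are constructed.
from dataclasses import dataclass

TLD = "health"

@dataclass(frozen=True)
class Record:
    owner: str   # lower-case, no trailing dot
    rtype: str   # "NS", "A" or "AAAA"
    rdata: str

def parse_zone(text):
    """Parse 'owner TYPE rdata' lines, ignoring blanks and ';' comments."""
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            owner, rtype, rdata = line.split()
            records.add(Record(owner.lower().rstrip("."), rtype.upper(),
                               rdata.lower().rstrip(".")))
    return records

def registered_parent(host):
    """Second-level domain under the TLD that a host name sits beneath."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 and labels[-1] == TLD else None

def expected_records(domains, hosts):
    """Records the provisioning system says should be published."""
    expected = {Record(d, "NS", ns) for d, nss in domains.items() for ns in nss}
    for host, addrs in hosts.items():
        expected |= {Record(host, "AAAA" if ":" in a else "A", a) for a in addrs}
    return expected

def audit(zone, domains, hosts):
    """Return (unprovisioned, orphan_glue) for one audit run."""
    unprovisioned = zone - expected_records(domains, hosts)
    orphan_glue = {}
    for rec in zone:
        parent = registered_parent(rec.owner)
        if rec.rtype in ("A", "AAAA") and parent and parent not in domains:
            # Delegations still resolving through this glue: removing it breaks them.
            orphan_glue[rec] = sorted(r.owner for r in zone
                                      if r.rtype == "NS" and r.rdata == rec.owner)
    return unprovisioned, orphan_glue

ZONE_TEXT = """
clinic.health      NS  ns1.clinic.health.
ns1.clinic.health  A   192.0.2.10
pharma.health      NS  ns1.gone.health.   ; delegation relying on orphan glue
ns1.gone.health    A   192.0.2.66         ; parent gone.health was deleted
stale.health       NS  ns.example.net.    ; never provisioned
"""
DOMAINS = {"clinic.health": ["ns1.clinic.health"], "pharma.health": ["ns1.gone.health"]}
HOSTS = {"ns1.clinic.health": ["192.0.2.10"], "ns1.gone.health": ["192.0.2.66"]}

if __name__ == "__main__":
    unprovisioned, orphans = audit(parse_zone(ZONE_TEXT), DOMAINS, HOSTS)
    for rec in sorted(unprovisioned, key=lambda r: r.owner):
        print("FLAG not in provisioning:", rec)
    for rec, users in orphans.items():
        print("ORPHAN GLUE:", rec, "still used by", users or "no delegation")
```

In the constructed data the orphaned glue record is still present in provisioning and still serves a live delegation, which is the ordinary-operation case SSAC describes; the audit surfaces it for review rather than removing it automatically.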

Measures to Promote WHOIS Accuracy
DotHealth acknowledges that ICANN has developed a number of mechanisms over the past decade that are intended to address the issue of inaccurate WHOIS information. Such measures alone have not proven to be sufficient and DotHealth will offer a mechanism whereby third parties can submit complaints directly to the Applicant (as opposed to ICANN or the sponsoring Registrar) about inaccurate or incomplete WHOIS data. Such information shall be forwarded to the sponsoring Registrar, who shall be required to address those complaints with their registrants. Thirty days after forwarding the complaint to the registrar, DotHealth will examine the current WHOIS data for names that were alleged to be inaccurate to determine if the information was corrected, the domain name was deleted, or there was some other disposition. If the Registrar has failed to take any action, or it is clear that the Registrant was either unwilling or unable to correct the inaccuracies, Applicant reserves the right to suspend the applicable domain name(s) until such time as the Registrant is able to cure the deficiencies.

In addition, DotHealth shall on its own initiative, no less than twice per year, perform a manual review of a random sampling of .health domain names to test the accuracy of the WHOIS information. Although this will not include verifying the actual information in the WHOIS record, DotHealth will be examining the WHOIS data for prima facie evidence of inaccuracies. In the event that such evidence exists, it shall be forwarded to the sponsoring Registrar, who shall be required to address those complaints with their registrants. Thirty days after forwarding the complaint to the registrar, the Applicant will examine the current WHOIS data for names that were alleged to be inaccurate to determine if the information was corrected, the domain name was deleted, or there was some other disposition. If the Registrar has failed to take any action, or it is clear that the Registrant was either unwilling or unable to correct the inaccuracies, DotHealth shall reserve the right to suspend the applicable domain name(s) until such time as the Registrant is able to cure the deficiencies.
Regular monitoring of registration data for accuracy and completeness, employing authentication methods, and establishing policies and procedures to address domain names with inaccurate or incomplete WHOIS data.

Resourcing Plans

For the .health TLD, responsibility for abuse mitigation rests with a variety of functional groups within Neustar. The Abuse Monitoring team is primarily responsible for providing analysis and conducting investigations of reports of abuse. The customer service team also plays an important role in assisting with the investigations, responding to customers, and notifying registrars of abusive domains. The necessary resources from Neustar will be pulled from the pool of available resources described in detail in the response to Question 31.

The following resources are available from Neustar’s various teams:

• Customer Support – 12 employees
• Policy/Legal – 2 employees

LegitScript’s enterprise service-levels in support of abuse mitigation will be provided to DotHealth on an outsourcing basis. Resource allocation for these services is assumed in the financial models as an outsourced cost which is expected to increase in conjunction with registration volume and overall growth of the .health TLD.
