[IP] Release 1-0 on piece on ICANN
Begin forwarded message:
From: Esther Dyson <edyson@xxxxxxxxxxxxx>
Date: December 2, 2004 5:07:50 PM EST
To: David Farber <dave@xxxxxxxxxx>
Subject: for IP - piece on ICANN
Dave -
from
www.release1-0.com/refer.cfm?
ref=IP&issue=AccNet120105&author=ED&location=freshproduce/article.cfm?
serialnum=FRP200412010000
The Accountable Net: Who Should Be Accountable?
Dec 01, 2004 By
<http://www.release1-0.com/contributors/contributor.cfm?
author_id=1>Esther Dyson
<http://www.release1-0.com/release1/abstracts.cfm?
Counter=4526287>EDitor's note: The current issue of
<http://www.release1-0.com/release1/abstracts.cfm?
Counter=4526287>Release 1.0 covers current industry (as opposed to
government) initiatives for a safer, less spam-ridden Net. E-mail
service providers and a variety of other players are getting together
to authenticate the sources of e-mail, thereby making mail senders more
accountable for their behavior. But they are only one part of a broader
web of parties that should be accountable if we want to take back the
Web for its users.
Two weeks ago, the Federal Trade Commission held a summit on e-mail
authentication in Washington, DC; the community of people who handle
bulk mail came together and agreed on standards and processes that
should help reduce the proliferation of spoofed mail and fraudulent
offers. This was a big, collective step in the right direction. (See
<http://www.release1-0.com/release1/abstracts.cfm?
Counter=4526287>Release 1.0 for a full analysis. See
<http://news.com.com/Hot+and+bothered+over+spam/2009-1032_3
-5453094.html>News.com for news coverage.)
But e-mail sender authentication alone won't solve the Net's fraud and
phishing problems - nor will any single thing. It requires a web of
accountability among a broad range of players. Yet this week there's
another meeting, in Cape Town, South Africa, that could make even more
of a difference...but it probably won't. That's a meeting of ICANN, the
Internet Corporation for Assigned Names and Numbers, the international
organization that sets and to some extent enforces policy for the
Domain Name System (DNS). The e-mail summit was about people's ability
to send e-mail; the ICANN meeting, in essence, is about people's
ability to have a presence in cyberspace.
The ability to have a presence should of course be available to anyone;
but the ability to act in cyberspace – for example, to collect
someone's personal information or their money – should be accompanied
by some accountability.
Please bear with me while I go into a little detail on how things work,
what the problem is – and how it could be addressed.
The DNS was set up back in the 70s (before it had a name) at a time
when most people online were trustworthy (or at least behaved that
way), and the number of individual consumers using the Net was small.
When ICANN was created in 1998 (I was founding chairman, 1998-2000), it
set about solving the most pressing problems – notably, privatization
of the DNS and the creation of an open, competitive market for domain
names. While ICANN is not a government organization - and should not be
- it has the responsibility of regulating the DNS and the organizations
that maintain the databases of names (registries) and those that
register them into the registries (registrars) according to policies
developed and agreed to by its members. Most of them would prefer to be
responsible players if the other guys were held to the same standards.
But instead of opening the Net up to serious competition among the
registries for top-level domains (TLDs), such as .com, .net or .jp (for
Japan), it focused on creating competition among registrars of
second-level domain names (SLDs) such as cnet.com. The registrars are
in essence retailers working with the wholesalers, who are the
registries (such as VeriSign and a few others) that control the TLDs.
The problem is, the registrars can't really differentiate their
product: They mostly sell the same TLDs from the same registries. They
can try to differentiate themselves on the basis of service to their
customers, the domain-name holders, but most of the competition among
registrars is on the basis of price and speed of service.
I won't go into most of the problems that has produced, but there is
one that extends outside the domain-name community, and that is that
domain names are so easily available that their use in committing fraud
is becoming a growing problem. Along with grandmothers, political
activists and honest entrepreneurs, fraudsters and criminals can buy an
online identity - that is, a domain name such as sleazyfisher.com or
sterlingstartup.net - for a few dollars. In fact, they can buy hundreds
of such names, use them for whatever purposes they please - such as
collecting individuals' identity information under false pretenses -
and abandon them hours later.
The solution, I believe, is to create a system where the registries can
compete with TLDs that stand for something and whose SLD-holders are
bound by some contract to specific standards of behavior. These
contracts would be different for each TLD, rather than the current
situation where most of the contracts are specified or ratified by
ICANN. For example, there would be .travel for travel operators vetted
by a travel-industry consortium (that's a real proposal before ICANN);
.fun, a hypothetical idea for edgy humor; or .safe, my basic proposal
here – and then the registrars can compete to work with those
registries whose policies they support (while the registries are free
to pick and choose only the registrars that they believe can uphold
their standards). That is, ICANN could foster the addition of new TLDs
that would face a market test of attracting users, rather than the
current bureaucratic tests currently necessary for the establishment of
a new TLD.
True, ICANN has allowed the creation of some new TLDs – notably .biz,
.info and .name, but none of them has gained much visibility or
differentiation, and the restrictions ICANN imposes has made it tough
for new registry entrants. In essence, by trying to make the market
open to everyone, ICANN restricts the ability of the TLDs to
differentiate themselves by discriminating in favor of specific kinds
or qualities of registrants. It's really hard to legislate goodness –
or to define it, for that matter. It's more effective, I believe, to
allow registries to compete on the basis of goodness, and then let
customers pick the kind of goodness they prefer.
In short, ICANN should consider a fundamental overhaul of the system -
not next year, but this year. It could start doing so at its meeting in
Cape Town this week, where it plans to consider its policies for new
registries – but the movement seems to be towards more bureaucracy
rather than less. It's not in ICANN's nature to act speedily; the
organization works through consensus policies, developed during a
tortuous "due process" of discussion, comments, postings and more
discussions. But that's all the more reason for those discussions to
begin now.
What exactly am I proposing? I'll be sending these comments as a memo
to ICANN's At-Large Advisory Committee, of which I am a departing
member, and to its board.
Action requires accountability
Originally, a domain name was a form of presence, a way to express
oneself, and a medium for freedom of speech and information. But it is
also, more and more frequently, a medium for collection of information
(and money). How can we foster freedom without allowing fraud free
rein? We can make identity freely available, but we can tie some
identities to specific, competing, "local" rules of behavior – and
users can choose, depending on the context.
Take the example of the e-mail community, which is developing a system
where authentication of mail servers is coupled with reputation systems
and recipient choices about what mail to accept. It's time for the
possibility of similar approaches to work for visits to websites.
Imagine a world where there's a new TLD; let's call it .safe. .safe
advertises itself as a TLD for domain-holders who are willing to
identify themselves, contract to engage in certain business practices,
and so forth. One TLD could be, for example, something similar to an
eBay, with its own reputation system and dispute-resolution service –
and, of course, government law enforcement at the sidelines. Companies
can register an SLD in the .safe TLD through a number of registrars;
those registrars are required – by the .safe registry, not by ICANN –
to go through a specific validation process so that .safe can make
promises to .safe website visitors that the site has been vetted by the
registry behind .safe.
That registry, for what it's worth, will need to be a fairly credible
organization itself. Perhaps it could be a credit-card company. But
note that .safe will not be alone. It will have to compete with other
security-conscious TLDs, such as, say, .bank (sponsored by a consortium
of banks). And it will differentiate itself from TLDs designed for
entertainment that offer advertiser-sponsored content and would never
ask for a consumer's credit card information.
Now, what does this mean for the various players?
For individual users, .safe is a sign that they can safely hand over
their credit card details and expect to receive what they were promised
in return. They can choose to buy from .safe merchants, or they can go
to familiar names they trust, such as gap.com, target.com, whatever.
They get a benefit, and no downside. They can also still visit all the
sites they want (with a variety of TLDs) not just for commerce, but for
news, political commentary, porn, sports videos, health information...
For the owners of trusted sites/SLDs such as gap.com, .safe is
unnecessary – and perhaps slightly unwelcome, since it levels the
playing field for smaller merchants who don't have a reputation but who
can rely on .safe to gain consumers' trust.
For those smaller (honest) merchants, .safe is an interesting
proposition. They know it will cost more to go through the .safe
vetting process (and they may have to put up a bond of some kind), but
they hope it will be worth it: more consumer trust (and business), and
ultimately a safer environment overall for e-commerce. Accountability
systems are not free, but they are more locally responsive than
government regulation. Just consider: Taxes are higher in a good
neighborhood, but you get to choose the neighborhood. The accountable
Net is a Net of neighborhoods, rather than a one-size-fits-all,
impossibly scaled global village. (What we actually seem to have is a
global urban-distress zone.)
For the credit-card companies, who are troubled by the prevalence of
fraud and phishing and who want consumers' trust, .safe is an
interesting idea...so much so that they might even be compelled to
support it. Anything that will increase consumer confidence and reduce
fraud is a good idea. Of course, the credit-card companies don't want
to train consumers to mistrust any non-.safe website, but that's a
challenge that .safe will have to overcome.
The existing registries, of course, may not immediately welcome .safe
either. But chances are they would appreciate the opportunity to open
new registries of their own, and to compete on the basis of something
other than price. Meanwhile, the very existence of .safe may cause them
to tighten up their own registration practices, or to promote their
registrants' websites to consumers as places where you can go to get
information but not to give out your own personal information.
The idea is not to create a one-size-fits-all, regulated Internet. In
fact, it's precisely the opposite. It's to create a differentiated,
more transparent Internet where individuals can trust the road signs.
They can choose what virtual neighborhood they want to venture into on
the basis of those road signs and the local regulatory regimes they
indicate. Want the official story? Try .gov. Want lots of edgy
information with little accountability? Try .rumor.
This system would not take away the possibility of anonymity, nor would
it force registrars to become agents of the police, the Motion Picture
Association of America, or any other body. Instead, ICANN would be
fostering a market where different policies can compete on the basis of
rules that may (or may not) be appealing to the ultimate users of
domain names – people who visit websites and who have varying degrees
of interest in who is behind them. (But users may end up choosing to
listen to music at a site where the downloads are certified not to
contain spyware or viruses...)
Some people think "the government" (or ICANN, for that matter) should
be regulating the behavior of all the entities on the Net. I don't
believe government (or ICANN) is up to that task, especially not on the
worldwide Net. But I do believe that the entities on the Net can
regulate one another, if systems are set up properly and if individuals
have the information they need to choose the peer-to-peer regulatory
system they prefer. Call the whole set-up "the accountable Net."
Real reputation-based and quality-controlled competition among TLDs
would not be a solution to everything, but it would be one more
important step towards cleaning up the Net. Either those who use domain
names need to be accountable to those they interact with, or those who
register the domain names need to be accountable for them, in a way
visible to individuals and the public. This accountability needs to be
specific and granular, so that one can separate the good from the bad.
Otherwise, the public will hold the Net as a whole accountable for the
actions of its malefactors.
Esther Dyson Always make new mistakes!
Editor, Release 1.0
CNET Networks - www.cnet.com
104 Fifth Avenue (at 16th Street)
New York, NY 10011 USA
+1 (212) 924-8800
www.edventure.com
current status (with pictures!) at http://www.flickr.com/photos/edyson/
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/