There has been increasing interest in the topic of Internet Governance (IG). On a global level, we have the World Summit on the Information Society (WSIS) +20 Review; at the local level, many governments are starting to enact local legislation that regulates activities on the Internet. The best practice for governance of the Internet remains a bottom-up, multistakeholder, consensus-based model, in which governments are one of the important stakeholders alongside the technical community and others. Some, however, contend that the model has been slow to resolve some of the latest governance issues, with DNS abuse (phishing, pharming, botnets, malware, and spam as a vector for the above) being one of the most discussed topics. Regardless of whether this is accurate or not, we have seen an influx of local and regional government regulations challenging the bottom-up IG philosophy. It is now critical for the IG ecosystem to collectively defend and create a workable solution to address these issues. This will reinforce the vibrancy of a bottom-up, community-led multistakeholder governance model.
It is against this background that we are building a Trusted Notifier network in the Asia Pacific (APAC) region. Trusted Notifier is one of the solutions initially proposed by the domain name industry to address DNS abuse and website content abuse questions that fall within its respective policies as part of a decentralized approach, avoiding the call for ICANN to regulate content abuse that falls outside the organization’s remit. The concept of a Trusted Notifier network has existed for many years and has been recognized as a best practice by the registry and registrar community.
In the domain name industry, Trusted Notifiers can be defined as designated entities for alerting registries and registrars about alleged malicious online activities such as illegal activity, content, and/or DNS abuse associated with a domain name. These reports will be reviewed by the registries/registrars through an expedited process.
We believe there are a few important success criteria for a Trusted Notifier network:
1. Commercially viable
The Internet community has always addressed the DNS abuse issue under the “social responsibility” paradigm, which means that registries and registrars have built their internal governance and audit teams as a “cost center” out of goodwill. As DNS abuse increases, so do the costs for registries and registrars to address and mitigate such issues. We want to approach the Trusted Notifier network differently, by focusing more on practicality and cost-efficiency. We believe that a properly built Trusted Notifier network should be able to lower the cost of combating DNS abuse.
2. Active planning
There are many aspects to consider for a Trusted Notifier network. For example, how can the trustworthiness of a Trusted Notifier be evaluated? What kind of notifier error rate (i.e. false positives) would be acceptable? Should/can we share the data across the wider Trusted Notifiers network? What is the process to “distrust” a Trusted Notifier if needed?
The Trusted Notifier framework should also focus on reducing operational costs for registries and registrars when combating DNS abuse, while still protecting the rights of domain name holders/registrants. The framework should also consider distributing legal risks and requirements across the registries and registrars and the Trusted Notifier.
There will be no answers to these questions until we build a strong network across the region and more data is available for analysis and decisions. Therefore, we opt to employ an active planning approach where interested parties sign up for bilateral arrangements. With multiple relationships (e.g. through a Memorandum of Understanding (MoU)) established, together we could further develop into a Trusted Notifier network. We will then cooperate to test and improve the Trusted Notifier network concept.
3. Resolve actual problem
A goal for building the Trusted Notifier network is to refresh the bottom-up, community-led, multistakeholder model, to effectively address some of the sensitive issues raised by governments and the wider society. As such, the program must be able to address actual and practical issues. The Trusted Notifier network in Taiwan has already partially integrated with another local program, DNS Response Policy Zone (RPZ), to address phishing issues within Taiwan. This could be a model for future Trusted Notifier networks where we integrate with the wider community to ensure optimal effectiveness of the network, which should reduce the need for further legislative interventions.
4. Beyond the domain name industry
For the program to be effective, it is also very important for the Trusted Notifier network to extend beyond just the domain name industry. The wider community in the Internet space needs to be included in the discussions of addressing cybersecurity threats. No Internet issues are purely technical as the Internet is a communication tool for human beings.
The Trusted Notifier network should also involve hosting providers, Computer Emergency Response Teams (CERTs), or even social media platforms so that we can address Internet governance issues collectively. Currently in the region, we have already seen LINE Taiwan Limited and Indonesia CERT (ID-CERT) joining the Trusted Notifier network. Both entities have signed the Trusted Notifier Memorandum of Understanding (MoU) at the ICANN APAC DNS Forum 2024 hosted in Bali, Indonesia.


Call to Action
We hope that the Trusted Notifier network in the APAC region will continue to grow and expand as we collectively address and mitigate security threats online. Fostering that growth requires all of us. We therefore call on additional organizations and companies to participate in the Trusted Notifier network. Further to this blog, you may also find this info page useful. If you are interested in joining the Trusted Notifier network, please reach out to us with any questions or suggestions.