26 September 2009

dot au DNS Industry

The Supreme Court of Victoria in Australian Style Pty Ltd v .au Domain Administration Limited [2009] VSC 422 has upheld a decision by auDA, the dot-au regulator, to restrict the activity of registrar Bottle Domains, controlled by controversial entrepreneur Nicholas Bolton.

Bolton had earlier gained national attention over his efforts, through his company Australian Style, to wind up Multiplex Prime Property Fund and BrisConnections. The latter is of particular interest to me as an illustration of identity issues, because some investors had sought to evade liabilities by ostensibly transferring their stake in the ailing infrastructure company to individuals by the name of M Mouse and D Duck.

In January this year the Australian Federal Police (AFP) investigated hacking of Australian Style's customer database and that of its subsidiary Bottle Domains. Credit card information from the databases had been put up for sale on the internet. It is reported that personal details from 40,000 of Australian Style's 60,000 customers were downloaded, including the complete credit card details of some 25,000 people.

The good news is that a 22 year old Perth man was arrested over the hacking and has been charged with dishonestly dealing in personal financial information. The bad news is that auDA, in investigating the incident (alerted by the AFP's Australian High Tech Crime Centre in accord with a standard information exchange protocol) and the registrar's handling of the data breach, discovered that the first breach of the Bottle Domains customer database had occurred in 2007. Bolton and Bottle Domains had failed to notify auDA of that breach.

As a consequence of that failure, auDA invoked its agreement with registrars in terminating the accreditation of Bottle Domains. Activity as a dot-au registrar (ie popularly, albeit inaccurately, known as 'selling' .au names) is dependent on the registrar's compliance with conditions in that registrar agreement. auDA has the power, under contract law - consistent with the safety-net authorisation provided by the Telecommunications Legislation Amendment Act 2000 (Cth) - to terminate the accreditation of registrars. Termination is an appropriate action by auDA in carrying out its responsibilities.

Bolton responded by taking auDA to court, with Justice Hargrave ruling in favour of the regulator. Bottle Domains will no longer be able to operate as a registrar for dot-au domain names. Three other domain name registrars controlled by Bolton (eg Domain Central and Explorer Domains) will be reviewed by auDA, which has questioned his actions after the discovery of three separate security breaches.

The case is interesting because auDA had ordered Bolton to warn his customers of the security breaches. The Court found that he had changed the agreed wording of that letter and had deliberately omitted a warning for customers to monitor their credit card details and accounts. Justice Hargrave stated that those changes had "the obvious intention of downplaying the seriousness of the security breach".

The Court was critical of Bolton's handling of the breaches, stating that Bolton delayed handing over credit card information to the AFP - "This is an early example of Mr Bolton seeking to downplay any risk that credit card information had been or may be fraudulently used".

It appears to have been unimpressed by Bolton's explanation that he sent the wrong letter to customers as a result of a "cut-and-paste error" caused by having two versions of the letter open on his computer screen. That explanation, used by some law undergrads in plagiarism mode, was described by Justice Hargrave as "improbable".

In my view, whatever work pressures may have presented themselves to Mr Bolton and Mr Steven at this time, it is highly unlikely that they would have authorised the defective e-mail to be sent if they had read it before sending it to the responsible staff for despatch. There are very significant differences between the amended e-mail and the defective e-mail. The e-mail was being sent to approximately 40,000 registrants about a serious matter. It is highly unlikely that Mr Bolton would not have noticed that the e-mail he was authorising to be sent was not in the form of the amended e-mail. After all, only a few hours earlier he had proposed a critical amendment to the agreed e-mail, by the deletion of the reference to the need for registrants to carefully monitor their credit card transactions.

The Court stated that the 'error' was "a deliberate decision", that Bolton had "failed to act in good faith" and had demonstrated "an extraordinary indifference to the effect of credit card fraud upon its victims". Timely notification of the initial security breach might have prevented the later misuse of the credit card details.

The case is also of interest as a demonstration of auDA's authority in relation to registrars, as a court's interpretation of obligations in the registrar agreement, and as an illustration of bad practice in parts of the DNS industry (eg among some dot au registrars).