13 April 2018

Domains and Squatters

The AIC research report by Tony Krone and Russell Smith on Criminal misuse of the Domain Name System comments
The DNS is a naming system for resources, such as personal computers or other devices, that connect to the internet via the World Wide Web. It coordinates internet addresses and domain names—the two kinds of unique identifiers that make internet connection possible. The study was funded by the auDA Foundation, which was established by the .au Domain Administration (auDA), the policy authority and industry self-regulatory body for the .au domain space in Australia. The aim was to support the objective of the Foundation by ‘promoting and encouraging educational and research activities that will enhance the utility of the Internet for the benefit of the Australian community’ (auDA Foundation 2015).
Methodology
Public source, non-technical literature was comprehensively reviewed to identify instances of DNS misuse, the risks that led to the commission of these instances, and the crime prevention and regulatory measures available to address the problem. The study was particularly focused on exploring existing legal and criminological frameworks that could be used to conceptualise the problem of DNS misuse and provide a framework for developing effective control strategies.
The literature review was international and examined English-language resources including academic sources, legal databases and relevant policy documents. The review primarily focused on the risks of misuse of the DNS from an Australian perspective although, due to the global nature of the internet, all legitimate users would benefit in many ways from a more secure and trusted domain name system, both as domain name owners and consumers.
Scope
The results address current identified risks, but they could also inform further and more detailed cross-disciplinary research into the nature of the problem and appropriate solutions. The research was not intended to be an overly technical examination of the problem and does not address the architectural or programming features of particular examples of misuse. Rather, it explores the issue from a policy perspective that will be beneficial in devising appropriate legal and policy responses.
The research looks at the connections that exist between various forms of misuse and DNS governance. The discussion explores the internet as a network of networks based on an addressing system known as the Internet Protocol (IPv4 and IPv6), which creates IP addresses for resources within the DNS and is focused on what might be called the ‘open web’ or the World Wide Web (the public internet) most users commonly access when using the DNS. Resources which are accessed via the public internet, but located behind a barrier such as a paywall or an account login for hosted services, are included in the research. These hosted resources are from the DNS core and so are not directly subject to DNS regulation, but rather are immediately subject to any regulation the host imposes or any conditions imposed on the hosting service. Regulation at the level of a hosting service varies, and debate about whether service providers are responsible for the online activities of those who use their services continues. The report deals briefly with resources that are essentially invisible to or hidden from the open internet, or that cannot be accessed directly from the public internet. While these parts of the internet present the majority of regulatory challenges and are of significant concern for law enforcement, they are not analysed in detail in this report as they are too far removed from the limited scope of regulation through the operation and governance of the DNS.
Research questions
These questions formed the basis of the current research.
• What is the DNS and how does it operate within the framework of internet governance?
• How has the DNS been misused for criminal purposes?
• What is known about perpetrators of DNS misuse? That is:
  – What are their motivations and what benefits did they obtain?
  – What are their countries of origin?
  – Do they operate alone or with others?
  – Why did they select the targeted domain name?
  – How have instances of DNS misuse been dealt with and what were the outcomes of any investigations?
• What crime prevention strategies do domain name owners, DNS server owners and registrars currently use to prevent DNS misuse?
• What other crime reduction strategies could be implemented to prevent misuse of the DNS?
Findings
Background
This section explains the internet’s development and operation and reviews the environment in which criminal misuse of the DNS has emerged. It explains the internet’s infrastructure and discusses the operation and governance of the DNS, highlights weaknesses in the regulatory framework that increase the potential for misuse, and identifies the strengths that may help prevent misuse. The internet’s nature and its governance structures result in weak regulatory responses to misuse of the DNS.
Criminal misuse of the DNS
This section explores criminal misuse of the DNS by firstly considering illegal acts that do not amount to cybercrime offences, including property offences like the theft of hardware and domain names, and, secondly, misuse that falls within the general classification of cybercrime. It presents a tentative analytical model that relates forms of misuse to particular aspects of the DNS, namely to:
• the DNS architecture;
• domain names (or domains);
• domains as virtual spaces; and
• other layers at some remove from the DNS.
This model helps to explain misuse occurring within the architecture of the internet (software engineering) as well as misuse facilitated through human interaction (social engineering). The section then examines opportunities for misuse in terms of the DNS’ primary purpose, which is to overcome restrictions created by the internal architecture of the early internet. This misuse concerns how machines use internet addressing to make connections between resources. Misuse through software engineering is further classified according to whether the DNS is itself the target of misuse or is used to facilitate other offending; facilitating other offending may involve misusing the DNS as a mechanism to do harm, a vector to transmit harm or a platform from which to commit harm.
The outward appearance and presentation of the internet for human users is then considered. A division can be drawn between misuse intended to manipulate machines through software engineering and misuse intended to manipulate people through social engineering. To distinguish between abuses of the DNS and abuses that exploit applications layered above the DNS, DNS misuse may also be categorised according to the architecture of the internet. This helps identify who could potentially prevent misuse and potential points for regulatory intervention.
Perpetrators of misuse
The many and varied forms of DNS misuse identified in this study make it difficult to describe a typical offender or criminal justice response, particularly given the absence of criminological research in this area. The limited research so far conducted has found a high incidence of organised crime activity. This often involves loose groups of people, usually young men with limited technical abilities who rely on online guidance. Perpetrator profiles also differ according to the extent of the perpetrator’s involvement in the darkweb. There is limited evidence to indicate where those misusing the DNS are located.
Legal responses to DNS misuse
Although some instances of misuse can be addressed through the criminal justice system, there are many impediments to harnessing the criminal courts as a regulatory response. Few conventional crime categories are relevant apart from, arguably, some property crime offences such as theft of domain names, or the criminal infringement of intellectual property rights. Of greater relevance are specific offences created under cybercrime legislation that governs unauthorised access to networks, data interference and acts of online dishonesty associated with domain name misuse. There are also criminal offences arising from social engineering, including identity misuse, misleading and deceptive conduct, and fraud. To date, these have not been used due to problems of evidence and proof, jurisdiction, and the limits of law enforcement resources in identifying suspects, seeking mutual legal assistance and mounting prosecutions. Over time, as the jurisprudence of DNS criminality develops, criminal proceedings may be more successful. Whether this would deter criminals from committing DNS crime remains conjectural.
In addition to criminal justice responses to DNS misuse, there are a number of avenues for redress through the use of the civil laws relating to obligations and intellectual property. ‘Webjacking’, and disputes about the registration of domain names that could lead to legal action about ‘cybersquatting’ or ‘domain name squatting’, can be resolved by taking action under the Uniform Domain-Name Dispute-Resolution Policy (UDRP) adopted by domain name registrars. In appropriate cases of infringement of contractual rights or intellectual property related to registered names, where economic loss can be quantified and proved, civil action can be taken in relation. Where business interests are at stake, injunctive relief can also be useful.
Preventing misuse of the DNS
A number of environmental crime prevention strategies could be used to reduce the harms associated with DNS misuse, including routine activities theory, crime pattern theory and rational choice theory. Crime prevention is considered by reference to various regulatory touchpoints within DNS regulation. Importantly, these regulatory touchpoints often lie outside the scope of national laws, which creates opportunities for exploiting regulatory weaknesses for criminal purposes. Some strategies to reduce the risk of DNS abuse include:
• enhancing identification checks when registering domain names;
• using Domain Name System Security Extensions;
• making DNS abuse less profitable by coordinating reporting mechanisms and controlling online profit centres;
• neutralising offender rationalisations; and
• improving user education on the risks of DNS misuse.
Conclusions
The DNS is fundamental to the functioning of the internet, and its potential for misuse is one of the most important legal and regulatory challenges facing internet governance in the years ahead. A failure of the DNS would impede machine-to-machine communication, and make it difficult for users to navigate the internet.
However, the capacity to regulate possible misuse of the DNS is limited. While the DNS requires centralised authority, no single global entity is responsible for the regulation of all its aspects. This is because regulation of the DNS, like other aspects of the internet, occurs under a multistakeholder model of governance and a distributed administration model. It is also a result of the fact that much of what happens on the internet is beyond the jurisdictional reach of the criminal law of individual nations.
Nonetheless, regulating DNS registration and addressing the security weaknesses of internet architecture would provide some limited means of controlling the environment to prevent criminal misuse of the DNS and the internet. Although there will always be a place for criminal justice responses to internet abuse, in the global regulatory environment in which the DNS operates prosecution of DNS misuse will be difficult, and is likely to be reserved for the most serious and obvious infringements. As with other online crime, enacting a uniform set of policies to prevent misuse before it arises is likely to be the most effective strategy.
The 2018 WIPO report on cybersquatting indicates that banking and finance (12% of all cases), fashion, and 'internet and IT' accounted for around one-third of all cybersquatting disputes handled by WIPO’s Arbitration and Mediation Center in 2017. Trade mark owners filed 3,074 cases under the Uniform Domain Name Dispute Resolution Policy (UDRP). Cybersquatting disputes relating to new generic Top-Level Domains (New gTLDs) accounted for more than 12% of WIPO’s 2017 caseload (some 6,370 domain names), with registrations in the .STORE, .SITE, and .ONLINE new gTLDs the most commonly disputed.

WIPO Director General Francis Gurry states
By abusing trademarks in the Domain Name System, cybersquatting undermines legitimate commerce and harms consumers. This is true especially where squatters use domain names to offer counterfeit goods or for phishing, as is seen in numerous WIPO cases. The availability of the highly effective UDRP procedure is an indispensable support for the credibility of commerce on the Internet and for protection against fraudulent practices.
The US (with 920 cases filed in 2017) remained the country where most WIPO UDRP cases originated, followed by France (462), the UK (276), Germany (222) and Switzerland (143). Complainants asserted fraud, phishing or scam in almost one-third of banking and finance-related decided cases filed in 2017.

WIPO notes that Philip Morris leads the list of filers with 91 cases, followed by Michelin, Electrolux, Andrey Ternovskiy (Chatroulette), Sanofi, Zions Bank, Carrefour, Virgin, Accor, BASF and LEGO.

09 April 2018

Designs and the Hague Agreement

IP Australia has released an economic analysis of the costs and benefits to Australia of joining the Hague Agreement Concerning the Registration of Industrial Designs.

The report states
The report assesses the impacts with reference to the Productivity Commission’s (PC) guiding principles of effectiveness, efficiency, adaptability and accountability. This report is intended to form part of the evidence base in relation to whether Australia should join the Hague Agreement. In addition to feedback on this report, we are seeking feedback on any unquantified impacts, not limited to those acknowledged in the report, and welcome case studies and any experience users of the Hague system, or applicants for design overseas have had. Joining the Hague Agreement would enable Australian designers easier access to international markets by allowing them to file a single design application to gain protection in 68 countries and regions. Joining would also require Australia to increase its maximum term of protection for designs from 10 to 15 years, at a minimum. Both the former Advisory Council on Intellectual Property (ACIP) and the PC considered that a cost-benefit analysis should be conducted before the Australian Government decides whether to join the Hague Agreement. In their final report, the PC urged caution - advising a “wait and be convinced” approach.
Under the proposed methodology, it appears that the economic costs to Australia of joining the Hague Agreement outweigh the benefits. The net benefits to Australian applicants are outweighed by significant net costs to Australian consumers (with IP professionals and the Australian Government being subject to smaller net costs). Some costs and benefits are not as easily assessed, and were not quantified in the current analysis, but could affect the net outcome over time. The objective of providing a fertile ground for innovators that is adequately balanced with costs to consumers is an issue requiring careful and ongoing calibration. Realistically, these costs and benefits might only be assessed and quantified at a later date should Australia join the Hague Agreement. Furthermore, we acknowledge that there may be additional evidence gathered in the future which will necessitate further analysis of the potential impacts.
The results are driven by the fact that non-residents currently file almost three times more designs into Australia than resident Australians file abroad, and non-residents maintain these registrations longer on average. Based on the cost-benefit methodology adopted in this report, joining the Hague Agreement could increase this disparity. The report takes account of the fact that accession to the Hague Agreement should also make it easier for Australian residents to file abroad into multiple jurisdictions. The methodology tries to forecast the impact on Australia based on the experience of other Hague accession countries, taking the most positive and negative experiences of other accession countries and using these as the upper and lower bound of what might occur if Australia joined the Hague Agreement.
ACIP concluded that “a significant uplift in international usage would support Australia joining” the Hague Agreement. Despite the United States of America, Japan, and Republic of Korea recently joining, less than 10 per cent of global non-resident design applications were filed through the Hague Agreement in 2016. A number of countries are expected to join in the future, including the People’s Republic of China, Canada and Thailand. These accessions will impact upon any future cost-benefit analysis and may make it more beneficial for Australia to join. This report notes that under certain circumstances, Australian applicants can file design applications through the Hague Agreement already, despite Australia not being a signatory. This pathway is available to Australian applicants that have a residence or an establishment in a member country. Increased awareness of this existing avenue may hold additional benefits to Australia and designers alike.
The report argues -
Net cost to Australia of joining the Hague Agreement at present 
The net present cost to Australia is estimated to be between approximately $25 million and $124 million over ten years, with $61 million being the best estimate. Ten year impacts by stakeholder group are:

  • Australian designers: a potential net benefit of approximately $0.03 million to $6 million, with a best estimate of $1.7 million. This is due to increased savings on international applications and increased profits from taking new designs overseas. 

  • Australian consumers: a net cost of approximately $23 million to $114 million, with a best estimate of $58 million. This is due to income flowing overseas from Australian consumers paying higher prices to non-resident designers over a longer term of design protection. 

  • Australian IP professionals: impacts estimated as between a benefit of approximately $0.3 million and a cost of $12 million, with the best estimate being a cost of $2.5 million. Australian IP professionals will receive some extra business from non-residents at the examination stage, but will likely lose more business at the filing stage as non-residents go through the Hague system. 

  • Australian Government: a net cost of approximately $2.3 to $3.4 million, with a best estimate of $2.8 million. This is due to Information Technology system changes that will be required to process applications filed via the Hague Agreement. 
It concludes
We estimate there is a net cost to Australia of joining the Hague Agreement (see Tables 7.1, 7.2, and 7.3 in Appendix 4).
• The most optimistic show an annual net cost starting at just under $1m in the accession year, growing to an annual net cost of $2.5m in the tenth year. The cost over 10 years would be $25.5m in net present value terms under an average 10% annual discount rate.
• The best case show an annual net cost starting at $2.2m in the accession year, growing to an annual cost of $7.1m in the tenth year. The cost over 10 years would be $61.5m in net present value terms.
• The worst show an annual net cost starting at $3.9m in the accession year, and growing to $17.3m in the tenth year. The cost (over 10 years) would be $123m in net present value terms.
The costs outweigh the benefits, presently
Both ACIP and the PC recommended that Australia should take a “wait and be convinced” approach to joining the Hague Agreement. Most Hague member countries considered similar to Australia have more incoming registered designs than they do outgoing registered designs, so the benefits to using the Hague system to go overseas are small. While there are some savings to Australian applicants filing overseas, the costs to Australian consumers of the extension of term from 10 to 15 years are estimated to outweigh these benefits by a significant margin under all scenarios.
While we note that some benefits could not be quantified, we also note that there are also costs (for example, social welfare costs) that we have been unable to quantify. We particularly welcome feedback on this aspect.
Applying the PC’s suggested framework for assessing IP policy changes (effective, efficient, adaptable and accountable) we have been unable to find compelling evidence that joining the Hague Agreement would be a net benefit to Australia at the present moment.
We have been unable to find reliable evidence that a longer term of protection would be effective in stimulating additional design innovation. We have found that the efficiency benefits to Australians going overseas are outweighed by the negative income flows (and possibly also the economic inefficiency due to the unquantified social welfare costs) arising from the longer monopoly period. Locking Australia into the Hague Agreement would limit our ability to adapt our IP system in the future. And the above analysis is accountable because it seeks to provide a transparent evidentiary basis to inform a decision to join the Hague Agreement.
8.2 The Hague Agreement landscape will change
A number of countries will join the Hague Agreement in the near future, including China, Canada and Thailand.
The size of the Chinese economy and the volume of its design applications make it a candidate for a country whose accession to the Hague Agreement could represent a ‘tipping point’ that could substantially increase global usage of the Hague system. While China is by far the largest filer of designs globally, China is also Australia’s largest trading partner. Easier access for Australian designers to this significant market, facilitated by the Hague system, might tip the balance for Australia to the point where we had more outgoing applications than incoming applications, which would increase the benefits and reduce the costs to Australia of joining the Hague Agreement.
Canada’s accession is unlikely to be a tipping point in the same way as China. However, their experience could provide a valuable comparison for Australia to re-evaluate the cost and benefits in the future. Canada is similar to Australia in size and population; has a resource-dependent economy; and has a similar legal system. More importantly, Canada, like Australia, would also be moving from a 10 to 15 year design term in order to accede. Canada is set to join the Hague Agreement no earlier than 2018 based on public accounts. We are not aware of any detailed cost benefit analysis performed by Canada. Information from Canada’s experience, once they have joined, would be extremely valuable to assessing the costs and benefits to Australia.
Thailand has previously indicated its intention to join the Hague Agreement in 2015. While that timetable has been delayed, it may be expected to join at some point in the near future. Again, Thailand may provide a useful comparison for Australia when it joins: it is one of the few countries that will have to move from a 10 to 15 year term and is closely linked to many of the same regional markets as Australia.

Enforcement

The national Attorney-General's Department has released a consultation paper regarding recognition and enforcement of foreign judgments.

The paper states
Through the Hague Conference on Private International Law, the Australian Attorney-General’s Department (AGD) is currently engaged in negotiations on behalf of Australia for a draft Convention that is intended to establish uniform rules for the recognition and enforcement of foreign judgments in civil or commercial matters (the Hague Conference Judgments Project).
The draft Convention aims to provide parties to litigation with a simple and predictable framework that will govern how a judgment in one Contracting State (a State that signs up to the Convention) can be recognised and enforced in another Contracting State.
To inform Australia’s negotiating position, this consultation paper seeks public comment on law and policy matters raised in the draft Convention of November 2017..... The draft Convention may also be downloaded from the Hague Conference website (www.hcch.net).
AGD is seeking both general and specific comments on the proposed text of the draft Convention ahead of a fourth, and possibly final, meeting of a Hague Special Commission from 24–29 May 2018. The purpose of the Special Commission meeting is to develop an appropriate text that can be submitted to a Diplomatic Conference for final negotiations and agreement. The Special Commission, set up by the Hague Conference in 2016, has met three times over the past two years to prepare the current draft Convention.
The fourth meeting of the Special Commission will focus on a limited number of outstanding issues. This includes contentious issues such as the extent to which intellectual property and privacy should fall within the scope of the draft Convention. Some members of the Special Commission propose that matters relating to intellectual property should be excluded from the draft Convention completely, while others seek its general inclusion, or inclusion on a restricted basis (see Part 5 for further discussion on intellectual property).
Any text in the draft articles in square brackets is not yet settled. That text includes intellectual property and privacy matters. Square brackets represent proposals, alternatives and options that are the subject of ongoing consideration by members of the Hague Conference.
It is intended that a draft Convention will be put to a Diplomatic Conference of the Hague Conference for consideration and conclusion no earlier than 12 months after the final meeting of the Special Commission (on current timing that is mid-2019 at the earliest). Until it has been concluded at a Diplomatic Conference, the text in the draft Convention is not finalised.
If the draft Convention is concluded at a Diplomatic Conference of the Hague Conference, and Australia determines that it is appropriate to sign the Convention, its implementation in Australia will be subject to the usual government processes and Joint Standing Committee on Treaties processes and review. Implementation is likely to require subsequent amendments to Australian domestic legislation.
The paper features several questions -
Q1 Have you experienced any problems with seeking to recognise or enforce a foreign judgment? If so, what have the main problems been? What are the benefits for Australian parties in the recognition and enforcement of foreign judgments abroad, and what are the risks for Australian parties if foreign judgments are recognised and enforced in Australia or overseas?
Q2 Have you encountered issues and/or inconsistencies with the current regimes for recognition and enforcement of either Australian judgments in foreign countries or foreign judgments in Australia? If so, please provide details. Issues may encompass increased costs and timeframes associated with obtaining recognition and enforcement of judgments, including through duplicative proceedings in more than one jurisdiction, or an inability to obtain meaningful relief. Information on types of judgments and jurisdictions relevant to your experience is appreciated.
Q3 What are your views on the scope of the draft Convention? Are there any civil or commercial matters that are currently in scope that raise concerns? In particular, do you have any views on those matters in bracketed text, ie privacy/unauthorised public disclosure of information relating to private life; and/or intellectual property [and analogous matters]?
Q4 What are your views on the jurisdictional bases for recognition and enforcement? Do any of the currently proposed bases cause concern?
Q5 What are your views on the grounds for refusing recognition or enforcement? Do any of the currently proposed grounds cause concern?
Q6 What are your views on damages, costs and/or other provisions in the draft Convention?
Q7 Should intellectual property matters be included or excluded in the draft Convention (see Article 5(3) and Article 2, respectively)? To what extent should the circulation of intellectual property judgments be treated differently to that of other judgments under the draft Convention?
Q8 If included in the draft Convention, what are your views on the scope of intellectual property rights as currently defined/categorised?
Q9 Are the suggested discretionary safeguards in the draft convention adequate for intellectual property matters?
Q10 What are your views on the recognition and enforcement of monetary vs non-monetary judgments for infringement in intellectual property matters? Are there any other issues relating to intellectual property that should be addressed by the draft Convention?