Columns Archive

Verisign’s tampering shows high cost of apathy

Internet governance is an issue that relatively few people care much about. For the vast majority of Internet users, the technical and policy details that underlie the Internet matter little so long as their e-mail goes to the correct address and their domain name resolves correctly so that their Web site is accessible.

While some people become engaged in hot button policy issues — domain name dispute resolution, privacy, and online elections to name three — for the most part policy decisions are largely left to the small cadre of technical and policy wonks who engage in heated online discussions and meet several times a year in a variety of exotic locales around the globe to continue discussions face to face.

The general lack of enthusiasm for Internet governance has enabled those stakeholders with a direct financial interest, primarily domain name registries and registrars (the companies that sell and register domain names) and the intellectual property community, to seize significant control over the governance structure. Although the initial structure of the Internet Corporation for Assigned Names and Numbers (ICANN), the California-based non-profit company charged with managing the domain name system, envisioned a meaningful role at the board level for individual Internet users, those visions are now little more than a distant memory as the voice of individual users has been steadily marginalized to the point of near silence.

This gradual transformation has developed with the open acquiescence of governments worldwide. Although many governments, including the Government of Canada, profess to view the Internet as a critical resource, they have been content to leave this resource alone, governed by self-regulation with a bare minimum of intervention.

Last Monday, at 10:45 a.m., the danger of this laissez faire approach became evident to millions of Internet users. At that moment, VeriSign, the U.S. company that enjoys a monopoly over dot-com and dot-net domain name registration (there are competing registrars who sell domains to the public but they must all buy their domains from VeriSign), flicked a switch and launched a new service called Site Finder.

Site Finder is designed to deal with a fairly common occurrence for many Internet users — the entry of an incorrect domain name, either because the domain is no longer active or because of a typo. While users are accustomed to receiving an error message when this occurs, VeriSign’s Site Finder service now replaces the error page with a VeriSign page that displays advertising and a search tool.

For VeriSign, this new innovation is potentially very lucrative. It estimates that dot-com and dot-net domains are mistyped 20 million times per day, resulting in an additional 20 million visitors to VeriSign’s Web site daily and millions of dollars in additional revenue from advertising and click-through searches.

For the rest of the Internet, the new service is potentially very damaging. Technical experts have repeatedly warned against tampering with the domain name system in this fashion, suggesting that it could result in significant instability for the network.

The service has also had an immediate negative impact on fight against spam. Many ISPs use anti-spam tools that rely on the ability to discern between domains that exist and those that do not. Since Site Finder ensures that all domains resolve, even where they do not exist, that spam- fighting mechanism has been rendered inoperable for the moment (VeriSign pledged to develop a fix late last week).

Domain name owners also feel cheated by the new system. As one domain name owner noted, many would not have opted for a dot-com domain years ago had they known that a system would later be established that would take a user elsewhere if they mistakenly enter a typo on the way to their site.

Hardest hit, however, are individual Internet users. Twenty million times a day Internet users who inadvertently enter a typo now find themselves subjected to a lengthy VeriSign terms of use contract found on the Site Finder page. That contract includes provisions relating to user privacy that specify that the company has the right to collect statistics — information such as the user’s IP address, page views, from which domains users come, and the browser settings installed on users’ computers. In fact, Verisign now places a data identifying “cookie” on every user’s computer that further assists with data analysis of users’ activities.

Despite the Internet community’s near unanimous outcry against the Site Finder service, it quickly learned just how powerless it has become. ICANN, the supposed steward of the domain name system, took until Friday evening to issue a weak statement calling on VeriSign to voluntarily suspend the Site Finder service while it reviewed the matter. National governments, who were witnessing one company tamper with a public resource they had promised to protect, also did nothing, rendered powerless by their years of adherence to a self-regulatory policy that diminishes traditional regulatory oversight. In fact, last week the United States government extended ICANN’s mandate over the domain name system for an additional three years, guaranteeing many more years of governmental abdication of leadership responsibility.

Given the continuing concern over the Site Finder service, it is likely that technical fixes will be developed to override VeriSign’s approach. It is also possible that VeriSign will drop its new service, either voluntarily, by order of a court (it was hit with a $100 million lawsuit over the service by a leading search engine late last week) or under compulsion by ICANN.

Regardless of the eventual outcome, Internet users will look back on the day that Internet governance mattered and remember that they didn’t.

Comments are closed.