Hello everyone,

You have asked us for examples of the potential impact of Associated Domain Checks (ADC) on domain name registrants. We are providing two examples below. One is about investigation scope and the other is about surveillance and data protection. Before doing so, however, I want to make one point clear.

Examples involving real people and real-world contexts will always be imperfect. They can be dismissed as unlikely, as “not how we work,” or as edge cases. But that is exactly why risk analysis and safeguards are necessary. Our society should not assess the legitimacy of a mechanism only by how it treats ordinary or low-risk cases. It should also consider how the mechanism affects vulnerable communities, politically sensitive users, minority groups, and others who are more likely to experience harm. You can read this incredible report by Afsaneh Rigot on how to design and govern from the margins across digital products and services. 

Another point is that the distinction between malicious and compromised domains is not, by itself, a sufficient safeguard. Nor is it enough to say that investigation is not mitigation, or that an ADC will not necessarily lead to suspension. It can lead to suspension, and we need to have safeguards in place and a remedy for when things go wrong. The safeguards we are proposing are simple: investigations should be proportionate, their scope should be narrow and tied to the context, and there should be a meaningful remedy when things go wrong. We cannot predict every potential harm to registrants or end users, but we can design processes that reduce foreseeable risks.

Example 1: 2019 Hong Kong Protests

In 2019, protesters in Hong Kong took to the streets in response to a controversial government bill, leading to the largest series of demonstrations in the city’s history. Hong Kong police arrested hundreds of people, including prominent activists. During this period, protesters relied on apps that helped them track police locations. Some of those apps were later removed from Apple’s App Store, cutting off a critical channel of access. This created demand for alternative distribution channels, including proxy registrations or mirror domains that could help users access tools no longer available through traditional app stores.

In contexts of political unrest, messaging apps such as Telegram can become critical tools for coordination and access to information. At the same time, these moments can create opportunities for malicious actors to register domains impersonating services like Telegram, for example “telegram-login.app,” in order to conduct targeted phishing or distribute malware. A well-evidenced report about an impersonating domain, timed to coincide with a period of protest or heightened repression, can be a valid contextual indicator for triggering an ADC. The timing, target, and surrounding circumstances may reveal something that the domain name alone cannot.

However, a registrant or reseller may also have a history of registering domains on behalf of others in their community, including people who lack access to financial institutions, whose prepaid cards are not accepted by registrars, or who face legal or political risk if they register a domain directly. In the Hong Kong context, this might include mirror or access-support domains such as “protest-hongkong.app” or “wherearethepolice-hongkong.app,” intended to help protesters access apps or information no longer available through official channels.

If an ADC is triggered and the investigation sweeps across the registrant’s entire portfolio, those domains become visible to the registrar. That creates a serious problem. Once the registrar has knowledge of those domains, it may lose plausible deniability. Depending on the jurisdiction, that knowledge may create legal obligations to act or expose the registrar to political pressure from governments or other actors seeking to have those domains suspended. The investigation itself may therefore generate liability that would not otherwise have existed and could lead to suspension of those domains. The risk is not only to the registrant or reseller. It can also create risk for the registrar.

Example 2: Reproductive Health Provider

Consider a small web developer or community organization that helps several local groups register and maintain domain names. Some of these groups may not have the technical capacity to manage their own registrations. Others may lack access to accepted payment methods. Others may avoid registering directly because the nature of their work creates legal, social, or personal risk.

Among the domains managed through this account is a website for a reproductive health provider operating in a legally contested jurisdiction. The provider is lawful, but its work is politically sensitive. The domain is not abusive and has not been reported for DNS abuse.

Now assume that a different domain in the same account is reported for phishing. The report is credible. The registrar therefore has a legitimate reason to investigate the reported domain and closely related indicators, such as a distinctive naming pattern, shared malware infrastructure, or repeated registration behavior connected to the abusive activity.

The problem arises if the ADC expands beyond those indicators and becomes a broader portfolio review. The registrar may rely only on data already available to it, such as account information, billing records, login history, payment details, registration history, support tickets, reseller identifiers, or nameserver data. But when those data points are combined, they can reveal more than the registrar needed to know for the original abuse investigation.

For example, the ADC may show that the same account, payment method, or support contact is connected to the reproductive health provider’s domain. It may reveal that the provider relies on a particular community organization, web developer, or intermediary. It may also expose other domains connected to the same network, such as legal aid, counseling, travel support, medication information, or patient-resource websites. None of these domains were the subject of the abuse report. Yet the ADC has now linked them together in an investigative context.

This creates a data protection problem even if the registrar takes no mitigation action. The harm is not limited to suspension. The harm may occur through excessive processing, linkage, inference, and retention. Data collected for registration, billing, account security, or customer support has been repurposed into an investigative graph. That graph can reveal relationships among unrelated domains, expose sensitive activity, and create new knowledge that did not need to be generated to address the original phishing report.

The argument that the registrar is using only “available data” does not resolve the issue. Availability is not the same as necessity or proportionality. A registrar may possess data for operational reasons, but that does not automatically justify using it to examine unrelated domains or infer relationships among registrants. The relevant question is whether each category of data used in the ADC is necessary, relevant, and proportionate to the specific abuse indicators that triggered the investigation. 

NCSG Position and Recommendations

The NCSG is not arguing that an ADC triggered by a single reported instance of DNS abuse is always disproportionate. A domain mimicking a popular communications platform like Telegram during a period of protest could signal a systematic effort to target a specific population, and that may be a valid contextual indicator. The context of reported abuse must always be carefully analyzed.

What the NCSG emphasizes is that proportionality applies not only to the decision to trigger an ADC, but also to how the ADC is conducted.

First, ADC investigations should be contextual. The triggering evidence should be assessed against the broader circumstances, including the nature of the abuse, the target, the timing, and the surrounding political or social context.

Second, ADC investigations should be narrow. The scope should be limited to the specific patterns, keywords, registration characteristics, or other indicators associated with the malicious domain. It should not become a general audit of the registrant’s broader portfolio.

I also want to address directly the argument that a broad sweep is acceptable as long as the registrar carefully distinguishes between malicious and compromised domains, or that harm only arises if the investigation leads to suspension. Harm can occur at the point of investigation, not only at the point of mitigation. A registrar that conducts a wide sweep and acquires knowledge of sensitive domains may already have created legal and political exposure for itself and potential harm for the registrant, regardless of whether any domains are ultimately suspended. Limiting mitigation does not undo the consequences of an overbroad investigation. This is why scope limitation must be built into the investigation itself, and why there should be a remedy and safeguards in place.

Best regards,

Farzaneh