Please find our comments on Versign's proposed Anti-Abuse policy below: easyDNS Technologies Inc. thinks the goal of having a mechanism to takedown domains that destabilize the internet (via malware or some other technical issue) in the absence of a non-responsive registrar-of-record a laudable one, with the following caveats: - the Registrar-of-Record should be the first avenue of approach on all takedown matters. Verisign should step in with an unilateral takedown only in lieu of a response from the Registrar, or if the Registrar of record has opted-into the malware scanning program and explicitly enabled Verisign to execute takedowns. - the definition of "malware" is currently overly broad, deeming many harmless practices as malware (cookies with longer lifespans, web bugs set in accordance with a valid privacy policy) or else what constitutes malware is open to Verisign's interpretation. But the most alarming aspect of the proposed policy are the presence of additional provisions which make it possible for any domain to be taken down in the absence of due process. The provision (known as section b) in the proposal is worded as follows: " (b) to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process; " A court order is the result of due process and has by definition been subject to some form of judicial review. A "requirement" or a "request" is entirely subjective opinion and devoid of due process under the law. Further, quasi-governmental agencies have no need to be imbued with additional powers of arbitrary domain takedowns. All takedown requests coming from governmental or law enforcement agencies should require due process under the law and obtain some form of court order. Of course, with the com and net being unsponsored generic TLDs, the issue of jurisdiction is important. Are we to assume then, that the requests and the requirements are those of the United States government only? What of domains registered to registrants via regsitrars in which one or both are outside the legal jurisdiction of the United States? Can other governments then request Verisign to takedown a domain? (Can the government of Canada then request that a domain registered to a US-based registrant be taken down? How about China? Or Iran?) This issue becomes so convoluted that maybe there should be a wider debate around if the registries themselves should even be allowed to be operated by a private entity subject to governing law of one country that could then unfairly force its own law upon all others. Perhaps maybe we need to think about having .com and .net be run by an international organization such as the ITU? Or some other UN agency? Does that sound reasonable? If that route is unpalatable, then perhaps the easiest path is to - strike section b from the proposal - more accurately define what "malware" means - remove section (c) (which is a backdoor mechanism to takedown a domain simply by threatening legal action against Verisign) - provide a realtime rollback and challenge mechanism that registrars can invoke to address improper takedowns Thank you. -mark -- Mark Jeftovic <markjr@easydns.com> / Jabber: markjr@easysip.com Founder / President, easyDNS Technologies Inc. Company Website: http://www.easyDNS.com Better Living Through Private World Domination: http://PrivateWorld.com