Nominet

Nominet is the company that operates the .uk domain registry and manages common second-level domains such as .co.uk. It also operates UK-relevant TLDs including .wales and .cymru.

It has sponsored the annual Parliament and Internet Conference.

Statutory duties

Although a private body, its management of the .uk registry and of other UK-relevant registries is governed by the Communications Act 2003, as amended by the Digital Economy Act 2010. Sections 124O and 124P allow the Secretary of State to intervene in the case of serious failures and appoint a new organisation to run the registry. As such, it can be argued that Nominet’s delivery of the registry is a public function and could be subject, among other things, to the Human Rights Act 1998.

Despite this public function, Nominet is not subject to the Freedom of Information Act 2000. Nevertheless, Nominet acts in many ways as a public interest body, and has a good degree of transparency in its formation of new policies.

Governance

Nominet is a private company limited by guarantee.[1] It owns a for-profit company to manage domain services[2] and currently controls a charity.[3] Nominet has indicated that the charity will move away from Nominet control.[4]

Nominet has around 2,500 members, who pay an annual subscription.[5] Membership is open to anyone, rather than just organisations or persons operating a registry.

Nominet’s voting structure favours the larger registries. 25% of the votes are equally distributed, while the remaining 75% are weighted according to the size of the registries, size being defined by the number of Nominet-registered domains looked after by each registry. Votes per registry are capped at a maximum of 10%.[6]

Public purpose

Transparency

Nominet has generally operated reasonably transparently, setting policies in public and conducting consultation processes. However, in summer 2017 it decided to cease publishing board minutes and the reports produced to inform decisions.[7] The Register concludes:

Critics observed that would also mean that conflict-of-interest statements from board members would no longer be published – a critical issue since, due to Nominet's unusual voting structure, several board members represent the largest companies in the domain-name market and those same companies possess an effective veto on board decisions.

The end result is that the finances and decision-making of what is supposed to be a member-friendly organization are largely invisible to anyone but board members and staff.[4]

Governance review 2016

See Nominet/Governance review 2016

In 2015, Nominet’s Board commissioned an independent review by Sir Michael Lyons into its governance.[8] It reported in 2016.[9]

There exists a rather complicated voting system at Nominet. Essentially one quarter of the votes are allocated on a ‘one member, one vote’ basis, and the remaining three quarters calculated by reference to the domains which a member administers as a Nominet registrar. On top of this allocation, any individual member (or associated group of members), has their maximum voting rights capped at 3% of the total votes cast for most votes. With a relatively small number of Nominet’s members participating in votes (12% at the 2015 AGM), and over 90% of the .uk domain registrations administered by less than 25 members, the current arrangements have been subject to criticism.[10]

Strategy 2020

Nominet is running a multi-year strategy to 2020, which includes diversification of its activities. The diversification strategy was raised by Haworth in 2016.[11]

At a high-level, our strategy has three concentric rings. At our core is ‘registry’, the middle ring focuses on ‘new markets’ developed from our DNS expertise, and the outer ring focuses on ‘applied innovation’.[11]

Haworth expands that:

Our work in ‘new markets’ is focused on network analytics. Originally developed to keep .UK safe, (which it continues to do on a daily basis), our turing product already has great potential to help other businesses running a large DNS network. We are investing in supporting the commercial success of what we believe is a unique product.

Within ‘applied innovation’, our R&D team are exploring new technologies and opportunities. Again, our focus is on internet infrastructure, within the context of the internet of things. While we are involved with innovative projects from flood prevention to smart car parking, those projects are under-pinned by a clear logic – finding solutions to the infrastructure problems posed by gathering, securing, accessing and processing information from a large number of devices. While it is inaccurate to say the team are tasked solely with producing products for our channel, we are working hard to identify viable opportunities for our members downstream. In this respect, I hope the upcoming ‘cloud’ version of turing is the shape of things to come. [11]

In practice, this strategy includes work on automated cars in the DRIVEN project[12] and drones, including a call for a centralised drone ownership database.[13]

Law enforcement domain suspensions

Nominet accedes to UK law enforcement requests for suspension of domains. It began acceding to bulk requests in December 2009[14][15] in response to requests from SOCA.[16] It ran a consultation process in 2011 which included ORG alongside various industry partners.[16][17] The consultation process broke down, and no agreement was reached.[18][19]

Nominet formalised its suspension policy in 2014.[20] Nominet altered their Terms and Conditions for domain registration to include the specific commitment:

7.7 that you will not use the domain name for any unlawful purpose.[21]

Nominet argue that this permits them to suspend any domain reported to them by the authorities. Nominet at the time said that the policy meant that:

“Nominet can quickly suspend a domain name when alerted to its use for criminal activity by the police or other law enforcement agencies, such as National Crime Agency, Child Exploitation and Online Protection Centre (CEOP) or the Medicines and Healthcare Products Regulatory Agency (MHRA)”[20]

However, their list of authorities making suspensions includes a private company (National Trading Standards) and CTIRU, whose suspension requests relating to extremism could seriously impact free expression.

“Unlawful” is very wide, so could lead to suspension requests for activities including:

  • libel claims
  • helping people to trespass
  • breaching data protection laws
  • minor copyright infringements

Domain suspensions doubled from 3,889 in 2014-15[22] to 8,049 in 2015-16,[22] and doubled again to 16,632 during the year to October 2017.[23][24] Nominet produced reports detailing its suspensions in 2015,[25] 2016[22] and 2017.[26] PIPCU’s Operation Ashiko creates around 80% of suspension requests.

Russell Haworth, Nominet’s CEO, said in 2017:

“A key part of our role in running the .UK internet infrastructure is to ensure that .UK is a difficult space for criminals to operate in. The upward trend in suspended domains confirms that increasingly criminals seek opportunities online, but also shows how our cooperation with the law enforcement community and our expertise in network analytics helps tackle this problem thanks to the established processes and cyber security tools we have in place.”[26]

Harms to owners and consumers

Unlike a domain seizure, where the domain is in the possession of an authority and notices can be displayed at the domain’s web address, a “suspended” domain is simply no longer valid and no longer points to any website.

Detective Inspector Nicholas Court, of the Police Intellectual Property Crime Unit (PIPCU), said:

“We work closely with our partners to disrupt the sale of counterfeit goods which put consumers at harm in many ways. Buying fake goods can not only pose as a public safety risk, buying from rogue sites can also put your personal and financial information at risk, meaning that criminals can use your identity for malicious means.

“The dangers of buying fake goods should not be underestimated. As shoppers look for last-minute gifts and bargains online, it is vital that you take extra care and check where you buy from. If an offer looks too good to be true, it probably is.” [27]

Thus, although envisaged as a consumer and public protection measure, domain suspension is open to the obvious criticism that somebody who is the victim of a crime will be unable to find out anything when trying to visit the fraudulent website.

Many victims of fraud would be likely to revisit the website to gain clarity over what precisely has happened, only to find the website unreachable, as if the criminals had deliberately disappeared. Other people may visit to attempt repeat purchases.

Suspension is a considerably more risky approach where a site has been supplying dangerous goods.

Seizure and display of information relating to the seizure would provide opportunities to:

  • warn victims of crime of what has taken place, and any attendant dangers, such as ongoing credit card fraud or potentially dangerous products
  • allow victims a greater chance to report crime and gain redress
  • allow law enforcement to gather evidence from victims
  • allow law enforcement to educate people about online crime, precisely targeted at people who may be victims
  • allow domain seizure errors to be more easily rectified
  • uphold legal accountability

European law

EU law envisages legal powers for consumer protection agencies to seize domains in the Consumer Protection Cooperation Regulation. These processes would have to be compatible with Charter of Fundamental Rights standards, so would be likely to require transparency and appeals at a minimum.

Domain suspensions statistics

See Nominet/Domain suspension statistics

Cyber Assist

In 2014 Nominet started a pilot of its Cyber Assist service, which appears to consist of sending alerts about computer security, proactively monitoring websites for security issues, and making security support available via phone and email.

References

  1. Nominet UK, beta.companieshouse.gov.uk
  2. Nominet Registrar Services, beta.companieshouse.gov.uk
  3. Nominet Charitable Foundation, beta.companieshouse.gov.uk
  4. .UK overseer Nominet abandons its own charitable foundation – and why this matters, theregister.co.uk, 19 January 2018
  5. Nominet membership, nominet.uk
  6. Nominet Voting Rights Bye-law, nominet.uk
  7. Scrutiny? We've heard of it. Dot-UK supremo Nominet goes dark, theregister.co.uk, 17 August 2017
  8. Nominet new CEO opens giant can of worms, sticks head in, theregister.co.uk, 25 May 2015
  9. Report to the board of Nominet UK on the governance and operating systems of the company, nominet.uk, 27 October 2015
  10. Report to the board of Nominet UK on the governance and operating systems of the company, Page 2, nominet.uk, 27 October 2015
  11. Nominet Strategy 2016, nominet.uk, 6 January 2016
  12. DRIVEN consortium to unveil first self-driving vehicles at LCV 2017, nominet.uk, 5 September 2017
  13. Consumers call for new restrictions and licences on drone use amid safety and privacy fears, nominet.uk, 31 January 2018
  14. Over a thousand scam websites targeting Christmas shoppers shut down after online raid by Scotland Yard's e-crime unit, dailymail.co.uk, 4 December 2009
  15. Why Nominet disconnected 1,000 sites with no court oversight, theregister.co.uk, 8 January 2010
  16. Nominet calls on stakeholders to get involved in policy process, nominet.org.uk, 09 February 2011 (webarchive)
  17. Police to get greater web censorship powers, theregister.co.uk, 25 November 2010; Nominet asks what you think of police domain grab, theregister.co.uk, 10 February 2011
  18. ISP outcry halts cybercops' automatic .UK takedown plan, theregister.co.uk, 25 November 2011
  19. ISPA, LINX and ORG insist on Court Orders for Nominet's domain suspensions, openrightsgroup.org
  20. Nominet formalises approach to tackling criminal activity on .uk domains, nominet.uk blog, 3 April 2014
  21. Terms and Conditions of Domain Name Registration April 2014, indicating changes
  22. 2016 Domain suspensions report
  23. Suspended .UK Domains Double in a Year, InfoSecurity Magazine, 16 November 2017
  24. Collaboration keeps .uk safe with record 16,000 domains suspended, nominet.uk blog, 16 November 2017
  25. 2015 Domain suspensions report
  26. Tackling online criminal activity 2016-17 (PDF)
  27. PIPCU urges consumers to shop savvy as they crackdown on counterfeits this Christmas, http://news.cityoflondon.police.uk/r/970/pipcu_urges_consumers_to_shop_savvy_as_they_crack