Note to ICANN: Do You Have a Calculator?
The Privacy Rights Clearinghouse reports that since 2005, 608,945,544 records were compromised in 3,856 data breaches. Interestingly, the PRC notes that, “In reality, the number given … should be much larger. For many of the breaches listed, the number of records is unknown. Further, this list is not a comprehensive compilation of all breach data.” In an alarming FAQ, the PRC writes, “If a breached entity has failed to notify its customers or a government agency of a breach, then it is unlikely that the breach will be reported anywhere.”
So no one really knows how many breaches have occurred. What we do know is millions of records have been compromised. In just a few years, we can expect that number to exceed one billion.
In the Internet Corporation for Assigned Names and Numbers (ICANN) 2012 Annual Report, ICANN reported that, with respect to disciplinary actions against operators of gTLDs, “… 23 escalated compliance notices (i.e. notices of breach, suspension and termination) were issued; a 64 percent increase in the number of escalated compliance notices issued in 2011.” The domains involved in such notices were .BIZ, .COM, .INFO, .NAME, .NET, .ORG, .TEL, .AERO, .ASIA, .CAT, .COOP, .JOBS, .MOBI, .MUSEUM, .POST (not operational), .PRO, .TRAVEL and .XXX, eighteen of the gTLDs currently authorized by ICANN.
And now ICANN is poised to authorize nearly 2,000 more gTLDs.
Obviously, they need a new calculator, assuming they even have one.
These numbers compel one critical, unanswered question. How can ICANN justify any new gTLDs before it determines what to do about the epidemic of records being compromised in an Internet ecosphere with only 18 gTLDs?
I suppose one might say, wait! You’re comparing apples to oranges. It’s not the gTLDs that cause data breaches. The cause is the negligence and lack of security of database managers. Really?
At the conclusion of last month’s ICANN confab in Durban, South Africa, the operative committee within ICANN’s byzantine governance agreed with the Government Advisory Committee to enter into a “dialogue” to discuss solutions to the GAC’s following concerns:
1. “Registry operators will include in its acceptable use policy that registrants comply with all applicable laws, including those that relate to privacy, data collection, consumer protection (including in relation to misleading and deceptive conduct), fair lending, debt collection, organic farming, disclosure of data, and financial disclosures.”
2. “Registry operators will require that registrants who collect and maintain sensitive health and financial data implement reasonable and appropriate security measures commensurate with the offering of those services, as defined by applicable law and recognized industry standards.”
So on the eve of victimizing consumers with nearly 2,000 new gTLDs, the governing bodies will have a dialogue on security concerns. One cannot help but wonder how many records will be compromised when 18 gTLDs turn into hundreds or more. Should we all be so naïve as to think the result will not be exponentially more breaches?
The bottom line: ICANN needs to start counting the likely risks and losses the past portends to foist on the future with ICANN’s plans to open up the Domain Name System (DNS). It’s time ICANN faced the fact that it needs to fix the problems infecting the current gTLDs before it introduces more and makes a solution far more difficult, if not impossible. All it needs is a calculator.
Or perhaps ICANN should just continue a dialogue and act like Nero when Rome burned.
We Expert Doug Wood