Domain Poisoning

David G. Post
American Lawyer, "Plugging In," September 1997

You may freely redistribute this column; please retain author and publication attribution. If you are not currently receiving these columns directly and would like to do so, please send me an e-mail at and let me know -- D. Post

Faithful readers of this column (and, I suppose, even unfaithful ones) know that the Internet is a uniquely decentralized entity, an open network that, like Gertrude Stein's Oakland, has "no there there." The early designers of the Internet intentionally created the crucial network communication protocols so that there would be no central server, no on/off switch, so that it would be largely invulnerable to enemy attack.

But in the early morning hours of July 17, 1997, the global network that was designed to withstand the Soviet nuclear arsenal was brought (temporarily) to its knees by a single employee of Network Solutions, Inc. Understanding how this could have happened explains much about how the Internet functions, and also poses what is arguably the most interesting legal and regulatory problem of all: Who runs the Internet? Who is authorized to make its rules?

The story begins with the mysteries of the Internet's domain name system (DNS), the way that Internet addresses (like "" or "") are assigned to individual computers so that electronic mail messages (TO: and World Wide Web commands ( are routed to the correct machine. The DNS has been at the center of over two dozen of the Internet's thorniest lawsuits, involving claims that individual domain names infringe the trademark rights of some third party. (See "A Domain by any Other Name," May 1996). But as it turns out, the DNS has significance far beyond the narrow confines of trademark law, and its current problems go to the heart of questions of Internet governance.

What is the DNS? For the Internet to function properly, each machine must have a unique address so that messages can find their way to the right place. The same is true for any network: the telephone system would break down if, say, each time you dialed 212-555-1234 you would be connected to a different phone line. On the Internet, each machine is assigned a unique number (e.g., -- its "Internet Protocol Address" -- which is precisely equivalent to a telephone number.

In the early days of the Internet, users had to actually remember and type out these numbers in order to send messages to other machines on the network. This is a fine system for computers, which can deal with numbers more efficiently than they can deal with alphabetical names, but human beings are just the opposite; it's just a lot easier to remember "" than Enter the DNS. In the early 1980s, it was decided that each Internet machine would henceforth receive both an IP address and an alphabetical name. The network would be divided up into a series of "top-level domains" -- some bearing geographic referents (*.jp for Japan, *.fr for France), others with non-geographic orientation (*.gov for government machines, *.edu for educational institutions, *.com for commercial operations, and the like). All Internet machines would get a name within one of these domains. Now, you could address your email to; when your Internet Service Provider's computer received this message for transmission, it would simply look in a database containing the list of names and IP addresses for all Internet machines, find the IP address number corresponding to "," and send your message merrily on its way.

The passive tense in the above paragraphs, though, is a bit troubling. Who decided a domain name system was required? Who does the assigning of IP Addresses and domain names? Who controls the database linking numbers and names?

These functions have long been the responsibility of the Internet Assigned Number Authority (IANA), an imposing-sounding entity that consists, in reality, of just a few dedicated volunteers, operating with a small amount of U.S. government funding. As the net grew, IANA delegated to an organization known as InterNIC these naming functions for the increasingly popular *.com, *.net, and *.org top-level domains. A private firm, Network Solutions, Inc. (NSI), was subsequently awarded the contract to manage and oversee this operation. All applicants for a name in, say, the *.com domain have to apply to NSI, and NSI is responsible for maintaining the master database matching *.com names with the numerical IP addresses issued by IANA. Each day, they send a copy of this database to a series of 11 computers located around the Internet known as "rootservers." These rootservers, in turn, can be accessed by the many Internet Service Providers whenever they need to translate domain names into IP addresses.

This is the heart of the July 17 Internet "crash," when, without cutting a single wire or blowing up a single machine, the Internet was plunged into chaos. Somehow, software being what it is, the master database of names and addresses became corrupted, filled with nonsense information. The night-shift operator at NSI's computer center apparently disregarded certain warning signs that there was trouble afoot and dutifully passed the corrupted database to the rootservers. The machine formerly known as was still out there, humming along happily, but no messages could reach it because its address had vanished (at least until the error was detected and uncorrupted backup versions of the master database passed to the rootservers).

The vulnerability of the Internet to malfunctioning of the DNS is itself troubling; the Internet has become too important for global commerce to be subject to this kind of unpredictable disaster. That part of the problem can presumably be controlled by more effective error-checking and backup procedures. Of more interest, the July 17 crash illustrates, somewhat paradoxically, the very importance of the naming system, the immense value of this database. A domain name is not just the repository of potentially valuable trademark-related reputational information, it is more fundamentally one's passport across the border into cyberspace; without a name (and corresponding number), one is literally invisible on the Net. The naming system is, in effect, the heart of the Internet, and he (or she, or it) who controls it controls the global net.

What gives IANA, or NSI, the authority to control this most valuable resource? Who gave them this power? Who decreed that this database, and these rootservers, would control the routing of messages over the Internet?

The answer, as is so often the case on the Internet, is "no one," or perhaps "everyone." No one has ordered, and no law requires, Internet Service Providers to look to any particular source for names and IP addresses when routing messages over the Internet. The current system has emerged through a kind of unspoken and uncoordinated consensus among the thousands of ISPs world-wide to use one particular set of names and addresses for this critical function.

But that consensus is unraveling. To the extent that NSI's legitimacy derived from its connection to the U.S. government, that link is about to be severed; the National Science Foundation, the original source of the contract under which IANA and NSI have been operating, has announced that it will no longer provide funding for these functions when NSI's contract expires in March 1998. Who will provide the necessary information to the rootservers at that time? NSI, for its part, has announced that it fully intends to keep operating, funded by the registration fees that it has begun charging applicants. A number of competitors (such as AlterNIC) have entered the fray, indicating that they, too, are willing to take your money to issue you a domain name (at about half the price that NSI currently charges) and to operate their own rootservers to hold this information.

An even more ambitious plan has been developed by a coalition of Internet organizations known as the Internet Ad Hoc Coalition (IAHC), which envisions creation of seven new top-level domains (*.firm, *.store, *.web, *.arts, *.rec, *.info, and *.nom) and a process under which numerous competing entities (to be chosen by lot) will be authorized to take applications and issue domain names.

The battle is likely to get increasingly intense as the March cut-over date approaches. NSI is unlikely to relinquish its preferred -- one might even say monopolistic -- control over this process without a fight, and has indicated that it may assert ownership over the existing database of names and numbers as a means of deterring competitors. The federal government, too, is trying to figure out what to do; an interagency task force has held several meetings among the interested parties to try to work out an orderly transition plan, with little success to date (although the Commerce Department has been charged with issuing a Request for Proposal to solicit comments on what, if anything, the government can do to facilitate the continued efficient operation of this system as its financial involvement disappears).

What's at stake here is nothing less than the governance of the Internet. That the domain name system works as well as it does is a remarkable triumph of decentralized self-governance, the emergence, rather than the imposition, of order in the absence of any express central authority. This may not, however, be a stable equilibrium; without a Hobbesian Leviathan to set down authoritative rules, "the Internet" as we know it may soon fragment into a number of different Internets, each with its own addressing system, as different ISPs choose different suppliers for this critical routing information. Not an ideal outcome, perhaps -- but then again, constituting a single central authority to take charge of this critical global resource has enormous risks as well, for how can we be assured that this entity will not behave oppressively, as Leviathans often do? Only one thing is reasonably certain: the Internet we have come to know (and love?) will probably look very different come this time next year than it does today.