First published: 07th April 2009
Allan Dyer prepared the submission and presented it at the meeting of the Legislative Council's Panel on Information Technology and Broadcasting on 7th April 2009.
Hong Kong Computer Society Submission on the Review on administration of Internet domain names in Hong Kong, 7th April 2009
The Hong Kong Computer Society (HKCS) thanks the Panel on Information Technology and Broadcasting for the opportunity to present some views on the administration of .hk domain names.
1 New Institutional Arrangements
There have been operational problems in the past. Effective institutional arrangements are vital to making sure that they do not reoccur. While it is too early to say how well the new arrangements will work in practice, it was clear that the old arrangements were not satisfactory.
It is difficult to comment on the new institutional arrangements as they have not been in place long enough to see what the effects will be. One issue that needs to be addressed is transparency. The new MOU should be effective in requiring a very high degree of transparency. We look forward to commenting on the draft MOU when it becomes available.
2 Guiding Principle
The guiding principle for domain name administration should be that .hk is managed in the best interests of Hong Kong.
2.1 Apply Hong Kong Laws to .hk Domains
Some countries have decided that their best interests are using their domain name to get foreign currency. Tuvalu has leased the .tv domain for US$4 million a year, about a quarter of its GDP. But Hong Kong is not Tuvalu and the best use of .hk is to support Hong Kong's commerce and industries, not to try to make it an industry itself. To increase trust in .hk domains, they should be made subject to Hong Kong law (i.e., at least for IT- and communications-related ordinances), or, at a minimum, it should be ensured that .hk domain name holders do not damage the brand of Hong Kong as Asia’s World City. For example, it was a mistake not to include .hk in the "Hong Kong link" provisions of the UEMO. A person or entity buying a .hk domain name is requesting to associate themselves with Hong Kong.
If the .hk domain name holders engage in illegal or antisocial acts, their actions can damage Hong Kong’s brand as Asia’s World City. However, they may operate outside the jurisdiction and it would be hard for our law enforcement agencies to take action against them, even if they were brought within the scope of Hong Kong’s laws. It is important, therefore, that HKDNRC takes effective action to shut down .hk domains that are being abused. The mechanism for doing this must be transparent and open, in order to reassure stakeholders that there is no interference with the free flow of information as guaranteed by law.
2.2 Registry – Registrar Question
The possible adoption of a Registry-Registrar model is a key question, and a motivation behind the institutional changes, but the justification for such a change is uncertain. The main argument appears to be that competition between registrars promotes growth in the number of domains. However, is a large number of domains good? It is if, like Tuvalu, your objective is revenue from the fees. The cull of over 8000 .hk domain names in 2007 shows that numbers are not the only consideration. Improvements in the registration process and a lack of restrictions encouraged criminals to use .hk domains for their activities, damaging Hong Kong's reputation in the process. Globally, registrars compete on price and bundled services. Information on the technical competence or reliability of registrars is difficult to obtain. Would adopting a Registry-Registrar model for .hk result in an efficient market that accommodated externalities such as the best interest and reputation of Hong Kong?
This issue should be resolved in the overall interests of Hong Kong. The new Board should engage with the community and take advice from the CAP before resolving this issue. The Government should not dictate the answer.
3 Operational Matters
Whatever the institutional arrangements, it is important that .hk works. In the past, there have been various operational problems; the new Board and CAP should make efforts to ensure .hk is operationally efficient. A few are mentioned here as examples:
3.1 De-Registration of Domain Names of Defunct Companies
The procedures for handling domain names when their owner ceases to exist are inadequate. In one case, a domain name was unused for three years after the company that owned it was dissolved. HKDNR considered the domain to be “active” because a sloppy ISP still hosted it on their Domain Name Server, even though they refused email to it, and there were no active hosts. HKDNR were eventually persuaded that the domain was effectively orphaned, but there should be a clearer, more comprehensive procedure to fairly and efficiently handle similar cases. Regular crosschecks with the Companies Registry could be considered.
3.2 Unclear and Arbitrary Rules on Domain Blackout Period
When a domain is de-registered, there is a blackout period of “up to 90 days” before it can be registered again. While it seems desirable to have a clear break in responsibility between the old and new owners, why 90 days? Under what circumstances would the period be reduced?
3.3 Poor Information Security Management
In 2006, an incident arose around online payment. A link for online payment of domain renewal by credit card led to a Chinese site, and a phone call to Customer Service resulted in a confused conversation that raised the suspicion of fraud. In the follow-up to the incident, the following issues were raised:
- The Customer Service staff claim there is no Head of Security, no Security Department, and no IT Security Department.
- They are more concerned with placating the customer than listening to the issues and investigating the problems properly.
- They claim there is a procedure to follow when possible fraud is reported, but they do not follow it.
- Email responses appear to be standardised, and the reply sent out may not be at all relevant to the query received.
While the specific website problems have been addressed, the organisation remains opaque on its Information Security Management. It is also very important that the payment mechanism adheres to the latest best practice recommended by the credit card industry.
3.4 Website Update
The HKDNR website shows the "List of Honorary Advisors on the CAP" as being "To be confirmed". The list is given in the Annual Report, but why does the online information lag behind? Although this is probably merely an operational matter, it also has a direct impact on the transparency of the institution.
3.5 Website Management
While preparing and researching this submission, on 28th March 2009, around 13:00, the HKDNR website suddenly became unavailable, replaced by a single image saying “System Maintenance on 28 & 29 March (Sat & Sun) Due to system upgrade from 1300 hrs on 28 March to 0600 hrs on 29 March HKT, new domain application and online domain management will be temporarily suspended during the period. Domain resolution will be operating as usual. We apologise for any inconvenience caused. For enquiries, please contact us on +852 2319 1313 or enquiry@hkdnr.hk.” and the Chinese equivalent. This raises several issues:
- The message was an image, and therefore inaccessible to people using screen readers. No text alternative was provided. HKIRC and HKDNR need more awareness of the needs of disabled people.
- The text was misleading – it referred only to the domain registration and management applications, but the informational pages on the site were also affected.
- The organisation is responsible for running, arguably, the most important internet servers in Hong Kong, without which every .hk site would quickly disappear, yet they appear unable to plan and execute a simple webserver upgrade in a seamless manner.