It’s all about domains… | Polina Malaja (CENTR)

Policy-making and internet governance are pivotal in the domain industry. They determine how we navigate and ensure a certain level of security and interoperability. At the heart of Europe’s digital space, the Council of European National Top-Level Domain Registries (CENTR) plays a crucial role in influencing policies that resonate across the continent’s online infrastructure.

Today, we’re thrilled to welcome Polina Malaja, the driving force behind CENTR’s policy direction, where her expertise in international human rights and intellectual property law informs her advocacy for the delicate balance between technological progress and fundamental rights.

Join us as Polina delves into the complexities of digital space governance. Don’t miss her profound insights—tune in to the fascinating dialogue ahead.

1What does it mean to be the Policy Director at CENTR? What inspired your path into policy-making within the domain industry?

As the Policy Director at CENTR, my primary responsibility is to spearhead CENTR’s policy initiatives that impact European ccTLDs, both on a European and global scale. This involves pinpointing the issues that hold the most significance for European ccTLDs and representing CENTR’s members in dialogues with policymakers and other stakeholders.

CENTR, the association of European ccTLD registries, such as .de for Germany or .si for Slovenia, aims to foster and contribute to developing high standards and best practices among ccTLD registries. The association comprises 51 full and 8 associate members, accounting for over 80% of all registered domain names globally. CENTR serves as a platform for discussing policy matters affecting ccTLD registries and acts as a liaison to internet governing bodies and other organizations involved in digital policy. It champions the interests of ccTLDs and advocates for them.

My journey in the DNS ecosystem began as a natural progression from my interest in free and open internet and the technologies that support it. As a human rights lawyer, I’m intrigued by the intersection of technology and human rights and the role that critical internet infrastructure, like the DNS, plays in our ability to exercise our fundamental rights. At CENTR, we don’t just represent industry interests: We advocate for the technical community dedicated to preserving a free and open internet, with people’s needs and rights at the heart of the discussion.

2What do you consider to be the most critical challenge we currently face in internet governance?

As we draw closer to the World Summit on the Information Society (WSIS+20) review, an intergovernmental process set to determine in 2025 whether the multistakeholder model for internet governance is still effective, it’s crucial to underscore the achievements of the global multistakeholder model that has made the internet an essential part of our modern information society.

These accomplishments include technical interoperability, infrastructure based on open standards and decentralized solutions, and the ongoing stability and resilience of the global internet amidst wars, geopolitical tensions, and pandemics. The multistakeholder model is often overlooked in these debates. Undeniably, emerging challenges like the rise of gatekeepers and AI have shifted the focus towards other issues that need to be addressed when discussing the future of the internet.

However, it’s vital to remember that the technical operation of the global internet, rooted in multistakeholder processes, enabled the human-facing web to evolve through various stages of its development. At the same time, the technology that powered this transformation remained open, free, scalable, and reliable. Without the support of all stakeholders, including governments, in the multistakeholder model, the future of one open global internet is at risk.

3What changes do you foresee in TLD policies across Europe in the near future?

European ccTLDs are closely rooted in their national countries and are primarily subject to national (and, in the case of the European Union, regional) legislation.

Consequently, policy-making within the realm of TLD administration—covering aspects like domain name registration policy, domain use policy, privacy policy, etc.—is shaped mainly by modifications in national and regional legislation.

Some of the most notable examples that have or will have a significant impact on TLD policies in Europe come from EU legislative initiatives, such as the GDPR, Consumer Protection Cooperation Regulation, Digital Services Act, NIS 2 Directive, e-Evidence Regulation and Geographical Indications protection reform, to name a few. These laws include domain name registries in scope and put forward a set of obligations that influence the domain name registration process and domain name lifecycle.

As a result, operating a domain name registry in Europe or providing domain name services to European internet users is growing more complex and intensely regulated, bringing more compliance efforts.

4How does CENTR’s policy work help tackle issues related to DNS abuse?

CENTR members regard keeping abuse low on the internet as necessary in safeguarding internet user trust and safety within their zones. European ccTLDs are the zones with the minor level of abuse globally. The diversity of approaches towards keeping domain name zones safe and secure across European ccTLDs has multiple advantages, as it avoids the single point of failure for malicious actors to exploit. At the same time, there is a general tendency to equate DNS abuse with cybercrime, as technically, all services on the internet rely on DNS. However, not all cybercrime can be mitigated and addressed at the DNS level.

Consequently, there is a need for a collaborative approach between multiple technical actors within the DNS ecosystem like registries, registrars, internet service providers, hosting service providers, etc, competent authorities, including law enforcement, and cybersecurity experts, such as CSIRTs to tackle different abuses online.

At CENTR, we encourage our members to exchange information and good practices with each other, informing the community about different approaches available for addressing abuse online within the technical limits of a registry. It is essential to remind policymakers that DNS-level action is not a silver bullet to end all cybercrime online and that DNS abuse is a misleading term. Any action towards an abuse online mandated by a technical operator, such as a domain name registry, should be evaluated from the perspective of what is technically possible, proportionate with the level of harm, and most importantly, whether the harm can be mitigated and addressed by an intermediary that is closest to the source of abuse and without a drastic intervention at the infrastructure level.

5With the NIS2 Directive on the horizon and member states soon to release their measures, what challenges do you foresee for ccTLD registries as they navigate this new landscape?

The NIS2 Directive introduces a set of obligations for ccTLD registries, as they are considered essential entities and vitally important for the functioning of society.

The NIS2 Directive aims to provide a minimum set of measures for cybersecurity preparedness of critical sectors, including TLD registries. In addition, the NIS2 Directive introduced domain name registration data accuracy as one of the critical measures to maintain the DNS’s stability, security and resilience. These accuracy measures include an obligation on domain registries and registrars to verify domain name registration data, including the identity of a domain name holder. This verification obligation is one of the most challenging aspects of the NIS2 Directive for the domain industry, as it is unclear how far it is expected to go and which verification tools and measures would be acceptable for compliance with this obligation across the EU. There is also no uniform adoption of electronic identity across the EU that would facilitate verification of domain name holders, especially in a borderless and cross-border domain name market.

Finding the right balance between complying with accuracy obligations under the NIS2 Directive and maintaining a high level of cybersecurity of all registry operations while staying ahead of the curve of malicious actors who will undoubtedly explore new ways to circumvent identity checks is one of the biggest challenges with the expectations set by the NIS2 Directive. In addition, it is also important for Member States to keep the flexibility for ccTLD registries in addressing accuracy obligations, as the zone sizes, risk scenarios and registration processes are unique to each ccTLD.

There is no evidence to suggest that various approaches to registration data accuracy are detrimental to security. On the contrary, European ccTLDs are consistently referred to as the most secure domain zones at a global level despite having no unified approach to accuracy.

6Data privacy is a hot topic these days. How do you foresee the relationship between data privacy policies and internet governance evolving in Europe?

Privacy and data protection have recently received much attention at the global internet governance level, primarily within the ICANN discussions. In Europe, however, European ccTLDs have balanced the need to protect domain name holders’ data and law enforcement access to non-public domain name registration data for decades. To our understanding, there is no inherent conflict between privacy and security. The challenge for Europeans is to ensure that a high level of data protection in Europe is maintained as we go forward and not weakened by voices claiming otherwise. Data confidentiality is also part of the cybersecurity toolbox.

7Are there any emerging trends in digital policy that our registrants and domain experts should be aware of?

In the last ten years, we have seen unprecedented regulatory attention to DNS and domain name registries, from cybersecurity to data and consumer protection, agriculture and financial policy in Europe. We expect this attention from EU policymakers to stay strong as DNS becomes increasingly ingrained in legislative proposals across policy areas beyond the usual digital regulation. This adds complexity not only in keeping up with these developments but also identifies the move towards interventions at the infrastructure level becoming more and more acceptable as an enforcement measure for a myriad of societal problems.

The challenge with these developments is to shed light on the broader repercussions of DNS becoming the vector for enforcement online, both for DNS operators and internet users. These repercussions often need to be included in impact assessments accompanying legislative proposals, which is a concern.

Uncover a deeper understanding of these challenges and the best ways to navigate through them. Polina Malaja is one of the expert voices in our e-paper.

Download our comprehensive guide on the topic “NIS2: Unraveling the Directive. Insight for operators and digital experts”.