Making government domain names recognisable is a big job

A response to the recent interior ministry report


The Dutch Ministry of the Interior recently published a study by Centerdata into the possibility of establishing a uniform second-level domain name extension within .nl, for use by local and national government entities. The rationale for having a dedicated extension is to make government websites and mail more recognisable, in an effort to clamp down on phishing and other forms of abuse. The proposal has won support from the wider IT security community, but domain name specialists have highlighted the operational challenges. Having been asked what I think of the proposal, I've written this blog to set out my views and make a number of recommendations.

1,700 respondents

The study examined the potential of two possible second-level extensions: gov.nl and overheid.nl. About 1,700 people were asked about internet addresses with those and other extensions, and prompted to say which belonged to the Dutch government. Everyone taking part was told a little about the extensions before they were asked for their views.

Uniform second-level extension increases recognition

The researchers found that both possible extensions made government websites more recognisable, and consequently reduced the credibility of lookalike domain names. Respondents generally preferred overheid.nl, but gov.nl actually performed better in the fraudulent site recognition tests. In a nutshell, a uniform second-level extension would help to tackle fraud. In light of the findings, the government announced that it would put forward a proposal before the end of the year.

Consistent registration policy helps

The findings of the government study are in line with one of the main policy recommendations that we make to large organisations about registering domain names: be consistent. At SIDN, we often come across organisations that have lost track of many of the domain names in their portfolios, due to haphazard registrations, failure to keep registrations updated, or irrational name choices. Shortcomings of that kind aren't merely sloppy, they're also risky, because there's a danger that 'forgotten' domain names fall into the hands of crooks, who use them for frauds where they pass themselves off as government agencies and officials. However, a consistent registration policy doesn't necessarily mean all government entities using the same extension. Having a centralised registration office for all government domains could also be effective.

Major operational challenges

It's important to recognise, however, that government domain registrations can't all be standardised overnight. A survey of other governments undertaken in 2019 found that the cost of harmonisation is seen as an insurmountable obstacle in many countries. Over the last 30-plus years, complex systems have been built up around many government domain names. A domain name such as the Tax Service's belastingdienst.nl is very well known and performs well on Google. To make belastingdienst.gov.nl work equally well, the Tax Service would need to invest a lot of time and energy in promoting the findability of its web pages.

Mail clients are often problematic

Where e-mail is concerned, uniformity can certainly help in the fight against phishing and spam. Introduction of a uniform second-level extension for government would involve changing all government e-mail addresses, e.g. from name@ministry.nl to name@ministry.gov.nl or name@ministry.overheid.nl. At the same time, it would be necessary to ensure that all the domains are correctly configured to support modern e-mail security standards. What's more, mail programs and spam filters would need to recognise addresses based on the new second-level domain – and experience with new top-level domains suggests that it would be unwise to assume that they will. It was several years before mail from the new TLDs was just as likely to be delivered as mail from .com addresses.

Beware of lookalikes

Another significant point is that historically no clear distinction has been made in the Netherlands between government domains and non-government domains. That's in contrast to the situation in the UK, for example, where .gov.uk has always been reserved for government, while businesses have had to register names under .co.uk. As a result, it wasn't possible to register a lookalike second-level domain such as .gow.uk. The Netherlands doesn't have a system like that, so second-level domains resembling the new government second-level could be created, especially if the short gov.nl option is chosen. Indeed, gow.nl and got.nl are both currently available to purchase. Overheid.nl is more distinctive, but, even if that option is chosen, the government will need to adopt a policy of intensive monitoring to counter the registration of typo-domains.
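
The monitoring recommended above can be run against a feed of newly registered .nl names. The following Python code is an added example, not part of the original post and not SIDN's tooling: it flags names whose label directly under .nl is within one edit (including a swap of adjacent characters) of gov or overheid. The function names and the sample feed are assumptions constructed for illustration.

```python
# Added example, not SIDN's tooling. Sample data is constructed.
PROTECTED = ("gov", "overheid")  # the two candidate labels from the study

def osa_distance(a: str, b: str) -> int:
    """Edit distance where an insert, delete, substitution or swap of two
    adjacent characters each costs 1 (optimal string alignment)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]

def label_under_tld(domain: str, tld: str = "nl"):
    """Return the label directly under the TLD, or None for other TLDs."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2 or parts[-1] != tld:
        return None
    return parts[-2]

def flag_lookalikes(domains, protected=PROTECTED, max_distance=1):
    """Return (domain, protected_label, distance) for near-miss labels."""
    hits = []
    for domain in domains:
        label = label_under_tld(domain)
        if label is None or label in protected:
            continue  # other TLD, or the genuine government label itself
        for target in protected:
            dist = osa_distance(label, target)
            if dist <= max_distance:
                hits.append((domain, target, dist))
    return hits

# Constructed feed of newly seen names (not real registration data).
SAMPLE_FEED = [
    "gow.nl", "got.nl", "gvo.nl", "overhied.nl", "ministry.gow.nl",
    "overheid.nl", "belastingdienst.nl", "example.nl", "example.com",
]

if __name__ == "__main__":
    for domain, target, dist in flag_lookalikes(SAMPLE_FEED):
        print(f"{domain}: distance {dist} from {target}.nl")
```

With a label as short as gov, distance 1 also matches ordinary three-letter names, so hits need manual review before any action is taken.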

Identification of government registrants

A final operational challenge is identifying the applicants that seek to register domain names under the new government second-level domain. It would, of course, be totally unacceptable to have a situation where anyone, even a criminal, could register a name under gov.nl or overheid.nl. A system will therefore be required that allows only authorised personnel to register names or to amend or cancel existing registrations under the new second-level domain. And the system will need to operate around the clock to ensure that government websites don't go down if a name server isn't updated.

Conclusion: proceed cautiously

To sum up, a uniform extension can help to counter abuse, but its adoption has significant implications. The most important piece of advice I would give to the government is therefore: take things step by step. Perform a thorough cost-benefit analysis. Migrate the central government and its ministries to the new second-level domain first. Then migrate the main independent agencies. Focus first on websites, and then on e-mail. Extend the project gradually. It's a good idea, but don't underestimate how much work its realisation will entail.