The Supreme Court of Victoria has ruled that the Australian Domain Name Administrator (auDA) acted correctly when it decided earlier this year to terminate the registrar accreditation of Nicholas Bolton's registry company Australian Style, trading as Bottle Domains.
auDA decided in April to terminate Bottle's accreditation following a security breach that may have resulted in registrants' credit card details being compromised, and because it believed that Bottle Domains should have notified it of another security problem back in 2007 but had not. auDA thought that the 2007 breach might have caused or contributed to the 2009 breach.
Bolton didn't notify auDA of the 2007 security incident, since he didn't think it could be considered a breach for many reasons, including that he believed no registrant information had been compromised.
Australian Style had been notified of the problem by another registrar called Aust Domains, which was using Australian Style's software. Aust Domains told Bolton that it had engaged a software developer to look at the source code, and that in doing so the developer had found a PHP vulnerability that he'd been able to use to download a table structure from Australian Style. Aust Domains developed a patch and provided it to Australian Style, and the patch was then applied.
The court looked at the term "security breach" and decided that what happened in 2007 should be classed as a breach, according to the decision, which auDA released on its site.
"It is not to the point that Mr Bolton was informed that this unauthorised access was engaged in for an innocent purpose (to test the vulnerability of the Australian Style system) without any private information being obtained. The security breach occurred when the unauthorised PHP injection was performed," the judge, Justice Hargrave, said.
He decided that Australian Style had therefore gone against the registrar agreement by not notifying auDA of the problem.
Australian Style said that auDA CEO Chris Disspain's decision to terminate the registrar's agreement had been "totally unreasonable". Yet the judge backed Disspain's decision, listing many reasons, some of which related to Bolton's conduct during the 2009 breach.
The judge agreed with Disspain that Bolton had not acted in good faith when he sent registrants an email notifying them that their information may have been compromised, because the email differed from what he had drafted with Disspain, in what the judge thought was an attempt to play down the seriousness of the situation. Bolton said his sending of the wrong email had been a "cut and paste" error.
"I find that the defective email was not sent as a result of an innocent cut-and-paste error, but as the result of a deliberate decision by Mr Bolton," Hargrave said.
He also believed Bolton's testimony showed "extraordinary indifference to the effect of credit card fraud upon its victims" since Bolton had said that credit card fraud was "not a time sensitive matter because they can address it retrospectively".
"Viewing the evidence as a whole, Mr Bolton's conduct following the 2009 security breach coming to his attention preferred the commercial interests of Australian Style to the legitimate interests of registrants who may have been affected. Mr Bolton was obviously concerned that any notice to registrants should describe the 2009 security breach, and the extent of the consequent risks to registrants, in moderate terms. Mr Bolton did not dispute that this was his intention. Further, he acknowledged that it was his consistent position that no warning should be given to registrants concerning the possible misuse of their credit card details until further information was received from the AFP as to the likely number of credit cards affected," the judge said.
Hargrave also thought that Bolton's reluctance to provide information on the 2007 breach flagged a risk that a future security breach might not be brought to auDA's attention.
"There was nothing unreasonable about Mr Disspain's decision to terminate the agreement. He acted in good faith in doing so," he said.