In responding to Nominet’s second consultation on the possible release of .uk domain names at the second level (i.e. example.uk) the Information Commissioner’s Office (ICO) warns:
> In terms of specific security issues, we are concerned that the addition of second level .uk domains could result in confusion, and potentially lead to security incidents. For example, the possibility of two separate organisations having the same domain but at different levels – which could confuse individuals and result in wrongly directed email, for example. Depending on the type of organisations involved, such a disclosure could result in financial or sensitive information being wrongly disclosed.
This warning has real teeth, since the ICO is responsible for enforcing policy on misdirected emails under the Data Protection Act.
The consequences of misdirected email can be severe. In the last 3 years, the ICO has fined:
- Stoke-on-Trent City Council: £120,000 for misdirecting one sensitive email
- Cheshire East Council: £80,000 for misdirecting email to 180 recipients
- Surrey County Council: £120,000 for 3 cases of misdirected email
- Worcestershire County Council: £80,000 for sending sensitive email to 23 unintended recipients
- North Somerset Council: £60,000 for sending five emails to the wrong recipient
As the ICO’s warning makes clear, the introduction of a confusingly similar second-level domain structure has the potential for such cases to spiral out of control, with severe financial and legal consequences for the organisations concerned. Although the fines listed above all happened to be issued to councils, this is a coincidence – the ICO regulates all manner of organisations, including private companies and non-profits.
It is important to note that this is an “unfixable” problem, in that it will arise automatically should second-level .uk domains be introduced, regardless of the specific introduction mechanism.
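The collision the ICO describes (example.co.uk and example.uk held by different organisations) can at least be detected at an outbound mail gateway. The following is an added illustration, not code from the ICO or Nominet: it assumes a hypothetical list of an organisation's known correspondent domains and flags recipients whose .uk domain shares a label with a known domain but sits at a different level.

```python
# Historic .uk second-level registries under which a label may already be taken.
# A recipient at <label>.uk is suspect when we only know <label>.<one of these>.
UK_SLDS = ("co.uk", "org.uk", "me.uk", "ltd.uk", "plc.uk", "net.uk",
           "sch.uk", "ac.uk", "gov.uk", "nhs.uk", "police.uk", "mod.uk")


def uk_label(domain):
    """Split a .uk domain into (registered label, suffix).

    'mail.example.co.uk' -> ('example', 'co.uk'); 'example.uk' -> ('example', 'uk').
    Returns None for non-.uk domains.
    """
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2 or parts[-1] != "uk":
        return None
    if len(parts) >= 3 and ".".join(parts[-2:]) in UK_SLDS:
        return parts[-3], ".".join(parts[-2:])
    return parts[-2], "uk"


def confusable_recipients(recipients, trusted_domains):
    """Return [(address, [known domains with the same label])] for recipients whose
    .uk domain matches a known correspondent's label at a different level."""
    # label -> set of suffixes we actually know for that label
    known = {}
    for dom in trusted_domains:
        parsed = uk_label(dom)
        if parsed:
            known.setdefault(parsed[0], set()).add(parsed[1])
    flagged = []
    for addr in recipients:
        _, _, domain = addr.rpartition("@")
        parsed = uk_label(domain)
        if parsed is None:
            continue
        label, suffix = parsed
        if label in known and suffix not in known[label]:
            flagged.append((addr, sorted(f"{label}.{s}" for s in known[label])))
    return flagged


# Constructed sample data: a hypothetical address book and one outbound message.
TRUSTED = ["example.co.uk", "council.gov.uk"]
RECIPIENTS = ["alice@example.co.uk", "bob@example.uk", "carol@council.uk",
              "dave@other.uk", "erin@example.com", "frank@mail.example.co.uk"]

if __name__ == "__main__":
    for addr, lookalikes in confusable_recipients(RECIPIENTS, TRUSTED):
        print(f"WARN {addr}: same label as known domain(s) {', '.join(lookalikes)}")
```

A gateway would hold the message for sender confirmation rather than silently dropping it, since a legitimate correspondent may genuinely have moved to the shorter domain.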