Forum on DNS Abuse
Monday, 14 March 2011
ICANN Meeting San Francisco, California

>>STEVE CROCKER: Thank you. It is a pleasure to be here. The welcoming speech and the speeches and the address allocation ceremony are tough acts to follow. And I suspect we may have some people coming in. But we have an extraordinary, quite stellar pair of panels today on the subject of DNS abuse. I'm going to try to minimize the amount of time that I take up. You have on the screen the list of people who are currently up here: Richard Boscovich from Microsoft, who asks that we call him Bosco; Joe St. Sauver, I will just call you Joe; Michael Moran from Interpol; Bobby Flaim from FBI; Glenn Watson from U.S. Food and Drug Administration; and Terri Stumme from U.S. Drug Enforcement Agency. I think I have got everybody here. So with that, I think we're just going to launch right in and let me ask each of you in the interest of courtesy and fairness for the number of people that we have up here to keep your time brisk. I know how to be tough if I have to be, but I am hoping that I don't have to be. So, Bosco, carry on.

>>RICHARD BOSCOVICH: First, thank you for having me. It's hard for a lawyer to keep it to a certain amount of minutes, but I will do my best. We tend to keep talking quite a bit. I work at Microsoft and specifically a group called the digital crimes unit. And one of our primary missions and goals in that particular department of the company is to look at threats against our customers, but generally on the Internet, and try to do something about it. We try to look at it aggressively and look at trends. And although I'm an attorney, I'm embedded with a bunch of developers and forensic individuals and engineers that look at malware. During the course of my tenure there, one of the things we really started focusing on is botnets.
We've come to the realization over the past several years that botnets really have become the criminal infrastructure being used for all sorts of illegal activity on the Internet, from spam to fake lottery scams, phishing, whatever you think about, the infrastructure by which all of that is accomplished as far as we're concerned is the botnet and the malware that it spreads. Based upon that, about a year ago, my team sat down and decided we wanted to do something aggressive against botnets and do it in such a way that would be both technical and legal. And as a result of that, we ended up filing a case which I believe many people are aware of. And that was not this February but the past February, which was against a botnet called Waledac which we termed Operation b49. Ultimately we actually received an order from a federal judge in the District of Virginia on October 27th of last year in which, in essence, we obtained a default judgment. And that default judgment gave us possession of approximately 277 domains, domains that had been used as command and control domains for this particular botnet. The operation effectively severed up to 90,000 computers from this botnet. And after the actual default judgment, we were able to have all of those domains in our possession. And all of those infected computers were coming towards us, or to our sinkhole, indicating who they were through I.P. addresses. We have now been actively working. We have ISPs and CERTs across the country to notify and clean those computers up. That was the first operation under what we called the MARS operation, which is the Microsoft Active Response for Safety. We learned a lot of lessons during that particular operation, which I think is irrelevant for today's discussion. To do a civil operation in the United States, there are many constraints. One of the biggest ones are the due process rights. 
In order to really decapitate this particular botnet, we had to literally take those domains away and that's seizing someone's property. Under the U.S. law, of course, for any taking, you need judicial process. The issue really became for us to follow procedure to give notice to the individuals behind those domains, which were only used for C&Cs would alert the defendants, the bot herders, and did move the bots. That was a big problem. So what we did is we fashioned a legal solution under a TRO which, basically, allows a court under extraordinary situations to go ahead and allow plaintiff to take property away from an individual and then follow up with a hearing about 14 days later under the civil rules of procedure. Now, what we were looking at was a situation in which we, in essence, looked at how ICANN's structure was in terms of DNS. This was all new to me when I came to Microsoft. I really had to be educated on this. And we headed the term. And do we go to the UDRP process, for example, to give them notice? In researching the UDRP, it became apparent to me that, although it's workable in many situations amongst commercial disputes, if you could see what happens after the entire time period that you go through the process, it takes 45 days. Granted, generally speaking, that's acceptable. But when you have a particular domain that's only being used for malicious purposes and that any type of notice to that person who registered that domain, that they will move that domain and you will lose control of that bot and you have to start all over again. Obviously, we could not use the UDRP process. Hence, that's why we went ahead and used this extraordinary remedy. So instead of going to the registrant, which we knew was simply unreliable -- at this point in time, we had forensic analysis that the domain was only being used for nefarious purposes, we decided then to look at the registrar. The problem legally from our perspective was we were limited by U.S. 
jurisdiction. And in this particular case, in the Waledac case, the registrars were overseas so we simply had no jurisdiction. The U.S. courts couldn't impose any kind of jurisdiction there. So we went a step further and looked at the registry. And since the majority, if not all of the domains in this particular case, were actually registered at dot com, we had a jurisdictional angle and that was, of course, that dot com is VeriSign and they are located in the United States. So the court, in fact, allowed us to issue an order directing VeriSign pursuant to court order to go ahead and sever those connections. Now, what were the obstacles? I mentioned a couple. But as we looked at what we learned, is that all of the domains in the Waledac case, they were registered through a China domain registrars and all with fake information. In fact, at one particular point in time, given my newness, I was actually going to list the names of everybody that registered the domains. And it would have been a litany of Chinese names. Obviously, it would have been very uncomfortable doing that, and it would have been wrong because every single one was wrong, was inaccurate and was fake. The registration process for the domain process, they were riddled with fraud, none of the information was accurate and the only accurate information that we determined were two e-mail addresses. And the only way we knew those e-mail addresses were someone's e-mail address is because when we served service of process by e-mail, someone at those two e-mails opened it up and read it. They never responded, but they opened it up. So if we had not severed the domains and they had received notice, logic dictates they would have removed those particular domains and we would have to start from phase 1 all over again. 
So, basically, if you look at the problems in terms of the registration of domains, from a legal perspective, if you can't accurately identify who's registering the domains, you are going to have a very hard time trying to serve them with legal process or initiate any type of legal process against the company or the individuals behind that. And working through international treaties also pose a very difficult problem because it takes a long time. In fact, in this particular case, we actually did serve process with The Hague Convention through China. But that would have taken months. Luckily CNCERT and others assisted us quickly when we determined there were a couple of domains we missed and they quickly moved in at our request and cooperated with us. That shows you a little bit of the complexity and the issues currently with the abuse of the Domain Name System. And, really, we see a situation where the bot herders are taking advantage of the registration process, of the UDRP process to perpetuate their bots because they know that they have anonymity and the ability, a cushion of time, to shift if need be. Now, that was the first operation. We're currently in the process of doing another operation which, of course, sometime in the future we plan on going forward. And what we've seen is that we've now seen a different type of abuse of the Domain Name System. We've now seen botnets, malware that not only use just standard "let's register a domain" but now they are hard coding a domain name algorithm in the actual malware itself. In a particular case, you could have a malware that registers or it generates 15 or 16 domain names every day. If, for example, this particular bot might be an I.P., Internet protocol-controlled, bot, it may have a fallback mechanism in which if it can't reach that particular I.P. address in the malware itself, it then shifts to secondary mode and goes ahead and starts using the Domain Name System generator.
And logic obviously dictates that in this particular situation, the bot herder knows which domains are going to come up on which day and will register those domains. The domains in a lot of these malware which are coded -- hard coded, these malware algorithms which would generate these domains, are simply alphanumeric strings. And one has to wonder who registers these and for what? Does anybody look at what's being registered carefully? And is there anybody really paying attention as to how these domains are being paid for and where they are originating from? These are just some of the issues that we came across when we did Operation b49. And I think these are just indicative of some of the small things that if they are changed either at the UDRP stage, for example, maybe putting something aside, if there is a malware or a security type of allegation, maybe a 24-hour period in which ICANN or the registrar, rather, would check to see if they actually respond or not or maybe at that point check to see whether the registry or the information on the registration for the domain is accurate. So these are some of the items that I think are crucial as you move forward. As the threat of botnets increases, I think that we really have to be much more aware of how the Domain Name System is being utilized for criminal elements to perpetuate these frauds on the Internet.

>>STEVE CROCKER: Thank you very much. That's extraordinary. Let me move rapidly along. Joe?

>>JOE ST. SAUVER: Thank you very much. We have slides coming up, too? So from my point of view, one of the most interesting questions is: Where do spammers go ahead and get their infrastructure? So, essentially, they have certain resources that they need to be able to function, and one of those resources obviously is domain names. So which of the registrars are we seeing that are actually being victimized by these individuals?
We believe that in most cases, there are going to be a limited number of registrars that receive most of the abuse. And if that's true, we can actually work with those registrars to help them deal with the violations of their policies, the abuse that they are seeing because, actually, I believe that many cases, these registrars are victims as much as those of us who receive spam may be. In other cases, it may be that the registrar for whatever reason is unable or unwilling to take action against the people who are using their services. In that case, knowing what registrars appear to have that issue allows us to go ahead and factor that in to things like our abuse e-mail reputation systems. I first went ahead and looked at this topic for MAAWG back in February 2008. It was a lot longer talk. It was about a 60-slide talk. I was gently nudged by some folks and told, No, you won't have that amount of time this time. So I will go ahead and give you a very simplified and condensed version of some of the material from that talk. MAAWG may be an organization you are not familiar with. They are one of the or the leading organization fighting spam on the Internet today. They tend to have a lot of ISP members collectively representing a billion mailboxes. That's a billion with a "b." They also go ahead and have things like messaging product vendors and legitimate senders, and they have registrars who are also participating in their activities. And one of the things I wanted to make sure I mention today is that if you are interested in participating, if you are a registrar, it would be great to have you there as well. And I should go ahead and also tell you that I have been working with MAAWG for some years now as a senior technical advisor. So if you are going to go ahead and try and determine what registrars are being abused, one of the first things you really need to know is what domains are showing up.
The domains that show up in things like spam are tracked by a number of organizations on the Internet. The one that is perhaps most well-known is the SURBL list. They have typically between 500,000 and 600,000 domains listed at any given time. And to give you some idea of the impact of a listing on their site, if you go ahead and are looking at a mail message and that mail message contains a SURBL-listed domain, you are looking at between about a 10th of a point and almost 4 1/2 points on things like SpamAssassin. And for context, a score of 5 will usually be enough to get a message blocked. So it is a situation where they are very well regarded by the community. They are highly trusted. They have a lot of impact. The next thing you really need is some way of mapping domain names to registrars. And for the purposes of simplifying this, let's just assume you are only going to use things that are readily available. I mean, you can, basically, look at the registry WHOIS and find out who the registrar for a given domain name might be. Now, I say generally that's true. There are certainly some exceptions. Some ccTLDs do not offer that, for example, or in some cases, they may be strictly rate limited or there may be other factors that make it difficult to go ahead and get this information. We will talk about a way this could be done more efficiently. But for now, the point is you can get the information you need to do this mapping. One check I like to go ahead and do is sort of a gut-level check in terms of what we see. So before I actually looked at registrars, I wanted to go ahead and see what TLDs I actually saw listed on the SURBL. And you can see the breakdown there. About 40% of the domains were dot infos. And that immediately told me there was some factor I needed to go ahead and understand beyond just superficially looking at this because dot info has a very good reputation for dealing with abuse.
The bad guys certainly hit them hard, but they also go ahead and respond quickly and thoroughly. So that was one thing that jumped out to me. Seeing dot com, second, certainly did not seem inconsistent with my experience. And seeing dot ru third seemed like the sort of thing that made a lot of sense. Those three domains collectively -- or three TLDs collectively accounted for 90% of all the SURBL-listed domains. So there is a high degree of concentration present here. Sometimes people say they are going to go ahead and be using some obscure name from Andorra or Gibraltar or whatever it might be. They might in the future, but we are not really seeing that right now. Now, these listings don't go ahead and weight the data according to the volume of e-mail sent. So you might have a situation where the spammers are using one domain and spamming the heck out of it while they might have a hundred other domains that they are using but not very much. So you need to go ahead and recognize this data is not weighted. When we begin to look down at the registrars as well, again, there are some interesting things you notice. Go Daddy is at the top, and again, Go Daddy is a very responsive registrar. So the first thing that came to mind me is, is there's probably size-related effects. This is not data that's been weighted according to the relative share of the market that the registrars have. There are also some domains that were listed that are actually gone by the time it came around to go ahead and map these. And when I go ahead and say that, you should understand that I attempted to map these in a very gentle way, so as to not have any operational impact on the WHOIS servers. I went ahead and spread that mapping process out over several days, in fact. So it's a situation where you are seeing some of these domains that are effectively going away quite quickly. There are also some registrars that are associated with particular ccTLDs that you'll notice there.
But the point is, we can go ahead and get this sort of data on a per-registrar basis. And it kind of goes down the line. I sort of cut it off at the bottom of two slides just because mind-numbing tables aren't really going to help you if you're sitting in the audience today. So when we think about things like adjusting for registrar market share, I think that's something worth considering, because for example if you go ahead and look at things like Go Daddy, which is huge, or Tucows, which is huge, it just isn't fair to them to go ahead and not do so. There's a couple different approaches you could consider. One approach would be to look at their share of the SURBL, and their share of the total market. And if those are sort of roughly in sync, you'd see a ratio of about 1-to-1. Another approach is just to look to see how much of their total domain portfolio is actually on the SURBL. If two-thirds or three-quarters of it is listed, that's obviously a much different indicator than if only a percent or two is there. At the same time, I don't think that people should go ahead and sort of get a free pass or be told that, you know, for example, 1% is an acceptable number. If you allow even 1% of 200 million or more domains to go ahead and be abusable, that's still a huge number of domains for the Internet to suffer. And I think that much more relevant target might be something that's small but doable. Not zero, certainly, because I think zero is probably impossible, but, for example, .05% is probably a number that would be accomplishable. And as an example, considering Go Daddy is a very large example. That would mean they could go ahead and have perhaps 20,000, 19,000 abusable or abused domains. Tucows, another large example, perhaps 3,000 or so. So, you know, I'm not expecting people to do miracles, but it would certainly be nice to push the sort of numbers down.
One of the things that I want to go ahead and make sure folks go ahead and think about is the fact that there's still a lot that can be done. This was just a very simple example of the sort of analysis that could be done. Things like scaling the domains according to the volume of spam actually seen would be one thing that would be tremendously helpful in terms of isolating where the problems actually exist. It would also be a wonderful thing if we could go ahead and actually get -- provide a daily file that maps domains to registrars. It shouldn't be necessary and it's not really desirable for folks to be hitting WHOIS servers to extract this information on the fly. So if we could go ahead and get that information on a daily prepared basis, that would be far better. And it's also important to note that there are some ccTLDs that simply don't provide information of this sort at all. So more transparency is one of those things that I think is also something we need to strive for, as we also should strive for accomplishable targets like that .05 threshold I mentioned.

>>STEVE CROCKER: Thank you, Joe. Thanks very much. Michael Moran, from Interpol.

>>MICHAEL MORAN: My name is Michael Moran. Or Moran, as you say here in the U.S. I'm a member of An Garda Síochána, which is the Irish national police force, and I'm on secondment to an international organization called Interpol, which is the international criminal police organization. Very quickly, I want to just present Interpol to you as a basis and to kind of try and get away from the Hollywood impression of Interpol and the fact that we can be found abseiling out of helicopters at any time of the day or night. Our four core functions are communications, databases, operational support and training, or skills transference, which is the politically correct way of saying it these days. Comms and communications, a secure global network connecting 188 member countries through what is called a national central bureau.
Each of your countries will have a national central bureau, and that national central bureau sets quite -- quite generally the police open hierarchy. Databases such as the international fingerprint database, the international stolen and lost travel documents, the international DNA database, stolen art database, stolen motor vehicles database and indeed, the one which I have responsibility for, the international child sexual exploitation database. As part of the operational support, then you have the subgroups of that is drugs and organized crime, financial high-tech crime, public safety and terrorism, and trafficking in human beings. Under the trafficking in human beings section is the crimes against children section and that's the section that I've worked for now for the last five years. I'm going to give you a very quick overview of a number of two related operations which have gone down in the last four years, all of them Web-based and all of them -- both -- all of them involving DNS abuse. Before I start, I want to make it very clear that I will not be using any words such as "kiddie porn," "child pornography," or anything of that nature. You will hear me referring to what it is. It's child abuse material. None of this -- none of this material can be produced without a child being abused and it's very important that we use the proper language. "Pornography" implies consent, it implies social acceptability, and neither of those two can be applied to child abuse material. So when I refer to child abuse material, I am referring to what's commonly called child pornography. It's very important to remember that as police and as law enforcement, when we're dealing with this early it, we are not dealing with soft focused shots of 16-year-old ladies on the beach staring out to sea and dreaming of future lovers.
We are dealing with prepubescent child sexual abuse, often under the age of 10 years of age, often pre-speech, never mind prepubescent, and that's very important to remember, because we're not Puritans who don't want you looking at pornography. We are police officers who are working in an international environment, trying to identify these children and therefore to stop the abuse. Operation Flicker -- Tornado, Myosis, Flicker -- which was an operation which took off in three different locales in the world on the same criminal organized group in 2006 and 2007. In the U.S. here you had the U.S. ICE, you had FBI, you had the COS (phonetic) team at the Department of Justice, you had Interpol who became involved later on, you had the minister of the interior at Belarus in Belarus, and you had the metropolitan police in London. Basically, this was a criminal organization who were running Web sites selling child abuse material on the Internet. They were selling it in the classical way. At first using simple Visa cards and Mastercard and whatnot. You go on-line, you go -- you are funneled through a number of advertising sites, you eventually get to the pay site, you pay -- you pay your monies and you take your chances and off you go and you put in all your credit card details and all that sort of stuff, including your postal address, and I can -- I could talk all day about why people do this, but anyway, that's another -- another day's conversation. But you put all this information in and then you get access to the child abuse material in volume. Using the username and password which is sent back to you. That changed later on in the operation but essentially the Operation Flicker component, which was U.S. ICE and FBI, they went a different way about doing it. The operation Tornado, which was the Belarusan operation, that was not a child protection operation.
That was a money laundering operation, and basically they discovered a criminal gang operating within their boundaries, within their jurisdiction, who were making an awful lot of money from this -- this operation, essentially. Operation Myosis was London metropolitan police, who somehow came into possession of the list of clients, otherwise known as the idiots, who put in their credit card details, their names, their addresses, their ZIP Codes, their dates of birth, into this Web form and paid for access to this child abuse material. And then operation Flicker was, as would be expected, from a more advanced policing company, like the U.S. It was U.S. ICE and FBI who tracked back through -- made undercover purchases and tracked the payments back through PayPal, mostly. And when I said earlier on, that it was paid by Visa. It later became PayPal and it was classic money laundering techniques used through money mules, et cetera, et cetera. The final outcome of this was that Interpol forwarded to 140 countries 65,000 payment records made by individuals from their safety of their sitting rooms and bedrooms to these countries for whatever action was deemed necessary. Some countries react to this type of information and some of them don't. The Belarusans took out the criminal gang or at least most of the criminal gang in Belarus and they're all serving sentences of up to 9 or 10 years for money laundering. The point about this was, it was a very blatant and obvious organized crime gang. They were selling children. They could have been selling drugs, guns, spam, running botnets, whatever. And that was what was interesting about this. The tail end of this criminal gang were based in Ukraine, which is next door to Belarus, and this gang became the subject of Operation Basket, so basically they took the same out-of-the-box content that was available from a child abuse material point of view, they took that and they put it back on-line.
Only this time, they operated a far more sophisticated DNS abuse system. Each of these operations would have had over 2,000 domain names. Each -- at least 2,000 domain names. And many of them in this case, in Operation Basket case, one of the obfuscation methods that they were using was the method that was brought up earlier on by Bosco which is the generation of random DNS, random domain names and registration, random registration. The interesting thing, of course, is that all of these 2000 domain names had extremely accurate WHOIS information attached and wasn't paid for with the credit cards of aforementioned idiots. Okay. I'll try that another way, yeah. Basically all of these domain names were paid with by stolen credit cards using the information that the idiots put in to get access to the child abuse material in the first place, and secondly -- and secondly, the WHOIS information was of zero value. In fact, one name was used to register -- one name was used -- the names are often -- phone numbers are correct, the names are often correct people, but it's just stuff that's been drawn down off the Internet itself. Lots of countermeasures and deceptions. I won't go into it now but if you tried -- for example, if you cut and paste a domain name into the address rather than by coming through the referral mechanism, well then you got a Web page that told you "account terminated." If you were coming from certain locales -- for example, because they were an Ukrainian crime gang that were operating in the same methods -- you wouldn't get any result if you were coming from the Ukraine because obviously if the Ukrainian police were investigating them, then you'd get no results. You'd get either a 404 error or you'd get this, again, "account terminated" message. 
They were using what's called direct injection methods, often used by hackers, where they were using compromised machines to display, so you would have -- basically when you would go into the domain name that was displayed, it was an innocent domain, and the content was coming from elsewhere. The "elsewhere" then were servers in Central American countries, east European countries and on seizing those servers, we would find only file sitting in the Apache system. That one file was then redirecting to another server and then we would go through the whole process of trying to find that server. And then we would find that one and there would be one file on it and that would be going to another server. In the end we didn't get anything. We did get one server with a lot of information on it but it was encrypted, and again, that's the -- the sort of detail and the experts that we're dealing with in these cases. Child abuse material on the Internet has reduced a huge amount. We don't see the volumes that we saw many years ago. My colleague, Bjorn-Erik Ludvigsen, who is here also from Interpol and from the Norwegian (saying name), the criminal police in Norway, he is -- he is here and he'll talk to you later on about the blocking systems that are in place in some European countries and in -- especially Scandinavia, but the result of it is the reduction of -- the reduction of child abuse material on the Web is robust police action such as I've just described, where you have to actually -- if I just go back to the Operation Basket resulted in the final remnants of this gang that had been initially taken out in operation Tornado were subsequently arrested and are serving sentences in Ukraine. So that gang is more or less all behind bars at the moment. So robust policing action of that nature, blocking that happens a lot in Europe, and increased operational capacity generally in police forces around the world who understand this crime type and who deal with it. 
That leads to a reduction of -- on the Web. The financial coalition, which some of you may be aware of, which runs out of Washington, D.C., is a coalition of the payment people like PayPal, like Visa, Mastercard, American Express. They all sit around the table with the police, involved in the investigation of this crime around the world, and NGOs who have involved such as the National Center for Missing and Exploited Children in Washington, sitting down with them. You know, if they are notified that their payment systems are being used to exploit children, they will immediately kill that merchant account. Immediately. There's no questions asked. It's just once they're notified in the proper agreed manner, immediate cutoff. INHOPE is the hotlines around the world, the different hotlines such as your cybersafety hotline in (saying name) run here in the U.S., the Internet Service Providers associations around the world, they all operate a notice and takedown facility, so combine that with blocking, they are good preventive techniques for getting this stuff and reducing the amount of CAM on the Web. The public response, there's less spam. There's work been done here beside me. There's less spam out there so there's less access to this material. And then there's a big hole at the bottom of our little box square here, and that big hole is DNS. That big hole is ICANN. That big hole is the registrars. That big hole is the lack of effort, the lack of common sense that could be put in place -- I believe could be put in place. I call on ICANN and I call on the registrars to step up to the plate in this, in a similar way to the financial coalition and I would like to see a DNS coalition set up in such a way where procedures can be agreed and that as already called for by both of the speakers here beside me, that there could be a process put in place to immediately sever a domain pending investigation. Or suspend a domain pending investigation.
We have a blocking list running out of Interpol which is called the "worst of" blocking list, and that is the criteria for that are quite strict but it's basically material that is definitely illegal in all countries who have law of this nature. Those 400 odd domains and that's all -- we're not talking about a million domains here, we're talking about 400, 500 domains, period, that have really bad -- under -- really young children involved in sex acts, being -- actually being abused. Those -- those domains we would love to see an automatic system where, upon notification, ICANN or whoever has the power to do it can just sever them. So another interesting part is accurate WHOIS. I mean we don't -- accurate WHOIS is a joke. It just doesn't happen. We don't see it. We never get it. Even if we do see something within it that might give us indications, it's -- it's always a dead end and it's a waste of time even trying. And for me, what's the point in having a WHOIS database if it can't be accurate? Somebody has to be responsible for having that accurate. Somebody has to be. I'm sorry. And whoever that "somebody" is, can you please step up to the plate and do your work? As for the gTLDs and the ccTLDs, it's a -- it's an important point to make that we rarely see ccTLDs involved in crimes against children. Perhaps because it's very quickly notified to them and they very quickly get it taken down, but there's an instant reaction when it happens. Now, I know ru shows up a lot in the spam and we also see ru domains, we also see cn domains but I can guarantee you that in the smaller countries where there isn't an out-of-control registry process, it just doesn't exist. And communications. I mean we're here because we want -- we're reaching out to ICANN. ICANN, reach out to us and we still can't communicate. So, you know, let's clear away the chairs and start dancing, would be my thoughts. Okay. Thank you. [ Applause ] >>STEVE CROCKER: Yes. Thank you, Michael. 
I thank you very much for speaking quite forthrightly and forcefully. And I apologize about mispronouncing your name. Let me mispronounce the next name, Robert Flaim, but I know he goes by Bobby. >>ROBERT FLAIM: Actually, I'm going to let my colleagues here speak before me. Terri Stumme and then Glenn Watson. >>TERRI STUMME: Good afternoon. My name is Terri Stumme and I've been asked to sit on the panel to discuss the issue of domain name system abuse as it relates to the on-line trafficking of pharmaceutical controlled substances. I've been working in the on-line pharmacy area for six years for the Drug Enforcement Administration and in the pharmaceutical and chemical Internet investigation section for four years. Our section is the main point of contact for investigations and operations targeting international, national, state, and local chemical and pharmaceutical cybertrafficking organizations. I would be remiss if I didn't take this opportunity to share with you all the fact that in the United States, prescription drugs continue to kill more people than all illicit drugs combined. More than 6 million Americans abuse prescription drugs. No state is unaffected. And here are a few statistics. In Florida, in 2008 and 2009, over 6,000 people died of a prescription drug overdose death. In North Carolina, from June 2008 to June 2009, one person died a week of a prescription drug overdose. From 2005 to 2009, prescription drug overdoses in Ohio rose 249%. In West Virginia, between 1999 and 2004, prescription drug overdoses rose 550%. From 2001 to 2005, more than 32,000 people died in the United States of a prescription drug overdose. In 2006 alone, 24,000. This is a 100% increase. If you're not drug testing your employees, you might want to consider the fact that from 2005 to 2009, there has been a 40% increase in employees testing positive for prescription narcotics. The volume of controlled pharmaceuticals sold over the Internet is enormous. 
In May of 2009, 14 individuals were convicted of charges of Internet trafficking of controlled substances. Jog network, Inc., was responsible for approximately 44 million dosage units of prescription drugs being distributed throughout the United States. The company earned over $78 million. All of the drug sales were facilitated by customers placing orders on the Internet through Internet Web sites. In another on-line pharmacy network, U.S. residents received approximately 799,049 packages containing 71,914,410 dosage units of prescription drugs over a 16-month period. As the Internet has become an efficient tool for legitimate commerce, it is also being used to facilitate a vast array of criminal activity. DEA investigations have revealed many corrupt tentacles in the Internet, including, but not limited to, Web site developers, Web host providers, ICANN accredited registrars, and merchant processors. We have encountered spam, malware, Fast Flux hosting, and botnets. Additionally, proxy servers, fraudulent and inaccurate WHOIS information continues to impede our investigations. Even identifying the physical address of a registrar in order to serve a subpoena has proven difficult, at times. Internet pharmaceutical affiliate programs utilize thousands and thousands of domain names, constantly rotating the status of each from active to inactive to parked, changing domain servers, utilizing collocation services, changing WHOIS information, and transferring domain registrar services with little difficulty. In 2009, the United States enacted the Ryan Haight Online Pharmacy Consumer Protection Act. It added two new felony offenses to the controlled substances act. This act involves distribution and dispensing of controlled substances via the Internet. 
Section 841(h) of the paragraph states, "In general, it shall be unlawful for any person to knowingly or intentionally (a) deliver, distribute or dispense a controlled substance by means of the Internet, except as authorized by the subchapter or (b) aid or abet such a violation." The examples of the activities are (a) delivering, distributing or dispensing a controlled substance by means of the Internet by an on-line pharmacy that is not validly registered with the modification; (b) writing a prescription for a controlled substance for the purpose of delivery, distribution, or dispensation by means of the Internet. And I want to emphasize part (c) is serving as an agent, its intermediary or other entity that causes the Internet to be used to bring together a buyer and seller to engage in the dispensing of a controlled substance. This can potentially expand to otherwise legitimate businesses associated with the Internet. Law enforcement recommendations are made to the ICANN community based upon real-life investigative experiences of both domestic and international law enforcement agencies. The intent of these recommendations is to deter both present and future cybercrime. With the implementation of internationalized domain names, the impending new generic top-level domains in IPv6 protocol lending the potential for the Internet to become a billion times larger, it is imperative that the Internet community take the necessary steps to police itself. While not to appear overly dramatic, but I believe the statistics make it pretty clear: Public health and safety is at risk. Lives depend upon expedited action by this community. Thank you. >>STEVE CROCKER: Thank you very much, Terri. [ Applause ] Glenn, you're next, right? >>GLENN WATSON: Yeah, I believe so. >>STEVE CROCKER: Glenn Watson, U.S. drug enforcement agency. >>GLENN WATSON: My name is Glenn Watson. I work as a special agent for the Food and Drug Administration, office of criminal investigations. 
We're tasked with conducting criminal investigations involving FDA regulated products. Obviously probably the most well-known of those being pharmaceutical products. In an effort to not repeat what virtually everyone else has said here, I'm just going to tack a couple of other issues onto what Terri said in relation to controlled substances. Even those organizations that, following the implementation of the Ryan Haight Act started to steer away from controlled substances, there's still a huge, huge market for the sale of prescription drugs and other pharmaceutical products via the Internet that are counterfeit or substandard. There was a study that was done by the World Health Organization that indicated that 50% of all the drugs that are sold on-line from Web sites that conceal their address were found to be counterfeit. When you look at that, most people who spend time in this area say, "Well, they're really just selling Viagra and Cialis and other lifestyle drugs, so what's the big deal?" If you dig into that a little bit deeper, it goes well beyond lifestyle-type drugs. We're talking about actual life-saving and health-maintenance drugs, such as Lipitor, Crestor, Plavix, Nexium, Zyprexa, antibiotics, insulin products, and cancer and HIV drugs. When you look at it from that perspective, it's a much bigger problem, I think, than people are aware of or are willing to admit. One of the issues that we've spent some time on lately discussing is whether or not proxy services are really appropriate for organizations that are selling regulated products such as pharmaceuticals. Just like if you were going to go down the street to your pharmacist or to your doctor, when you have a prescription for a drug you want to be able to contact the person that's providing those drugs to you, if you have questions or if you have problems. 
When you have organizations that are operating on the Internet, criminal organizations, obviously they don't want to be contacted by their customers. They spend quite a bit of time using proxy services and other mechanisms to try to keep law enforcement at bay and the customers that are purchasing those drugs. We've seen other issues over the past years where they've operated Web sites purporting to sell pharmaceutical products where once the consumer actually places an order, they're actually contacted by the crime group and they're told that, "Hey, we know that you're purchasing drugs on-line and we work for the U.S. government either as an agent for the FBI, the Food and Drug Administration, or the DEA, and if you don't pay us $15,000 in the next 24 hours, we're going to come to your house and arrest you." So pharmaceutical products, even from the counterfeit side and the -- the unapproved side is a problem, but it's also being abused by the criminals on the Internet to solicit credit card information and to extort money from individuals who are trying to purchase these products. Thank you. [ Applause ] >>ROBERT FLAIM: Hi. I'm Bobby Flaim. I just wanted to say just a few comments to kind of sum up what we've heard on this panel. We've heard botnets, spam, child exploitation, the sale of illegal and also counterfeit pharmaceuticals. What we have done as a law enforcement community is we've come up with a set of recommendations. Two parts. One part is to get ICANN to ensure that the registrars and registries which they accredit currently and in the future, especially in light of the new gTLD process, are the most accountable and reputable and capable organizations that there are. Secondly, with the registries and registrars, we want to make sure that the domain name registration is accurate, and also that these are not criminals as you have heard today that are obtaining these resources to commit nefarious activities. There are ways to do this. 
We have pockets of excellence within the registry and the registrar community. It needs to -- it needs to be 100%. Everyone needs to do it. And that's what you've heard today. We have been dealing directly with the registrars and registries to get these law enforcement recommendations. We're kind of retooling them and revising them. The intent, you know, with the registrars and registries was approved. We want to fine-tune it. That's why they're called recommendations, because we want to make sure that they're the best, that they're surgical, and that they actually address the problems that are out there. And the reason why we're doing this is that there are so many problems with the ongoing or the current 22 gTLDs, we don't want it to be on a much more massive scale with the introduction of the new gTLDs. And we feel that time is of the essence at this point. And that's why we're hoping, through these case examples, through our recommendations, through working with ICANN, the registrars and registries and the other members of the community, that we can accomplish this. So I just wanted to end on that note. [ Applause ] >>STEVE CROCKER: Thank you. We're somewhat behind on our schedule but nonetheless this is the portion that we've allocated for Q&A. Let me ask Margie first. Have we gotten anything off of the net? No. Anybody have questions? I think we want you to come to a microphone if you want to address any of the panelists or a generic question. Thank you. >> I will keep it brief. My name is Garth Bruen from Knujon.com. I have a question specifically for the law enforcement community. The registrars are required by the contract to obey the law, and I see on many terms of service agreements and many ISP and registrar Web sites that they will forward knowledge of criminal activity within their services to law enforcement. And I was wondering if this is a model that you see is working and if you have received a lot of this information voluntarily. Thanks. 
>>ROBERT FLAIM: Well, like I said, we have seen small pockets of cooperation. But unfortunately there is a greater problem. And, you know, reporting it, while we can do it case by case, the problem is so pervasive, law enforcement resources are so small, that that has not been the most effective method. And if anyone else would like to comment as well. >>STEVE CROCKER: Paul? >> PAUL VIXIE: Paul Vixie, Internet Systems Consortium, ARIN board of trustees. I want to thank all of you for saying what needed to be said. It has been said before but never as forcefully or as well. I would call your appearance here timely except that it's perhaps in overtime. We should have been doing what you are describing years ago. I'm not hearing a lot of hope in your voices. I'm hearing an amount of exasperation. I know the ICANN community is large. The industry is large. We are growing. Any time you have an economy that's growing as fast as the DNS economy, there is room for all kinds of experimentation, rule bending, loopholing, that kind of thing. Getting accurate WHOIS around the world looks like an intractable problem to most of us. So I think I will certainly double my efforts to help make happen the things that you're describing. I hope others in the room will do, likewise. I want to just mention briefly in passing that in other technologies spheres, besides DNS itself, we tend to handle these things with reputation systems. Rather than trying to keep the bad allocations from occurring, we handle it by stomping on them, kind of private right of action outside the regulatory system, outside the provisioning system. I am the author of such a system for DNS. I am -- it has just been added to BIND, and it is probably going to be in other products. I think that if the community can't get behind the type of accountability that you're describing, the private right of action and the sort of inevitable chaos from that is going to make the DNS a lot less reliable. 
I would rather do it your way. Thank you again for speaking so forcefully. >>STEVE CROCKER: Thank you, Paul. Rick? >> RICK WESSON: Thanks, my name is Rick Wesson. And I appreciate all of the comments you have, and I understand that it's -- doing these jobs is very difficult. In 2003, it was around the Beijing ICANN meeting, I launched a service for domain registrars to authenticate or verify WHOIS. And this was a WHOIS verification service that I was trying to sell to registrars so that they could verify every entry before they do a delegation. And the cost was going to be, you know, a few pennies per domain name. And we could cover 209 different countries as far as being able to verify the WHOIS and all of the elements, telephone number, address, e-mail, all that kind of stuff. And it wasn't a viable service. I made the mistake of building it first, and then trying to sell it. And I should have tried to sell it and then build it. And it is not intractable. It can be done. There are services today that you can buy, about 25 cents, to go and verify all this information per transaction. So it can be done. It's -- there is very little willingness to have anything in between the transaction of registering a domain name. And until ICANN essentially legislates that that is required, it won't happen. But we will see the expansion of entirely accurate domain names that have no connection to the real end user. That air gap is very difficult to transit. And so it may not actually be a viable strategy to impact this particular problem that we're having. I do advocate that ICANN make some kind of mechanism that the general population can inform ICANN merely for statistical purposes to understand the veracity and depth of malicious activities whether it is for I.P. addresses or domain names. And to kick that off, I actually started a project to collect a bunch of university folks to help with that effort. 
And if ICANN can essentially open the door to let the community try and understand what the problem is and inform this process, I think it would be extremely helpful. Thank you. >>STEVE CROCKER: Thank you. >> DON BLUMENTHAL: Hi, my name is Don Blumenthal. I'm with the Public Interest Registry. Also spent -- retired U.S. fed and spent over a third of my career in Internet law enforcement. And I use that part of the intro because I'm not coming here as somebody who challenges law enforcement at any level. But the example of Finsen (phonetic) was used and a closed group that does do take-downs. Looking at it from a broader perspective, though, addressing one statement, if you were to come -- Mr. Moran I think was talking. If you were to come to me as a registry and say there is a bad actor here, take it down, are you going to tell me you got the evidence or are you going to show me the evidence? >>MICHAEL MORAN: My colleague Bjorn-Erik sitting in the front row, his daily job is to monitor these (inaudible) sites. He has very strict criteria in which he adds a site to that list. He copies everything that's there. It is all available. It is all available to you through your national center bureau. If you are here from -- I don't know -- BFA, as you call it here in the States, or from Botswana, your national center bureau has that list. And that list -- with a proper MOU in place, that list is available to anyone who wants it. And the evidence is there to back it up. Okay, it is based in France, in Lyon, France, but you are welcome to come and look at it or you are welcome to get a copy of it through proper channels and in an appropriate way. Certainly it is all there. And when we -- what we are asking for is -- what we are asking for is just, as I said, move the chairs and let's dance. Do we put together a series of protocols where we build trust? I have heard that word "trust" here all day, and I believe in it myself personally. 
And I believe that we can put process in place that will allow that trust so that you can instantly suspend pending investigation -- further investigation. I believe it is there. I believe it is possible. And then when you are dealing with public safety and when you are dealing with crimes against children, as I do, on a daily basis, all you can ask for and all you can hope for is that people would make that effort. That's all. I mean, we do the work every day. It is there. We're trying not to hide our light under a bushel. We are trying to get out there and show you what we're doing. Yeah, you know. That's all we ask. >> DON BLUMENTHAL: Just real briefly, I'm not sure that all law enforcement works that way. And trust is the issue, and I guess one of the reasons the PR has been so insistent on, "no, we can't just do this and we need judicial order" is at least we know we have a trusted -- to one level or another source in a judge who has at least reviewed the evidence and can authenticate to us, make us comfortable that there is a problem. Having been in the field, I would hope that there might be mechanism down the line, though. >> GLENN WATSON: The only thing I would add to that at least from the Food and Drug Administration's perspective over the past couple years is we have been relatively proactive in reaching out to registrars and providing them with written documentation specifying which laws are being violated by the registrants or the actual Web sites. And some of the allegations that we've received lately regarding registrars who will suspend domains only to later release them for a fee to registrars located outside the United States is very concerning. So if we have a Web site that's operating illegally and selling prescription drugs in violation of U.S. law to U.S.-based consumers and a registrar is willing to release that domain to a registrar that's outside of the U.S., that's a cause for concern for us of why a registrar would allow that to occur. 
>>STEVE CROCKER: I need to interrupt this excellent exchange at this point because the clock is pressed against. And I apologize, Alex. I'm going to hold off. This is a really excellent exchange, as I said, and the issues of equity and fairness and due process and so forth are not going to get resolved instantly so I think this sets the stage for continuing dialogue on that. In the meantime, I think all of you have done a stellar stage of raising the attention level, awareness and temperature on this subject. And I think all of us are very well served by that. So let me thank you all. Let me ask the audience to thank you and let's bring the next set of people up, Bjorn and Marc. [ Applause ] So while the next set of speakers is getting settled, you can see on the screen, Ram Mohan from Afilias, Christine Jones from GoDaddy, Marc Rotenberg from the At-Large community and Bjorn-Erik Ludvigsen from Interpol. Ram, are you set up? >>RAM MOHAN: I think so. Thank you, and thank you for this panel. I wanted to speak specifically about take-downs and blocking. The session is about take-downs and blocking, and I wanted to provide some practical operational experience that we've had at Afilias. As folks in the previous panel spoke quite clearly and eloquently, the e-crime landscape is quite interconnected. One thing leads to another, and there are many parts that are one way but also many of the parts that go two ways. Let me tell you what we've been doing and what some of our experiences have been. So take-downs themselves in our experience, they can work. If you look at dot info as an example, we instituted an anti-abuse policy in collaboration with registrars in October 2009. We went through an ICANN process, a public comment system. In this method, what we have done is the registry is a central point for the analysis and data dissemination. And Afilias has built several relationships within the security community. 
It already has preexisting relationships at the registrar community. But the fundamental method that we've been using is that the registry reports problems to registrars and the registrars can consider the take-downs of the names we refer to them. And the basis behind that is that the registrar has a primary relationship with the registrant. And the registrar really is in a very good position to set and enforce its registrant contract. In the case of the registries that we operate, there are thick registries -- I don't know what happened here. There are thick registries, but the data that we have is often not as good as the data that the registrars have. So I think that's one of the basis. In terms of actual things that happened from October 2008 till this month, till the present time, over half a million dot info domain names have been reported to registrars. The good news here is that pretty much all of them have been subject to action by registrars and take-downs have actually happened. Now, one last thing to add is that in the anti-abuse policy that Afilias has for dot info, the registry has the opportunity or the ability to act independently, if necessary, but in general, we've not had to do that. So in terms of principles, there were two principles of success. Take-downs work because they address the problem at source and the take-down is a specific, direct response. The one thing that take-downs do have some problems with is that you are often taking action on an atomic level. You are not taking action on a larger scale. So if you have a particular registrant or a set of some criminal element that is registering names using a large variety of tactics and obfuscation, you end up being pushed to take action on a one-by-one basis, on a name-by-name basis which can be both cumbersome and slow. DNS blocking: these are some views. One of the things that I wanted to define really is what blocking -- what I mean when I say "blocking." 
So what I mean is that it's a way to not allow queries -- DNS queries to be fulfilled at some layer of the DNS. And it is different from the action of suspending a domain name by removing it from a zone or by deleting a domain name all together. So in the case of blocking, the names actually exist. They theoretically are valid but there is some methodology to make sure that they don't get fulfilled -- the queries don't get fulfilled. My issues with DNS blocking in general are that blocking can be a disproportionate response to the problem itself. If you look at spam, for example, filtering often ends up happening at both the ISP level and at the local organization level. And as folks in the previous panel spoke, you have blacklists that you can use. But if you look at DNS, virtually everything depends upon it. It's not just Web sites. It's a lot more than that, even though Web sites are often the most visible component. And so there are some questions about whether blocking of the ISP or even the carrier or levels above that really is the right thing to do. In just my own personal opinion, blocking TLDs, ISPs level above could actually be disastrous and could have lots of unintended consequences. Some of those are -- you can clearly create some confusion for Internet users because it is hard to understand who is responsible and how to correct the problem. If you have a real name and you've got blocked, where do you go? Who do you go to get it resolved? It's very unclear. It's also incompatible with DNSSEC. There are some subtleties here. But at the high level, DNSSEC interprets lying, which is what blocking would require, it interprets such lies as intrusion attempts. And it actually undermines efforts to build trust into the entire DNS system. The other thing is that there is some collateral damage that we should be aware of and be very careful about. So those are thoughts on blocking and results on take-downs. Thanks, Steve. >>STEVE CROCKER: Thank you. Christine? 
>>CHRISTINE JONES: Hi, thanks, Steve. I'm Christine Jones. I'm from GoDaddy. And we deal with DNS abuse on a variety of contexts every day. And I like to say at the outset of these talks that I give that domain names don't commit crimes. Well, they don't. People who register domain names sometimes commit crimes, and we don't like to be a part of their criminal schemes. Does it bother you guys if I put my glasses on? Nah. I broke my glasses yesterday. I'm having a glasses crisis. But we'll go with the blur. You look very lovely. We work with all of those nice guys every single day, the DEA and the FDA and Interpol and the Irish police and people all over the world because there's bad guys everywhere. And whether it's spam or phishing or malware or child pornography or, as our Irish colleague artfully put it child abuse, because that's what it is, we deal with those issues all the time. And we take maybe a somewhat more aggressive approach than some registrars, but you have to consider we register something on the order of 1.6 domain names per second. We have a big universe of domain names under management. And I have got about 100 people that work 24 hours a day, seven days a week to address these issues. And I understand that that's unique in this ecosystem. Not every registrar has 100 people that work 24 hours a day, seven days a week to address these issues. So when you are thinking about how do you address these issues, you have to say what is the scale of that registrar? What are they capable of doing? How does their scale -- how does their size fit addressing the problem? Not that they shouldn't do it. Not that they shouldn't do it. And I think every registrar who's a legitimate corporate citizen who sits in this room or attends these meetings will agree. If you are going to stand up the infrastructure, you have to support the abuse fight. But just keep that in mind because not everybody can respond to you, Bobby, in an hour like we can, right? 
They just can't do it. That's a little bit of my political agenda coming through on behalf of the other registrars. But what we have found really successful is we have taken the hybrid approach to addressing DNS abuse in a variety of different contexts. And what I mean by that is we have sought and supported targeted legislation to make activities that abuse the DNS system illegal, so law enforcement have a hook to go after bad guys. We have a reason to address issues because they are, per se, illegal and not just a judgment call on behalf of GoDaddy or another registrar. But also we couple that with voluntary cooperation by the industry. And you have to have voluntary cooperation because law enforcement simply don't have the resources to go chase down every spammer who registers a $9.99 domain name to send out spam of one type or another. They just don't have the resources. And you guys can correct me if I'm wrong, but it is much more helpful for you if we affirmatively go take somebody down who we know to be engaged in bad behavior on the mere notice from Interpol or the Irish police agency than to have to jump through a whole bunch of hoops and spend a bunch of money to conduct an investigation. So that approach has been very helpful for us. Here in the United States, we have also worked very successfully with non-law enforcement agencies so the intellectual property enforcement coordinator at the White House, the FTC, the FCC, the enforcement agencies that don't have a badge, so to speak, that don't prosecute criminal activity, we have worked with them as well. But whether it's botnets or spam or child pornography or drugs, whether they are prescription or counterfeit, controlled or not controlled, all the things that that prior panel talked about, we have no interest in our system being used to enable people to commit crimes on the Internet. That's not why we exist. 
But I will submit to you that unless and until all of the registrars are held to a standard that says you have to take care of the bad guys on your system, no matter how much effort GoDaddy and other good registrars put into this problem, you are never going to solve it because there's always going to be a safe harbor, a bulletproof registrar or a bulletproof hosting provider that those bad guys can seek solace in. And we have to fix that hole in the fence. We have to fix that, guys. I will leave it there. Thank you. [ Applause ] >>STEVE CROCKER: Thank you, Christine. Well said. Mark, I think you're next. >>MARC ROTENBERG: I'm Marc Rotenberg. I'm now with the At-Large Advisory Committee. My day job is as a director of the Electronic Privacy Information Center in Washington. I advise Congress and international organizations on emerging privacy and civil liberties issues. And, obviously, the concerns about DNS abuse are significant for the user community. We've supported DNSSEC, and we've said that it's necessary for law enforcement to go more aggressively after criminal groups and others that are misusing DNS. But I think it is important to understand also that as we pursue this discussion, there are a couple of additional concerns to put on the table. One that's been mentioned several times has to do with due process or fairness when law enforcement goes and tries to take down a Web site. If you are on the receiving end of that or monitoring the DNS for that, you want to know, is this decision justified, is it lawful? Is it correct? And I think we're going to need to address that concern, particularly as governments become more aggressive in prosecuting DNS abuse. Because if we reach an outcome where the good guys are getting swept up along with the bad guys, that's likely to create problems as well. And one of the things that the law does -- and I think this was Christine's point -- is it makes the participants understand what the rules are. 
It gives them some guidance as to when they're supposed to respond and how they're supposed to respond and also makes clear what the appropriate timelines are for appropriate responses. So I think this is an area actually where the law will provide some clarity as we pursue instances of DNS abuse. I will say a related concern in this field also has to do with a growing push for online attribution. DNSSEC, to the extent we are talking about providing better authentication for domains, I think is a step in the right direction. But there is also a growing sense in the law enforcement community that perhaps we need to think about end user attribution because if it becomes possible to trace activities back to specific users, then there's a new way to go after abuse. And now that we're beginning to open the chapter in IPv6 and the possibility of unique addressing for devices, this becomes a very real prospect. So from the privacy perspective, I think it will be important to consider the interests of the end users, and that we not push so far that we bring attribution to the user level, to the consumer level, because that will introduce some other risks. I'll stop there. >>STEVE CROCKER: Thank you, Marc. And that brings us to Bjorn-Erik. Are you set? >>BJORN-ERIK LUDVIGSEN: I'll do my name myself. It's Bjorn-Erik Ludvigsen and the reason why it sounds so strange is that I'm a Norwegian police officer and I'm seconded to Interpol in France to work on child abuse material issues and blocking in particular. In seven minutes or less, I'll take you through years and years of history when it comes to blocking and why we think it's a good idea, so I'll be disagreeing with the first speaker of this panel. Why do we block in the first place? We do it because we think preventing crime is a good thing. Preventing is cheaper, it's better because you have no victims, but it's very difficult to measure. And the reason why we want to prevent crime is that we want to protect the victims. 
And this is an analog crime, people. I'm not into cybercrime. I know nothing about spamming or phishing or anything. I know about analog crimes. And when you sexually exploit or abuse a child, that is an analog crime. If you use a digital vessel to bring it to A to B, fine. The crime is still analog and we want to protect the rights of those victims. We want to prevent crime, and having and sending and receiving and seeing child abuse material is crime in most countries. And we want to prevent the exposure of this material for the general population who are either too stupid to know their own best or that are doing borderline pornography surfing and end up on child abuse Web sites. We started this in 2004, so in the Stone Age of the Internet, almost, with IWF in the U.K., together with British Telecom, blocking access to child sexual abuse material called the clean feed system. That same year we started in Norway, in November of 2004, with a list according to Norwegian legislation. And that went on to other Scandinavian countries and some other countries in Europe based on their national law. So what would be illegal in one country would be legal in another, meaning that if material is taken down, it will be inaccessible for everyone, even in the countries where the law says that this is something you can legally access. So that is why we primarily would like to see every country running their own blocking system, their own laws, telling the Internet Service Providers or whoever does it what is accessible in that country. These are the countries that are currently operating police-driven systems. All the first countries are the so called CIRCAMP countries. This is a pan European cooperation between European agencies. 
And we also with any law enforcement anywhere, so that's why we have Switzerland and New Zealand in the list, and we will share all our data with them, and we will download everything that is on the domain that we want to block, so we will have an off-line evidence version of that with traces and lookups and whatnot. So we share it with them and they can look at it according to their law and block it if it is illegal in their country. We thought this was a good idea and thought that everybody would go for this, and that didn't really happen. So then we found, okay, we need to make something that would be illegal everywhere. So we went to Interpol and we suggested to have what we call the "worst of" list. This was presented at the General Assembly in Singapore in 2009, and it was accepted by everyone. There was a hundred percent vote on that. And here is the text, if you can read it. Basically, this means that all the police chiefs that were present at that meeting said that this is a good idea to use technical measures to limit the distribution of child sexual abuse material, including access blocking. So the police chiefs say it's a good idea, and of course we go with that. These are the criteria that Mick spoke about before. Of course we need to find something that would be illegal everywhere, and in most sane countries, a child is anyone that is younger than 18. The problem is that in about half of the countries in the world, child sexual abuse material is not defined in their law. It could be listed under unnatural acts. It could be listed under general pornography issues. It could be listed not at all because it doesn't officially exist in that country. So we needed to find something that would be illegal everywhere. So we say that a child is anyone that is younger than 13. So we're really going down on age, to be absolutely sure that anyone we include is a child. 
And we want to make sure that it's a real child, so there will be no cartoons, no computer-generated stuff and no morphed images. There has to be severe abuse. And by that, I mean something that would be defined in a country's penal code as a sexual act of some sort. Or if there's a severe focus on the genitalia or a very sexualized image of a child. So it's not the 16-year-olds running down the street with the soft focus that Mick spoke of before. It has to be double-checked by police of two other countries, so these are the national police agencies that deal specifically with sexual abuse on children that will say that this domain is according to that criteria. And it has to be on-line within the last three months. We keep it on for three months, even if it dies the day after we see it. We keep it on for three months because we see that sometimes they come back. They go down somewhere, their hosting is taken away. Two months later, they pop up somewhere else because the domain is still working. In 2011, we have added -- well, the list now contains 386 domains, so we're not talking about we're going to take out the Internet here. There's less than 400 domains that fit these criteria that has been on-line within the last three months, but there is an increase now from the latter part of 2010 and so far in 2011. It's been almost a doubling of the number of sites that are coming on, the number of domains that are coming on. We generate this list and we make it available for everyone. If you are an ISP or any sort of service provider that would -- could use this list of domains to try to limit the distribution of child sexual abuse in your network or in your system, you're free to have it. Free of charge. There are no demands for statistical data. You can get it through your NCB, your national central bureau, your Interpol office in your country. Make a simple agreement with them and you will have it. You don't have to give us anything back. 
We will make a stop page available and I'll show you an example of that in a second that you will show instead of the child sexual abuse material, but there's no obligation. You can put your traffic into a big black hole, for all we care. We just want you to do something to try to prevent the display of the child sexual abuse. These are the type of domains that we have on the list right now, so these are the 386. Some of you may recognize things that you're responsible for, and I'm not saying that someone is worse than others. Com is of course the one that is abused the most because it's probably the biggest. We see them abusing country code domains, top-level domains. Those we can deal with because then we can send messages to their Interpol offices and have the police take down the domain in their country. But we need to do something about the other ones, the ones that are run not as a country top-level domain. I'm not going to show you any child sexual abuse. Actually, I would -- I won't say that I would like to, but I would -- I'm really tired of having to explain what child sexual abuse material is, and Mick did a wonderful job before, I think, explaining how we see it, what we see what it's like. I hear you talking about bad actors, bad content. No. This, that. For us, these bad actors and this bad content are actually children being sexually abused, and distributed on the Internet for money or for the sexual pleasure of someone. And let's not kid ourselves, people use this to fantasize, to masturbate, to groom children into doing sexual acts. These are just a few examples. Of course I've taken out the images so you won't see anything, but I was just going to see -- you get to see the diversity of these sites. These are the sites that would -- these are one we called. These are the ones we took down a week ago. And they're probably on-line now on different domains. 
So if you go into your computers and you use the ICANN, you know -- you connect to the ICANN network, you can see these in the original form. They're available to you anytime. And this last slide is this child here is a 4-year-old American girl. She's identified -- she was identified last year. Her father abused her. Her sister and her cousin. And any bad person interested in children sexually have her pictures. She's a superstar of sorts. And we try to protect her rights by not being distributed like this again and again. The partial solution is blocking. The ultimate solution is deletion. But what we see is that these sites come back. Same content. You know, when we do a hash on the files, it's the same files again and again and again, year after year. Just new domains, new domains, new domains. So we delete and delete and delete but it doesn't always work. This is the stop page that people will see instead of seeing the sites that you just saw. They will see this site. We redirect our traffic. We poison their -- you know, their ISP DNS or any other system that they choose to have, and we show them this site. We'll explain what happened. There's a link to legislation. There's a link to complain to the police or to Interpol in this case. If you're a domain owner, you can complain to Europol and Europol will take your complaint as a domain owner and goes with the motions with you to have you clean up your domain, if that is your desire. Just very quickly, I'm going to talk a little about the reliability of WHOIS and I've heard this all day now, that WHOIS doesn't really work. I'm just going to show very quickly a couple of examples of the sites that we see, and the WHOIS that we see. So this site was with we found the other day, and this is their registrant. It's, you know, okay, let's check this guy out and see what he is. He's a financial -- financial -- he's running a financial company of some sort here in California. 
This is his house, so it's a real house, it's a real address. His telephone number goes to a medical center in California. The fax actually. And if you try his e-mail, it has never been seen on the Internet ever. And for us, that means that there is no usable information. And I -- the thing I find really surprising is that people will say, "Well, you will actually give this person a service, whoever registered this domain, you will give them a service and you have no idea who they are? They will give you bogus information and you will let them have access to the Internet in your name, so to speak, without checking anything?" You know, there must be a way to have this automated, to check the systems -- you know, if you call the telephone number, are you reaching a fax or are you reaching a hole in the ground. You know, easy stuff like that. It should be possible to check. And checking all the other domains we found containing child sexual abuse material, they're all bogus. These are just some things that I kind of thought of myself, and a lot of it has been discussed. What I think you perhaps need to consider, at least, you know, when people are registering a domain in the bulk or with a credit card that's stolen or, you know, one person has a thousand domains, you know, your alarm bell should go off and say, "Let's have a look at this guy." The banks do it. If you transfer money over a certain amount, an alarm goes off and they start checking that transaction. You can do the same for domains. You should use suspension of domains much more. Having a domain on the Internet is not a human right. You know, if you're -- if you don't run your business within the rules that you set, you just suspend them. And if they don't fix it, you just delete them. That just shouldn't really be a problem. If they don't have a working e-mail address that they're registered with, well, I almost -- I almost said "screw them" but -- oh, no, you probably can't say that. 
You should just delete it and if they have a problem, they should come back to you and you can work it out and fix it. There should be more demands on people that have domains, that have top-level domains that -- because they're farming them out to subdomains that are really distributing child abuse material on a large scale. If you have such a top-level domain that does that, you should be suspended. There should be higher demands on hosts. You know, this whole thing we don't know what we're hosting, we're kind of just like storage, that shouldn't be -- you shouldn't be allowed to get away with that anymore. And by baseline filers, meaning that we're toying with the idea of actually making -- going through all our child abuse material and actually making a list of hashes or some sort of list that we can provide to people that do hosting, so they can actually check if they are hosting any of that material so they can actually very quickly suspend whoever -- a user who has files like that. We think that on-line content should be following the same rules as off-line content. If you wouldn't accept it in real life, why would you accept it on the Internet? And the Internet is really just a part of life, isn't it? It's like electricity or water or whatever? No, you have to abide by rules, working in the real world. Thank you very much for your attention. [ Applause ] >>STEVE CROCKER: Thank you very much. We have a little bit of time available for more questions and answers if people want to come to the microphones. Is there anything on the net? >>RAM MOHAN: Steve, if I could ask a quick clarifying question to Bjorn-Erik. >>STEVE CROCKER: Please. >>RAM MOHAN: On your previous points to consider slide, you had said suspension of TLD on the worst of list. I hope you meant suspension of second-level domain names, not the top-level domain itself. 
>>BJORN-ERIK LUDVIGSEN: Well, I -- well, no, I'm just -- I'm a mere mortal policeman, so if I used the wrong terminology, you have to forgive me. What I mean if you're having a domain that says screwinglolitas24.com and it is used to distribute child sexual abuse material, why shouldn't you suspend that. >>STEVE CROCKER: But you didn't want to take down all of com. >>BJORN-ERIK LUDVIGSEN: Oh, okay. Sorry, no. No, I don't want to take out of dot com. I use some of those dot com sites, actually. >>STEVE CROCKER: All right. Let me start over here. >>BEN WILSON: My name is Ben Wilson. I have a question. I've been told that there were old registrar contracts with ICANN that sort of grandfather registrars in so that there's no way that you can really police them or change the framework under which registrars operate. Is that true? >>MARGIE MILAM: I can answer that. They operate under a registrar accreditation agreement. It's a standard agreement that all registrars sign but it does get updated from time to time and the GNSO Council is currently looking at how to update it and there's a lot of dialogue that Bobby Flaim had mentioned earlier regarding updating that, so there is a way to change it but it is a difficult process. >>STEVE CROCKER: Steve? >>STEVE METALITZ: Thank you. Steve Metalitz, with the Coalition for Online Accountability. I just wanted to say thank you for this panel and the previous panel. I thought they were both excellent and I thought in particular what Christine Jones said about a hybrid approach was very important. There's a role for national law here and national law enforcement as well as international. There's a role for voluntary action in the private sector, and I think the tough question is going to be: What's the role for ICANN? And I think, again, picking up on one thing that Christine said, if you don't get everybody on board on this, you're going to continue to have a problem. 
And the vehicle for doing that is through ICANN's registrar accreditation process and their agreement, their registrar accreditation agreement with the registrars. So we need strong accreditation guidelines, as Bobby Flaim mentioned, we need a good -- a better registrar accreditation agreement in many of these areas, and we need very active enforcement and compliance from ICANN. Those are all going to be tough things to achieve, but perhaps that's the contribution that ICANN could make to this hybrid process. Thank you. >>STEVE CROCKER: Thank you. I'm going to focus on this queue over here, which is very much longer for a bit. >>MALCOLM HUTTY: Thank you. I'm Malcolm Hutty. I'm with EuroISPA that represents Internet Service Providers and hosting providers across Europe. And though there are separate organizations representing registries and registrars, I do perceive a -- some common issues here, in that we're both intermediaries and when there are law enforcement agents that see bad action and want the intermediaries to take action against the bad actors, we both have some of the same issues that we need to consider. This session -- this session's been a very good session and the previous session has been an extremely good session as well and I would like to pay tribute to the people that were on it. But -- and in that -- both sessions we've heard some powerful arguments as to why actions by intermediaries against bad actors need to be both expedited and ex parte. At the same time, intermediaries are commonly -- are routinely faced with charges from those representing consumer interests, civil society interests, and indeed business and corporate interests, that there need to be strong and powerful safeguards against the removal of services that -- that -- where the removal would cause harm to the person who is the registrant or the -- in our case, the access customer or the hosting customer or so forth. So my question to the panel is how we balance this. 
How -- what comments would you have as to how the need for speed and the need for confidentiality in the relationship between the intermediary and the -- and the law enforcement agency can be balanced with the need to ensure that there is some oversight of the request, so as to ensure that the registrant's interest or the other -- and customer, depending on the service involved, interest, is probably safeguarded? What kind of safeguards, what kind of processes do you believe should be put in place to guard the interests of the registrants against erroneous or unjust denial of service? >>STEVE CROCKER: Thank you. You want to take that, Christine? >>CHRISTINE JONES: Let me take a shot at that. We're a large registrar but we're also a large provider of Web site hosting as well, so we see both buckets, right? The infringements and issues around the domain name itself and the issues around the content. I would be happy to send you a copy of our standard operating procedure that answers that exact question, and I wish that every single registrar and every single hosting provider would follow it, okay? Just to wave our little flag a little bit. But I think the answer to your question is: You have to have -- and your member owners have to have -- a set of procedures that answer the question before the problem gets to you, sort of like -- I won't use that as an example. You have to be able to know what the answer is before you get to the question. Now, there are some things that are, per se, illegal, right? You can look at some of the images that he put on the screen when they're not obscured and you know there's something wrong with it, okay? There's not a -- an issue there. But again, the balance is the default position is leave the content up, right? That's always the default position. So we have to have something that says, "Take it down" if we're going to take it down. 
Particularly if you're talking about redirecting a domain when you don't have control of the hosting content, right? I mean that's a pretty extreme situation, right? We're actually redirecting the DNS. It's a big deal. So you have to have a balance. Come to me with some cover, particularly if I'm a small registrar, tell me that you are who you say you are, tell me that the rule is being broken in the jurisdiction in which it's operating, and give me a reason to take it down. Now, come on, you guys know, I'm pretty -- I'm pretty straightforward. I'm a little bit more of a risk-taker. I can bear the brunt of the risk of taking stuff down or redirecting domains that other registrars can't. But for the guys that don't have gigantic abuse staffs and gigantic domain services staffs and the people that do this analysis on a day-to-day basis, give them some cover. Help them help you. That's what I would say. >>STEVE CROCKER: Marc? >>MARC ROTENBERG: Well, I just wanted to toss out an idea. I notice that you've had quite a few sessions on this topic on DNS abuse, and as I suggested, I think we may be hearing a lot more about this in the next couple of years. It would seem to me that this might be an area where some data could actually be very helpful. In other words, if there was some reporting by the registrars over a fixed period of time, let's say annually, the number of takedown notices that were received, just a brief grouping, you know, were those copyright-related, were they child abuse-related, how were the requests resolved, and if the registrars were to provide that information, I don't think it would jeopardize any investigation because we're just talking about statistical data here. I actually think it would be very useful to the community, because you'd begin to get a sense geographically of how registrars are responding. You'd also get some sense over time if you could collect the data and see what -- what the trends are. 
I'm very familiar with this practice in the wiretap field, for example, where we've actually had good data going back 30 years that actually tell us a bit about how private organizations respond to similar requests. And that model might actually work pretty well here. It wouldn't be very burdensome and I think it would be helpful for the registrars and the community to get a better handle on the number of requests and how they're resolved. >>STEVE CROCKER: Let me ask you a question. That data include not only the number of requests and the trends and so forth, but any assessment as to whether there were Type 1 versus type 2 errors? Well, type 2 errors I guess are false. Where there were incorrect take-downs? >>MARC ROTENBERG: Well, I would try at the outset to be as objective as possible. In other words, just to think in terms of how many requests were received and how were they processed and then -- >>STEVE CROCKER: Right. But I'm thinking about how do you close the loop? Because if there's an objection afterwards and then it's later found that there's -- that that was an error, that would be an important thing. >>MARC ROTENBERG: Right. >>STEVE CROCKER: I don't want to take up too much of your time here and I want to keep going. Paul? I'm sorry. Ram? >>RAM MOHAN: I just wanted to add one thing that I -- you would think is very easy, and ought to be basic in running a business or providing service, but that -- it just slays me that it doesn't happen on a regular basis. In cases where we want to, you know, go talk to providers and ask them to do take-downs or investigate, it's -- you would be shocked at how many times we cannot find a phone number, we cannot find e-mails that are actually responding or that just bounce on a consistent basis, and sometimes we'll send messages across and what we'll get back is a generic, you know, "I'm on vacation" message. This is abuse! 
You have to staff it and you have to do a proper job of it, and, you know, there has to be basic measures because these are service providers providing, you know -- there's real harm being done, and so effective services have to be provided on the side, and that basic thing does not exist in the ecosystem today. I think that's really broken. >> (Speaker is off microphone). >>STEVE CROCKER: Now, now. Paul. >>PAUL VIXIE: Thank you, Steve. As the operator of a reputation system for e-mail back in the day called "MAPS," a lot of the people who later sued me began by telling me that it was too expensive for them to check for opt-in permission certainty, it was too expensive for them to suspend customers at first complaint, it was too expensive for them to check the records or the reputations of customers when signing them up. And so basically it was a way of externalizing their compliance costs onto the community. This is natural. I don't fault them for it. I want to say the community has a fairly natural response also. I agree with Ram, blocking is terrible and should not be done. I'm here to tell you that it is being done and it's going to be done much more widely. If the Internet really is going to multiply by a million in size because of v6 and a lot of new TLDs, then it will happen even faster. There is probably only one thing that could be done, and that would be some pretty Draconian changes by ICANN at the regulatory level. Let me close by saying I was, for a while, the CTO of AboveNet and the president of PAIX, and when somebody was doing the wrong thing, I personally unplugged them and then called them. It did not hurt profitability at all. [ Applause ] >>STEVE CROCKER: Thank you. >>BILL SMITH: Hi. I'm Bill Smith with PayPal. I'm also a member of the WHOIS review team. I wanted to echo comments I've heard earlier about the quality of the panels, both of them. I think they're excellent. 
With respect to blocking, you know, we're -- PayPal is very strongly in support of not doing blocking. We are concerned about the 10 years it's taken us to get to DNSSEC and the extremely negative impact that blocking, if used in any form, really, might have on the trust in the overall system, so we think it's -- you know, it's important to be very cautious about blocking. I wanted to comment on the child abuse, child pornography as well. Shame on us, as a community -- right? -- that we allow this material to continue to be out there. And worse, that we have systems that we have deployed and implemented and we write policies on them -- okay? -- and they are so ineffectual as to make it literally impossible, or close to impossible, to contact the responsible parties. I was very glad to hear Go Daddy talking about the desire to, you know, not be part of the -- that they don't want the criminal element. I think that's -- you know, that's laudable. The question I have is: What is Go Daddy and the other white-hat registrars doing at this moment to change the system, to improve the system, so that we improve the accuracy of WHOIS information and we deal and address with the issues that have been presented here. >>CHRISTINE JONES: That sounds like it might have been a question for me. Just a hunch. >>STEVE CROCKER: Go ahead. >>CHRISTINE JONES: We might want to take it off-line, Bill, because I could go for an hour about what Go Daddy is doing, and I didn't set him up for this to make a commercial about what Go Daddy's doing, but I can tell you I spend more money than any other registrar in the world on the Hill -- even more than PayPal -- lobbying Congress to make good laws on this. I spend more time than any other registrar with those members of law enforcement trying to help them investigate and prosecute and catch bad guys. I work with your people -- and I don't mean to personalize this. 
Go Daddy works with your people and the other payment card industry providers to get voluntary cooperation to try to stop some of the bad acts. We did it in child pornography. As you know, it's very difficult to pay for child pornography with a PayPal account today. Took us a while to get you to go, but you finally did it, and it works. So there are a lot of things we're doing. Specifically, on WHOIS, you guys in this room have been talking about bad WHOIS data for 10 or maybe 11 years. Every time I give a talk at a university, at a business seminar, anything that's not an ICANN seminar, I tell them, "If you can come up with a way for us to legitimately verify WHOIS data, you will become a gazillionaire, because everybody in this room will buy it and they'll use it." The gentleman from Interpol gave you a perfect example of why verifying WHOIS data in the manner in which it was verified in that case is a bad idea. Because what it did to him was made him chase down good data that was somebody else's information. That's not the right answer. I wish I was smart enough to tell you what it is. I wish this collective group of really, extremely smart people had come up with the answer in the last ten years. But we will leave it to the WHOIS task force to tell us. I think you are the guy to answer that question. >>BILL SMITH: That is not our job as the review team. Our job is to review the existing policy and how it is implemented and its efficacy. That is our job. If you are asking us to make policy, that's not our job. I might be happy as an individual to make the policy or make suggestions. But as a review team member, that is not my job. So the question actually I was asking is: What are you individually and collectively as registrants doing? Okay. Because what I'm seeing is registrants as a group, not as individuals, but collectively, resisting many of the changes that would improve the accuracy of WHOIS. 
>>STEVE CROCKER: I'm going to -- this is unquestionably one of the more contentious issues that has been in this environment for a long time. I've just stepped down as chair of the Security and Stability Advisory Committee, and we have been watching this somewhat from the sidelines for a long time. And it has been frustrating to see the lack of progress in that whole combination of things, not just the accuracy but also the application of it and the issues of the quality of registration. We're not going to solve that here and now, so I'm going to express extreme empathy. I really care a lot about this and, nonetheless, move us on. We need to schedule time. We need to schedule the right forums and venues to bring this to a head and make something happen. And if there is a stalemate or a logjam in this environment, we need to break it. Who's next? Everybody sat down. I can take a queue. We are over time by quite a bit. Thank you very much. Let me have an applause for the entire set of panels. This is excellent. And a particular round of applause from Margie here, Margie Milam from ICANN staff, who really put together a stellar panel. Super. Thank you. [ Applause ]