Forum on DNS Abuse
Thursday, 24 June 2010
ICANN Meeting Brussels, Belgium
***Live scribing by Brewer & Darrenougue - www.quicktext.com***

>>MARC van WESEMAEL: Okay. Ladies and gentlemen, welcome to this open discussion on DNS abuse. This is a topic that interests a lot of people. It's quite difficult to make a good definition of what DNS abuse is. There are many kinds of abuse on the Internet and -- but we decided that the topics for today would be limited to those abuses that have something to do with the DNS. But even that is not so clear what that means. We have a number of distinguished people and experts here on the panel. Most of them will attack the subject from an angle of the -- or nontechnical angle. They will be introducing the topics, and then we will have a discussion on what can be done about it and what else might be there in the Internet that we didn't cover. So our first speaker is -- we have -- sorry. We have two parts. The first part is about the latest developments in the fight against DNS abuse, and from the angle of the governments, we have Michael Busch from the European Commission, DG Information Society and Media. Michael.

>>MICHAEL BUSCH: Thank you and good morning, ladies and gentlemen. Could we have the slides?

>>MARC van WESEMAEL: They're up there. You can look there.

>>MICHAEL BUSCH: Okay. I would like to present to you a very specific way of abusing the DNS. This is from the point of view of child protection of children using the Internet. The European Commission has been running for more than 10 years a child protection program linked to the use of new media, and the overall aim of that is to promote the safe use of the Internet and other online technologies, particularly by children, and to fight illegal and harmful content ranging from child abusive images to racism. I would like to give you a very brief introduction to that, so that you understand a bit of the framework. From there, I will start with the question of abusing the system.
The program is running a bunch of different activities and actions. It concentrates very much on awareness raising that includes all actors from the children themselves to the parents, teachers, the public, the media, politicians, et cetera. We try to do self-regulation agreements with the most important actors in that field. For example, we have a self-regulation agreement with the mobile phone sector about introducing youth protection measures for children using mobile phones. We try to understand better what is going on. That is increasing the knowledge base. That's basically research. For example, we do the biggest research at European level on child grooming. Child grooming is a process where an adult -- normally an adult tries to get into sexual contact with a child, normally pretending to be a child him- or herself. Then we also work in international cooperation. I would like to give you the most prominent example of our activities. You may have heard of that. Every day in February we celebrate the Safer Internet Day, and this year we had as a topic the idea of protecting images from yourself and personal information, and we called this campaign "Think Before You Post." And as you can see, this is something which is not only happening in the European Union, it has gone far beyond our borders. This time, 65 countries all over the world participated in that, and contributed with their own activities in their countries. I will now go to the more unpleasant side of the subject I would like to address today. That is, the illegal content and more specifically the content showing sexually abused children. In order to fight against this phenomenon, we have created a network of hotlines. Hotlines are civic organizations where citizens who have discovered illegal content -- namely child sexual abuse images, but not only -- can report this to a civic organization. The hotlines would then get into contact with the police who are competent for that.
As you can see, the roof organization, which is called INHOPE, is the organization of all the networks. It also covers several hotlines which are not in the European Union. We are currently having hotlines as members of INHOPE in 31 countries all around the world. Just so that you understand better what the hotlines actually do, the hotlines do a prescreening of the content which has been reported to them. They identify or distinguish between legal and illegal content, and if there is illegal content, the reports are either sent directly to the police forces in the country where they are located, if the content is hosted in their own country. If it is not the case, they send it to the hotline in the partner country, where the content has been identified to be hosted, and the partner hotline would then contact the police forces. This helps significantly to accelerate police work and police cooperation. In order to give you an idea about the size of the problem we are talking about, last year the member hotlines processed 96,300 reports on child sexual abuse. More than those, because there are other sources, like Usenet, for example. More than 100,000 reports were forwarded to police agencies, and we will start now also to systematically take care within the network of hotlines of such content to be taken down at the level of the Internet Service Providers quickly. Apart from the hotlines, the European Commission is supporting police investigation in online child sexual abuse in different areas. I will only briefly mention the European Financial Coalition against child sexual abuse. That is a coalition where the payment systems like credit cards, like PayPal, and the banking system cooperate with the police force in order to identify payment processes which are necessary to buy these images, so a consumer of child sexual abuse images would normally pay for that and get access to a Web site or whatever. We also organize law enforcement conferences like the one which we did last year.
We also support the police investigations with specific tools they would need. Just to give you an example, there was a recent case in Austria where three persons had gathered 1 million pictures of abused children on their computers. In order to facilitate the analysis of these pictures, we offer software tools to the police which would allow them to do that relatively quickly and not manually picture by picture. Now coming to the subject of the misuse of the domain name system, I would like to refer to a report of the Internet Watch Foundation in the United Kingdom, which is one of the leading organizations in fighting child sexual abuse images on the Internet. If you look at their annual report of last year, you will see that they had 8,844 reports on child sexual abuse content. At the same time, these are 8,844 individual URLs, Web sites, but if you look at the number of domains, you will see that the number of domains is much lower. It was 1,316. By the way, those images of children which were hosted in the U.K., there were only 40 out of those 8,844. They showed mainly pictures of children younger than 11 years being misused, and nearly half of them showed how the child was raped. I will not show you any pictures of that type because I want you to sleep tonight. From October on, with the Internet -- INHOPE network, we will be able to give you a more precise picture of the size of the problem and the link of those Web sites to the domain name system. We have created a database which will be fed by all the member hotlines which I showed to you in one of the previous slides. They will be fed by all the member hotlines so that we can have a clear picture of how many Web pages there are out there, and to how many domain names they would correspond. The question which I would like to pose here is whether we should allow the domain name system to be misused for spreading child sexual abuse images in the way in which I have just explained.
We also would like to make a proposal to you and to ICANN and all the organizations involved, and we would like to invite you to reflect on a possible procedure or an instrument which would allow revoking misused domain names. We thought that a possible model for that could be the UDRP, the uniform domain name dispute resolution policy, where disputes about ownership of domain names are dealt with, and this is a procedure which has been established by ICANN. You will probably know that. And it is done with the support of organizations which do an arbitration procedure and then report it back to ICANN and registries and registrars. We would like to suggest that we establish a task force or a working group for this end, which could involve the European Commission, ICANN certainly, law enforcement, and other organizations which could have a say in that. In order to study possible solutions for the problem which I have just explained to you. Finally, if you are interested to read more about this INHOPE program, you will find information on our Web site and all aspects which I have not been able to present you in this moment. Thank you for your kind attention.

>>MARC van WESEMAEL: Thank you very much, Michael. I think there might be already some questions in the room, but I propose to not treat them now because during the preparation yesterday, we found out that we started discussing immediately and it went on and on, and I want to keep the questions together in -- at the end of the session. So then our next speaker will be Bill Smith from PayPal, who has certainly some other abuses to reveal to us.

>>BILL SMITH: Thank you. First, I'd like to thank EURID for a fabulous evening last night. I think any of us that were there experienced just a wonderful night. It was great to be there.

[Applause]

>>BILL SMITH: I'm going to talk about DNS abuse, or ask questions. You know, are these things that are listed here.
Domain spoofing, DNS filtering, homograph attacks, cache poisoning, Conficker, something as simple as, you know, a phishing attempt or inaccurate or unavailable WHOIS data for whatever reason, whether or not it's DNS abuse. I will argue that it just depends on your point of view and that in all cases, from the list before, from some perspective it is abusive. At minimum, it is not in the public interest. You know, is it DNS? Is it TCP? Is it IP? Is it IPSec? We use lots of acronyms here and in lots of the other fora that I participate in, and does it matter, is really the question I'm going to ask. To the end user, whether it be a child, an adult, they don't understand the difference between IP, DNS, TCP, HTML, XML, right? SMTP. It's all the same thing to them. And for them, when something bad happens, something unexpected happens -- so as an example, you know, when you click on the link that says to you in your browser "PayPal" and it takes you to an alternate site, you know, where you've been phished, they contact us, if they contact anyone, right? They don't go anywhere else. They saw "PayPal." They're going to come to us. They're going to believe that somehow we had something to do with it. I'm not suggesting that we can cure that problem specifically, but I think there are things that we can do if we work together to make the system overall better. It's only the people in this room and similar rooms around the world who understand these issues. The average user does not. My parents do not. My daughter does not. She's a political scientist, but she uses the Internet every day. 
So we have the responsibility, I believe, here and elsewhere to enhance the overall security, stability, and resiliency of the Internet, and we have to do it at all layers, wherever appropriate, whether in this room or not, and I would suggest that a way for us to help make the decisions is that when you're making choices and decisions, whether they be policies, technical or business, keep in mind or ask the question, "Is it in the public benefit?" And if you do that, I think we will -- we'll all come to a better place. Thank you.

>>MARC van WESEMAEL: Thank you, Bill. Just a small question. As I've been not a victim but I see regularly e-mails where I am asked to update my PayPal account. Can you share with us some numbers of how many times or -- a day that happens?

>>BILL SMITH: I can't share specific numbers, but I can tell you that PayPal is high on the list. Let's put it that way. It is a significant issue for us. We're doing things in e-mail groups, DKIM, other things, attempting to -- to resolve the problem. We have some agreements with other bodies to block such mail messages, and we're going to continue our efforts there. One thing we're doing, or in the process of doing, is signing all of our mail going out, and that, we believe, will help. We're encouraging others to do the same.

>>MARC van WESEMAEL: Okay. Thank you. Now it's -- we have Peter Jenssen on the list. Peter is working for EURID, and as I'm also working for EURID. We have done something, too, in the area of phishing and Peter will explain what we have tried to do.

>>PETER JENSSEN: Thank you, Marc. Also good morning from me, and I'm glad to see my presentation up, because I sent it in like two minutes before the start of this session, so that's quite efficient, I would say. What I would like to do today is to show you some of the things we have been doing with EURID to actually try to prevent any sort of abuse on a purely DNS or domain name basis.
I'm a technical manager with EURID, but I'll try to make this as high-level as possible, so all the non-techies that would be in the room can -- should be able to follow this. To tell you what the -- or to explain to you what the real issues are, I first have to take one step back, what actually happens when a domain name gets registered. When a domain name gets registered somewhere some data in a database, but in the end somehow something gets done and actually what gets done is there is a zone file generation. What that means is, all the data is taken from the database and is pushed out on the DNS system and actually the domain name comes to life. A lot of registries do that regularly, once a day, once an hour, you name it, and that's what all registries in the world have been doing till now. So if you do that in a graphical manner, on the right you have the registrar with the registration client that actually talks to something at the registry. That saves it in the database. There is something called a zone file generator. The data is taken out of the database, it's given to something called typically a hidden master, which is a DNS server that pushes it out to the public slaves and the same thing happens on the registrar side at a very high-level way. There's nothing wrong with that. A lot of registries have been doing that, they're still doing it, and will keep on doing it. The advantage here is that there is a difference between the time of registration of a domain name and the actual being able to use the domain name. Now, if you take it one step further, what dot EU has been doing from the very beginning is something similar, only we have replaced the -- I'm going to go directly to the graphical representation. We have replaced that little block on the left which was called zone generator on the previous slide by somebody called dynamic updater. What actually happens is when a domain name gets registered, it immediately goes live. 
Obviously, there is a big advantage there. Somebody trying to use a domain name or registering it and wanting to send e-mail or going to a Web site or whatever will immediately be able to do that. The big disadvantage, of course, is, if some phisher or something, some other malicious person would try to register the domain name, he also would be able to immediately use that domain name. So what we have been doing with -- within the dot EU registration system is we have put something in place which we call an admin interface, where we actually can talk to the production database, and what we can do is maybe revoke a domain name for whatever reason. Typically because there is an abuse. Typically because the eligibility criteria are not okay. That command is immediately translated in something called "remove" and that's pushed out live to the system as well. That's the first step that we have been doing, where we have been quite successful in the last months where we actually are actively looking for all sorts of abuse of domain name registrations. We're using partners where some of them are around the table here to get our input from. But what we want to do in the near future is go one step further and actually what I call the inference engine. This is something that we want to build that actually gets all sorts of data from anywhere in the world, be it registrant data, be it historical data, and actually looks at each and every registration attempt or successful attempt, I would say, and tries to look if this domain name is actually abusive, yes or no. 
Obviously, an automated process will never get it 100% correct, but what we're trying to do is make it as good as possible, and when it actually finds something that says, "Well, probably that is something wrong here," that that domain name gets flagged for further, I would say, manual treatment in the sense that our legal department would actually look at the domain name and see if there is actually something wrong, yes or no. So the way you have to envisage this is we have the registration process, and now there is something -- that inference engine -- that actually defines a risk level, and I'm going to go further in how it will do that on the next slide. If the risk is sufficiently high -- if it's sufficiently low, sorry, the domain name will just go into the zone as usual, within a few seconds it's live. Nothing is happening at all which is bad, I would say. On the other hand, if the risk level is determined to be sufficiently high, what happens is the domain name technically is registered, sits in the database, is owned as it were by the registrant. The only difference is, it's not in DNS so the domain name can't be used and can't be abused in certain cases. What we do is we're going to put it in a legal queue. The legal team will actually look at the domain name and try to determine why was it flagged as being of a high risk level. And indeed, is it an abusive registration, yes or no. If it's in breach of whatever terms and conditions, whatever eligibility criteria, whatever laws that there might be -- if it's not then we just let it go through and no harm done. If so, we revoke the domain name. 
The big advantage here is that initial window of opportunity that a cybersquatter or a phisher or whatever you want to call them, has from registration and the initial hour after the registration, which is -- some tell us -- the most important part, that we try to take that away from that phisher and actually prevent it from actually having that one hour or two hours of active use, I would say. So what I want to do is compare this with something like a spam detection engine. We have some rules in place. All those rules are matched against all the inputs, and if the total score is above a certain threshold, then that action is triggered. So what rules are we actually talking about? Actually, anything we get our hands on. Why? The more data that we get about a certain registration, the more chances there are that we will get it right and actually flag something that's abusive and don't flag anything that's not abusive. Typical information will obviously be the address of the registrant, all data there, but also potentially, for instance, some historical or statistical data like which registrar is actually registering this domain name, is there some pattern that we can recognize there, some regular expressions on a domain name. And a lot of combinational rules that we get from both inside the company as well as external companies. So what we're looking at is what parties could we talk to to get actually something more on inputs to actually determine if a domain name registration is abusive, yes or no. One of the possibilities, for instance, would be to go cross-TLD, cross-registry and actually try to make this work on a global scale where all registries would have some sort of a central something -- well, I don't know what -- where we actually get the input from, and actually try to see if we get the same thing that's happening in another TLD.
So anybody that is actually doing some work in this field, we're actually quite interested to talk to them to see how we can work together in this area. Thank you.

>>MARC van WESEMAEL: Thank you very much, Peter. Let's move up the chain now and look for more tools that will help us in the fight against DNS abuse from Richard Cox, and Carel van Straaten from SpamHaus.

>>RICHARD COX: Greetings, whatever time zone you're in. I know we have a lot of remote participants today. Now, this was written for 40 minutes. We originally had 10. We just cut it down to 8. This means that we're going to have to go through it fairly quickly. The slides will go through. We're on the Web site, and if you miss something, please go to the Web site. If you haven't grasped something, please come back in questions or over the lunch period. Now, apart from that, please remain seated and fasten your seat belts. Here we go. We've been going longer than ICANN. We've built the trust of the community worldwide, well, apart from the bad guys, obviously, and even some of them know we're getting it right. Our objective is to provide information to ISPs to protect their networks. It's as simple as that. And we provide the data free of charge. We're a nonprofit organization. Getting bulk data shipped to you may cost, but that's not the key point. The point is the data itself is free at the point we deliver it. We publish information that researchers could use. We have a drop list of really bad areas of the Internet, for example, which could be used a lot better than it is to keep some of the real harm out of the way. We also do a lot with law enforcement, and in that context, I would just mention not just the arrest of Ralsky in the United States which -- where we did quite a lot to help the FBI with background work, but there were two major arrests in London yesterday on which the Metropolitan Police are to be congratulated on a first-class job. Again, we work with them on a regular basis.
This is not normally something we ever talk about. Fast Flux is probably the biggest threat to the Internet today, because it is the ability to host a domain or its name service via proxies in a way that it cannot easily be found. It will appear to be on a whole load of sites all over the world. It isn't. It's on a single site, and that is hidden from typical use. We know that bulletproof hosting exists in the world. These are people who are in the business of selling hosting to criminals. We know where they are. Unfortunately we can't do that much apart from put up a big red flag. They don't like the big red flag. They've moved to Fast Flux hosting so people can't find them. The Fast Flux approach can be shown on a slide which is coming up shortly, and it's used for things like counterfeit medicines, phishing, malware downloads -- probably the most significant today, because malware is what facilitates the whole rest of the abuse food chain. So if you're distributing malware, you're actually causing more harm even than child abuse, and that takes some doing. So you see the idea: you have at this point the five or so sites that are actually proxying to the hidden host. A few minutes later, it's moved to that. And now, you can see they've moved again. They're still all talking to the same static back end which takes quite a bit of finding. So we've introduced the domain block list. And today we have with us Carel van Straaten who, with his brother, co-invented it. And I believe it is the one thing we can give the community to help protect their networks. Carel?

>>CAREL van STRAATEN: Thank you, Richard. The domain block list is a dynamic list of domains we consider abusive in any way. Most, of course, relate to spam issues but there may be other issues. It is presented to the public in the form of a DNSBL, so you can query it by doing a DNS query for any domain name. And you will get a response if it is listed or not.
The main goals are to provide additional protection and shorten the life span of spammer-controlled domains. To make this life span even shorter, we publish the data very often. We do updates every few minutes and use huge inputs to make sure that we get every domain that has possible badness related to it. So what ends up in the zone, we mainly list domains that are fully under control of cybercriminals or spammers, used in spam, phishing, malware and related stuff. So it can be domain names mentioned in URLs in an e-mail. It can be domains that are being used for nameservers, for bad activity or reverse DNS or redirection purposes. In e-mail filtering, you can easily extract the domain name from the mail body or headers. Look it up and if it is listed, depending on what your policies are, discard or score or place the e-mail in a spam folder. So while doing this, we've learned some -- made some interesting observations. One is that the big spam operations use new domain names every minute. So that's quite contrary to what normal users would do. Normal users are businesses who register a domain name for a long time and they want to gain a reputation, and most cybercriminals consider a domain to be a throw-away resource. Some spammers age domains. They -- instead of using them directly once, they let them age on a shelf for months or weeks or sometimes even over a year. And this is only done to gain reputation because, of course, a domain that has been around for a longer time must be a better domain than one that's just been registered. We see some very strange domain names around. Just put one sample on this slide. I can't even pronounce it. Apparently, with domain names like this, there's -- the cybercriminals have no reason to hide. They just use a script that generates random names for domain names and they use that in their malicious process. Speaking of hiding, WHOIS privacy is still a big issue.
Most of the domains we see with any WHOIS cloaking or privacy protection on it, a lot of these domains are being used in bad things. Back to Richard.

>>RICHARD COX: Thank you, Carel. That's a very, very brief overview of what it does. It's there because it is the only tool that can fix the problem. Look, in the Russian Federation, it is impossible to get a registrar to shut a domain down without a court order, no matter how bad it is. But to make things worse in the Russian Federation, they do not understand the concept of fast-flux hosting. I'll agree it was never the intention of the Internet that a domain registrar should be the chokepoint for badness. They just register names, right? Yeah. But when the criminals introduce fast flux, it moves the point of control from the hosting company -- and, remember, these are on consumer IPs that have been compromised. They aren't hiring any hosting service for this, not ones you can see anyway. Therefore, there is no chokepoint there. The registrar taking down the domain is the only valid chokepoint. Now, to me that is something we have got to tackle. And that's why we produced the DBL. I remind you briefly of the food chain here for a lot of these machines. They have malware on a machine. It grabs credentials. It uses those credentials to go and register domains automatically at a registry where they know the protocols. They use the stolen credit card information of the person involved. They use that person's name and address on the WHOIS. It all looks so authentic. It is very difficult to pick up. We have methods that will pick it up, and that's the only way we can determine there is a problem. Now, let's look at the future very briefly without going over my time limit too much. We produce this and SpamAssassin already uses it to block mail. That's only a small part of the solution. We believe that two other things are needed.
We believe that a browser hook is needed, and that will allow Firefox or other consumer-friendly browsers to warn the user if they are going to a domain that is going to cause them a problem. And last, but not least, the information we provide is available to the registrars. The registrars, like EURID, can automatically suspend a domain if it hits the characteristics of the DBL. We believe this is one of the greatest things we can give to the community because registrars are taking quite a bashing this week. They probably don't deserve all they got. Here is an opportunity for them to come back and help the community by taking the worst domains out of the system. Of course, the most important thing is they put in the contracts the ability to do that. If they don't do that, what we predict may happen is that a resolver may get produced that will fail to resolve domains and host names that are in the DBL. Now, we don't believe in tampering with DNS. I was very glad to be in the DNSSEC session yesterday, and we know that the security of the DNS is important. But the ability for the end user to decide he doesn't want to resolve bad domains is now available if somebody wants to write the code. We just produce the data. Thank you very much for listening.

>>MARC van WESEMAEL: Thank you, Richard and Carel. Before going to the questions for this panel, I would like to ask you one question. How long does it take before a name gets into the block list? And what are the criteria for getting you there? And have you had any -- blocked any domain names that later on seem to be genuine ones?

>>CAREL van STRAATEN: Okay. That's an easy one to answer. Yeah, of course, we make mistakes as well. To counter that, we have made it very easy to remove a domain. You can just go to the Web site, enter the domain and it gets removed. No questions asked. The removal always goes through. If it is bad, it will get relisted.
The time it takes for a domain to get listed is within minutes after first usage. And within minutes, it's available all over the world for people to query. What was the other question?

>>MARC van WESEMAEL: I think you answered both.

>>RICHARD COX: The zone is rebroadcast every minute. I think we are the only organization in the world to do that. That's fast. Remember, we didn't let this out of (saying name) until we were completely sure that the level of false positives was so low as not even to be visible. Anything that does show up as a possible false positive now, we investigate what's caused that. We investigate what in our rules allowed that to get triggered, assuming it is really a false positive and not a spammer trying to get his domain delisted, et cetera. So we always learn. You can't do what we do by just sending out data. You have got to sit back and listen to what's coming back in to refine the systems. If we didn't do that, we wouldn't have gotten the SBL and the XBL as accurate as they are today.

>>MARC van WESEMAEL: Thank you. Now to the people in the room. Are there any questions to the panelists or any experiences you want to share with us or something we can learn from? We have questions from online as well.

>>MARGIE MILAM: Sure. The first question is from Doug Barton. He asks -- the question for PayPal, for Bill Smith. His question is: Signing with what technology? P, I hope?

>>BILL SMITH: I'm not sure I understood the question.

>>MARGIE MILAM: I think it relates to signing the e-mail.

>>BILL SMITH: What's the question? What are we doing? I believe it is DKIM and perhaps ADSP. If he sends me an e-mail at Bill.Smith@PayPal.com, I will be sure to get him the accurate information from the person that's doing it.

>>MARC van WESEMAEL: Okay. Question from the room?

>>DEMI GETSCHKO: Demi Getschko from Brazil. For the people from SpamHaus, you stated some names of countries in your presentation. I'm reading your own page, the ten worst spam countries.
The number one is the United States. Almost four times the second, which is China, then the Russian Federation, Argentina, the United Kingdom, Germany and Brazil. You stated Brazil, China and the Russian Federation. There is some mistake here, I suppose.
>>RICHARD COX: I'm not quite sure where those figures come from.
>>DEMI GETSCHKO: Spamhaus.org.
>>RICHARD COX: It is not part of our presentation. You are talking about our Web site. There are many different ways of measuring badness. You can measure it through the number of hosted sites, the number of compromised machines, the number of criminals. We try to present each set of information fairly. We do know a lot of cybercrime originates in the Russian Federation, and that's of great concern to us because of the legal problems of dealing with it in the Russian Federation. Other countries have different aspects of badness. We publish as much information as we can to give people in those countries the ability to address the problem and see where it's actually arising.
>>MARC van WESEMAEL: Okay, thank you. Another question from the online platform?
>>MARGIE MILAM: This question is from John McCormac. His question is for Peter. Cross-TLD analysis with gTLDs is quite easy, but ccTLDs are the main problem as there is no access to ccTLD zones. Has EURid considered a real-time cross-ccTLD check using DNS rather than zone files for the new domains?
>>PETER JENSSEN: We are in the process of considering what options are open to us. One of the things we are looking at is actually, indeed, trying to see how we can work together with other ccTLDs; the exact protocol -- technical protocol that would be used, be it a zone file, be it a live lookup or whatever, I think it is not that important as long as we get the information that we need to get in a timely manner. But we haven't really talked to any of the TLDs yet to see how we can do this. So we will be looking into that and see where we can go from there.
>>MARC van WESEMAEL: Thank you, Peter. Any other -- question from the room, yes?
>>RUDI VANSNICK: I'm Rudi Vansnick from ISOC Belgium. I'm representing consumer and user interests and part of the at-large community. I have two comments and a question. First, I would congratulate the European Commission on the Safe Internet Project. It shows it is possible to tackle the abuse of the domain name space across borders, because that's very often one of the issues that is not handled. And second, I would like to point to what happened in Mexico last year. We had for the first time an e-crime panel, and I would suggest that ICANN take this on again and create a permanent e-crime panel that could handle all this stuff and concentrate on how to solve it. And I would really like that ICANN is not forgetting the consumer and user community to participate in this panel. My question I would like to have answered by those who can answer it, because it is something that I think is going to be difficult: What about the resellers of registrars? Very often they are at the basis of a lot of abuse of registration. Actually, they are not bound by any rule or any contract. And I think that's one of the issues that in the near future is going to be a very big question when we are going to open the new gTLD window. If you are not prepared to tackle the fact that resellers are a growing world of abuse, we will not stop the abuse. I think this is something which in the Safe Internet Project has been tried to be tackled, because we are close to the communities. But I would like to know which steps are going to be taken, and especially from the ccTLDs and also from -- for instance, Spamhaus, are you going to try to help us in doing this? Thank you.
>>RICHARD COX: You are almost exactly right. The only point on which I disagree with you is your word "near future." No, it is now. We are here. The resellers are not the problem. It is the resellers of the resellers that are the real problem.
We are seeing far too much of this worldwide. Large registries are using resellers as their main channel to market. Those resellers are subselling to other resellers. Now, at the registrar-to-reseller level, there is a contract. Whether that contract is consistent with delivery of their obligations under the RAA is questionable. I believe these contracts should be visible to ICANN, who can check and point out any deficiencies. What happens between the reseller and their reseller is a totally unregulated arena. And this needs dealing with. We do know of particular registrars who are very poor at regulating their resellers. We also know one or two which are quite good. As I have said on a couple of previous occasions, this is not rocket science. It can be done. It has been done. We just need to get down and do it. I would say, as far as resellers are concerned, the problem for the registrar is he has got a large batch of income coming, as he sees it, from one party. If he annoys that party, they can move all their domains unblocked to a different registrar, because they have the contract with their customers and their resellers that allows them to do that. That arbitrage would have quite a financial impact on the registrars. The registrars are not running on great margins at the moment. They are more afraid of that than anything else. That may be why some of them are so reluctant to deal with cybercrime usage in domains.
>>MARC van WESEMAEL: Okay, thank you.
>>RICHARD COX: Very briefly, I entirely support the view that there should be an e-crime panel at these meetings.
>>MARC van WESEMAEL: Thank you, Richard. Another question from the online platform?
>>MARGIE MILAM: This one is from Wendy Seltzer. Her question is: How often are domains put in the Spamhaus blacklist by a third party's malicious abuse of a legitimately used name? For example, throwing someone else's real URL into a spam.
>>CAREL van STRAATEN: At the moment, the only published domain names that are completely controlled -- if I understand the question correctly, she is referring to compromised Web sites that host a redirecting file that redirects to a malicious Web site. At the moment, we are not listing those yet. However, in the future we will.
>>MARC van WESEMAEL: Thank you. Question from the room?
>>RICHARD WILHELM: Yes, Rick Wilhelm, Network Solutions. This is on dot eu. You have the scoring mechanism that you described where you look at incoming registrations and flight. When a registration is kicked over into the queue and legal review essentially at some point is going to say thumbs down, what happens to that registration? And how is that communicated back to the registrars? And how does that work with the eventual prospective registrant?
>>PETER JENSSEN: This is something that's more legal than anything else. But I'll try to -- as a techie, I will try to answer it anyway. That's what techies do. What I would envision happening there is that there will be some sort of rule that is broken, eligibility criteria, the contract or something like that. Then it just passes into the standard revocation procedure where the domain name gets revoked. Obviously, the registrar will be informed of that, and that's the end of it. What we do now also with domain names -- it is not new -- that we will do something like that. And in another time frame, I would say, in between the registration and the delegation, where now we deal with all these post factum, after the delegation. It is not something completely new there.
>>RICHARD WILHELM: And fully refunded, I presume?
>>PETER JENSSEN: Sorry, that I can't answer. I might look into -- I see nodding faces as in no.
>>RICHARD WILHELM: No?
>>PETER JENSSEN: No. In a second, I'm going to call up somebody because I --
>>MARC van WESEMAEL: Sorry. I missed the question.
Can you --
>>PETER JENSSEN: Reaffirming if the domain name gets revoked, that's essentially the question.
>>MARC van WESEMAEL: Well, I think registrars, but that's off the top of my head. That can then be open for debate, but I think registrars have a responsibility to take as well. If they didn't block it at the beginning, they have some responsibility to take. In this case, my feeling would be that they lose the money on the registration.
>>RICHARD WILHELM: So that would presume, then, that you're planning on articulating what the scoring mechanism should be; or as a registrar, are we just supposed to be psychic?
>>MARC van WESEMAEL: No, no. And there is another question on that on the online platform. It says: Does this mean -- and it was sent to EURid. Does this mean that the registry now takes responsibility for the domain abuse rather than the registrar? Well, I think we have joint responsibilities. As the registry, and there may be others, but we think that where we can help, we will do it. But there is still -- the registrars have a responsibility as well. For instance, they have -- and you have, if you are one. You have data we don't have. You have credit card information which we don't have. And using that credit card information, you might be earlier in the chain than we are, even to block a domain name before you register it. This is part of responsibility sharing. How we are going to do this, I think we need to set up a platform to discuss it, how we can do that together. I think one of the key points of all this abuse fighting is working together, collaborating in very different areas. I don't want to give registrars the responsibility, the total responsibility. We want to take our share, but we should work together. I think that's my message.
>>RICHARD WILHELM: Very good. I certainly don't presume to speak for the registrar constituency as a whole at this point. But as Network Solutions, we would look forward to that sort of dialogue with EURid.
>>MARC van WESEMAEL: We thank you --
>>BILL SMITH: If I could, I would like to second that. We all have a responsibility in this, whether it is business, technical, policy. We have to find solutions to these problems, and these problems aren't going to go away. But the bad actors will find new ways to act badly. And we will have to counter that. It is an ongoing, never-ending problem for us.
>>MARC van WESEMAEL: Thank you very much to the panelists. I think we have reached the -- our time is over. I want to thank everybody here on the panel for their contribution. There will be some closing remarks at the end. But one of the closing remarks is we need to -- already is we need to collaborate, and we would be happy if ICANN would start something around this to start up this collaboration. Thank you. So can I ask the other -- the next panel to come up. And this is on -- the second part is on the adoption of industry-led practices to protect consumers from DNS abuses. And that is merely the code of conduct kind of initiatives that are going on in different registries and registrars. Okay. So we're ready for the second part. We have one person who is -- one panelist who is joining us remotely. That is Jeremy Malcolm from Consumers International. He will speak second. But, first, we will have Wout De Natris from the Onafhankelijke Post en Telecommunicatie Autoriteit, from Poland, I suppose.
>>WOUT de NATRIS: Good morning. That means the Independent Post and Telecommunications Authority, which is the anti-spam and malware enforcement authority in the Netherlands. Next to that, I'm very active in the London Action Plan, which is a worldwide organization of anti-spam and malware forces. And I'm currently chair of the Cybercrime Working Party, which was established in May of this year in Prague, which is a public/private initiative, which I will say a little bit more about in a few minutes.
What I would like to first tell you is that, of course, you have seen a lot of law enforcement agencies in the past couple of days. And I won't repeat who was here, because many of you will have seen them, and many of you will have heard the topics my colleagues gave. I would like to approach this from a slightly different angle and just try to explain to you what Richard already did from Spamhaus. Spam is slightly slow, because if we start with a simple spam message, it may just be from your local butcher. Say, we have three hamburgers for the price of two or the other way around. Three for the price of two. And that could be very simple, because his name is there, his address is there, and even still it might be unsolicited. But what happens when someone is misleading, for example, just spoofing the address it came from or something in the text which may not be completely correct? And what happens when there's fraud involved, for 419 scams that involve a lot of money, or it may be products which are not exactly the right thing that you think you're ordering, or it may be illegal drugs you're ordering from whoever in the world and you don't know what you're getting. And what is the message on phishing? You can already see that there are a lot of different sorts of agencies involved who will have to cooperate and try to find the perpetrators. I'm not even talking about the role of industry yet. Then there comes a message that asks you to click on something. And, oh, this is a virus and your PC is compromised, and that means that the whole circle can start again. And even in a way much faster with fast flux, et cetera, as Richard has more than ably explained to us just now. That means that there's a possibility to create bots, and bots make sure that it even goes faster and there is more spam. There's more misleading, more et cetera, et cetera, et cetera. And you recognize this guy. You might think he died somewhere in the 1940s. I think he lives on the Internet.
He can probably live forever, because Al Capone is there, still saying to companies, "You need protection. If you don't, that means probably the end of your business." In the '20s, he had to drive around in a car and throw Molotov cocktails in shops. Nowadays he can do that much easier and make a lot more money on the side also. In the end, as we know, it is being used by governments to spy on other countries, but even to incite war. Are we waiting for the billion-dollar event? Maybe you should ask Estonia or Georgia what happened to their countries and see what happened there. That's something that could happen to everybody, maybe just by the assistance of a few students in their room at night working on a computer, which controls a bot which they rent out for 200, 300 euros or dollars an hour, and cripple a country that way. So, in other words, where does all this come in, and where can law enforcement do something about this? I think that the OECD study of 2006 on anti-spam, more or less, says the same for everybody here, that we all have to do certain things. Industry will have to build filters and (inaudible). Governments have to create a good spam law, set an enforcement in place. The law enforcement has to enforce it. Law enforcement has to have the right tools to enforce, et cetera, et cetera. But even what we've been proven in the past five, four years, is that even if we all do individually our utmost, it only seems to get worse anyway. So no matter how good an enforcement agency enforces in one country, if his neighbor country isn't enforcing, then most cases will already stop. You can have an excellent spam law. If you don't allocate resources to an enforcer, nothing's going to happen. Individual filtering doesn't make much of a difference also, because it just goes on and bad guys get smarter. So what we came up with recently in Prague is the Cybercrime Working Party, and I'm going to stop on this very fast.
We came up with some topics within the RIPE community with the help of the RIPE NCC and a lot of law enforcement agencies within the RIPE region. It would be just fine topics if we could actually discuss and agree about, instead of disagreeing. Because what I've been noticing in the past two years is that there was a lot of friction as soon as law enforcement came into the room at RIPE or at MAAWG meetings, and even ICANN a couple of years ago when I was there for the first time. You could see a lot of friction and mistrust and, I don't know, probably also a lot of misunderstandings about each other's intentions, and it became quite obvious to me what we cannot do. Quite obvious, because we were hearing it all across the room what we can't do. So I asked myself, "What is it that we can do?" And from there, we started discussions, and within a couple of months there was a working party in place with these topics. We're going to try and build a contact list, and the EU DG JLS -- justice, liberty, and security -- has offered that they are building a database which may just be used for that, and the study is going to start pretty soon where that could be usable. We're going to have technical meetings between the RIPE NCC and law enforcement digital investigators. Industry is building a lot of tools which could be of use for enforcement agencies, and the other way around. So let's try and see: are these the right tools, do they need a little tweaking, or do we need an extra tool or another tool. Let's talk about that and try to understand each other's needs and each other's possibilities. What I think is very important is that there becomes a template for information requests that would make it possible to do everything much more efficiently, because you know exactly what is being asked of you as a company or, in this case, the RIPE NCC. And the law enforcement agency, on the other hand, knows exactly what he can ask for and what -- what he can't ask for.
Then let's look at perceived problems, and identify solutions for them. Do we agree on certain topics, that it is a problem, and what are the major problems out there? Do we get the right problems to us as a law enforcement agency, because we are working on complaints or on everything that's being brought to us by the public or companies, but are they the right problems, are they the biggest problems out there? So let's try and see if we can discuss that and go further from that. And so now I have to bend over, but what we're also going to do is organize liaising with other bodies, to try and get the message across as well as possible. Go to other meetings of, for example, Eurojust or Europol, Interpol, the London Action Plan, ISPAN span, et cetera, et cetera, and also to industry meetings like ICANN. So that we can bring our message better. And as a last one, we can have a tabletop conference where we are going to try to identify the whole chain on the Internet, so that we can look at all the different parties that are involved and do we know each other, do we even meet regularly. Maybe not, maybe we do, but we're going to try and find out if we do. So, so much for my slides. What I would like to give as a message to ICANN, having heard what happened in the past four days, is that let's go and have a look first at what we already have in place. What do you have in place as an organization, as regulations, as possible enforcement tools, et cetera, before you start working on new ones. So what do you have at this moment that you could actually use, and how is it -- is it possible for you to start using them? And if so, what does it take to do so? And as a last one, I would like to offer you that we are of course more than willing, as the law enforcement community, to discuss it with you and go forward.
I think that as a message is that whatever these criminals do -- and everybody's always saying "It's on the Internet" or "It's in the cloud and nobody knows anything" and "It's international, I can't do anything" -- well, that is definitely changing. The bad guys have to surface somewhere in the real world. That means that they have to do something to get into the digital world. And those are the points that we can make a difference on, and a lot of people in this room are at those points where they have to surface, whether it's Bill Smith from PayPal, who was just sitting here, whether it's registrars or registries. Somewhere these guys are surfacing, and let's make sure that when they surface, we recognize them for what they are, and let's have a look at what that is. And I'm going to end with a little characterization of the U.S. President Obama, so I'm going to ask: What are we -- can we do something? I think yes, I can.
[Laughter]
>>MARC van WESEMAEL: Very nice. Thank you, Wout. Now we have somebody on the remote -- participating remotely who is joining us, Jeremy Malcolm from Consumers International. He is joining us from Kuala Lumpur. Do we have him on line?
>>JEREMY MALCOLM: Yes.
>>MARC van WESEMAEL: Hello, Jeremy. Yes, go ahead.
>>JEREMY MALCOLM: Hello there. Yes. Well, thanks for the introduction. I'm pleased to be on this panel. Sorry that I can't be there in person, and I don't even have some slides for you to use, so -- oh, the audio is echoing. Let me see if I can put my hand over the earpiece. So we'll see how this works out. I'm going to be talking in a fairly general way about this issue at a level of principle.
I will be going on to talk about the private sector initiatives by way of voluntary codes of conduct, but I am going to start off stepping back and looking at what are the types of DNS abuse from a consumer protection standpoint, because I do come from a consumer organization, Consumers International, which is a federation of consumer groups around the world. So from our perspective, I think there are three classes of DNS abuse. The first one, which is probably the most obvious, is attacks on the domain name system itself, or ways in which the DNS system can be either broken or made to malfunction, such as DNS filtering, cache poisoning, NXDOMAIN hijacking and viruses that target the operation of the DNS system. So for this class of DNS abuses, there's generally no legitimate excuse. They're generally designed to make the DNS system do something that it isn't meant to do. The second of the three types of DNS abuse is spoofed domains: registering domains that appear to be in relation to an organization or a product or service that they're not. This can be phishing, but it can often be other registrations where the intent of the registration is to harm consumer interests, to fool consumers in some way. It is a bit narrower than what trademark owners want to protect, though, so I'm not talking about the case where you might type in "CocaCola.tld" and end up at a Pepsi Web site. That's not a case of DNS abuse that affects consumers, in a sense, because when they get to the Pepsi Web site, they are fully aware of what's going on, but if they go to a Web site and think it is something else, that's the second class of DNS abuses. And the third is the misuse of features of the DNS system that are intended features, but they're used in a way that harms consumer interests. So I would say that fast flux hosting is an example of this, and the deliberate omission of WHOIS information to stop consumers from finding the operator of a Web site.
Now, the reason why I've outlined those three classes of DNS abuses is because from the consumer's perspective, only one of them is always objectionable and always subject to -- and could be dealt with by an inflexible rule, and that's the first one: the attacks on the domain name system itself. That's the kind of abuse that can always be dealt with by a blanket policy that prohibits that sort of conduct. For the others, it's not quite so simple, and to deal with those sorts of abuses, there's going to be some discretion involved and some exercise of independent human evaluation. So you need to -- for example, in the case of a domain -- like a spoofed domain that's registered, you have to decide, well, is this per se abusive or is it -- you know, is it a case of phishing or, rather, is it a case of criticism of the trademark owner or comparative advertising or something like that. So you can't say that any spoofed domain registration is, per se, abusive. And likewise, the use of DNS privacy features: is this an attempt to evade the law that protects consumers, or is it rather a way to emphasize freedom of expression and privacy rights? Are you hiding your identity as the owner of a domain for legitimate reasons, such as you're wishing to escape political persecution or censorship? So my point is that certain DNS abuses in -- to deal with them involves the exercise of discretion, and the question is: Who is going to exercise this discretion to determine whether the registrations or the uses of the DNS system are abusive or not? And I think there are three possible -- possibilities. The first is to have some kind of tribunal system within ICANN, such as a UDRP-equivalent system. The second way would be to deal with it outside of the DNS system altogether and to allow national regulators, national courts, national arbitration systems to deal with these abuses. And the third option is to deal with it through registrars or registries applying a code of conduct.
And that is the option that's been suggested for discussion in the second part of the panel. So there are problems with each of these three alternative ways of dealing with DNS abuse. The option of a tribunal system, like the UDRP, is problematic because in many cases the alleged abuser would not be represented. For example, if you've registered a domain and hidden your details or obfuscated your location because of fears of persecution or censorship, then you're not going to appear before a tribunal to argue your case, so that would limit the effectiveness of a tribunal that would look into the allegations of abuse. What about dealing with it on a national level? Well, the problem there is that there are, you know, almost 200 countries in the world and you're going to have close to 200 legal systems dealing with the same issues, and that's the very reason why the UDRP exists: To provide some certainty across jurisdictions, because of course the Internet really crosses national boundaries in a way that other communications mechanisms don't. So what about that third option, which is applying a code of conduct and having registrars or registries to deal with abuses? I think that this can be the best option if there is adequate public interest representation in its -- in the development of such a code, in the implementation of the code, and in review of decisions made under the code. So subject to those other important conditions, I think this can be the best option for industry and consumers alike. And Consumers International has had some experience in voluntary industry codes of conduct of this kind and I have to say the experience is mixed. It doesn't always work, and usually it doesn't work very well for consumers when the process is dominated by industry. 
So I could give a raft of examples, but just to give a couple: our Australian member, a consumer association called "Choice," has been critical of the environmental claims in advertising and marketing code which exists in Australia, because not only are there loopholes in the code itself, but because institutionally it is the responsibility of an industry-only body, a self-regulated advertising standards bureau, and this means that the code is really not responsive to the needs of consumers. What we want is something that consumers actually have a say in the drafting and the implementation of. Another example is the food marketing -- the code on food marketing to children in Europe, and this is (inaudible) small problems. Like it only applies to children under 12, it only applies to marketing in TV programs which have a viewership of more than (inaudible) percent children, and industry decides on the nutritional criteria that are included in that program. So both of these are examples of codes that have been developed through a self-regulatory process and that haven't been that successful. On the other hand, a code can be developed through a (inaudible) regulatory process, and an example of that is the Internet industry spam code in Australia. I have to give a disclosure here because I am -- or I've just completed my term as the chair of the task force that developed that code. It's a more successful model, in the sense that government, industry, and consumers came together to codevelop this code, and it would not be registered by -- it would not be approved by the stakeholders until everyone had signed off on it. All of the relevant stakeholders had to sign a certificate of consultation to say we're satisfied that our interests have been taken into account.
>>MARC van WESEMAEL: Jeremy.
>>JEREMY MALCOLM: So I could go into much more detail, but I think I've run out of time, so I'll just summarize by saying that yes -- by saying that --
>>MARC van WESEMAEL: Hello, Jeremy. Can we interrupt you? Can you please wrap up, because we are running out of time.
>>JEREMY MALCOLM: It is important that the method that we adopt allows all of the stakeholders adequate input into the practices that are codified, and so I think if this is going to be a way forward for dealing with DNS abuse, we just have to make sure that it's not an industry-dominated process, that consumer voices are heard at an early and an adequate stage of the process, and the input consumers give is fully taken into account. I'd be very happy to expand if -- during question time if there are any questions. Thank you very much.
>>MARC van WESEMAEL: Okay. Thank you, Jeremy. I hope you can hear me. Thank you for your intervention from Kuala Lumpur. We appreciated that. I took away that the code of conduct is for -- is for you the very -- the best option, but consumer organizations should be involved to make the best of it. But we can hear from some experiences now that -- what -- how it worked in Australia, for instance, and Chris will help us through that.
>>CHRIS DISSPAIN: Thank you, Marc. I have no slides, and I actually deliberately didn't prepare a presentation because I wanted to listen and just see where that led to. I'm going to be very brief, and I'm just going to make a few points and ask a few questions. The explanation of this panel says, "Panel will explore voluntary adoption of codes of conduct in lieu of mandatory requirements. Can that work?" And the answer to that is, I think, probably no. It may be as well as, but not in lieu of. The -- as Jeremy has said, it's a judgment call or a discretion call a lot of the time. The point about spam is -- is, I think, quite an interesting one. At the top of your tree, you had just spam. Your butcher sends you an e-mail.
If you ignore everything else below that and say that everything below that is -- that has malware in it or something that you should do that is wrong, that is malicious, you could argue that the simple spam is just annoying and a nuisance. But society decided at some point that they didn't like it very much, and that it was bad. Even at that level. And so some countries like Australia have a spam act and it's not a -- it's not allowed. Now, could you have done that with a voluntary code of practice? Well, no, not really, because who would you be using that voluntary code of practice for? The key, I think, is to use what works, and in order to figure out what works, you've got to first figure out what your goal is. And what it is that you want to achieve. Neighborhood watch, most countries probably have a neighborhood watch scheme, where the people in the neighborhood watch out for people's houses when they're away, et cetera as a kind of voluntary code of practice, and you join it and you stick a sticker on your window and people know that this is a neighborhood watch area. Does it stop your house being broken into? No. But it makes you feel a bit safer, and it might -- it might reduce the risk of your house being broken into, but it certainly doesn't reduce the risk of your house being broken into as much as an alarm does, or a large Alsatian. So it's about what's -- you know, what's your goal and what -- and what works. I want to just give one very quick example of what we do in Australia. It's on spoofed domains, and it's taking the -- the bit that Jeremy talked about that probably isn't a thing that you should be legislating on, which I don't agree with. We have a misspellings policy in Australia which does not allow you to register misspellings of names of companies or brand names, et cetera, and we run a list of misspellings. And what used to happen was that -- so let me take an example. 
The Australian major telco is Telstra, T-e-l-s-t-r-a, and of course there are numerous ways that you can misspell that, so that you -- people will type it by mistake. If you ended up at a place that -- at a Web site that was for the sale of shoes, you probably wouldn't be worried too much, but of course the main reason these misspellings are registered is to capture traffic and to take people to a site that they might think is Telstra or might take them away from Telstra. Our original policy was that you're not allowed to have misspellings. If you registered a misspelling -- you warrant when you register the name that you're entitled to it -- and if it's a misspelling, we will ask you to explain why you're entitled to it. Unless you can tell us a reason, then we'll take it away from you. And what happened was that people just kept on registering them time after time after time. So they'd register, we'd take it away, it would get registered again. So in the end, what we decided to do was have a list of the names that had been taken away once, and if the name was on that list, then when someone else registers it, it's automatically assumed to be a misspelling and it's put into pending delete and then you have seven days to tell us why it is not. Now, I can't see -- we choose to have that as a policy. I can't see any way that something like that could be dealt with with some sort of code of practice, unless you said to registrars, "What you need to do is examine every application you get for a domain name, have a look at it, see whether it's a mis- -- you think it's a misspelling or not, and then if you do, don't register it. It ain't going to work." And sometimes, you know, there might be a good reason. Lufthansa -- Lufthansa.com.au was registered, and when we asked why, the answer we got was that it was registered on behalf of a psychologist whose name was Dr. Luf T. Hansa and that he worked in western Australia, but bizarrely, the Web site had airline tickets for sale on it. 
This is supposed to be a discussion, so I'm going to stop now, and hopefully we can have some questions at the end. >>MARC van WESEMAEL: Thank you, Chris. Last one in the row is -- now we have heard the view of a registry. Now the last one is the registrar to talk, and that's Stéphane Van Gelder from INDOM. >>STÉPHANE VAN GELDER: Thank you very much. Just to give you a little bit of background of where I come from in terms of my view on this, INDOM is a registrar in France. We service corporate brands, so we have a specific business model, and as you know and as you've probably heard this week, there are several business models in the registrar industry. Ours is to work with customers that are generally constantly under attack from cybersquatting and abuse of every kind, so we are constantly up against that problem and in the unique position of both being a registrar and helping these people defend themselves against other registration abuses. So part of that, as previous speakers have said -- one of the ways that we try to deal with that is by voluntarily taking action when we're told -- notified of an abuse. So for example, if we get a letter or if we get an e-mail from someone telling us that a registration that has been carried out through INDOM is abusive, we will contact the registrant and ask him if he has any rights on the name and if it becomes clear that he doesn't, then we will take action and at least suspend the name or try and work it out with the registrant. We will take proactive action because we believe that the quality of the service that we offer to our clients -- once again, brands and corporations -- is so important that if we don't take action in this regard, then it's detrimental to our business model. So there is a strong incentive for us, as a company, to take action in this respect. 
And when we do, every time we have done this, we've obviously never had a complaint from the registrant, and we do include that in our terms of service so that people know that if you do come to INDOM to register abusive names and we're told about it, that's a very important proviso to make, because if -- we have automatic registration systems. We don't necessarily know what's going on. But if we're told, we don't stick our heads in the ground and we do act. So that's one way we -- we take action. Another way that we've tried to act is by getting involved in voluntary codes of conduct. I was a registrar representative on the board of AfNIC, the French registry, for six years and we worked on a code of conduct there. We did so hand in hand with the registry. We've also done so with EURID. EURID has a code of -- well, EURID -- dot EU registrars have a code of conduct, and that has been evolved with the registrars and the registry working together to try and provide some kind of incentive for the good actor registrars to show that they are just that, and that they are willing to adhere to a certain level of professional courtesy, shall we say. So we -- that is something that can work, that can be successful. I agree with what Chris has just said, it can't -- that is not the only way that you can combat this. I firmly believe -- and I'll stop there, to make it brief and give you all an opportunity for questions -- but I firmly believe that part of the solution is the registry/registrar cooperation model. Chris has just described a system whereby his registry will act, and presumably that has been done talking with the registrars and saying, you know, "What do you think about this? Would this be a good system? Would it be a bad system?" 
We've done similar things in France and I can tell you that when one of my customers is targeted and has a domain name that is registered that is a cybersquatting domain name, and they take action -- be it UDRP, legal action, or whatever -- it will cost them money and they feel that they've been hit on the head twice. The name, the infringing name is registered against them and then they have to pay to take action and, as Chris said earlier, once they have taken action, either they keep the name in their own portfolio and it costs them money every year or they let it go and someone else comes back and reregisters it. So those types of problems, they need to be worked out with the people that are, you know, actually on the front lines and those are the registrars, obviously, and the registry. Thank you. >>MARC van WESEMAEL: Thank you very much, Stéphane. I think Chris had a question for Stéphane. >>CHRIS DISSPAIN: Yeah. I just wanted to ask you, Stéphane, a couple of things actually. You were talking initially about some stuff that you do that would be specifically to do with abuse, which is what you do as a registrar. Do you view that as a sort of marketing thing, in the sense that you would -- you want to be able to give that as part of your unique selling proposition, rather than perhaps having it mandated on you by some sort of a code of practice? >>STÉPHANE VAN GELDER: Yes, absolutely. I mean, I started off by saying that there are many registrar models and I don't think that my -- my company's model is necessarily -- things that can work for us may not work for everyone, but certainly we do it on a voluntary basis and we do it because we feel it's a commercial edge, it's a business incentive for people to work with INDOM because they know we'll take action in that regard. >>MARC van WESEMAEL: Thank you. Are there questions from the room? Yes. 
>>JAIME WAGNER: I just would like to report an experience that we have in Brazil of a code of conduct on spam, and it works like that. It's above the sliding. Because we don't want to fight the bad spam, the bandits. We -- we wanted to orient the bad informant spam. I called it the ingenuity spam. And we worked with 15 organizations from ISPs, mail marketing agencies, consumer side, and we ended up with a technical -- the first -- one year it took to -- the conversation to -- it was a multistakeholder experiment, and it took one year to come up with a technical orientation for everybody. It is working. It already worked and it produced good results. And another year, we have instituted a way of judgment, and also there is a black list that is in place and there is a way to -- to get out of the -- it's a very complex system to be explained here, but it worked, and it is still working, and it is not -- it's not intended to be something that precludes legislation. It adds some action or prompt action that sometimes the enforcement, law enforcement has not the same agility that we have. >>MARC van WESEMAEL: Thank you very much for sharing that experience with us. We have a question from online. >>MARGIE MILAM: Yes. This question is from Don Blumenthal. His question is to OPTA. There has been a lot of talk about law enforcement agencies over the last few days with no definition. How are you defining it specifically for your effort? National? Local? Are there any limits on substantive jurisdiction or something else? How are you limiting what you're doing? >>WOUT de NATRIS: The way that we approach the problem or the complaints we get? >>MARC van WESEMAEL: I understand it as: What is the definition of law enforcement? What should they do? Is that the question? >>MARGIE MILAM: I guess. I'm sorry. I'm just reading from his question. A lot of talk about law enforcement agencies with no definition. So I guess the question is: What is a law enforcement agency? 
>>WOUT de NATRIS: Okay. I think that most of the law enforcement agencies present here were all police-type organizations, whether more general or cybercrime units. And I think that we are -- as OPTA, we are an administrative body, an independent body from the government. But at the same time, we are a law enforcement agency because we uphold and enforce the Post Telecommunications Act in the Netherlands, of which spam is part of the Post Telecommunications Act. So in such a way we are a law enforcement agency but at the same time a regulator. >>CHRIS DISSPAIN: If the question is about what is a law enforcement agency, I think that's a really interesting question. The cc's spoke the other day to the police people who were here, and we had a great discussion. And one of the things we talked about was they said, you know, we need to widen -- basically, questions from "law enforcement," which would include government bodies that have a statutory right to information should be able to be dealt with quickly, et cetera. And part of the problem is that, you know, if they have to get some information from the states, they have to go through this whole process to get that information. It takes a very long time, et cetera, et cetera, et cetera. And the question we asked them was: Okay, so is that everywhere? Is that every country? Or are you making a judgment that the law enforcement of one particular country is acceptable but the law enforcement of another particular country is not acceptable? Because you can't actually -- it is either all or nothing with this. You can't say, "We don't like you, Cayman Islands" -- sorry, Dave -- "so we're not going to acknowledge your law enforcement." That's really part of the challenge. >>MARC van WESEMAEL: Another question online. >>MARGIE MILAM: Yes. This is from John McCormac. And his question is: Is there a possibility of a domain block list beyond the reserved domains list that could be circulated to the registrars by the registry? 
>>MARC van WESEMAEL: I wonder who that question is aimed at? >>CHRIS DISSPAIN: I'll start and then perhaps Stéphane. A block list that could be circulated from the registry to the registrars happens in cc land a lot already. In some countries, there is a thing called a reserved list. Our reserved list, just as an example, is very short but it has words on it like "university" that's not allowed to be used except under certain circumstances. The word "Olympic" is reserved. Some countries choose to have a list of rude words that they reserve. So it exists already, certainly in the ccTLD world. >>MARC van WESEMAEL: Yes, I thought we were rather referring to the block list that SpamHaus was talking about in the earlier panel. But if it is about registries, then I guess, yes. I can only speak for EURID. But there is a reserved list of words that cannot be used as well. It was even published in the official publication of the European Commission. So, of course, we can make that available. >>STÉPHANE VAN GELDER: Just to say that block lists are fine, if you know -- if you can prove why the names are blocked, if you know the reason for blocking the names. You have to be careful because some people have legitimate reasons for wanting to register names. And if you just block them arbitrarily, you don't really know why. So it's -- it really is a kind of -- how do you find that balance between on the one hand obvious names that you want to block and, on the other, allowing people to register names? One of the ways of doing that is the reserved names list, as long as that's kept short obviously. And reserved names, you will see reserved name lists in almost all registries now, including gTLD registries. ICANN has a reserved name list for the new gTLD program, so... >>MARC van WESEMAEL: Okay, thanks. I see no more questions. We've -- oh, there's still one in the room. >>PAUL FOODY: Hi, Paul Foody. This is actually a massive philosophical debate. 
I mean, I've got this camera here. This is a Canon camera, C-A-N-O-N. >>MARC van WESEMAEL: Are you working for them? >>PAUL FOODY: No, I'm not. But I'm very grateful to them. Canon has become the first company to actually express an interest in a gTLD. They say, "We want dot canon." The thing is every legal law that we have is going to support their application. And, yet, the word canon is very clearly a word that belongs to the church. Canon is the collection of laws that has to do with Christian church. So even though the Canon will be acting legally, they are actually cybersquatting on something that belongs to the church. So we have got to be very careful here because it is a philosophical debate. You know, we're talking about cybersquatters. Yet, at the same time, Google sold Gordon Brown to the conservatives. And, you know, let's forget about Google and what they did, whether that's right or wrong. But, you know, when you've got the lives of the conservatives who are now the British governing party buying a term that they know is deceptive for their own gain, what is the message that we're sending out here? So we've got to be very, very careful. The economic survey quoted a report by Adelman which listed, I think, 280 examples of cybersquatting -- or, sorry, typosquatting per name. So if we work on that basis, if a company registers a dot TLD, are we going to give them 280 similar-sounding dot TLDs? If a suspect -- if people are misspelling company names 280 times, surely there's something wrong with the company's advertising. Would it not be easier to put in some sort of mechanism where you put in the name of a company, a list of the most popular -- the most frequently viewed sites were shown so people can then make a decision on that basis? >>MARC van WESEMAEL: Okay. Thank you. Thank you for making your point. I would like to wrap up. We have run out of time. We are over time even. Just a few words just to -- of what I have heard during this meeting. 
I think we have -- we all feel that collaboration is needed to fight cybercrime on different levels in different situations. There are -- timing is an important issue. The earlier we can intervene the better. We can intervene -- or the reseller can intervene at the level of the reseller. The registrar is the next one in line. The registry is the following one. We have groups like APWG, the anti-phishing working group, or the anti-spam -- groups of SpamHaus we have heard this morning, law enforcement. And the later you get in the queue, the more harm is done. So it's important we all work together at the earliest stage of the registration of a domain name before at the earliest it is being used. There is, of course, a tradeoff in flexibility of what can be done. You can, of course, try to find out if people who are registering a domain name are -- have given their genuine information. But that would take a long time to get a registration done, and people want to have domain names active as soon as possible. That's the balance we have to find. So second keyword is "collaboration" between the different stakeholders. Since I've been in this industry, I've seen a huge evolution where in the beginning registries and registrars were working completely independently. I see more and more collaboration in that area. So I think we're going in the right direction. But there is still a long way to go and for safer systems, there will be -- this should also be part of the design and not just a work-around afterwards. I think that is my conclusion of this meeting today. I hope we can continue these discussions and start working groups, whatever, to get really actions done. Thank you. And thanks, Margie, for hosting this session. [Applause]