DNS Abuse Forum Thursday, 29 October 2009 ICANN Meeting Seoul, Korea >>MARGIE MILAM: Good afternoon, everyone. We're going to get started with the DNS abuse forum. And I'd like to welcome the chair of ISOC Hong Kong, Charles Mok. He will be the moderator for this session. Charles. >>CHARLES MOK: Well, thank you. Thank you for being here, right after lunch. I'm happy to be the moderator of this session. I just want to start by saying that the DNS abuse forum is actually a very important part of our proceeding at the ICANN meeting, especially because as we all know, the DNS abuse issues have affected so many of our different stakeholders, from the users, the consumers, the businesses, as well as, obviously, companies involved in the registration process, from registry, registrars, and all other companies that might be providing solutions and so on. So today we are going to take a look at this issue from both the technical as well as the business, operational, even some of the legal issues that is involved in the situation. Now, I myself was a board member in one of the CC -- in the ccTLD in Hong Kong. And I understand that, actually, a few years ago, we also, actually, ran into an issue with DNS abuse. And to us at that time, it was really an issue that caused great damage to us in terms of our business, our operation, as well as our reputation. So it's an issue that I think really affects everybody in the ICANN stakeholder group. Now, I look forward, actually, to hearing and learning a lot from our speakers today. And -- right. So we have two sessions. The first session -- and for both sessions, we're actually going to ask our speakers to give a short presentation of about eight minutes. And then after that, we'll have Q&A, and you can line up at the two microphones up here to get your questions asked. Now, in the first session, we're going to have these speakers. And they're going to be Mr. Jinhyun Cho, from the Korean Internet and security agency. And then Ihab Shraim, from MarkMonitor. And then James Bladel from Go Daddy; Dave Piscitello, from ICANN; Adam Palmer, from PIR; and Edmon Chung, who will be joining us soon, from dot Asia. Now, without further ado, I think we will go right ahead to Mr. Cho. Mr. Cho. >>JINHYUN CHO: Thank you. Well, I'm from KR CERT, Korea Computer Emergency Response Team, though I'm working at their many -- some prospective Internet. And I would like to share some perspective from the Korean side about this DNS abuse. First of all, we -- Korea is one of the famous (inaudible) countries for the broadband Internet. Korea also has many problems with phishing. In Korea, we are using some Digital search key and other technology for Internet banking or ebanking. So we don't see many phishing cases in Korea, but there were many other cases from some -- the United States and other countries. So last year, we handled more than 1,000 phishing sites in Korea to take down. That is one issue to share. And the next one, maybe we are operating some monitoring system for a Web site where there are some malicious links buried in their site. Well, without any antivaccine program, you cannot know whether -- you may think that while you visited some usual sites, but there were -- in case without antivirus protection, you will be contact some malware. So we are operating some monitoring system called MC Find, Malicious Code Find. We visit the sites, and, well, we download the contents and verify there is some malicious things in there. Now we are monitoring around 100,000 Web sites in Korea. And we are planning to -- moving more than one million sites in Korea, probably most of the dot KR sites will be under some monitoring or some MC Find monitoring systems. And that will be happening in the next year. And there will be -- in Korea, we had, in July, some DDOS attacks, you may know. Well, so we are planning to -- some -- pushing some anti-DDOS defense for these dot KR new to DNS servers. It will be done in the next year, again. And another point may be, we are operating the black hole systems, DNS black-holing. Well, the interesting, maybe most local or domestic Internet service provides churning in that DNS sinkholing systems. So while there is some malicious sites in foreign countries, most Korean users will not allow to connect there. From the ISP (inaudible) service, the DNS (inaudible) will be the site of DNS sinkhole systems. There is -- changing the associated I.P. to our system, not the malicious site in the foreign countries. Well, this is some perspective from Korea. Thank you. >>CHARLES MOK: Okay. And we move right along to Ihab, who's the chief security officer at MarkMonitor. >>IHAB SHRAIM: Hello. My name is Ihab Shraim. I'm the chief security officer of MarkMonitor, also the founder of the fraud division within MarkMonitor. We are a registrar, and we deal with the malware and phishing phenomenon on a daily basis for the past five years. What I will walk you through is a few slides. Please ask as many questions as possible. And, initially, I want to just walk you through the evolution of credential theft from its inception. Between 2002 to 2004, we've dealt with what we call URL obfuscation techniques. Now, the most important thing is that domain names were the central focus of the attack vector. Now, of course, I.P. addresses were used heavily at that time. In 2004 through 2006, we've noticed a major move toward domain name typos, which is basically cybersquatting. The most important thing is that what we've noticed in 2007 through 2008, new tool kits that were used in botnets and Fast Flux networks. And a good example of that is rock phish attacks. And currently, we -- I'm sure you've heard about the Avalanche Group or the avalanche attacks and so forth. Now, the most important thing to notice here with these attacks, specifically on -- between 2007 and up, is that they -- the phishers or the hacking world have used multiple vectors, from layer 7 through layer 2. This is very important to note, because multiple techniques were used within the same attack. Now, in 2008, malware distribution became the main phenomenon. And as you know, probably in every article you read, you will notice that everything is about malware. 2010, God knows what would be the new vector. We have some predictions. But we'll keep that for now until next year. Let me walk you through just a simple statistic here. Domain name-based phish and malware attacks continue to grow. This is our statistics, basically. It all is dependent on unique identifiers, meaning a unique vector -- I'm sorry, a unique malware or a unique phishing incident. Now, this is mainly geared toward the FI vertical. And most importantly, it has a phishing phenomenon. Now, remember, this is not all the malware in the industry. This is the malware that has a phishing backend to it. As you can see, it's quite healthy and it's growing well. We're doing well financially, so that's a good thing. All right. Malware is becoming the new battleground. While we kind of practically -- we all know that. But the most important thing to note here is how this battleground is being deployed nowadays. This statistic that I have in front of you is from Symantec. So I just wanted to show you the growth of the malware phenomenon. And this is not to keep drawing the same point, but this is the vehicle by which most of the attacks are being launched recently. Okay. So let's talk about how domain names are being used from a statistical point of view and how these are affecting the sectors within the industry. Now, this is very important, 'cause we track that on a yearly basis. And as you can see, payment industry services increased from 49% from 42. Financial and auctions have decreased about 4% from the previous year this time. If you look at this pie chart, you would notice that we have this 8% slice, which we call "Other." "Other" is becoming a growing slice. And it's quite alarming, because most of the phish and malware attacks are targeted to the other nowadays, because it's quite interesting to phishers and hackers and malware lovers, I would say. The gaming industry, e commerce sites, social networks, job sites, registrars, will you see tons of white papers describing that. The most important thing to note here, we produce what we call a brand-jacking index, which looks at the brands being affected in the industry. We have notice from last year, and, in fact, we supported that with our last report in Q1, a 24% increase as an attack against brands. What's notable here is the next statistic that I would like to share with you, which is 93% of these brands -- I'm sorry, 93 brands were phished for the first time. Now, this is high. If you were to look at -- if you were to track this problem from the inception of the phishing problem in the very early, I would say, 2003 until now, you would notice that this is a high number. And the number is growing. Why is that? Because they can do that now. The critical part about, I would say, two thousand -- toward the end of 2008 and 2009 is what we refer to as "spear phishing." Now, this is quite targeted. It's geared toward a specific set of victims to be phished. And that's also applied to malware. Thereby, they can bypass all the triggers and detection systems and allow that phishing campaign to stay online. Now, I want to share here with you. Now, I want to share here with you something that is quite unique. And this is -- we've done that about two weeks ago. We have -- one of the most interesting things that I came across, which is a domain name with a video associated with it with a phisher who is selling on YouTube on their database. They have 280,000 accounts, which were compromised. And, in fact, we couldn't name this thing. We came up with -- if you were to look at, you know, the analogy of domain tasting, we call it "credential tasting." This gentleman -- you would view the video. It's about 20 minutes long. The interesting part is that he came across as a "he," because we communicated with him. He will share with you some of the compromised accounts. And you can select which bank you would like to get the accounts that are compromised, et cetera. Now, that shows you that there is no rules. I mean, I've never expected that somebody would come in this format. And, by the way, the same individual who we shut down the site for, he built the same video about eight times within the same week. So the interesting part is that they're going, in my opinion, you know, live with video. So.... Let me walk you through some of the industries that I've referred to, which are part of slice -- of 8% slice that I showed you in the pie chart. Now, here you see gaming. And you would wonder why would somebody want to be in the gaming world? I mean, you know, gamers, they play and they enjoy their games. But why would somebody want to go and phish them? Well, remember, there are two parts of this: One, to build illegal gaming, which is highly profitable. They can put their ads, et cetera. But the most important is on these game sites you can download malware on that particular machine, use it for other advantages. Key loggers. I'm sure all of you have heard about key logging. It's a big phenomenon. So, of course, the most important thing is that the gaming industry now is being hit hard with these type of attacks. Look at e-commerce sites. E-commerce sites are also being hit hard. And, of course, they're trying to -- you know, gain credential thefts, et cetera. So I didn't know -- didn't realize how much time I have consumed so far. Social networks -- I'm ahead of you in my slide. Social networks. Social networks is a grooming ground for phishers to go and steal that thing. Again, remember all these phishing attacks are today being launched via domain names. I mean, domain names are used as a focal point as part of their toolkit. In the old days, still in some cases, we see some I.P.-based attacks. But they all are now domain name based, I would say. Now, remember, this applied the same as with game sites. Malware is the essence of what they would like to download. And, most importantly, if a key logger or a piece of malware has been loaded on that machine, they start searching for credentials or anything that they may have with online either banking or anything else that they can profile or social engineer toward their gains. Now, job sites are not immune either. Job sites are an area by which a lot of private data or personal data being used there and shared; therefore, it's an area for phishers or hackers to go and remove -- I'm sorry -- download that data for their own use. Now, you may think what do I have there? Now, remember, if you have a resume, you'll have your own address, your name, your full name, your background, everything about yourself within that resume. Now, they can tie that with some data that they can take out of your PC. And then they have most of what they want to have on you. And the rest is, I guess, their business. Now, registrars are not even immune from that particular attack. Why would you want to do that? Well, rather than buying a domain name, why don't you just hack, you know, the credentials of some log- in and repoint that -- or reDNS domain name at its legitimate domain name? We've seen that over and over again. And, by the way, we are a registrar, too; so this is no shot at registrars. Now, the critical part here to note is spear phishing or targeted attacks. That's the essence of what we're talking about today. It's "man in the browser" or "chat in the middle." This is probably new terminology for all of you. But I have a slide next, which will describe the latest attacks that we are seeing today, which go a little bit beyond Zeus and the Avalanche Group. These are recent attacks, and they're critical. Not too many people are talking about them. You're not going to find a white paper, because no one had written that so far. Now, the most important thing it's all about credential theft, and it's the essence of the attack vector. The interesting part here when I said, "Chat in the middle," phishers today produce a chat session with the victim on their own PC so they can solicit additional data. This is a chat client. We're not talking about the normal IM and other chat clients. We're talking about through the session that they conduct as they conduct their online banking. This is critical, because this is an upper move from the previous attacks that we have seen on the attack vectors. And, most importantly, "man in the browser" is very, very critical today. In the past it was" man in the middle." Now it's man in the browser. Basically, they reside on your machine. And they try to intercept the communication between you, as the person who is conducting either online banking or using online credentials with the online site. Here is an example of, basically, what -- on the left-hand side, basically, what you'll get with an online banking, one of the banks. And on the right side the modified version of that. Am I doing okay on time? Two more slides. Okay. What's the latest? Well, it all boils down to credential theft. I want to share with you a couple things. Now, click fraud is heavy or high on the agenda. If you notice what is being done lately, this is not limited to stealing credentials. This is also -- it's all about how much money they can make. So what they found out is that they can increase their -- if they were to park a few domain names out there and then, if you were to go to them and they repoint you to the fraudulent sites. And then they increase the number of clicks to the sites that they are conducting their -- or sharing through AdSense or any of these programs, they can generate revenue. Now, this is important, because there was a recent attack. It's called the -- was used by the Bahama botnet. And it was discovered in December 2009. Now, on the credential theft side, I'd like to note two things of what we're seeing today. We're seeing a huge influx of URL redirection. This is important because these redirections are not your normal just you go from point A to point B to point C. They're tracking and profiling or social engineering their victims. And, not only that, they are conducting traffic- blocking techniques, which means they're excellent network guys, which means also, if you are coming, let's say -- if the attack is geared toward bank A and somewhere, let's say, in -- without, you know, naming a country, somewhere in Latin America. If your traffic is coming from the United States, they'll block it. How do they know that? It's very easy. Look at the I.P. scheme. It's so easy to block. They block traffic by I.P. and by ISP now. In the past it was spam the masses. And, whoever falls victim in that campaign, basically, they'll just log them. However, now, it's more targeted. And that's the key. And the central element of the phishing attack or the malware attack is a domain name. Now, new malware attack vectors, I wanted to share with you here what we are seeing is the "man in the browser" attack, which I referred to earlier. But it defeats one-time passwords. This is important. This is very, very, very important. Because we've heard in the past about authentication techniques, and now they're being beat. I can walk you through that attack in detail, if you wish, after I finish. Because I've only got eight minutes, and I've surpassed it. Lastly, what do we need to do? I'll go through it quickly. We need to produce better procedures to handle phishing attacks. Yeah, I'm ahead of you, you know? We need to accelerate the disablement of the domain name -- of domain names shutdowns. This is very important. Because the only way you can mitigate the attack now is to disable or remove the domain names, specifically, with malware incidents or anything that we classify as rock phish attacks or avalanche attacks. Stronger verification and authentication. And to have, basically, the registrars and the ccTLD operators to be a little bit more current with these latest phishing attacks as well as malware attacks. I call the tier cybercrime attacks and support any new ideas. I heard a great idea here, and then I heard that we have that. Something like a DNS CERT. Please provide some support to some of these ideas. ICANN is behind it, and I hope this will work. I'm sorry for taking longer than what I -- >>CHARLES MOK: Thank you, Ihab. Actually, I think we should put this presentation of yours on YouTube. And it will serve as a great education tool for all kinds of users and network managers alike. Now, next let us move on to Mr. James Bladel, who is the director of policy planning for Go Daddy. >>JAMES BLADEL: Thank you, Charles. Thank you. And, as Charles indicated, I am with GoDaddy.com but today will be speaking in the capacity of the former chair of the fast flux PDP working group. And I see some fellow fast flux veterans up here on the stage as well as in the audience. So just a timeline of the fast flux PDP. It was kicked off with an SSAC advisory in January of last year. Issues report was filed shortly thereafter. The PDP was initiated in May of 2008. And, after a lengthy process of deliberation and review of public comments, the final report of this group was published and submitted to the GNSO Council in August of this year. That didn't work out. So the charter questions, which are kind of smeared together up here, but this is the overview of what the group was tasked to discuss and investigate was who benefits from fast flux and who is harmed? Are registries involved or registrars and how? How are registrants and general Internet users affected by fast flux? What technical or policy remedies could be implemented to mitigate the problem? And what would be the impact of restrictions on registrants or on general innovation? And then, finally, we tried to collect and catalog some examples of best practices. This was a challenging PDP. The issue became more and more complex as we started to peel away the layers. Our first hurdle that had to be overcome was finding a robust and sustainable definition for what fast flux is. I think that we came up with a fairly robust list of characteristics of a fast flux network. But I think that we still had some fringe cases that were difficult to characterize. One of the conclusions was that Fast Flux is a networking technique. In and of itself, it is not abuse, but it certainly aids in abusive activities, but it does have a role as well as a tool for conducting legitimate activities. Many types of organizations are involved in this issue, not just registries and registrars but also ISPs, Web hosting companies, general firms that are sometimes considered outside of the ICANN community. Currently, there's no centralized repository of data on the subject that would have aided this deliberation. So it would be difficult to conduct policies -- a lot of policy development in the absence of quantifiable research of the problem. But ICANN and all of its members in the community can be a catalyst for collecting data and exchanging of best practices. So just to provide a synopsis of what the next steps are for the Fast Flux final report. These are the recommendations and next steps that were included in that report. The first would be to highlight those areas which are best addressed most effectively through policy versus best practices or industry-led initiatives. There is another ongoing effort relative to registration abuse, and one of the recommendations of the Fast Flux working group was to see if that group could pick up the ball a little bit after the conclusion of this PDP and see if it could be categorized into some of its abuse types. There was a proposal for a Fast Flux data reporting system which would be similar to -- as a model, would be similar to the WHOIS data problem reporting system, and that would be used to collect incidents of Fast Flux and the various characteristics and exchange them amongst registries and registrars, and then hopefully build that repository of data that was missing at the outset of this group. And while ICANN may not be the ideal forum to address this policy head on, it can certainly play a significant role in bringing all of the interested parties together and facilitating a dialogue where best practices can be developed and shared, including those types of stakeholders that are not normally associated with ICANN meetings, such as law enforcement and I think the report even mentions victim of -- cybercrime victim groups. So that is an overview. The group, as far as what's current, this was submitted to council in August of 2009 and it was approved. As far as those conclusions, I believe there has been some work towards further discussions, certainly within the second bullet point relative to the RAP, but also in terms of putting together some initial studies or drafting teams to examine some of these other questions. Thank you. >>CHARLES MOK: Thank you, James. Let's move right along to Dave Piscitello, who is the senior security technologist at ICANN. >>DAVE PISCITELLO: Thank you. Before I start, I'd just like to point out that James was the chairperson for the final mile of the Fast Flux PDP working group, and he did a marvelous job of helping us come to close on that project. I'm going to talk a little bit about some work that was nearly completed in Sydney and, with some cooperation from the registrar constituency and other registrars in the community, was published shortly after Sydney. This is a document that the Security and Stability Advisory Committee published called "Measures to Protect Domain Registration Services Against Exploitation and Misuse." I think I'll just briefly give a background here. People typically ask what instigates work that SSAC undertakes. In this particular case, there were two actual reasons why SSAC studied this problem. The first was a set of attacks against domain registrant accounts and registrars over the course of about 14 months. They were large registrars and small. They attacked major gTLDs as well as ccTLDs. The public and security community reactions were fairly strong and fairly critical. And the major points that they made were we need to prevent malicious registrations. We need to protect legitimate registrations, and that the access to domain portfolios, especially for those organizations that valued their domains as if they were other corporate assets, from account compromises. And then one of the final comments that was made very often to me, especially when I went to anti-phishing working group or other groups where security and law enforcement were present, was that we really need to try to get domain account access to be as secure as e- merchant transactions and financial transactions. I quickly want to give a set of characteristics of the attacks against the registration accounts so you get a picture of where some of the problem points lie. Typically, the attackers attempt to gain control of an entire domain portfolio by compromising a user account and stealing a password. In some cases they brute force or guess the password. In other cases they impersonated a registrar through an email that was essentially a spear phish, similar to what Ihab had talked about. And in other cases, they socially engineered some point of contact in the organization. Another vector that has appeared recently, especially among ccTLDs and is becoming increasingly worrisome, is the willingness of the attackers to scan registrar Web sites for Web application vulnerabilities and exploit these vulnerabilities. So I am speaking about SQL insertion attacks and other forms of data injection. Once they have compromised the account, the attackers change the contact information and the DNS information. The reason why these accounts are so valuable is because when you own a legitimate domain, it is much harder for law enforcement and for responders to brand intrusions, intellectual property intrusions, and cybersquatting to get the domain taken down. Attackers also know that registrars rely very heavily on electronic mail as a means of correspondence with their registrants. And so one of the ways that they can sustain the sort of blackout for the attack is to alter the DNS configuration information so that the registrant doesn't receive any e-mail notifications. Most registrants are very good about sending notifications saying, "You have changed your DNS information." Well, if I have already changed your DNS information so that you can't receive mail, you are not going to receive that notification. The other aspect of the attacks that is very worrisome is that the attacks will last as long as information sticks around in the Domain Name System. And since the DNS is very largely reliant on caching locally, information can persist for as long as the time-to-live value is set in the particular information that has been downloaded by a resolver. And this can be hours and days. It's very important to step back a second and realize that what is going on in the world of attacks against registration services is not unique to this particular industry. And that's actually a very valuable insight that we tried to carry forward. Financial institutions, electronic merchants, corporate Internets and extranets have the same threat models. You will also find the same diversity and scale of organizations from small and medium business to large enterprise as you will in the registrar community. We have small registrars and we have very large registrars. The same benefits, however, are derived by educating the customers and allowing them to see that there are distinguishing characteristics among the providers of registration services, and that there is competition, not only in pricing but in other ways to measure registrars; in particular, security measures. Looking at this, SSAC realized that we could probably take a look at how other online businesses try to counter these threats. And so we studied the financial industries, we studied other e-merchants, we talked with major online merchants like eBay and Amazon, and we asked what they were doing. And we looked at some of the measures they were implementing. As sort of a short list of the things that we recommend registrars study, in SAC 40 we consider multifactor authentication, end-point verification, granular access controls, and diversity in customer correspondence as being very important. The latter is very interesting because the main mechanism that hijacks relied on was the fact that registrars use e-mail very heavily. So a diversity in the way that you communicate with the registrant may actually help us considerably. So hour message in SAC 40 is that registrars can, to a certain extent, follow suit, and we encourage them to study the measures that we enumerated. There are two ways that they can do this. Some of those measures actually will improve the security baseline for all registrants. And we encourage that registrars all consider some of the measures. Other measures offer an opportunity, in our minds -- and we're not businessmen, so we can't tell registrars what to do and how to make -- how to profit by their service, but it seems to us, as security wonks, that differentiating in the security space by offering a better-than-baseline security offering may actually attract customers. Another thing that we found that was very lacking is many customers we talked to and many of the security community felt that registrars didn't do an adequate job, or could do a better job of informing customers what services they offered so that customers could make informed choices. And so our message was use security to attract customers. We actually attempted to make recommendations to three different groups. One of the things that we want to make certain we do is impress upon registrars that improving protection against registration account misuse is very important. We already talked about underlining that offering a better-than-baseline service is an opportunity, not an obligation. And we believe that there might be an opportunity for the registrars and ICANN to consider some sort of security audit, some sort of a trusted seal that says, "Here are a set of criteria that ICANN and the registrars have agreed provide a very, very good baseline, and we believe that this particular registrar, who has undergone an independent audit, satisfies these criteria." It's also very important that registrants understand that, to a certain extent, they have to step up and be responsible for some aspect of their security. Nothing that a registrar does is going to save a registrant who puts his user name and password on a Post-It. And these are the things that people laugh about all the time, but all you have to do is dig under the technology and security section at "dig" and you will find incident after incident where people just use silly passwords or easily guessed passwords. And as long as we are going to use user names and passwords for accounts, we really need to impress upon registrants that they have an obligation to protect those and to create complex, nonguessable passwords. The other thing that we want registrants to do is choose wisely. There are differentiation in the market today, and registrars ought to be out and take a look at the registrar that they are currently with and consider whether there are other registrars who are doing a better job of security, or at least have achieved a level of security that meets their needs. And to ICANN, we recommended that ICANN study jointly with registrars some model for a trusted security mark program. I wanted to give a little bit of a progress report -- last slide -- just to point out again that SAC 40 actually has a broader context than just the registrars. There's something in here for registrants, and there's something in here for registries. Some of the issues that are discussed in SAC 40 and the measures that are considered had been considered and incorporated into the Draft Applicant Guidebook for new TLDs. They are also mentioned in the explanatory memoranda for malicious conduct and the high-security zone verification. My last message is if you haven't read SAC 40 and you are interested in security, please read it. And also please read it in conjunction with the three documents I just mentioned and publicly comment on it. Thank you. >>CHARLES MOK: Thank you, David. I just thought there was a little bit of calculation, arithmetic mistake. It shouldn't be eight minutes, but a little bit more like five minutes per speaker. Otherwise, we will be running over like we are for the 40 minutes for the speakers. So in order to leave, really, a bit of time for questions, I would hope that maybe Adam and Edmund can help us by Kurting it shorter by five to six minutes. Adam Palmer is our next speaker, the law and public policy counsel for Public Interest Registry. . >>ADAM PALMER: Thank you. And good afternoon, to everyone. What I'm doing today is a follow-up to a fulfillment of a promise and a success story based on what I described at the last ICANN meeting. At the last ICANN meeting, I was on a panel similar to this where PIR promised that we were going to implement an abuse policy that would protect registrants, not create any harm, but serve the Internet community, provide information to registrars, and protect registrants. And what I'm here today to tell is that you we have done that, and it has been a great success in the early stages. In fact, what I'd like to draw your attention to, what we're very proud of, is if you look at the Anti-Phishing Working Group, an independent parties' evaluation of the state of cybercrime across the Internet, on page 17, if you look at that report for the first half of 2009, dot org is singled out among all TLDs with half a page and quoted as being referred to as a major success of 2009 from the implementation of our abuse policy. Why did we do this and what and what do we believe is domain security? We believe that domain security is a responsibility. It's a fulfillment of a commitment of responsibility that we have the capability and should have a response to protect our TLD and to protect the registrants who register dot org domains, that they can believe and trust that their name is safe and secure and we have made every effort to protect them and to protect their free speech. What were the goals of the dot org abuse policy as we implemented it? As you can see, in the interest of time, I won't read the slide, but reducing the uptime of phishing, reducing overall phish, eliminating Fast Flux domains. One content thereby we felts very strongly was an inherent evil against innocent victims that we could make a difference on as long as we did it in a responsible way was to address child pornography, if it appeared on a dot org domain, to reduce spam, and to fight malware. We did this according to section 3.6.5 of our RRA with our registrars. And I have cited two sections of that which you'll see, section 1, which provides us broad authority to protect the integrity and stability of our registry, and to comply with any applicable laws, which we interpreted to be very strong language that we could use to accomplish our goals of making the dot org domain safer. Ultimately -- I'm sorry -- ultimately, this slide illustrates the harms that we identified in how we define abuse on dot org. How do we protect innocent registrants? This was, again, very critical to us. We wanted to eliminate abuse, but it was also equally important to us that dot org registrants' freedom of speech was protected. And we believe we've done that again. How did we do this? Again, without going into a lot of detail, through a system of double verification. We work with security vendors. We work with our backend service provider, and we ensure that any domain name that we identify as abusive has been double-confirmed to be abusive. And we believe our abuse policy's really an information policy for our registrars. It's a service to them where we provide them with information and allowed them an opportunity to take action. And the registry would, hopefully, never have to take action, only in those situations in which it was a serious risk to the security and stability of the dot org TLD and there was a failure for some reason by the registrar to take appropriate action. Again, just in the interests of time, I'll -- I'd be happy also for anyone who wants, afterwards, to talk in more detail about some of these issues. This policy, just to ensure you, is not a replacement for the UDRP. We were not addressing civil wrongs, but purely looking at preventing criminal activity across the TLD. One of the efforts we made, one issue, because I know it's a sensitive issue -- I talked about child pornography -- is, we formed a relationship with law enforcement and with the National Center for Missing and Exploited Children in the United States, which receives reports from global law enforcement and maintains lists of children that they've identified for decades now, in the case of some of them, who are under the age of 14 years old. We felt if it was double-confirmed by both global law enforcement and NCMEC, per their lists, that we felt reasonably secure, again, that we were taking appropriate action. What about a mistake? And, of course, this is a concern. We're human. As much as we can implement safeguards that we hope will prevent a false positive from ever occurring or providing misinformation to one of our registrars, despite our double verification process, we understand that there could be a mistake. All domains suspected of abuse are merely put on hold and not deleted. And in what I believe will be the extremely rare case where there is a false positive, the domain can quickly be restored, with, hopefully, as little, if no, harm to that registrant. And here's the success. Remember when you look at this chart, taken from the APWG study that was released, that dot org is one of the largest TLDs, with almost seven and a half, almost 8 million domain names. And we implemented our abuse policy in February. And you can see, for three months, it was among the top least-abused domains on the Internet. And we're very proud of it. The June bump you see is largely a result, we wanted to see what would happen for a while if we were less aggressive in some of our abuse policies. And you see a return immediately back to the norm. But almost overnight, within one month, we reduced our phishing uptimes by a third. I think that's very powerful proof that we were successful without any false positives or harm from registrants. If anything, we've gotten encouragement to go even further. But, again, this is an issue of restraint and protection of registrants. These are just some quick statistics. Again, with over seven and a half million domains, on a typical day, less than 100 dot org domains are involved in spamming. And since February, on major issues, we've suspended approximately 55 Conficker domains a day, which for 2009 could be close to 20,000 domains that we've worked to suspend and prevent abuse. And since July, we've worked with our registrar community to successfully mitigate over 3100 abusive domains. So, again, this is my contact information. If you'd like to talk in more detail after this, I'd refer you to the APWG study. But we believe this is a fulfillment of dot org's commitment to our registrars, a commitment to the safety of our strands, and a responsibility that we have succeeded as a registry and, hopefully, encourage others to follow our best practices for safety in the operation of a registry. Thank you. >>CHARLES MOK: Thank you, Adam. From one registry to another, back to Asia, with Edmon Chung, dot Asia organization. >>EDMON CHUNG: Thank you, Charles. I guess before I start, one of the things is, we hope that some of the things that dot Asia has done could show a little bit of the way of new gTLDs and, you know, perhaps some of the things that -- policies that we put in place could address some of the DNS abuse issues. It's interesting when I look bat a few years when dot Asia was still in the ICANN process, there were a lot of questions about whether dot Asia might become a culprit of, you know, copyright infringement, all this piracy, all -- you know, a lot of abusive issues. And -- which forced us, in many senses, to really pay a lot of attention as we bring out dot Asia as a new gTLD. So I want to talk about some of the things that we have been doing, or I should say some of the things we have done or have not done yet. Or keep doing. A couple of expedited suspension policies that we have been discussing all along. One focused on phishing and one focused on copyright infringement. Also talk a little bit about our recent work with the APCERT, Asia- Pacific Computer Emergency Response Team, and also some law enforcement agencies. So there were two expedited suspension policies that dot Asia has started talking about even before we launched. Neither of them -- unfortunately, neither of them has been put in place yet. I'm shameful to say that. But, however, what -- I'll talk a little bit more about that later. But, anyway, one of them is working with APWG on antiphishing issues. That discussion started in 2007, more than two years ago. And I'm glad to say that that is moving ahead and moving into beta stage very soon. And then the other one is, we worked with the MPA, the Motion Picture Association, on a similar framework, but focused on gross copyright infringement. An MOU was entered in May of 2008. And it's a similar framework. And a few things that were sort of tricky for us, and I think for a lot of TLDs, would be, as Adam actually mentioned as well as, is the issue of false positive. So our approach is to not be -- I shouldn't say too protective -- too far-reaching, if you will, and create false positives. So there is a delicate balance that needs to be made. And there are issues -- there are situations for penalties of abuse on the other side, you know, complainants putting through complaints too often, or, you know, ungrounded complaints. So there are -- The reason why it takes time for these -- these policies to be put in place is because of those type of balances and the due diligence and the process behind which to determine a suspension of a domain. So these are some of the issues that we are ironing out. And we're happy, in one side, to see that there's been -- some of the discussions that we have had has been put into the URS discussion, the Uniform Rapid Suspension policy that has been discussed for the new gTLD. On one hand, we're happy about it. On the other hand, it also created an additional consequence for us, which, as we continue our discussion, because of the discussion of URS, in fact, we are now, on some of the things, we have to put ourselves in a wait-and-see mode, because it takes -- it does take resources and efforts to -- from the registry to put these -- and registrars -- to put these policies in place. So we'd like to, you know, take -- understand what ICANN is -- recommendation would eventually be on the URS before we move forward. Or if that doesn't come soon enough, we will, obviously, still move forward, as we originally planned. We may be one of the first registries that did have a particular clause in our registry/registrar agreement for such sort of suspension policies. So inside our registry/registrar agreement, we already have one particular clause that specifies the -- potentially adding these type of rapid suspension policies. So a couple more slides. One is our recent work. We have engaged with APCERT. APCERT is the Asia-Pacific sort of -- how should I say? -- it's a consortium of CERT teams around Asia. And they became a member of dot Asia in -- last year. And we continue to work with them. And we have done multiple drills with them, incident response drills, issues such as Fast Flux and compromised domains, Conficker type of drills. So we are somewhat prepared. Another area that we've been doing, we've worked with our law enforcement agencies, for example, the Hong Kong Police, during -- like, during last year's Beijing Olympics, during the upcoming East Asian Games, and during the Asian Games next year, we will be having additional cooperation with the police to have sort of a watch list of domains that are being registered, a watch list, as well as special escalation procedures that, you know, if certain activity is being -- is undertaken under a dot Asia domain, we would take special action on it. So I think, while we haven't quite put some of those policies in place, we believe that they have been useful -- at least that we have sent a message to the community about dot Asia's commitment to fighting DNS abuse. And that's why I think we are seeing a solid foundation of adoption of the dot Asia domain by small/medium sized companies around Asia. These are not phishing sites, by the way. These are not abuse sites. These are real sites, real small/medium sized companies using dot Asia and we hope that will continue and we'll -- we would show our continued commitment to preventing DNS abuse and more and more brands and businesses can start utilizing dot Asia. Thank you. >>CHARLES MOK: Thank you, Edmon. Let's move right along and see if we have any questions. Please come up to the microphones. If anyone wants to ask any questions, state who you are and who you're with and who you want to direct the questions to. We have someone? Anyone? No? No questions? >>IHAB SHRAIM: Excellent. >>CHARLES MOK: Excellent. You know that makes us own time, actually. Thank you for your cooperation. Do -- do the panelists have any questions for each other? We can take a couple minutes to do that. Ihab? >>IHAB SHRAIM: I have a couple questions for the audience. >>CHARLES MOK: Let's try it. >>IHAB SHRAIM: Did we put you to sleep? [Laughter] >>IHAB SHRAIM: We did not? We were trying -- >>CHARLES MOK: I see this gentleman. Okay, we got two. >> We paid him to do that. >>CHARLES MOK: You got a price, too. >>MIKE RODENBAUGH: Mike Rodenbaugh. Certainly didn't put me to sleep. Thank you, gentlemen. It's very interesting stuff. Particularly Adam. I was very interested in your slides and statistics there. Question for you is: When you implemented that policy, I remember when Afilias did similar, they had to go through -- I don't know if they had to, but they chose to go through the funnel. You guys did not do that, did you? And if so, why? >>ADAM PALMER: We chose not to. And our belief also, again, was that this was not a policy change in any respect that we were making. This is, in fact, if anything, more a careful enforcement of an existing contractual requirement that had been in place for years within dot org and that there was no mandatory suspension requirement on the registrar. We don't place any additional burden on them, a requirement that they will suspend a domain. Again, all we do is we provide them information and make a recommendation to them. We leave it to their discretion. Obviously, we hope -- we have hopes for what they will do with that information. If they fail to do that, we'll take steps. But that was largely the basis for why. Because we believed our policy didn't create any additional duties, and it was enforcement of a long-standing provision that was in our RRA. >>CHARLES MOK: Please. >>JAMES BLADEL: Just to follow up on that question, Adam, can you talk a little bit -- you mentioned your collaboration with law enforcement. But can you talk a little bit about how you engaged the dot org registrars to hit some of those milestones and, you know, how receptive were they to those changes? >>ADAM PALMER: As far as milestones, I don't know. Can you clarify, I guess, that? >>JAMES BLADEL: Just the statistics and especially some of the success you had in suppressing, let's say, fast flux uptime in your zone. >>ADAM PALMER: Again, one of our goals in this was to hope for the best with the information that we were providing, not to place any burden or additional requirements on the registrars. I'm not aware of any negative feedback that we've received from any registrar. And, if anything, all I have -- all that I've been made aware of is a positive flow of information from the registrars. It's because of our design of the policy being one of providing them the discretion to act and, I think, proving also that that -- that the registrar community is fundamentally responsible. And that they have -- we provided them the information. We pointed out to them abuse. And they have gotten rid of it. So, in some ways, I think this is proof that we have a largely responsible registrar community that, when provided with the right information, will do the right thing. >>CHARLES MOK: Okay. Thank you, Adam. Back to you, Tim. I thought James was answering, but he was asking a question. So back to you, Tim. >>TIM RUIZ: No, that's fine. Thank you. I just wanted to echo what Mike said. Tim Ruiz with Go Daddy, by the way. Far from putting me to sleep, I found it very informative and interesting, even more so than I expected when I came in. Thank you very much. >>CHARLES MOK: Well, thank you. >>MARGIE MILAM: We have a question from the chat. Let me go to the chat question first, and then we'll go to you. This is from Barry Cobb. His question is to Adam. "In dot org five and the policy you implemented, did you make any changes to any of your agreements or your contracts?" >>ADAM PALMER: Very easy question to answer. No. >>CHARLES MOK: Thank you, Margie. >>RUDI VANSNICK: I'm Rudi Vansnick from ISOC Belgium and ALS part of the ALAC. I have a question for Ihab. You have shown us a lot of information. And I think it's a good educational stuff. Could you reach this out to the ALSs so we can go to our community or Internet users and help them to understand the dangers that they're going to be in front of when they are on the Internet? I think it's a good program that we can eventually use in our outreach and communication program. >>IHAB SHRAIM: We'll be more than glad to help out. In fact, the more we share, we found out, based on experience, the more we share, the better the response. So we'll be -- in fact, what I showed you is just the tip of the iceberg of what we go through. In fact, we'll show you a slide deck of 80 slides, which will walk you through every attack probably, potential attack that could go against your consumer base. >>CHARLES MOK: That was exactly what I had in mind when I said this should be on YouTube for everybody to see. >>IHAB SHRAIM: Only thing is you can't share it with my competitors. I'm just joking. >>CHARLES MOK: I think we're pretty much done for this half of the panel. So let's give a round of applause to all of our speakers, panelists for this session. And we move right along to our panelists who are actually sitting behind in the back row. And let's give them a few minutes to move to the front row. And then you guys are free to, hopefully, you know, stay in the back and watch over the backs of the other -- you know, this group of panelists. And while they are, you know, switching seats and pulling plugs out of their computers and so on, let me introduce the second session. The topic of the second session is going to be the role of contracts and compliance in protecting consumers from abuse of the DNS. Now, obviously, even though in the first part of the panel most of the panelists are introducing various programs and even some of the technology trials and programs to try to handle the issues of DNS abuse, there were some questions that came up in the first panel talking about the roles of contracts, actually, and some of the legal or compliance issues already. So in this session we will focus more on the -- those issues relating to, especially -- especially on the aspects of protecting consumers and so on. Now, let's give them a few minutes to get seated. And -- yes, let me introduce the speakers first. And, hopefully, they can -- they can sit in the order that they are -- that is on their -- on the list of speakers. The first one -- and the only one that is moving to her seat right now -- is Rosemary Sinclair, who is the chairman of INTUG, International Telecom Users Group. And then also on the panel we have Hong Xue, who is a member of the At Large@China and Chinese Domain Name Alliance, and also Mr. Michele Neylon, the managing director of Blacknight; Paul Hoare, the senior manager of the UK Serious Organized Crime Agency, the e-crime deputy directorate of the UK Serious Organized Crime Agency; and Adrian Koster, the analyst and legal advisor for the e-crime agency for the Swiss Federal Department of Defense. And, finally, at the very end we'll have David Giza, the senior director of the contractual compliance of ICANN. And I will try not to make the last mistake I did by saying that you get eight minutes and actually you only have five minutes or 5 1/2 minutes. Okay? So we'll start at Rosemary, please. >>ROSEMARY SINCLAIR: Thank you. And we'll just have to see how we go, I think. So welcome to the session, and thank you very much for the opportunity to speak with you. I'm only very, very new to ICANN. And I'm one of the new appointments to the GNSO Council. So I guess I'm taking very seriously the Affirmation of Commitments. And I've used that as a background to my contribution to this afternoon. And I'm thinking, in particular, of words like "public interest," "Security, stability and resilience," "consumer trust," and "international cooperation." And I think there's a key message that I want to leave with you this afternoon that what we need to do is to take those words out of the policy arena, and start really putting it into practical effect. What I want to look at is very much the noncommercial stakeholders perspective on this complicated issue. I'm going to talk about how many consumers there are. So I'm -- actually the discussion here is about domain names and registrants. I want us to think more widely than those groupings to people who are really end users, if you like, of these services. I want to look at where they are. I want to look at what they're doing, the things that they're concerned at. I want to do a bit of a check on whether we think they really understand who does what about this particular issue and what lies ahead. And I'm going to use pictures, because I know we're all very tired and our brains are full of heavy ideas and serious concerns. So one aspect of how many consumers are there is just this picture, which tells us that of all the households in the world now, one third are connected to and using the Internet. But, if we go beyond households to people, the numbers, of course, get much, much larger. So we're really talking at the moment about 1.9 billion people who are affected by what we're able to do to improve the security of the DNS, to encourage confidence and trust and to really inform people. Another interesting picture is where are they? And it's -- this one, I think, is a slightly different take. What I've done is I've just looked at Internet traffic growth as a proxy for where people are. And this growth, I think, is starting to paint an interesting and different picture of where people are coming on board now from where they might have been. So here we see the biggest growth in South Asia, the Middle East, Latin America, Eastern Europe. And, of course, this growth pattern is reflecting in many of the pressures that we feel here at ICANN and, in particular, in the GNSO discussions about internationalized domain names and generic top- level domains. What are they doing? And the answer is more and more and more. And I was reflecting on this with Rod Beckstrom's opening where he talked about the arc of the Internet. And it was a very technical arc that he painted. What I think we're seeing is the arc of the Internet, if you like, from the point of view of the users using the Internet for many, many more uses. And they are moving from information to interaction to innovation, and then beyond that to real integration in every part of life, whether it's personal or professional. The Internet is affecting everyone and everything we do. So the opportunities for bad things are only increasing. Now I want to look at the concerns that people have with the Internet very, very briefly. Just to make the point that there is a significant and growing amount of research about consumers' behavior towards the Internet that I would like to see really included in discussions here at ICANN. As much as we're now starting to look at economic studies, I think these studies of behavior are also important. So this is just one such study, it's an Australian study. Quite a recent study. It's saying, "I find the technology is changing fast and it's difficult to keep up with. I'm worried about my privacy. I'm worried about some content in relation to my family. I don't really feel very comfortable giving my credit card details over the Internet." So the economic benefits of those activities are lessened. And "I'll consider doing some of my shopping," but not many of me will consider this. So this tells me that there's not much confidence and trust in this way of doing things. Let's have a quick look at what these users are doing to help themselves, because it is an important part of the puzzle here what people do to take care of themselves. And we have to face the fact that only 50% of people using the Internet now in this study have an antivirus program. Only 20% have a firewall. And only 15% say that their computer came with some sort of protective software. So we're working from a pretty low base in terms of what people are able to do for themselves. And my next question is where do they go to find out? If they want to do something, where do they go? And what we find is this varies very much by often people use the Internet. So the folks that use it more frequently are less likely to say that they don't know where to go and find out about security than the folks who use the Internet less frequently. Of those folks, more than 50% tell us in this study that they don't know or can't say where they would go to find out about security information. And maybe this is why. When you stand in the consumer shoes, what you see is what -- a term I have borrowed from other places, a "confusopoly." What we see is national actors and global actors and some means of trying to coordinate that. When we look at industry, we see ISPs, we see registrars, we see registries, we see ICANN, we see codes, conduct, compliance tools. There are regulators that we look at. The Australian examples are the communications regulator and the consumer regulator. They have got a whole bunch of rules and enforcement practices. We see law enforcement agencies. We're starting understand what CERTs are about, that they send out alarms and advise people. And then we often, often look to other end users to inform and educate. Let me finish with a couple of questions -- I have since added one more -- which is where I think the focus of these discussions might be. The first one for me is how can the ICANN community and your undoubted expertise be brought to the task of supporting the work of others? The second one, it relates to the examples we were hearing before, is how can individual company or registry best practice become widespread industry norm? And the third one, which I have added subsequently is how can ICANN explain in what I am going to call "plain English," but it's not confined, of course, to English, but I think we understand simple language, so that people outside the community can understand. How can we help other people who are trying to inform consumers about this issue so that we all can become stakeholders in a secure Internet? Thank you. >>CHARLES MOK: Thank you, Rosemary. Put that on very solid ground from the perspective of the consumers. Let us move on to Hong, Hong Xue with the At Large@China. >>HONG XUE: Thank you. Internet users are direct victims of all forms of abusing activities, no matter the abuse is in the form of spreading malwares or crimewares or in the form of phishing or pharming or in the form of Fast Flux. They are very vulnerable parties. From our friend Rosemary's presentation we are aware that it is difficult for the user to acquire the information on abuse. It is even difficult to acquire the information, but it is even more difficult for users to acquire remedies. Of course they can seek legal remedies from law enforcement department. But we heard from the last panel, from the very learned panelists, that there are limits and there are difficulties in law enforcement against abusing activities for protection of users. In the case of Fast Flux, it's really difficult for law enforcement to react very swiftly to attack those offenders. And from another perspective, we can see that registries and registrars are really at the front line in the fight against abusers. They have capacity and also they have resources. If they have the will and there could be a good way to protect users. Now, as a forum of ICANN, we should see what role ICANN can play to protect users from abuse of DNS. ICANN is not a law enforcement body. That is very clear. But ICANN has its own weapon; that is, agreement with registries or registrars. If ICANN can really mobilize the registries and registrars to honor the contractual agreement to effectively fight against abuse, then, of course, the users' interests would be secured. But the issue here is that in most cases, we can see there is a long distance between abusing activity and ICANN enforcement. Think about the scenario, especially in facing of the launch of new gTLD program. There will be 1,000 new gTLDs, hypothetically. Then ICANN will have to be running all day to check what kind of abuse is happening in you what domain. Is it feasible for ICANN to do this daily due diligence? It seems it's really out of the control of ICANN. Then we are thinking whether user who is the direct victim of the abusing activity can be helping of ICANN to do the enforcement. There have been several proposals raised from user community. One is relatively old. It's been raised many times and in different circumstances. The second one is relatively new but is not a stranger to ICANN. The first one, that is, it is possible to introduce the sort of third-party beneficiary clause into the registry delegation agreement, or the Registrar Accreditation Agreements. The third-party beneficiary clause proposal has been raised by user community for many years. But there is a lot of concerns over this proposal, and it's not short of criticism. Especially the third- party beneficiary clause is different to interpretate, and given the different legal tradition and the legal systems in the world -- we have two major legal systems in the world: common law and civil system. They have different understanding and different interpretation to the legal consequence of third-party beneficiary clause. If that is a difficult approach for ICANN, then could ICANN think about another proposal, this is a relatively new proposal. That is, it is possible for ICANN to introduce a kind of a complaining mechanism to enable users to complain the systematic large scale and repeated abuse occurring in a certain TLD. This approach is sort of inspired by the post-delegate DRP that is the component of trademark mechanism in the new gTLD program. We heard from yesterday's presentation about the special protection of trademark. There are several mechanisms. Post-delegate dispute resolution is one of the mechanisms. And unfortunately, cybersquatting or abuse against trademark is one form of abuse of DNS. If it's possible to introduce a specific mechanism specifically for trademark protection, for trademark right protection, it is also possible to expand this mechanism to cover the other abuse, to protect the other rights of users. To protect the users' rights over the laptops, the users' rights over the data, the users' rights of their own business. And think about the very serious consequence of being phished or pharmed or suffered from malware or crimeware. They are, indeed, the victims, but they are also the proprietor of their property. They have independent standing in any legal system. Could ICANN think about receiving their complaint and to enforce the contractual obligation of the relevant registry and registrars? Of course, there should be clear conditions defined in such a complaining system. In my understanding, this should be in at least two scenarios. One is kind of intentional abuse. Say if a registry or registrar is intentionally participating in abusing activity and is knowingly profiting from the abusing activity, of course a registry or registrar should be disciplined by ICANN and sanctions should be imposed, and accreditation or delegation should be terminated or canceled in due course. In the second circumstances, registry/registrars are not intentionally involved in abusing, but they are in gross negligence, which means they are really not care about the abuse occurring in the system systematically and repeatedly. In that case, they should also be disciplined by ICANN. Today we heard from a couple presentations from the registries and the registrars. We know they are very responsible parties and very responsible contractual parties. They are taking various measures to fight against abuse and to protect the interests of users. I guess user community are well aware of that. But we are talking about the new gTLD. The potential 1,000 new operators who are going into the field of play, we don't know what will happen after this new program is really launched. Given the interest of protection -- Given the protection of the interests of users, we do hope that ICANN would seriously think about to introduce this complaining system to protect the interests of user. And finally, I want to address is that we have heard that, presently, different registry and registrars are implementing the different measures against abusing. Some of them are very effective. I do suggest ICANN to seriously study these various measures and develop a systematic best practice for all the registries and the registrars to learn from this useful experience. The current initiative such as Fast Flux PDP or WHOIS series studies are very useful and valuable beginning of these kind of actions from ICANN. We hope ICANN could expand this kind of action to cover all the potential applicants for new gTLD domains. And the last point is that hopefully ICANN could have the annual audit of the source of anti-abuse activity of all the registries and registrars. >>CHARLES MOK: Thank you, Hong. Very specific and useful recommendations to ICANN. And maybe David can prepare for some answers later on to Hong's suggestions. So before that, we'll move on to Michele Neylon, who is with Blacknight. And Michele. >>MICHELE NEYLON: Hi. Good afternoon. I don't have any slides. Since I'm absolutely hopeless when it comes to presentations, I usually just throw up some random slide and then talk about something totally different anyway. [ Laughter ] >>MICHELE NEYLON: So I thought, well, you know, I could do that, but it was just going to cause more confusion than anything else. So I just decided to go with the "no slide" approach. I suppose just before I say anything of -- anything meaningful -- whether I say anything meaningful or not, of course, is questionable - - I thought it best to explain exactly why I ended up sitting up here. We are a registrar, which means that we are responsible for registering domains for third parties. We're also a hosting company, which means that we provide facilities to enable people to use those domains, be that for e-mail, Web sites, or other services. And, of course, a domain name is not always a Web site, though I wish some people in the ICANN process would get that through their skulls. We also are an ISP in a certain sense, as we provide bandwidth to certain companies. Although we don't provide any other services to them. So we're kind of in there in that mix, and we're a contracted party with ICANN. But we're also a contracted party in that we -- I have contracts with end users. Now, the thing that keeps on coming up in these abuse discussions is -- and I'd have to say that the lady sitting on my right here scared me quite a bit with some of her suggestions -- [ Laughter ] >>MICHELE NEYLON: -- is that, you know, pushing back responsibility to everybody left, right, and center, and let's introduce legislation here, there, and ever where else, and I just feel like saying, "Stop. Take a deep breath." We receive take-down notices, abuse notifications, lovely, charming letters from solicitors with lots of letters after their names. And I am sure they produces lovely bills. And we are more than happy to work with law enforcement. But let's just stop there for a second and look at it in simple terms. No registrar in their right mind, or no hosting company in their right mind would want to upset the rest of the Internet community. I think it was -- I'm not too sure exactly who came up with this idea of -- the idea of a good neighbor principle, that we all want to get along and live happily ever after together. We may fight with each other from time to time. We may disagree with each other. But, ultimately, the Internet enables us all to do business. And if we can work together, then it'll blossom, grow, and we'll all get to drive nice cars. So the thing is this: When it comes to Internet abuse, people need to be realistic. Stop confusing trademark abuse with serious crime. They're two totally different things. The gentlemen on my left here, who come from the law enforcement community, will probably talk to you about some very scary things that people do online. And these things happen, and they will happen. And we, as registrars and hosting companies, we can get caught in the crossfire. And we should be able to work with these people to stop these kind of crimes happening. But we shouldn't allow the trademark people to confuse matters and start calling trademark abuse a crime when it's not. You also have to bear in mind that laws are, in many cases, national laws. Now, personally, I couldn't give a damn which law is being broken if somebody is using one of my servers for spamming. It abuses -- it uses up my resources. It upsets my neighbors. And it has a negative impact to my other clients. Not interested in the legislation. I don't care. You need to just tell us in simple terms, "There is this abuse which is going on now. This is the source. This is what the type of abuse it is." I'm not interested in getting a lesson in SMTP protocol and being told that there is bizarre traffic on port 25 over TCP, which one charming company went through the trouble of telling us, when a simple, "There is e-mail coming from here. It is spam. Please stop it." Okay, we will stop it. Asking hosting companies and registrars to hand over their clients' details, when they're just innocent bystanders, is completely unreasonable. If you want our clients' details, get a court order. So, I mean, the thing is that when dealing with abuse, you have to bear in mind, we're not trying to upset anybody. We want people to be able to use the Internet, because, ultimately, if they're having a bad experience, they won't. If they're -- if that happens, then I can't sell them more services. If I can't sell them more services, I can't make any money. If I don't make any money, I don't get to drive that nice car. I keep repeating this "nice car" analogy throughout this ICANN meeting. Maybe it's time to change my car. So I think I'm going to move along quickly and let the guys from law enforcement talk about what kind of things they see as being important. But just to leave it with one thing. Please, those of you within the security realm, if you are going to send ISPs and hosting companies take-down notice, would you please, please, please put the detail of what it is you want at the top. You can put the legal stuff from your legal department down at the bottom. Just give us the -- you know, the URL at the top. [ Laughter ] >>MICHELE NEYLON: Legal stuff at the bottom. Thank you. >>CHARLES MOK: Well, well, human language again. So, yes, we've heard from three different angles. We're coming to the fourth, thank you, Michele, first of all. And the next speaker, panelist, will be Paul Hoare. And, in fact, when I first saw Paul's affiliation, I thought it was -- he was from serious organized crime. And fortunately -- maybe unfortunately -- or fortunately, he's actually from the organized crime agency of the U.K. government. So maybe we should get somebody from organized crime next time to be on the panel, and we will have something even more exciting. [ Laughter ] >>CHARLES MOK: But maybe Paul will give us the stimulus, anyway. >>PAUL HOARE: I'm fortunate -- Okay. How fortunate is finding one of them to actually come and see us? We'd have to do some work. How do I follow that? On Monday, the malicious conduct consumer protection session, I spoke about the inequality of arms between criminals and law enforcement, and the current threats. I'm not going to rehash all those arguments again and bore you with my slides again, because by Thursday afternoon, you've got PowerPoint wear-out. And an excellent presentation early on laid out the problems in very articulate terms. But in bullet points, online criminal groups are no longer amateur. And we see organized crime diverting resources and capability to industrializing and hiding criminal behavior on the Net. Professional criminals are adept at abusing weak procedure and using the landscape to their own advantage. And abusive DNS is intrinsic to the current attack vectors, with thousands of domain names being registered and automated, switching every few minutes, to frustrate us and the industry's efforts to virtually combat that. So, unfortunately, production order at every stage is not going to happen. Law enforcement and security company perspective sees criminal groups migrate to providers with weaker processes. The APWG report backs that up again. I've read it as well. Finally, obviously, but importantly, criminal groups can't be relied upon to self-regulate. You can ask them nicely, but they won't. [ Laughter ] >>PAUL HOARE: On the investigation side, cybercriminals have no regard for international boundaries and pass across several jurisdictions in the blink of an eye, tracking the same route for law enforcement involves weeks of bureaucracy and negotiating international protocols and law. With the level of Internet crime, this traditional response for law enforcement needs to be augmented by methods of mitigating damage caused by cyber attacks quickly. But I'm not here to pass all my woes on to you. Some national governments are live to this issue. And I think Rosemary talked about it briefly, attempts to address the issues within national boundaries. But this doesn't protect from attacks from the outside and doesn't solve the problems. Without -- Law could be passed. There isn't any national law. But without the involvement of the U.N., global law is not available. I don't know that anybody here wants the U.N. involved in this at the moment. The likelihood that all governments are going to pass the same law, which is what we would want, is almost nil. And any pockets of weakness or nonlaw reduces the impact of any law that we have nationally. This is true of industry as much as of governments. And the lack of globalization of cyber law puts the emphasis on producing -- on solutions which we need to take to the overarching governance bodies, such as ICANN, the only bodies in a position to affect the translation of identified good practice into an acceptable regulatory framework. "Regulation," there's that word. Law enforcement believes that ICANN are in a position to institute this framework. And it's important for them in their current position to do so. Now, I know that ICANN are making efforts to bridge solutions for these issues. And they're welcoming certainly myself and Adrian on this panel are indicative of this. To this end, we've submitted this week suggestions for amendments to the RAA to address the issues of criminal conduct on the Internet or go some way towards it. This is going to the RAA Amendment Working Group and the GAC. I know that some of the proposals submitted will have some implications for some registries and registrars. But they are based upon current good practice, and they're not unrealistic. Strong though your customers standards, swift audit and compliance regimes, and the early sharing of intelligence are big steps towards combating the threats. And they're already in place in responsible registrars. Adam highlighted the work of dot org in designing the policy to reduce criminal abuse of their system. It's commendable work, which proves how effective such policies could be. It's tangibly reduced criminal use of dot org. But criminals just migrate to other TLDs and carry on their trade. Only this type of policy being obligatory across the sector will have a drastic effect. Edmund highlighted all the issues in designing policies and implementing them. Well, why does everybody have to do this? Surely it's better to have one industry standard across the whole sector. This week, we've seen the progress on the new gTLDs accreditation compliance that Greg Rattray and his team have pushed forward. And certainly the developments of the high-security zone verification program and the added checks within that are most welcome. We've questioned why ICANN has chosen to split the issues of the new gTLDs and the older TLD accreditation and the issues of changes it current- -- the arguments around the changes of current contracts are well made. We don't, however, see the requirement -- we do, however, rather, see the requirements for greater due diligence, transparency, and open, authentic WHOIS to be relevant. It needs to be relevant to all the TLDs, whether they're new gTLDs, the ccTLDs, whatever TLD they are. Ideally, all of them will need to work to the same standards of best practice. If existing contracts can't be changed -- and I can understand why there are difficulties with that and they won't be updated willingly -- then at least the consumer should be aware of what level of due diligence each one carries out. It's in a similar vein to the high-risk zones we talked about earlier on. And Dave touched upon the security to attract customers earlier. There's a real opportunity within a finite time window to be seen to address these issues and to implement a regulatory system, which is designed and implemented by this community. I'm assuming that there's little appetite for the responsibilities of any part of this community to migrate to other organizations that would welcome the opportunities to take some of it. A U.K. member of parliament said, pertinently, I think, the government-imposed legislation and regulation is never as effective or focused as that imposed by the sector itself. All parties would prefer the Internet experts to self-or coregulate rather than having it imposed upon them. But have no doubt that governments are watching developments closely. And in a world where the Internet is crucial to economies, critical national infrastructure, and national defense, an ineffective option or poor Internet regulatory framework has a finite shelf life. The community needs to seize the initiative and find solutions while that opportunity still remains to you. And I think that's it for me. Thank you. >>CHARLES MOK: Thank you, Paul. Adrian, next up, Adrian Koster from the Swiss Federal Department of Defense. >>CHARLES MOK: Thank you, Paul. Adrian. Next up, Adrian Koster from the Swiss federal Department of Defense. >>ADRIAN KOSTER: Just to clarify, it's the Swiss cybercrime unit. I don't want to bore you with Swiss administration issues. So I actually do have slides. So may you give over the control of that? Thank you. So I'm not really seeing very good on the screen, so I hope I still will always be in the same slide here and on the screen. So in -- sorry. I've seen that nation states and the Internet don't really work the same way. And they have sometimes much difficulties in understanding how each other works. So the nation states, they have governments who are -- have a responsibility to protect our citizens on their territory. They issue legislation. They can issue criminal law. And they have law enforcement that enforces that criminal law. And it's all about compliance. Do not break the law! Then the Internet has a community, which is a self-regulating community, is also responsibility towards its users. I put up 1.3 billion so far. I just learned in a recent presentation that it's 1.9 billion people who have a computer, actually, at home. So it means it's probably over 2 billion people who are online. They are all users. So it's -- the Internet is global. And it runs on policies and terms and conditions. It's most of -- everyone is subject to civil law, and they do abuse handling. But it's all about the operability of the Internet. The Internet is a network, and the community wants it to run the whole time. So it's not much about compliance and not breaking laws. So it's more about does it affect the operability of the Internet? So what is the reaction to violation of rules? First off, this is not about freedom of speech. Because freedom of speech is guaranteed in most -- throughout most of the world. It's about phishing, fraud, sexual child abuse, but also about botnets, DDoS attacks, malware, spam, things that actually go against the operability of the Internet. So the community has already strong interest in preventing and fighting that kind of problems. Law enforcement wants to identify the actors. It wants to prosecute them and to punish them, so they won't do it again. And the community and Internet is -- many things are anonymous. And there's a huge wish for anonymity. If there's a breach of rules, often it's only retracted -- the servers are retracted. They block domain, or they just act on one simple case. That was the question: How do you prevent first the same person from abusing the same service again or abusing another service? It's all about responsibility, but also liability. Law enforcement cannot prevent all abusive behavior. And it has a hard time identifying the actors. But law enforcement is always bound to legal process. So law enforcement will not just go out and arrest just anybody, put them in jail, and put them away. It's all -- there's all legal processes. And they are followed throughout the world. So it's not -- we don't have to be afraid of law enforcement. Law enforcement is there to help you, to get the bad guys, not to put the good guys in prison. The community cannot punish the offender. The community cannot imprison someone or cannot put out a fine or whatever. Let's get the next there. The community has access to most of the evidence. They hold all the data. Earlier, it was law enforcement can go to a scene of the crime and they can investigate what is there. But now it's all in the -- within private companies. It's all within the community. And it's often very fluctuant or it comes away quickly. But the community is usually subject to civil liability. And that's what many players are afraid of. If I will shut that domain down, will someone sue me? Will they come after me? And will I have to pay, especially in the United States, huge amounts of money when I do it not correctly? So victims of crime and the general public do often not understand why the police doesn't find the offender. They say, well, don't -- don't block access to images of sexual child abuse. Just go out there and get the actor. Get the one who's done that. But that's pretty hard. We have to fight on all fronts to prevent further abuse. And law enforcement and community need to work together to make the Internet even better place. We heard on Monday -- at the Monday session I chose slightly bad wording because I said, "Let's make the Internet safe and secure place." And I was proposed that that would not be possible. So let's make it safer and a more secure place, just a better place for everyone who is in it. Yeah, so, as a concrete solution, I -- I encourage all my law enforcement colleagues throughout the world, wherever I go. And I also would like to encourage the industry to reach out to each other to establish contact. So, when you see abuse as a community member, you know where to go, who to address. And then make -- give the law enforcement a possibility to prosecute the offenders. There are not so many criminals out there. And, if we go after them, consequently, and, if they have to be afraid that they might be catched and put into prison, the crime rate will probably increase. Thank you. >>CHARLES MOK: Thank you, Adrian. And David Giza of ICANN will have the last word on the panel. And maybe let me also remind our audience that, after David speaks, you will have a chance to ask questions. So you might want to start thinking about, you know, your question and get -- move yourself a little bit closer to the microphones. David? >>DAVID GIZA: Thank you. Well, I have five minutes here, and I'm going to try to keep us on time. First of all, I am the leader of the contractual compliance team at ICANN. And I have to tell you that I'm very proud of the fact that I have a team of five highly dedicated professionals working full time on contractual compliance matters. For those who have followed our work this past year -- and by that I mean in the last 10 months -- you know we've been very busy. Our team has been taking our responsibilities very seriously in a very professional and efficient way. This year we have either terminated or non-renewed 16 agreements. We've issued 184 breach notices to registrars. And we've also issued over 4,290 enforcement action notices to registrars. I have to tell you that registrars, by and large, step up to the plate and do the right thing. So, in many instances, registrars get a bad rap because of where they sit in the food chain. But I will tell you that, when we send notices to them, they generally respond. Now, they don't always tell us what they do. But, when we go out and investigate and look deeper, we find evidence of what they've accomplished. So what does that mean? Well, what that means, I think, is that, as we think about malicious conduct and we think about what we're going to do as a community -- and I mean that seriously, as a community -- we need to think about the malicious conduct toolbox that we're building here. And so what are the tools in our toolbox? If you look just at ICANN, and, you know, the tools that I have in my toolbox today begin with two types of contracts -- contracts with registrars and contracts with registries. And, inside of those tools, they actually become a bit like little toolkits that have certain enforcement terms and conditions or provisions that our team tries to use constructively with registrars and registries to develop corrective action plans that, basically, help them drive their business models in a way that ultimately serves the compliance purposes of those agreements. Are we always successful in our work? No. Is there more we can do? Sure, there is. And, with respect to malicious conduct, what is it we should do? So, if we think constructively about that -- and several suggestions have come sort of rolling down the table and in my direction today -- you know, I would suggest to you that, if you approach this the way you approach problems in business, you look for collaborative solutions that are designed around rapid continuous improvement. Right? And so rapid continuous improvement and contractual compliance enforcement, in my view, means that this toolkit has to grow and that each member of the community that has tools in the kit uses those tools constructively. So let's think about that just for a quick second. What does that mean? Okay. Industry-led initiatives. I think registrars are in the best position to use those tools in the toolbox constructively with help, assistance, guidance from ICANN and, when necessary, enforcement pressure to deploy those tools. But I think, if you give registrars the chance to step up and do this, as Michele said, they will do it, provided it's clear what we're asking them to do. How about best practices? We all love the notion of best practices, but we find that it's difficult to get best practices implemented industry-wide or even globally. So what if we had a malicious conduct task force? And what if that task force was represented by the people you see up here on the stage today? And what if that task force was assembled for the purpose of actually making sure that this toolbox has the right tools and that each one of us who reaches into that toolbox uses those tools constructively to address malicious conduct? So what might we do at ICANN with our tools in this toolbox? Well, clearly, you know, we've thought about this. And we think there's an opportunity immediately to help construct or build tools that will be useful, perhaps, first and foremost, to registrants through the registrar accreditation agreement. And so I'll be serving as a member on a GNSO Council registrar accreditation working group that is about to convene for the purpose of determining whether there is a need for further amendments to the registrar accreditation agreement. That working group has a lot of hard work ahead of it. And, as you heard today, law enforcement has already provided their long list and short list of potential or further changes to the registrar accreditation agreement that could help address malicious conduct. ICANN is also joining in that effort. And I'll give you an example today that I think would be instructive. You know, we could, for example, you know, work collaboratively with registrars to make sure that registrars continue to do what many do today, which is to investigate allegations of malicious conduct and then report those investigations to who? To ICANN? To you? To law enforcement? To the party that's submitted the claim? I think registrars generally look to find those solutions. But, unfortunately, there are so many incidents of malicious conduct today that perhaps registrars just can't address them efficiently or consistently inside of the systems that they have. So perhaps they need to develop tools in their toolbox that will help facilitate the mitigation of malicious conduct. Perhaps. Now, certainly, you know, ICANN believes that through registrar accreditation agreement, we can ask registrars to establish a point of contact for malicious conduct so that ICANN has a particular individual, you know, one person, who is accountable and responsible as a point of contact inside their business for purposes of working with ICANN to address complaints involving malicious conduct. That individual, working with sophisticated software tools, could accomplish enormous things for the benefit of the community as well as for purposes of complying with the contract. There are other suggestions that ICANN has that I think will be further discussed and explored in this working group that has been recently formed. But, with the short time I have, unfortunately, I can't go through that laundry list and give you all of that information. But what I would suggest to you is just a parting thought is that, you know, we're in this together. And, you know, quite frankly, my view is that, you know, blind obedience to the rules isn't going to solve the problem. It's a very important constructive step in moving forward. But I've heard it said here and I've heard it said elsewhere that the Internet community, you know, has become, essentially, a self- governing culture, a culture that should be based on integrity. And it's the integrity of each and every one of us as individuals and as business partners in the Internet community that will make the difference on whether we successfully, as a team, solve the malicious conduct issues and problems ahead of us or whether we continue to lag behind the curve and let the criminal element get the best of us. So I would say in closing that this is a call to action. And, if we're going to respond affirmatively to the call to action, then we should really think through some of the ideas that have been presented here today, consider joining together in a task force environment, and working constructively putting that negativity and negative comments behind us but working constructively towards end results that will reduce, mitigate, and perhaps in my lifetime, you know, see a true elimination of various forms of malicious conduct. Thank you, Charles. >>CHARLES MOK: Thank you, David. Let's give a round of applause first to our panelists, and see if we have any questions from the floor. And I do sense that there should be questions among the panelists for each other. And probably we should open the microphones to our -- the panelists from the last sessions as well, you know. They are sitting in the back and they might have anything to add or ask. Now let's go to our first -- Tim, you go first. >>TIM RUIZ: Thanks, Charles. Tim Ruiz with GoDaddy. And I, again, appreciate all the time and the very informative message that you presented here today from all the speakers. Just one thing that I'm concerned about after being here in Seoul for a week and in many different sessions, and that is as well intended as it is, I guess at times as a registrar I feel like I am under assault, because there are so many different things, so many different aspects, so many different directions at which we're being - - that you are coming at us from. So the one thing that I would ask is that a lot needs to be done. There are a lot of issues, clearly some things need to be fixed. That we figure out a way to come together and try to consolidate some of this so we don't have so many different efforts that registrars have to be involved in or keep track of and try to keep tabs on in order to effectively participate in solving the problems that we have. And I don't know quite where to begin with that. I think the RAA working group perhaps is one area where we could perhaps focus on. But that's the concern that I have. GoDaddy has 2,200 employees, and we feel overwhelmed at times with the things that are going on at ICANN. So when you are talking about the smaller registrars, where it may be one or two people involved in some other countries, they don't even know where to begin. That's why they don't show up here. That's why they don't join the registrars constituency, because the initial look at it, they are just blown away. So that's just an observation. Again, I really appreciate and have total understanding of the issues that you raise, but let's try to be a little more organized about how we approach it. >>CHARLES MOK: Okay. >>RUDI VANSNICK: Rudi Vansnick from ISOC Belgium. First I want to send a message to Charles. I have the impression that your panel members have been phishing on you, because they have been misleading you, so they sent you to some other URLs in order to get some other definitions of what they are representing. But that's a small joke. [ Laughter ] >>RUDI VANSNICK: I'm pleased by the spectrum of the speakers and what they have been bringing up, but somehow I'm afraid that when you have consumers sitting in the room, that after ten minutes they run out of the room, because they will be afraid. If you talk about law enforcement, every single citizen tries to disappear, because he is afraid of law. And I think that's just the difficulty. And I remember talking to David in Mexico while we were preparing the e-crime panel that, in fact, we see there is a lot done by different parts of ICANN, and different parts of, let's say, the organizations delivering services on the floor. However, I'm still confused on the fact that I see a ball bouncing from one party to another. I'm just waiting till the ball doesn't bounce anymore. And I think that's, somewhere, the mission we have: To find the moment and procedure to stop bouncing that ball. And then the user will say, "Okay, I am take the ball and I am going to play with it now." That's my message. >>CHARLES MOK: Thank you. Any comments from our panelists before we read out two questions from the Internet? >>PAUL HOARE: I think that last point is very important, that the ball has got to stop bouncing. And it's got to stop bouncing before you have the ball taken away from you. There has got to be some kind of suggestions moving forward. David's points are really well made about what's progressing, but his language is scattered with "generally," "by and large," "most of them," "many do today." It's not all of them. And as we say continually, criminals migrate to the ones that don't do what needs to be done. And that's why we're so vociferous in requiring everyone to do it rather than just a few. >>DAVID GIZA: Paul, I completely understand that point of view. And I think that that's why having industry-led initiatives that establish industry-wide norms and standards that become self- governing at the outset and self-enforced is the logical starting point. ICANN enters into that arena through its contracts with registries and registrars. And where those industry initiatives are falling short, through the contractual terms and conditions in our agreements, we would be in a position then, I think, to take the enforcement measures that law enforcement is looking for. But at the end of the day, I do agree that accountability and responsibility should reside, if possible, with one entity. But is that entity ICANN? Many people look at ICANN as the entity that ought to be in charge and take accountability and responsibility for malicious conduct. I just don't know that ICANN is prepared today to take on that responsibility without broader community discussion and debate on the unintended and unforeseen consequences associated with taking that role on. And that's why I suggest a task force would be an appropriate first step to make sure we are all clear on what that accountability and responsibility means so that no registrars are disappointed in the process if they end up putting all their faith and trust in ICANN. >>CHARLES MOK: We have two questions from the Internet. >>MARGIE MILAM: One is from Esperanza in Spanish, and her question is: What can ICANN do to improve understanding of the need for antivirus software by users? Anyone have any suggestions on answering that question? >>DAVID GIZA: I am a firm believer in information and education, training programs designed at a common denominator or level in plain language to help explain the features, advantages and benefits of those programs. And again, if that's something that ICANN needs to do, we can certainly take that as an action item to determine how to best deploy that through ICANN's current structure. But there may be other partners that we could work with in the community to accomplish that result without having that entire responsibility rest on the shoulders of ICANN. >>CHARLES MOK: Rosemary. >>ROSEMARY SINCLAIR: Yes, I just wanted to make a comment that I think goes along the same lines. The consumer, of course, has their direct relationship with their ISP. So it's a matter of ICANN, I think, because of its position in a central role, if you like, coordinating the value chain to work with all different parties, to encourage those parties to maybe share information about what works. We have got some examples in Australia amongst the ISP community of specific initiatives that they have taken to encourage consumers to take -- load antivirus software and the like. So I think there are examples. It's the global leadership and coordination role that I think ICANN could step up to the plate on. >>MARGIE MILAM: And we have a comment from Jennifer Perry. She indicates that all this prevention is well and good, but someone has to help the victims, and we do. And she refers to her Web site at e- victims.org, and we would like to see more support to the victims. >>CHARLES MOK: Okay. Please. >>LESLEY COWLEY: Hi, thank you. Sorry, I'm shorter. Lesley Cowley, CEO of Nominet, dot UK. Some of my comments this week have been about the Affirmation of Commitments which puts the public interest and the end user at the heart of policy. And this issue obviously is right in that area. Some of my other comments have also been about how we tend to develop policy in ICANN using a silo mentality, so we will develop policy for C's in the C area, G's in the G area and so on. And I would really support the idea of a task force that goes across the constituencies in these areas, because a number of us are already developing best practice and solutions. I'm hearing a lot of problem statements, but I'm keen to move from statements or problems to sharing solutions, because I think there are a number of them developing out there. But this is an issue that goes across all constituencies within ICANN, and is a public interest area. >>CHARLES MOK: Thank you. We are running over time a little bit already, so I will take this as the last question from Rebecca, and let all the panelists have a round of final words after that; okay? Rebecca. >>REBECCA MacKINNON: Thanks very much, Charles. My name is Rebecca MacKinnon. I am an academic based in Hong Kong and also co-founder of Citizen Media Community. I have been posting a few quotes from the panelists into Twitter, and I posted a gentleman from Switzerland said that freedom of speech is not really an issue in this discussion because, I quote, "Freedom of speech is guaranteed throughout most of the world anyway." So I posted this onto Twitter and somebody in China very quickly responded, "What planet is he living on?" So I guess my question to you is, do you really believe that freedom of expression really is not an issue in this discussion at all? And I'm curious to hear from other panelists how the issue of freedom of expression and the protection of voices that may be unpopular in certain jurisdictions and that are not actually protected well at all, given that we are globalizing the DNS, how that is going to be factored in as we go forward, recognizing that law enforcement and fighting crime is a legitimate need. >>CHARLES MOK: Thank you. >>ADRIAN KOSTERS: Yeah, I might -- I didn't want to say that freedom of speech is not an issue. Freedom of speech is, of course, an issue. But it's not what we, as law enforcement, want to address. Freedom of speech, everybody, when you come up to the community, yeah, they are afraid of law enforcement. Everyone hides away. But that's exactly what I want to encounter. We don't want to take away your freedom of speech. But when something bad happens, if you have victims -- because we, from law enforcement, we kind of represent the victims, because we get to know them. They come to us and they say, "That happened to me. I was frauded" or "My computer got infected," and whatever happened to them. So they are victims and they come to us, and we don't want to take away anyone's freedom of speech and we don't want to put policies in place that would limit the freedom of speech. That's not the issue. Our issue is victims of crimes and not victims of -- you don't have victims of freedom of expression. >>CHARLES MOK: Yes. >>PAUL HOARE: If I can just add something else to that. There is an issue around what the definition of crime is. Crime means a different thing in every country of the world, and I'm not going to give you examples of where we have been asked to do things for other nationalities which we can't do within our jurisdiction because it's not a crime. But there are commonalities across crime. Theft is theft across the world. Child abuse is accepted across the world as being distribution of pedophile material across the world pretty much is accepted. Theft is theft. There are some crimes, and thought crime is one of them, that the world is very divided about. And certainly we have to take that into account, whichever policy -- if we are going to issue global policy, it's got to be something that's accepted in every jurisdiction. >>MICHELE NEYLON: That's an interesting question. We have seen so many ridiculous and totally spurious takedown notices over the years where somebody goes to eat in a restaurant, the food is dire, the service is terrible, they are overcharged, all this kind of thing happens, and then somebody will then issue a takedown notice because they didn't want their restaurant to get a bad review. Now, obviously the situation in certain countries around the world, it's much more serious than that, but don't think it doesn't happen in countries where we have some right of freedom of speech. It's a very common thing for people to pervert the legal systems in order to advance their own goals. And I'm looking very clearly at the I.P. people. They have a terrible habit of using one bit -- saying it's one thing when it's another just so they can get something through. Now, the people who I work with in law enforcement, they get caught in the middle as well. They are being sent ridiculous things like "They won't mention my name," but I can imagine what's happening because we have seen it as well. It's madness. And what needs to be defined clearly is what we're talking about is serious crime. Something we can agree on. Murder is a serious crime. Child abuse is a serious crime. These things are something that most people will accept unless there is something seriously wrong with them. So if we can just make it as narrow as possible. But I don't think it is ICANN's role to try to replace national laws. I do like the idea that David has of working together to see what we can do and where we can do it. Because, from my perspective, I find it incredibly overwhelming that, you know, there are so many different vectors and places you can go with the information. There's the APWG. There's -- each individual bank has a reporting function. Each large ISP has a feedback loop. There are so many different places. And unless you have a huge amount of time or are very, very committed, you're not going to be able to do what you'd like to be able to do. And that, unfortunately, I think is the problem. Thanks. >>HONG XUE: Okay. Because of the time constraint, I'm not going to comment on Rebecca's question directly. But I do have the final word on ICANN's role on abuse. I do see a balance in ICANN's policy development process. ICANN is enhancing its accountability mechanism. But ICANN is accountable and responsible to multistakeholders. It cannot because of some stakeholders are particularly articulate and resourceful and they got special attention for that. For example, for trademark protection, we do see that so many policies developed specifically for protection of trademark rights and interest. But for even more serious crimes, such as this spreading malware, crimeware, Fast Fluxing, and causing huge damages to users' interests, there have not been very sufficient remedy offered through ICANN's policies, though they do deserve ICANN's special attention. That is the reason I analogized PD DRP to this antiabuse mechanism. It doesn't mean I agree with the post delegate DRP. Just the contrary. I disagree with it to a large extent. >>ROSEMARY SINCLAIR: I'll go back, Rebecca, to my first -- my opening comment, which was really that the Affirmation of Commitments talks about the public interest. And for me, that is a broad concept which includes freedom of speech. It also includes freedom from abuse. And then when you go further, the issues are security, consumer trust, and international cooperation. So I think it's important to have that context for our discussion and further work in this area. >>MARGIE MILAM: I also wanted to comment about the fact that some of these issues are being addressed within the GNSO. It's only affecting new gTLDs, though. It's only -- I'm sorry -- gTLDs. So it's only affecting a small part of the problem. It doesn't affect ccTLDs. But we do have a Registration Abuse Process Working Group that's looking to see whether policies should be developed. And we also have the RAA drafting team with what David Giza mentioned, that's a joint effort between at-large and the GNSO to explore amendments to the RAA. So there certainly are some forums that are talking about this in more depth. But Tim Ruiz is correct. It is piecemeal. And there needs to be probably a more comprehensive approach to dealing with this issue. >>CHARLES MOK: Thank you, Margie. I think we're really, really beyond our scheduled time. And, David, you haven't said anything. I want to give you one final chance to say something at the end of our panel. >>DAVID GIZA: Thank you, Charles. I have been waiting patiently, intentionally so. So my final remarks are, let's get going. We have to start with this task force. We have to determine what we need to do, how much we need to do, how well we'll do it. And then at the end, is anyone really better off as a result of what we've done. I think this is the catalyst to move, to move forward. I see colleagues in the audience. I see new friends in the audience. And I see colleagues and friends here who I think would invest their time and energy in this task force to make something happen. So, again, we just need to get started. >>CHARLES MOK: Thank you. And I thank all of our audience for staying until the end of this session and all of our panelists, panel one and panel two. Let's put our hands together for all of them. Thank you. [ Applause ] >>CHARLES MOK: And have a nice evening.