IGF 2019 – Day 4 – Convention Hall I-D – OF #48 MELANI, Reporting and Analysis Centre for Information Assurance of Switzerland

The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> JORGE CANCIO:  Now the mic is apparently working.

Welcome, everybody.  Please come to the table.  It's a very big room, and at the table, you have nicer cables, nicer connections.  It's much more convenient for everyone, and we don't mind if you all keep on working through 90 percent on other stuff.  Just pretend you are listening.

And if you have something to say, of course, it's great if you intervene.

So we will give you one minute more to come to the table, and then we will kickstart the meeting.  Thank you.

So we are Swiss so we have to be punctual.  It's compulsory in our country.  Otherwise, we get fined.  My name is Jorge Cancio.  I come from the Swiss Federal Office of Communications.  And on the program, you will have seen, perhaps, in prior versions that this is the of column open forum, the Federal Office of Communications, Swiss.  We are devoting open forum to specific issue, and we have great experts here.

The issue is DNS abuse and misuse.  So all the aspects which are tied to this issue and which have been discussed amongst other places, the internet corporation for names and numbers very recently, in Montreal, in Canada.

Do you know internet is by definition multi stakeholder and interdependent.  Interdependent might be a new terminology we are using more.  It comes also in the title of DH of interdependence by the high level panel on digital corporation.

So this means that the functioning of the internet of the DNS depends on all the players in the system.  And one core part of this system is, let's say, at least for us who are not technicians, who are not really people who have a good education as lawyers or social scientists, it's like the digital phonebook.  The DNS or the domain name system, which translates domain names into IP numbers.

So if a malicious attacker can manipulate or tamper with this phonebook, we may end up in completely different places than we expected, and those places might be there to prepare an attack against us.  And we will see the different kinds of attacks which are possible.

In iCann, we've seen different statements, different discussions.  I will not go into the details of it, but even iCann, the organization, had interesting statement in February this year, so it's already 9 months away, where they observed an increase of attacks on the DNS.

So we call those attacks often DNS abuse attacks, but as we will see here, the many different kinds of attacks that fall into this category, there are also others which go beyond specifically the DNS, so it's good to be as precise as possible to define the different types of attacks we are talking about because the way of remediating those attacks will vary.  It will be different, and the measures taken to protect the users or to protect the DNS might vary.

So we have two long‑time experts from different parts of the world that will help us, hopefully me also, to better understand what DNS abuse can be and what can be done to preserve the DNS as a core infrastructure, as part of that public core of the internet, where supposed growing international consensus is emerging, that we have to protect it from being tampered with.

Our first speaker is Cristine Hoepers.  I hope I pronounced that modestly correctly.  The general manager from CERT.br, so from our colleagues.

And our second speaker then is Michael Hausding, lead DNS and domain abuse expert at the Swiss network information center which is run by Switch, which is our CCTLE in Switzerland, our country called top level domain.

So without further introduction, I give the floor to Cristine.  Please go ahead.  Thank you.

>> CRISTINE HOEPERS:  Thank you very much.

I would like first of all to thank the Swiss government and everyone involved to create this open forum.

As we are talking here about DNS in a more technical way, I have some slides.  I don't know if they can ‑‑ oh, okay, it's there.

So we were kind of debating if we were using slides or not, but we would like to discuss the complexity of what we are talking about in more of a sense of how many actors are involved and how complex it is to define abuse.  So DNS is both a distributor database and protocol.

And we see abuse of the protocol and of the database.  So I think it's very fair to say that we have attacks, abuse, and sometimes just misuse of DNS.  So in this area, usually when people talk about DNS abuse, they are talking about DNS operators and how DNS operators could solve all the problems.

And I think we have more actors involved in that.  We have hosting providers, because some of the attacks involve having hosting DNS, malicious DNS.  We have ISPs that could contribute to cyber hygiene, and we would like to discuss a little bit about this.

There is very little consensus on what is DNS abuse, DNS attacks, and DNS misuse.  And I think one of the only examples we have of taxonomy, it's a paper published last year that actually has a pretty complex graph that not necessarily reflect the consensus of the community but really shows how diverse it is.  It talks about DNS protocol that usually are talking about spoofing, and other stuff.

We have DNS server that usually means taking a DNS server offline, hijacking the server itself or part of the traffic.  So and we have ‑‑ and this kind of attack of abuse/misuse that we can debate what abuse is, what misuse is, if it's attack or not.

We have kind of not necessarily good uses of DNS, and we have seen first iCann issue some reports on DNS reflection and amplification and in a sense, a long time communications are open resolvers are not really a problem, and then we agreed that they were.

And this all shows how we are involving how mapping DNS how such a critical infrastructure can be abused or misused by malicious actors.

And we are not going to necessarily discuss this today, but I would like to say that for example in the far right they classify benign services as a malicious DNS resolver.  So this is kind of confusing.  And it's confusing when for example you have a hosting company hosting a malicious DNS resolver and you report them and they say, oh, just having it within your server is not an abuse.  Anyone can have a DNS server.

And then we say, yeah, but if that server is providing wrong answers to like social networks, domains, or something else, and it's being abused in conjunction with something like compromising a host or compromising a router, then it's not okay to have a DNS service running in there.

So I think that there's a lot that other actors could do to help us have a more stable ecosystem to help users trust more DNS answers in other parts of the infrastructure.

And just as an example on how confusing this is, this year we have two very different attacks being called DNS hijacking attacks.  And that caused confusion, even to the technical experts.  Imagine to like people trying to decide policies or users trying to understand the ‑‑

We had ‑‑ and I will give some more details in each.

So the first one was the DNS infrastructure hijacking campaign, and this kind of campaign was very tied with the sea turtle that was sited this week in several panels.

But in this case what was compromised?  Credentials at the registrar.  You could say that someone was trying to hijack the domain delegation.

So what was being hijacked was the domain itself.  It was registered but no longer pointing to the right servers.  But the servers in control of the attackers.  And that would be reflected to the whole internet.

So the actors involved ‑‑ and this is just an example.  It's not like an authoritative answer ‑‑ is the registrar.  It's a complex actors.  So they need to be reinstated the domain to the legitimate owner.

So that implies that the registers need to have good policies, they need to have good ways to identify the right owner, not only by passwords or something weak.  And we need the domain owners to be able to detect that someone is actually tampering with their registration.

So I think it's one way to see.  And the other attack that was being called hijacking involved the malicious resolver, hosted usually at VPS and cloud platforms, plus consumer route compromises.  So this affected Brazil very much, and we are seeing this happening since 2014.

So what's compromised is the user home router.  It's not something that the DNS operator, the registries and registers could do something about.  And what the being hijacked is not a domain.  It's the resolution pass.  So people cannot trust the resolution path anymore because they are still seeing the name of this case, Gmail, PayPal, Netflix, in the browser, depending on how they are ‑‑ if they don't know how to check certificates or if they didn't pay attention that it was not secure, they would get duped.

And really who needs to act is first and foremost the hosting provider that is hosting the malicious server.  We have thousands of people affected at once, so that the quickest way.  And ISPs in general need to work more in cyber hygiene and helping the user to disinfect.

In some companies, ISPs manage the routers.  In other countries, it is the user that buys them, so there are different roles.  But sometimes the ISPs could alert that.  So this is a kind of hijacking that, like, the registers cannot act.  You actually have to have cooperation from a whole ecosystem, but you have criminals using DNS.

The fact that DNS is part of the critical structure of the internet, and that all starts with your name.  So I think this is really one of the main points that I wanted to make, that what we are talking about when we talk about DNS abuse and DNS attacks is more than just domain take downs or trying to see if there is malicious content hosted somewhere.

Because there are multiple ways to abuse and misuse DNS, or how you want to call that, but they do not necessarily involve malicious domains.  They involved compromising parts of the infrastructure.  Sometimes the user, the router, or some other parts.

And it's really hard for the user to detect this.  We could say, oh, the user could try, but we know that's hard.  Technology's complex.  It's not easy to teach how to check certificates.  It's not an easy part.

And it's also hard to detect if a domain a malicious or not.  We had plenty of discussions about that this week, so I'm not going to talk about that again.

And who can do something about it?  Of course, we always recommend that the operators, the registrars, they need to have multiple fact identification.  You should choose your registry register based on good practices, and this registers could encourage good practices, make it easier to use DNS, to use best practice, to use multifactor of identification.

Search response teams, they can help in the analysis because sometimes not all actors have all the pieces of the attack.  So we could help see how different parts of the internet are being used to abuse and how DNS is part of a bigger abuse campaign or attack campaign.

And I think most hosting providers, this is a challenge very close to our heart in Brazil.  Most hosting providers, they are not really with good policies to deal with DNS abuse when they are being used to host malicious DNS servers because the policies actually don't cover that.  Sometimes they just cover that you should not have open resolvers.

So we are able to take the servers down when they are also an open resolver, but most of the times we get into a debate, oh, but how do I know that that bank or that organization is not actually hosting here, so you get into like a lengthy debate with something that could be resolved with DNS query that will show who is the authoritative server for a domain, for example.

So it's really a lot of policies and processes that need to be improved, and I think everyone is involved and needs to have like best practice, cyber hygiene, and this week we talked a lot about the need to implement standards and practices.

And I think this will help a lot to reduce DNS abuse as a whole.  So this was my opening contribution here.  I hope that it sets the scene for a lot of discussions during the session.  Thank you so much.

>> JORGE CANCIO:  Thank you so much, Cristine, and also thank you very much for staying within the time frame.

We will have at the end of the session 15 minutes of open discussion, but if there is any immediate clarification, question, or any issue of understanding on Cristine's intervention ‑‑ I don't see any appetite for that.

Perhaps we are hungry and thinking about ‑‑ you can go.

>> MICHAEL HAUSDING:  Thanks, Jorge.

We're the largest hosting provider in Ireland, and I'm also on the board of the internet infrastructure coalition, which is probably the largest trade organization for the infrastructure industry with members in the Americas, Europe, and further afield.

While I appreciate the kind of framing of the issues involving DNS abuse, I do take a little bit ‑‑ I do take some of the commentary about the hosting providers as potentially being a bit problematic.  You might be having issues in Brazil with your hosting providers, but, I mean, a lot of the hosting provide, like members of our organization and others, we do take DNS abuse quite seriously.

The biggest issue we run into is the quality of the reports.  The reports that we are sent are unclear or full of lots of information that isn't particularly helpful whereas simpler, clearer, this is the issue, this is why we think it's an issue, et cetera, those things can help.

But I think that framing it that all hosting providers are not taking action or are refusing to I think is a little bit unfair.

>> CRISTINE HOEPERS:  It's just that actually we are very happy that it's hosted in Brazil because then it's quick to take down.

And I'm talking about the really major ones.  They always say that the reports are bad, and then when they find the reports in the back, oh, no, you were reporting the right thing.  We were not aware that these was abuse yet or we didn't understood what was going on.

We received other countries saying, oh, this is not illegal in our country, so we are not going to take down.

And really what we say is just make a query for the authoritative.  Who is the name server of like CERT.br, you can find that from the root.  And they would say that's the complex.

So this is what I would say, that is more process and policies.  And when we happen to meet people in person and they see, then they change processes and that actually works.  But I think it's just that they just migrated to the next one, and to the next one.  And then we are for the next five years just going hand in hand and different companies.

We are trying to work with mark.  They have a hosting working group.  We presented this information there.  We have talked to some of the abuse service providers there, trying to create new playbooks, but they all kind of said, oh, we were not aware that this was an issue.

This is kind of they are after me to pick it up this issue, but it's an issue.  And I think it's an issue of taxonomy.  This is why I wanted to intervene.  Because most of the time we see that they are just not getting what people are reporting.

And because it was a problem that's affecting one part of the world and not another one, and I think this is where we could improve taxonomy and we could improve maybe having like policy templates, so making sure which parts of DNS abuse are problems.

And we see a lot of batting in like registrars and registries, and I think everyone needs to recognize a little bit a part of what they are doing.  So I think this is really my point, and I those this problem more because it was in the media and involved several actors.

So I think this is really the issue.  Thank you.

>> JORGE CANCIO:  Thank you, Cristine, for the clarification comment to the clarification comment from Michael.

But we have a colleague a bit to the right.  Please go ahead.  Please introduce yourself.

>> AUDIENCE MEMBER:  Hi.  Good afternoon, everyone.  My name is Doreen.  I'm from South Africa.  I work for the name authority, a state owned entity which is responsible for the administrating and the licensing for domain space in South Africa.  And so far in South Africa, we are the biggest domain name authority with over 1.5 million rents.

But we have an issue a serious problem, colleagues.  One of the serious issues that we have in South Africa is domain name abuse.

We have people registering these names on the first and second level registration for the intent of abuse and offensive registration.  We have tried to get everyone, especially the financial sector, to implement DNS and it's just not really being welcomed because they feel like it's a technology which comes from western countries to Africa.

And again another issue that is very difficult for us to enact is DNS is that we lack the skill sets.  I don't want to say this technology was brought to us in ‑‑ because there hasn't been any training or school sharing on DNS sec.

Now the question is how do we then strengthen our policies from the register agreements and the registries.  Because you will take down a domain name today which is spreading child pornography.  After three seconds, another is up.  Is it a problem of the domain name authority or a problem of the register itself?  Thank you.

>> JORGE CANCIO:  Okay.  I think this builds a good segue to the next intervention from Michael Hausding because he's also coming from CCTLE, from the Swiss one, and there are we are dealing also with these issues and the questions DNS sec, implementation, how much, how quick, and what are the right incentives to go about it.

So if it's okay for you, I'll pass the floor to Michael, and I hope that he's also able to put some light at least from his point of view to the question you put forward.

So Michael, the floor is yours.

>> MICHAEL HAUSDING:  Okay.  Thank you.  I will address that during my talk.

I'm Michael.  I work for Switch.  Switch is the registry, so we operate the top level domain for Switzerland.

But Switch is also the home of the Enron.  And as the Enron, we run the computer response team for more than 20 years, and that's why we also have a background in internet security and in cyber crime.

Switzerland is somehow special because Switzerland has a law on internet domain names for nearly ten years now, the back home router law.

And as a registry, we have to implement it.  And the so called ordinance on internet domain names regulates what the role and the task of the registries are, and I'm happy that the registry has no mandate to fight DNS abuse but we have a mandate to fight cyber crime.  And I think that's important because the term DNS abuse is, I think, misleading because it suggests that there is a single problem and there's a unified answer to that problem, and I think that's not the case.

As a registry and a cert, we have two problems we address.  One is the problem of malicious registration.  So people who register the domain names for fraud, for fishing, to run facing websites, or for terrorist propaganda.  Sometimes we have ‑‑ not in Switzerland, but it's a general problem ‑‑ we have malware that uses domain generation algorithms and these domains are then registered as common control servers for bot nets.

We have this in Switzerland too, and I will explain later how we deal with it.  But the main approach here is this is abuse, and we try to identify the abuse of registrations and handle them together with the authorities.

Completely different from that problem, we see the problem that there are attacks on the DNS system, and that's something with DNS sec fits in because it's a small step to make the DNS more secure.  So DNS attacks, Cristine already talked about them.

But the main common issue here is not really attacks on the DNS but websites that are compromised.  So you set up a fishing page at a compromised website and then you send a few million fishing emails and then the DNS is involved.

We also saw the ‑‑ what I call domain delegation hijacking attacks in Switzerland.  Cristine already mentioned the sea turtle campaign.  Switzerland was affected, and what happened thereafter, the registrar was compromised.  A third authoritative name server was put into the file and this third authoritative name server gave wrong answers, enabling the attackers to get a certificate and also to steel the email credentials from the mobile phones.

So without doing anything, the user just went into a network, got the wrong answer for the emap server, and because the mail server had a valid certificate, their credentials was into the attackers.

We then have DNS hijack attacks, so for me that's everything in the wrong part.  So as you get wrong answer, there are different ways to do this attacks.  It's more than one.

Another thing we see is sub domain hijack attacks.  So this is point to domain name that is either not registered or somehow can be overtaken by attackers.  So set up a web page with a third name domain name of your target, and it looks legitimate.  You even get a DLS certificate for that.

We see the root DHTP servers that lead you to DNS server, gives you selectively wrong answers.  So if you are in networks, maybe you get the wrong DNS server that gives you 99 percent right answers but just also in that case a sea turtle gave you the wrong answer for your email server.  And then if your email line connects to the wrong email server, you lose your email credentials.

And we also see a lot of hijacking for black hat now, so that the a domains are hijacked and are compromised and just used for search engine optimization.

For all these cases on the left side, we act as a cert.  So that means we're doing incident response.  But the goal here is to inform and support the affected parties.  So usually you either have a domain owner or website owner that is compromised, and we send out emails and inform them and tell them what to do.

We try to mitigate these issues.  For example, we share information on these domain names in Switzerland and also with the larger security community to mitigate the problem.  For example, if a domain is hijacked, it will be most likely blocked by the ISPs in the DNS fire wall for the first 24 hours.  So the risk that people lose their credentials there is low.

And we also do remediation.  That means we send detector notes to the host and tell them, hey, you have a compromised website.  Please clean up.  And that works pretty well.  We do that for about ten years now, and all the large in Europe, and usually after two or three hours, they clean up.  There are a few smaller ones that don't have the resources, but for the compromised part, usually cleanup is done within 24 hours.

What we also do is, rather DNS sec, we give free trainings in DNS sec to authoritative name server operators and also to smaller ISPs.  We team up with there for example and they gave a one‑day training that just gives you the essential knowledge of DNS sec and how to implement it and also to demystify a little bit the whole topic because ten years ago DNS sec was not ready to implement, but now it's quite easy.  So in the most resolvers, it's just one line of config, and your DNS server is resolving.

We also try to promote open standup like DNS sec like D mark which is important to fight.  Email spoofing, and we are working together with the government to strengthen the resilience to cyber attacks because I think DNS is ubiquitous, and every cyber attack has somehow a DNS component.

That basically was the attack part, but we also face a malicious registrations like most of the CCTLDs and also DDLDs do.  I'm sure you all know about the problem of fake web shop.  That is what keeps us busy, or what kept us busy the last three years.

We see domain names registered for web shops and if you order something like this on a web shop, if you're lucky, you get something like this.  And if you are not lucky, you get nothing.  But in both cases, your credit card is stolen.

Now, as a registry, identifying and analyzing and making a decision on these kind of web views is out of our scope.  We don't know which shop is legit and which one is a fake one.  That's why we work together with the police in that case.  The ordinance on internet domain names gives us some authority to ask Swiss authorities for support, and we ‑‑ for example, we are allowed to share information with Swiss authorities about registrants even without their agreement.

That means we see suspicious registrations, we are allowed to report them to the police, and they can make a decision and give us an order on what we have to do with that.

So basically on the right side, you see a statistic about the fake web shops we took down in the last five years.  The red bars are web shops where we try to identify the owner and usually the owners of fake web shop don't identify themselves, so we are allowed by the ordinance on internet domain names to take them down after 30 days.

However, with a fake web shop for 30 days, you pay $5 for the domain name, you sell five pairs of shoes for $100, you make a lot of money.  That's why it continued after that, and by the end of last year, we started together with the police to take them down immediately.

That's also something that the ordinance of internet domains allows us.  If there's a reasonable suspicion that a domain name is used to steal credentials and personal data.  And we as a registry are not able to identify that abuse, but the police, they are investigating these cases, and they are following the campaigns of the fake web shop owners.  They know exactly when a fake web shop is used to steal addresses or credit card data, and that's how we were able to take them down immediately and keep them offline until the owner identified himself.

And until now, we took down 20,000 of these domain names.  None of the domain owners identified himself.

So how is the whole process working?

This is Switch.  This is the registry.  So we have the database of all registered domain names, and we have a pattern of registrar data, so basically who is the registrar, who is the domain server, what emails is used, and we use that to identify once every day malicious new registrations.  So we do that every morning at 6:00 and send the data to the police.

The police then automatically make screenshots of these websites, they see is it responding at all, and after they make the screenshot, there's an analyst from the police in Switzerland, and he then makes the decision, is that something that is malicious where we need a take‑down or is it something we can ignore.

So after the analysis of the website, there are three possibilities.  One possibility is to do nothing.  The second thing is, okay, it's ‑‑ it's a registration that is ‑‑ is suspicious.  For example, if we have search engine optimization, two fake web shops, we cannot take them down immediately because there is no immediate danger that credentials are stolen.  So the police ask us to identify the owner, and usually we take them down after 30 days.

But if it is a fake web shop and the police are sure the owner of the web shop will steal the personal data in these web shops and steal the credit card, they send us a request to immediately take the domain down.

Usually, we send that as a job ‑‑ that sends the data to the police at 6:00 and at 7:00 or 7:30, we have the list and the order from the police to take them down.

Everything is transparent, so we make a report.  The police makes a report.  They both go to the office of communication.  And also in the emails we sent to the domain holder, we always inform the domain owner about his rights, so in theory the domain owner can say, okay, I don't want my domain name to be taken down.  I want a formal request by an authority.  But so far, for 20,000 take‑downs, we haven't received one answer yet.

So that's what we do against malicious registrations.  And malicious registrations are not only the fake web shops, but if you look at the number, the fake web shops are currently the ones that keep us busy.

We also have domains that are for fishing, terrorist propaganda, and there we work with other authorities.  The authorities in Switzerland have to be accredited by the office of communication, so currently we have four authorities that are accredited.  One is the government, so basically they're responsible for fishing and malware.

We have two polices.  They are responsible for protecting citizens, so basically we do all the fake web shop protection with the police authority.

And we have the federal police that the responsible for more international crime and also terrorism.

What are the key success factors to keep a clean domain?  I think the regulation helps us because it enables us to do things it.  Enables us to share information.  It enables us to suspend a domain name and encourages ‑‑ it also requires cooperation.

For example, as a registry, if we see a fishing page, we can suspend the domain name for five days.  After that five days, we have to turn it back online because we would just have the power for these five days.  And if we want to suspend it for longer time, we need one of the accredited authorities to send us an informal request for up to 30 days, until we then can delete the domain name because the domain name ‑‑ the fishers usually don't respond to our requests.

And that cooperation is critical.  I think for fishing we work with Melanie.  For fake web shops with the police, and only together we can solve this problem.

I don't think there's a single entity that can keep up with this problem.  As a registry, we can act fast, but we don't have the ability to analyze websites and to judge on content.

There's also other things, like we have the pharmacies.  We have fake financial offers.  And as a registry, there's no way that we can make a decision on that, and that's why we need to rely on the financial regulator, on the medical regulator to make the decision there.

Because they have experts that can judge it, and that's important.  And the last thing that's at least for the fake web shops that's critical is because you have 20,000, so automization is critical because you can't handle that many.  But it's also easy because the bad guys, they also use automization, and that's what enables us to do the detection.

And lastly, I think that cooperation is really the key and that no single entity can solve the problem that sometimes I see finger pointing and say the host needs to fix it or the registry needs to fix it or the police needs to fix it.  And I think if we try to go that way, we will not be able to solve the problem.  Thank you.

>> JORGE CANCIO:  Thank you so much, Michael.  This brings us back to the idea of multi stakeholder and interdependence.  We have to work together.  And also in a small country like Switzerland where everyone is counting really the pennies and the citizens have ultimate control on what bodies are established, this is a question of necessity, that everyone works with everyone, and that we establish as sufficient procedures as possible instead of big new authorities which no taxpayer would accept.

So I think that we also heard a couple of times the name Melanie.  Melanie, just for your information, is the national cybersecurity center.  It has an official name which is much more complicated, but I didn't tell the national cybersecurity center in Switzerland.

And for moderating the discussion, the Q & A, I will pass the floor to my colleague Adrian Koster from Melanie.  But before ‑‑ and I'm really thrilled that so many of you have been taking pictures of the presentation, both on the table and in the sidelines, so people are paying really attention, and that's great to see.

I would really ask both Michael and Cristine that if I didn't tell possible that we upload the presentations to the website of the IGF where the session is presented so that everyone can download the presentations.  And of course I guess that both Cristine and Michael and also Adrian and myself to the extent to which that it's useful, we are also very open to take this offline and to continue dialogue and cooperation after this session.

But now, as I said, I will pass the floor to Adrian to moderate the discussion.  Thank you.

>> ADRIAN KOSTER:  Thank you, Jorge.  And thank you to the two presenters.  Thank you, everyone, for coming.

So I will open up the floor right away if someone has an intervention or comment, questions.

>> AUDIENCE MEMBER:  I have a question.  During the presentation, you said many times that you would take the sites down.  I'm assuming that a registry can only stop the domain name from being resolved to an IP address.  So does that mean you are working together with the hosting providers to actually take the site down, or what exactly are you doing?  Thanks.

>> MICHAEL HAUSDING:  Okay.  I think the question is for me.  So if we talk about a take‑down, then as a registry, we remove the delegation of the domain name.  So if we receive an order by the police to suspend the domain name for 30 days, we remove the delegation so that the domain no longer resolves.

The registrant itself, he still is the owner of the domain name so, he has 30 days' time to identify himself, and if he does, we will lift the suspension of the domain name.  But as I said, nobody replies and that's why the domain name stays offline until it's deleted after 30 days.

That's a domain name take down.  That's the removal of the delegation.  That's also take down of content, and that's if we have compromised websites, we send take down requests to the web host and say we identified a fishing page on the domain name on the website you are hosting.  Please take it down.

And usually the web host, if it's fishing ‑‑ if there's a fishing form on the website, they will do that within 24 hours, on average.

>> AUDIENCE MEMBER:  Thank you for the presentation, and I must say, I guess ‑‑ after this presentation, I will hunt you down.

And one more thing I wanted to ask.  You actually said that you take down domain names which are spreading propaganda and what not.  In South Africa, we have an issue of electro engineering, especially when it comes to elections.

We have a whole a lot of domain names which are registered for the purpose of spreading propaganda and disinformation and fake news.

How do we then bridge the gap between taking down a domain name which is for malicious purposes without being seen as if we are being censored, you know, as in you're censoring people.

On the multi stakeholder model, we shouldn't practice censorship at all, but how do we then bridge the gap between misuse and censorship?  Thank you.

>> JORGE CANCIO:  I will take this one.

Well, we don't tackle the freedom of speech issue with this because what we are trying to do is taking down websites or clean up the Swiss domain space.  We don't even necessarily want to take down the content of the internet.  We just see that there's a trust level in our top level domain.  And when users go to a .ch domain or a website that they are not a victim of fraud or they are not victims of fishing.

So this is a ‑‑ mainly a measure to clean up our CCTLT from fraud and from criminal behavior.  So this is not meant to limit any fake news or any spreading of some propaganda.

When it comes to the terrorist propaganda, there's a specific law in Switzerland that says you cannot make propaganda for ISIS or Al‑Qaeda and stuff.  And for there, there's also the federal police, and they will investigate and decide on this is propaganda for this entity that is forbidden in Switzerland.

But the fake news is not forbidden in Switzerland, so you can spread whatever you want to.

>> AUDIENCE MEMBER:  Register operator and chair of the top level domain group.

My question targets a problem we have also in Germany, where not only the domain names are used for ‑‑ but also dot‑com domain names, which are in a similar price range at the registrar.

How do you deal with ‑‑ I guess you have dot‑com fake shops targeting Swiss users as well.  How do you deal with them?

>> MICHAEL HAUSDING:  Well that concerns dot‑com domain space, and we are mainly trying to build trust for our own CCTLD.  I believe every registry needs to be mindful of their reputation, and dot‑com is the biggest and it's really hard for them to measure ‑‑ to take measures across the board.

But when you operate your registry, or as in the case of Switzerland, we have our CCTLD.  We try to improve the trust there.  And what we do is a very pragmatic approach.  There needs to be a quick action because on the internet, everything needs to be in real time.  But there is also a due process.

So for every registrant, we need to have the possibility open to enter into due process so we can request a formal decision by an authority why this shop is taken down.

And what we do after this 30 days, when they don't identify themselves, then they decided to not enter due process.  They don't want the decision.  They are okay with us deleting or first suspending then also revoking the domain name.  But this is an administrative measure.  This is not a criminal proceeding in the first place.

But there's certainly ‑‑ there should be an international law enforcement efforts to tackle the web shop, the fake web shop issue.  But that is a police or it's a law enforcement matter.

But from the DNS operator point of view or from the registry and registrar point of view, you just want to have as few fraudulent or abusive registrations as possible, and there are measures that you can take to verify the registrant.  And criminals, they don't want to be verified.

So if you put a process in place that allows a suspension of a domain name, you use it.  And if you do good work, you will, as Switch does very good work, for 24,000 domain names have suspended, you said, no one ever complained.

So this is also a quality management thing.

>> ADRIAN KOSTER:  Any other interventions?

>> JORGE CANCIO:  There's somebody behind you as well.  Maybe I'll let Allen go first since he hasn't spoken.

>> AUDIENCE MEMBER:  Thank you.  I'm over from Canada.  I'd like to ask Michael.  How do you identify the potentially suspicious registrations?  And secondly, if you're so successful in identifying these, why do you not deal with the issues at the front end?  In other words, preventing them from registering?

>> MICHAEL HAUSDING:  Good question.  We have patterns that allow us to identify the suspicious registrations.  And because the use authorization, it is quite easy.  They always use the same email provider, they always use the same DNS service.

And we also share that information with other CCTLDs that do similar things.  But what we see is if we really found a pattern and then really took down the domains, there's a change in the behavior and a change in the pattern.

And the second question was that if we are able to identify them, why don't we take immediate action at the time of registration, and that's a simple answer.  Because the law doesn't allow us.  So far, the law requires that we have to register a domain registrant, but there's a revision of the law, and I hope that with that revision, we get the possibility to identify potential suspicious registrations at the time of registration and then take some action at the time of registration.

But the revision is currently ongoing and most likely it will be in effect in a year, but then we plan to see if we can move the identification of suspicious registrations right to the registering process and take an action there.

>> THE MODERATOR:  Thanks.

>> AUDIENCE MEMBER:  Yeah, thanks.

I think the Swiss method sounds like, you know, you've solved some things, but you seem to be focusing entirely on just the .ch name space, which is why some of us are obviously going what about the dot‑coms and what about all the other DLTs.

So I guess the question is then are you collaborating with the other country code operators, like Europe has their new system that they're about to turn on in the next couple of weeks, which will be doing a predictive analysis of potential abuse up front?  Now, that doesn't deny the ability of the domain to be registered, but it does slow down the registration, which might be something that could be of use to you.

And then just in terms of the GTLD space, just for those who aren't aware, most of the larger providers, so go daddy, Amazon, and several others, we all signed onto this abuse framework in the run to the iCann meeting in Montreal which just lays a basic line of things we will have to take action on without having to get court orders.

But just the collaboration, I suppose that will be interesting to hear about.

>> MICHAEL HAUSDING:  The question was on collaboration.  We share that information with the other CCTLDs within the council of European top level domains.  And we are open to share it also with the GTLD space.

I think the patterns are changing.  They're not changing fast, but sometimes we miss something.  So old patterns, match.  But new patterns, we don't get.  So if someone reports a domain name that didn't match the pattern, we update the pattern.

I think we will get better if we cooperate more.  The patterns, that's something we also found out when cooperating, they're always the same.  So they don't have a certain pattern with a certain registration scheme for one CCTLD.  They just use it for all.  So if one takes a new pattern, yeah, we share it and the other CCTLDs can also make use of it.

And if there's interest in sharing these patterns with other entities, we are for that.

>> AUDIENCE MEMBER:  And of course we share our law, our policy, with everyone who is interested.  So if you're an operator registry, you can put policies in place, but then you need to enforce them.  So that's another thing.

>> ADRIAN KOSTER:  So with this, is there any last burning question or comment that someone wants to make?  Otherwise, we will wrap up.

So thanks everyone for coming.  So numerous.

>> JORGE CANCIO:  Yes, thank you.  Thank you so much.  We are giving you back one minute, so thank you very much, and enjoy the rest of the IGF and hope to see you soon and that you enjoy also the PowerPoint presentations as soon as they are online.

Thank you.

[APPLAUSE]