The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> JOHANNES MYHRE VALLESVERD: Welcome everybody to this session on building trust. My name is Johannes Myhre Vallesverd. I'm also chairing the national expert group against digital fraud also chairing the informal antifraud forum we also have today an online moderator online taking any questions from online. So, welcome again everybody. The goal of this session is to not only talk but also to look at what we are doing and what can we do in operational terms. Regulatory and technical to reduce fraud. We should aim at not just identifying the vulnerabilities but also to use our collective intelligence to identify potential mitigating measures.
So in order to do so, you need a good team. A team that has different angles to the problem so today at the stage we have a powerhouse of fraud fighters. These are people who are working on reducing the problem of fraud from very different angles we have on my right‑hand side. Rens Grim an anti‑scam specialist. We have Kamilla. We have Riika. We have Emily Taylor, cofounder of GSE the global signal exchange and will be accompanied by Lucien Taylor. We are also happy to have Rima Amin. Also, Birgitte. Last but not least we also have Nico Caballero, so it's a fantastic lineup.
I'm looking forward to hearing your presentations so let's jump right into it. The first speaker, can take the podium now. He is Rens Grim, an ant scam specialist. They have a lot of information on the global picture of fraud. So, tell me, Rens how is the global picture like?
>> RENS GRIM: Welcome, everybody, I hope you enjoyed your lunch my name is residence I work for the global anti scam alliance and I just wanted to show you and promise you no artificial intelligence was used to make this presentation but I leave it up to you. So global scam alliance. We are a nonprofit organisation. What we try to do and we aim is get all the stakeholders together that are involved in fighting crime we do that by exchanging knowledge.
By sharing the best solutions there on the market to fight fraud. Our mission is very simple we protect consumers worldwide from scams. If the room was the world, today, then 25% of you have literally been a victim not confronted with scam but been a victim of scam. 25%. Imagine that of the worldwide populated connection. That's a lot. We tried to extrapolate on the basis of a worldwide survey that we do on 60,000 people and we've guesstimated that the total volume of losses is estimated to be one trillion dollars. I am from The Netherlands and that's more or less the GDP for my country. In most countries, crime online scamming, online fraud is either the first or the second most reported crime. I've highlighted England with 38%. If you can imagine that only two and a half percent of those behind the scenes, those, the fraudsters and the online scammers are actually prosecuted. Two and a half percent is actually good because worldwide it is estimated it's 500s of percent. So the British are doing a good job, but that's a desperately low number. I've put down some highlights from a survey that we've done in 2024 you see that 67% of world citizens believe that they have the skill to recognize a scam. That's pretty good. That's two out of three people are capable of seeing a scam and possibly being protected against the scam they are confronted with.
However revictimization is quite a problem. On the basis of the same survey we've seen in many countries that victims are not only victimized twice but in some cases three times so the number is maybe a good number but if you look behind the scenes, it's still troubling. Phone calls and text messages are still the most popular media to scam. Almost half of the world encounters a scam once a week. Globally 31% are uncertain whether AI was the most frequent. Shopping then identify theft. Many victims are caught out by reacting quickly to attractive offers. Either it's too good to be true or they don't have the knowledge to judge if they are doing the right thing in making a purchase of the service as delivered. 74% concluded that they were the victim of the scam themselves. That is a rather high number. It's also culturally determined if you go to countries like, say, for the Philippines it's more a family thing together that people together say hey best friend you've been a victim of a scam. Bank transfers are the dominant scam payment method. Globally only 4% are capable of getting full refund. Only 4%. Last one, and I save that one for last is at 7% of people globally admit they would be taking part in a money mule. They would be asked a question, if I gave you 20,000 dollars you can keep a thousand dollars and 7% say that is a good idea I will do that. Even 50% say why should I give back 1,000 dollars I'm going to keep the money at all. Looking here at the audience I would like to of course statistically 7% could be here of course I'm, you're not the piece of people, but if you are I'd like to meet you at the bar and we can discuss later on. Scamming is combatted 3,000 years. In oldenship it was good to favor the gods, to mum phi a pet animal. 7,000 animals have been mummified. They noticed 33%, one in three was fake so we've been scamming and we have been scammed for about 3,000 years.
This is an interesting one, this is a Japanese lady, 65 years old who actually paid 35,000 euro to get per lover back from space because he needed a rocket. This sounds incredible but it happened. My ex‑wife is a yoga teacher and she said to me Rens it's the warmth of the heart conquering the brain. Guess who is the next victim. These are not nice people. This boy took his life after he was victimized or threatened to be exposed. He killed himself and after the deed they concentrated on the father, they said to the father we're going to ruin the legacy of your child so we're not dealing with nice people. We're dealing with the scum of the earth so be aware. What can we do? The floor is for Lucien and Emily because we have to be practical. We've been talking about collaboration for ages it's now time for action. It's now time that the registrars, the banks, the social media companies come together, share the knowledge together so we as a whole as a population are better capable of fighting online scam and online fraud. Thank you very much.
>> AUDIENCE: (Applause).
>> JOHANNES MYHRE VALLESVERD: Tell us, Kamilla, how does the floor look like from the regulators?
>> KAMILLA SHARMA: Thank you your highness, it is a true privilege for me to be here today.
And yes, I truly conquer with the reflection from Rens the problem of fraud is truly global and is truly massive. And remember the consequences are not just monetary. The emotional consequences can be sometimes lethal. And this was not bad enough. Fraud also reduces the level of trust in digital technologies; this reduction of trust is a threat not only to the constructive digitalization of societies but also of threat to the economic growth in our democratic processes. Trust is a fragile quality. It takes a time to build up. And no time to tear time. First some quick points from where I come from the Norwegian communications authority is a regulator of communication in Norway our responsibilities stretches from resilience and management to market, regulation and supervision, we are also given the regulatory task with regards to both the European AI act and on digital services. The picture shows our head office in the southern part of Norway we also have offices in total 170 employees.
A key focus is working for safer digital services including safer internet, base platforms and services so we are pleased to be here in this very relevant session. Just briefly, this is happening in Norway too. There is no doubt about that. Almost all Norwegians have been exposed to fraud attempts and one out of four have lost money to fraud. The financial losses are huge. In total, Norwegian citizens lose around 100 million euros a year to fraud. With a population of 5.6 million people this means approximately 18 euros per citizen. The banks stop around 256 million euros from being lost to fraud. So, we have all heard about the call for action. Then I'm happy to say that Norway can tick that box. We can always do more. There is no doubt about that. But at the same time, we are doing a lot. For example, in 2023, we formed together with the national financial police, the national expert group against digital fraud. This picture is from the first meeting. Today, the group has participation from several public and private stakeholders including mobile operators, the CDRP, police, bank sector and others and we have happy to have three mobile tech operators on board. They are providing crucial and constructive contributions in the collaboration. But it is not just collaboration and discussions the group also conducts vulnerability assessments and finds mitigating operational measures this is for example, one picture here. This is a table, is from the result of the digital roaming shield that was in November 2024 as one of the first in the world. This shield is the reason why no practical number can be spoofed from abroad. The trust in mobile numbers was low some years ago due to a lot of spoofing but now it is almost restored. A fun fact of this slide as you may have noticed, that you can see that the fraudsters take ordinary Christmas breaks and they also take well‑deserved weekends off so they're not on duty all the time. But it is not a full or total shield. This is a very simplified illustration of some of the block measures that protects Norway as you can see it's missing a chunk and there are dotted lines breaking through but again we are block almost all spoofing where we are not blocking foreign spoofing numbers. We are blocking a lot of SMS but not all. A lot of blocking of fraudulent URLs but a lot goes through as you can see. And on the OTTs and the internet best services we do not know how much is blocked or how much is passed through. That is why we are expanding our initiatives towards internet based services it doesn't matter for the end user where he or she gets defrauded we need to protect them on all channels but how to we begin with this difficult endeavor? The answer is to reuse the successful, the multistakeholder working results. We need to be collaborative, operational and pragmatic. Why pragmatic you may ask? Well, we will never get rid of fraud, crime will always be there and AI will make it difficult or probably impossible to represent fake representatives for true. I think it stopped working your highness? Okay. Yeah. Okay. Lastly, I want to mention the importance of teamwork, one collaborative project that we gained very interesting that is the global forum. Or GIRAF as we call. Regions have participated in the meetings from all over the world. There is the global fight against digital engaged grade. If you're a regulator please consider joining. With these remarks I will close my intervention and I look forward to the rest of this session, thank you.
>> AUDIENCE: (Applause).
>> JOHANNES MYHRE VALLESVERD: Thank you very much Kamilla it's good to see some mitigating measures are indeed working and protecting the citizens every day.
That's very good. So, we will move on, let's kick it up a notch we go over to the UNODC so Riika you can take the stage. What can you tell us about international legal framework addressing fraud as a form of organized crime? Very happy to have you here. Good luck.
>> RIIKA PUTTONEN: Thank you very much and good afternoon to everybody as we saw in Rens presentation, fraud is really as old as humankind but in this post‑truth era supercharged by technology artificial intelligence, DeepFakes and so forth, fraud is not only surviving, but it is absolutely thriving. It is evolving in terms of speed, scope, and scale and it is absolutely exploding in that regard.
Also fraud really affects every one of us. If I asked you if there's anybody in the room who was never targeted for fraud I don't imagine many hands going up. I think all of us are constantly targeted by fraudsters. In various ways and forms. So we don't fall for fraud. That terminology we should leave aside. We are targeted for fraud. Whom are we targeted by? We are targeted by organized criminal groups. There is a U.N. convention against transnational organized crime which is almost universally adhered with 193 parties in the convention so that is a very, very broadly adhered to convention of the U.N. The idea behind the convention is simply to promote cooperation because clearly when it comes to fraud there's nothing one single country can do in isolation but we need a concerted effort by every single state and all the different players like this morning we heard about the multistakeholder approach the private sector, civil society, academia and all the players. We need everybody around the table. How does the organized crime convention which is already 20 plus years old has it really withstood the test of time in terms of applying to fraud as it manifests itself in today's world? I am very glad to say that it has. Because the draft, there's meaning all the member states of the U.N. actually drafted the convention to apply to all serious crime and serious crime if I again asked you as the audience what does serious crime actually mean I will get as many answers as we have people in the audience so draft, to come up with a threshold. Any offense that in your domestic legal system is punishable by four years or more of imprisonment the maximum penalty four years or more is serious. I'm also very sad to say that fraud despite the severe consequences that we heard about is not a serious crime in all countries. So there is homework for all of us to do the consequences are severe and the nature of fraud keeps on evolving so thus does the national legal framework and there was just the new U.N. convention against cybercrime that was adopted recently actually at Christmas last year and that convention now kind of takes the whole fraud debate also to another level and includes also manipulation of electronic data and ICT systems. So that manipulation is now also covered not only the traditional forms of fraud through deception. But that convention which will open for signature in October this year, that's when the signing ceremony takes place. That convention also builds upon the Budapest convention for those who may know already, and adds proposed by Singapore which is the leading country in the world when it comes to combatting fraud. One more type of fraud through more kind of traditional deception. This is how fraud is often carried out so that convention, again, will mean a bit of homework for all of us for countries, to continue criminalizing fraud in a way that actually reflects the reality in today's world. So, I was very punctual today, I would just like to finish with a little announcement to say that U.N. ODC and Interpol will host a global fraud summit in March 2026 in Vienna and we hope to see many of you there. Thank you very much.
>> AUDIENCE: (Applause)
>> JOHANNES MYHRE VALLESVERD: Thank you very, very much Riika. It is good to see there are exciting regulatory measures on the pipeline and looking forward to signing procedures in October let's go to the next one. Please stay up, we are now going to hear from Emily and Lucien Taylor the global founder of GSE. I first learned of GSE this winter and it was refreshing to see the operational aspect of the GSE.
With no further ado I will give the floor to you.
>> EMILY TAYLOR: Could we have our slides I think we have ICANN slides which I'm happy to have a go at but... is for the Global Signal Exchange.
>> JOHANNES MYHRE VALLESVERD: Sorry for this little hiccup. So while we are here now, those of you online, you can post questions in the chat field and they will arrange which one will be presented later on. Now, Lucien and Emily.
>> EMILY TAYLOR: Thank you so much for the floor and inviting us here to present the Global Signal Exchange. My name is Emily Taylore and I'm joined by Lucien and the more observant will notice we have the same surname and yes, we are married. Rens has given you a detailed overview of the scale of fraud generally so I will not dwell on this slide instead I want to think about, you know, the ways that way that cybercrimes can be disrupted and the journey a scam will take from building infrastructure whether establishing a company, a website, a domain. You... establishing a false identity using and abusing the services of platforms and of other services. Engaging with the victim. So, they will be relying on platforms, they will be relying on internet service providers, telephone companies and it's only at the very last second when they persuade a victim to part with their money that it becomes obvious there is a fraudulent payment there. All of that happens prior to the payment and all of those services are used and abused now the current status has been that there can be advanced sharing of information within each of those industry verticals perhaps nationally but there's almost nothing that takes information across those different sectors and shares that information internationally. The scammers work internationally, they share information and to fight it effectively so do we need to do. So, the Global Signal Exchange is really a clearinghouse, it's not a takedown service. It's about enabling those different services along the fraud attack chain to share intelligence with one another in realtime to combat fraud and scams. And it was announced last October, so set up the Global Signal Exchange is a nonprofit and it was set up in partnership with the Global Anti‑Scam Alliance bringing together their amazing international scam fighting network and with the support of Google which committed to sharing threat signals from right across its business services for the benefit of scam fighters.
At the session in London which Johannes was talking about the Global Signal Exchange was called out by two ministers, the home office minister, and a minister who I believe is here. And we are getting many partners onboarded.
The latest is that we have over 160 organisations either joined up or in the onboarding channel. Including four of the big tech who are committed to sharing those data and we also of course work across the nonprofit sector with fellow civil society organisations so truly this is a multistakeholder voluntary initiative so now I will hand over to Lucien.
>> LUCIEN TAYLOR: Thank you Emily, I will do a full tech demo. I have three minutes and Emily took twelve seconds of that. So, mind you all I built this Global Signal Exchange over 20 years, we've been developing this for 20 years my team and oxford information labs our job is to make a difference.
Both pursue and prevent crime. So, on the pursue we have a new acronym, the QIQ factor that supports quantity, immediacy and the quality of threat signals. In terms of the quantity, we're now going into the actual global signal exchange every day we do an audit of new signals. We started with 40 million threat signals. When you think the British police are advertised that they're getting 30,000 threat signals from consumers every month we're getting a million a day and I don't think we're seeing half of it but we're also interested in uplift and overlap. And we're going to go steampunk here so ‑‑
>> Uplift when parties share signals we observe uplift. Overlap. When new parties share signals and simultaneously share the same signal we increase confidence.
>> LUCIEN TAYLOR: And so what we are now looking at is also the immediacy of the signals. We've got the time to live signals.
The average time to live of signals is basically up to four days so we all have a job here to try to reduce that time lag. Quality. You have the provider score of the threat signal provider but also the quality of each signal and the provider themselves can give a quality score, a confidence rating. And also the people receiving the signal can give a feedback and we're missing feedback from this whole game between us all and that's what we're trying to do. Another part of our job is to develop lead tables. We have registry lead tables who is the best, who is the worst, here you can see the huge percentage, their stock is toxic, registrars, those with over 50,000 domain names we say they're actually big players. You're looking at large percentages of stock at the bottom that are toxic. Finally, we have a number of pilots, we're working with advertisers, registries, registrars, block providers, big tech, marketing providers and we have a new public sector service for police and law enforcement which is basically an investigations platform where they can look signal by signal at various metrics in there. Thank you very much. Finally, the impact we all need to change the game. We need to do cross‑sectorial international signal sharing and make things quicker and reduce the cost of threat intelligence for the small players.
Thank you for the extra ten seconds.
>> AUDIENCE: (Applause)
>> JOHANNES MYHRE VALLESVERD: We are talking a lot about data sharing. We're talking about realtime, we're talking about scale. You're doing it. It's impressive the work that you're carrying out. And the Norwegian level is at the top of that list I said it now.
In the panel we need to have social media. And I am very happy to say that Meta could join this session.
We have all seen fake profiles, fake stores and all the fraudulent activity on social media. Rima and tell us the work you're doing on fraud.
>> RIMA AMIN: I will talk about where fraud sits sort of within our team. So my team's focus on tackling adversarial threats those are the threats actors who are persistent in nature often have resourcing behind them.
And have a strategic goal in mind. So those threats tend to typically manifest as foreign influence operations, cyber espionage, hacking and frauds and scans. The reason frauds and scans falls within this subset is because they are some of the most aggressive and agile of actors out there. They have a huge amount of infrastructure underpinning them as well. Emily spoke a lot little bit about the attack chain. I will add more detail.
This is the anchor in how Meta thinks about this problem as well. We took a step back and identified what are all the different tactics that these operations are, you know, what are they doing.
And then we categorized them in terms of the sequencing within which they happened. And came up with this attack chain. It starts off with the building of infrastructure and that's where people and tools are essentially being organized to conduct scams. It's important to say that at this point harm is already happening. You may have heard about people being tricked into sort of job scams and being forced into scam, centers where they are forced to conduct these scams.
The next stage is preparing digital assets so when you have the people and the equipment you are then creating your online identities. The scammer moves onto engage the victim. That can be through a post, an ad, a message, it's that first point of contact where they're engaging. They move onto execute which is where the financial transaction takes place and the cleanup where the actor is trying to conceal their activity to avoid being detected can be things like money laundering. In terms of via attack chain, a couple thing we observe, one is for us as Meta. We have the most visibility and the most opportunity to really intervene at the engage stage where the victim is being contacted by a scammer. And the prepared digital asset page. We're also conscious there are others working to counter frauds and scams that may have more visibility into other parts. So, law enforcement may have more information on the criminal groups that are building up the infrastructure. Or banks may have more information at the execute stage where the financial transaction is taking place. So, for us we're really focused on what can we do within the space we have visibility and what can we do to support others who may have visibility in other sort of phases and the other thing that we're thinking about a lot is how do we push this as far left as possible? Because the further left you put in your interventions the more chance you have at stopping this at scale. How do I go forward? So, I'm going to try and give an overview of our, the pieces of our strategy to tackle frauds and scams. The first is actually building up our product defences to make them as sort of resilient as possible to scammers who may try to abuse them. Of course, if we know that somebody is a scammer, we'll take them sort of down off the platform.
But there may be times where we don't have enough signal and so putting in frictions and warnings and things like that are incredibly important. We're also thinking about how can we leverage new technologies to counter frauds and scams.
So you may have heard that public figures' images are being misused to trick people into scams so we launched sort of use of facial recognition technology. To understand if a public figure's face is being misused and then if we have some signal to accompany that we're able to pull it down. That has helped us to tackle that problem.
The second area is empowering users. How do we encourage people to, or equip people in the best way possible to be as cyber resilient as possible that includes suites of tools, so things like two factor authentication making sure they have everything they need to be cybersecurity on our platforms but also on other platforms across the internet as well.
The third piece is disrupting scammers so here I'm talking about pulling out these criminal networks that I was talking about before. We have investigators who are able to do that. Pull those networks out. Share that intelligence with others who are tackling the problem. And then be able to use that intelligence to rebuild our product defences to make them stronger to prevent things in the first place. And then the fourth pillar and this is really important and goes back to the attack chain as well is how can we collaborate across society leveraging the GSE who is facilitating signal exchange, building up pilot programs working with others to sort of campaign to inform people how to tackle fraud and scams. I am out of minutes, I will stop there but looking forward to the rest of the discussion.
>> AUDIENCE: (Applause).
>> JOHANNES MYHRE VALLESVERD: Thank you and we will come back to your discussion. Another important part of the global fraud fighting team, this powerhouse of resourceful people and businesses is the mobile operators. So what are they doing and how are they doing this? To give you an example we are very happy to have Birgitte tell us what are your insights into all of this?
>> BIRGITTE ENGEBRETSEN: Thank you, Telenor is a company in the Nordics with more than 200 million customers.
We have connected both people and societies safely. For over 170 years. And in Norway we have close to three million customers. The majority of the data traffic in Norway is going through our networks. And our services. We are, therefore in a unique position to look into what kind of problems do we have related to fraud and digital crime? Which is targeted towards the Norwegian society. In Telenor Norway we have the leading security teams in Norway with the expertise to combat advanced threat factors as well as criminal groups. That means that if you are a Telenor customer you have some of the best security experts on your team at all time.
Our ambition is to be the safe internet for the Norwegian customers and society at‑large. Since we are digitizing services to make our life easy and both in our private lives but also in our work lives this is fantastic, however, that increases the push from criminal actors from physical space to the digital space. Telenor is experiencing that customers and the public are more concerned about their digital security lives now much more than before.
And it's a high demand from both information but also security advices and assistance in protecting against fraud and threat actors. There, all of Telenor's both mobile and broadband customers will get their subscriptions with fraud filters integrated into those subscriptions. In addition to that, we offer extra services in order to secure both private customers but also the business customers. With security and their digital life or work life. In addition to a yearly publication which is the annual security report and combined with an open threat assessment, we also publish a quarterly security pulse for the security situation in the Norwegian society. In 2024, we could see that we blocked more than 2200 million attempts in fraud and crime towards customers in Norway.
That's similar to two attempts of the digital crime each day towards our customers. This is a huge number and it shows that we need to take threat seriously and it's not a local threat, it's a global gain for these actors. Yeah. Although we are taking many, many steps to stop digital crime and fraud towards our customers and the society as a whole there's still jobs to be done in order to combat this. Together. And to effectively combat digital crime it's crucial for businesses, government, agencies and law enforcement to collaborate closely the collective effort can lead to more robust defences against cyber threats. Organisations must prioritize investments in advanced cybersecurity capabilities. By adopting cutting edge technologies and proactive strategies, businesses can better protect both themselves but also their customers and their society at‑large.
Quality and security must be given a higher weight in processes. It's crucial that public sector creates a market for security and robust services and use their purchasing power in order to support that. By doing that, we can keep the public safer but also create the market for security services. Effective loss and regulations related to cybercrime can create a safer digital environment. Legislation can stop criminal activities. In this context, effective also implies clear. Let me give you one example. How do we balance customer's need for data privacy, protection, and secure communication channels with the need to share data between relevant actors, such as banks and telecos. Dilemmas such as this must be discussed in a collaborative context thank you.
>> AUDIENCE: (Applause).
>> JOHANNES MYHRE VALLESVERD: Thank you very much for those exciting comment and I totally agree with the multistakeholder comment you made and also the operational remarks on the clear clarity of law. Least but not least, when I discussed with my co‑moderator who is online now, we needed the domain name market industry or regulations on board.
So we have fact finders. We have regulators, U.N. operators, social media, GSE hub so we asked starters at the top of the government advise committee and he answered within a couple of minutes. Very happy to have you here Nico. We want to hear about the issue of phishing that remains a dominant form of abuse often used in exploiting loopholes. What specific issues is ICANN doing to enhance register and registrar accountability. Floor is yours.
>> NICO CABALLERO: Thank you, can you hear me? So thank you my name is Nico Caballero and I'm from the advisory committee to ICANN and I am assuming that everyone knows what ICANN is. I am surprised that I had to explain but broadly speaking ICANN deals with domain names and let's say the translation between those names and IP address. IP4 or IP 6 addresses.
So let's take a quick look and I only have five and a half minutes DNS abuse landscape as we understand it within ICANN there are five main, I would say the top five DNS abuse types the first one being phishing which makes up more than 90%, you know, according to some numbers is 95 or 96% of the cases. You know, and there are some other sources as well. And then malware, botnets, farming and spam, you know, for the remaining percentage. Spam, when used as a delivery mechanism for the other four, right? And a huge impact I won't get into the details, you know, it's been already explained. But broadly speaking, you know, we're talking about twelve billion, you know, impact, you know, in terms of annual losses. And these are numbers coming from the internet society from last year. What it does is you know is it basically erodes trust in the DNS ecosystem which is a very bad thing. Sorry. Let me move this. And that's what I was more or less talking about. So I want to share with you some highlights from our last meeting.
ICANN 83 in Prague. Some highlights from the GAC sessions on the one hand we have malicious registrations that clearly enable our phishing. And we also identify that there's a lack of uniform enforcement, you know, against rogue registrars, you know, and again there are many different sources for this. This one coming from the clean DNS, from a clean DNS study. There's another case study that says that, you know, registrar X let's just say, unnamed is linked to more than 60% of phishing domains in 2024. And we can talk about that a little bit later with more specific numbers. So I won't read the whole thing because there's obviously no time for this but phishing scams account for a large portion of DNS abuse. With again some reports indicating the comprised all in all 62% more or less, 62% and this is according to AG IT services and some other sources and you have the sources right there and you can check later and then we have spam, malware and botnets. Farming is almost nonexistent, but there are at least in the DNS abuse landscape, right? And then botnets, you know, which are basically networks of infected devices controlled by attackers and so on and so forth. And I'm taking a look at the time. So, I won't get into details but I want to concentrate on the program that ICANN has and the three main pathways so to say the first one is contributing data and expertise to fact-based discussions. And there are four things there. The first one being the DAAR. Stands for domain abuse activity reporting which is a system that looks at abuse and activity and for volunteers, CLTDDs, country level code domains and the main and we can talk about what ATAHI is and capacity building and training that's one track so to say the second track being providing tools to the ICANN community, you know, through informal, again, standing for inferential analysis of maliciously registered domains as you know ICANN is kind of like an acronym romance.
So I just, I'm just trying to be careful to actually explain what each of the acronyms means and then SIFT which is a special interest forms on tech so that's basically the second track.
The third track being enforcing contractual obligations with registries and registrars, compliance that enforces COs. In policies and agreements including RA which is registry agreement and RAA again the registrar accreditation agreement. And I am running out of the time. So, and there are some also some potential sanctions and service level agreements being discussed. These are proposed solutions, you know, and some brainstorming we had within this. The first one being a stricter SLAs for takedowns, 24 hour response mandate and we're discussing that this is not in place yet but this is some just brainstorming session we had in Prague two weeks ago. Contractual penalties, suspension for repeat offenders within the ICANN contracts that is and then proactive screening, you know, as was mentioned before AI driven pattern detection.
You know, like bulk registrations and, you know, there's lots of information in that regard. And then finally and I will finish with this because we're running out of time absolutely. The most important point would be, you know, collaboration frameworks, you know, as per the net beacon's ID. Reporting tools and standardized abuse reporting as per the internet society's trust initiatives.
Capacity building for global south registers and, you know, the realtime data sharing, you know, within the GAC itself. The government advisory committee within ICANN and there are so many sources there. No more time for that but anyways, thank you so much and very happy to engage in conversations or taking questions. Thank you so much.
>> AUDIENCE: (Applause).
>> JOHANNES MYHRE VALLESVERD: Thank you very much Nico and I must say I was, the GAC meeting back in 2007 and it's good to see that the role of GAC is now evolving and that you are mentioning taking some stricter operational measure. That's very I think very, very, very needed because the units are a very important part of the puzzle where you get the domain names. So we are now moving over to the panel session and I've been looking forward to this for many months now we will go through some questions to the panelist and then we will
>> RENS GRIM: Bad didn't get better. Your football team that you support lost 10‑0 and then the next game they lose 10‑0. I wonder what the atmosphere is, we did a good job because it wasn't worse than last year. I don't think so. I think with AI we will see writing of fraudulent text in SMSs, in e‑mails we will see that in generating dialogues on, let's say platforms like WhatsApp and Telegram, Facebook messaging we see an increased mimicking of voice, creation of images being that a person or a product and also the producing of voice again be it a product or an image. I think it's a very difficult question Johannes to answer but I think we are not yet at a tipping point I believe, but that's my personal opinion it will get worse before it gets better.
>> JOHANNES MYHRE VALLESVERD: I think you're right. Let's brace ourself and then we have to tackle it. But it's getting increasingly difficult to differentiate. Let's talk a little bit more with the regulator when you are here at the table Kamilla. You talked about the transition, that we will transition toward internet based services.
What are your thoughts on this transition?
>> KAMILLA SHARMA: I don't think it is easy straightforward answer to that question. I don't think so. But I think that we must entail that internet based services is a very broad term. It is very complex field. Both technically, legally and culturally. But I really strongly truly believe that the industry and the regulators share many of the same goals we have seen it so many ways in the past time so I think we can base that also with the future collaboration. We all want increased digital trust. We all want increased digital inclusion. And we all want to reduce fraud. We will get some, yeah, we will get new regulatory tools, no doubt about that. But I think that the most important aspect is that we work together with the internet stakeholders and the traditional stakeholders on the regulatory side and from the industry. I truly that is many ways that we have to find out how to do it.
>> JOHANNES MYHRE VALLESVERD: Thank you very much for those comments. Totally agree. So, we sometimes see we ask for regulations, but many times the regulations is really there. We ask for clearer rules on privacy but they are really there. Sometimes you just need some guidance. But let's take a look at the legal framework and let's, question to Riika to see how are countries doing with the criminalization of fraud as it manifests itself in the world today.
>> RIIKA PUTTONEN: Thank you your highness criminal law is not a magic bullet it exists in the regulatory framework and doesn't exclude the administrative measures against fraud.
They coexist so to say. Globally speaking, different countries use different terminology for fraud. Some use fraud, scams, theft, deceptions, swindling, misrepresentation and so forth. So, we are far away from actually having a common understanding what fraud in sales in today's world. And as I mentioned earlier, fraud in this various, under these various names is not always criminalized as serious crime but we've heard of the serious consequences of fraud and therefore I do think that it warrants to be criminalized as serious. And this really is problematic for international cooperation. Because judiciaries around the world would have to rely on each other for mutual equal existence, cooperation and so forth to be able to tackle the organized criminal groups which operate without any regard for rules and so forth. They operate transnationally so must countries as well. So, and if we do not criminalize fraud in a somewhat uniform manner, as serious crime.
We don't necessarily have the legal tools for countries to actually cooperate internationally. So, these international conventions are not only paper, but they are actually, they constitute real tools to combat fraud. So really criminalization matters. We are not yet there. Thank you, your highness.
>> JOHANNES MYHRE VALLESVERD: Good intervention. So, I totally agree. It's, fraud is not petty theft as we heard from Rens Grim the consequences of fraud can be lethal so let's tackle this organized crime, international organized crime as that organized international crime. So, but we always hear about privacy. We can't share data. We can't share data. But can we share data? And let's talk to somebody that has shared data. How did you do it, Emily? How are you been handling the data privacy issue?
>> EMILY TAYLOR: Thank you very much for the question your highness in any healthy democracy protect for fundamental rights and the rule of law are not a nice to have, they're absolutely essential. And they also give the bright lines for law enforcement to adhere to. I think often in these sort of debates, you know, we as humans love binary. So we like, are these in opposition to each other, criminal justice and privacy? No, they're absolutely not and in the UK we were very fortunate that our national data protection regulatory actually issued some guidance to clarify this matter which is extremely helpful and as Riika says this is not, whether it's in the criminalization area or in the data sharing area, this is not a static legal international framework. We've got, we've had the OECD principles, the second additional amendment to protocol to the Budapest convention. EU evidence act and the last goes on. So you know, within the GSE, we have been working on the protections for privacy alongside the technical development from the outset and I think that that's really the way to do it. And to make sure that whoever is sharing data is always in control and in charge of what happens to it and there's no sort of really lax default settings. So privacy laws are not an annoyance, they need to be baked. The adherence needs to be baked in from the start so that people who are using the system can have confidence that their privacy will be respected and that they, that, you know, that helps to give them the benchmark and the level playing field so that people feel confident in sharing data to combat scams and fraud.
>> JOHANNES MYHRE VALLESVERD: Good answer, in law when we talked about the shields, we got input saying we need some guidance, please give us some guidance and it took a couple day to provide the guidance and that's all it needed to get the ball started. Of course, the industry did all the work but we made some guidance in the start and that kicked it off. So totally agree. Okay. Now, Rima, many people are being confronted daily, perhaps not daily but often with fake profiles on different social media channels.
And you don't have to talk for everybody here but what do you think about the challenges of fake profiles and fake content? How do we reduce this problem? You talked a little bit about it in your presentation but do I have any comments on it?
>> RIMA AMIN: Fake accounts are an incredibly important thing for us to be able to counter. If we go back to via attack chain, creating the identity is one of the earlier parts that we are able to have visibility in. We have teams that are working to create technology to be able to detect this stuff at scale and just to give you an example of the type of scale that we are looking at in Q4 of 2024, we took down 1.4 billion fake accounts. 99.9% of those proactively often at the point of creation before they were reported to us. So our technology is catching these fake profiles and I should caveat here that because we're catching them very early on we don't know the purposes for which they would be used, right? It's not necessarily all frauds and scams but we know that fake profiles are important when it comes to frauds and scams. Now when it comes to that .1% of the ones that we, you know, weren't able to catch or reported to us, there is a challenge that comes with that. So the teams are constantly thinking how do we close that gap and get close up on it? The challenge can be is that as you become sort of more aggressive then you catch innocent people within that as well. Yes, very important part of the work. And something that we're focused on. I want to touch on content a little bit here as well. As you mentioned. I don't know if anyone's come across a piece of research by Camille Francois that talks about how, or way to handle adversarial harm on the internet she says you can focus on actor who is like who is behind the activity? Then there's behaviour. Which is what are the behaviors that the person is sort of doing on the platform? Things like trying to reach out to numbers of people that they are not connected with. That type of behaviour and the third piece is content which is what is it that they're actually posting on the internet? Now, all three of those components and again we say see framework are incredibly important. For frauds and scams content is important but it is a harder lever to pull. If you compare it to a harm like terrorism, fraud, it's not as obvious and they deliberate construct this to not be as obvious and then the second thing is the content switches all the time. Fraudsters will try to promote one item and then move to another. That's part of their MO whereas it's harder for a fraudster to shift their behaviour or hide who they are. Of course they will try to but I think that is really important to sort of bear in mind. And that framework is something we think about a lot when it comes to how do we tackle fraud in our ecosystem.
>> JOHANNES MYHRE VALLESVERD: Thank you very much. We will get some questions afterwards from the room also so if I have anything just prepare yourself if you want to do that. Birgitte you emphasized the importance of cooperation and I know many of the things you're doing are costly. How can they help in this regard?
>> BIRGITTE ENGEBRETSEN: I think we should reflect upon the magnitude of the problems presented from all of us and the fact that we need to work together and we need to share the burden so maybe let's think about it in the triangle where you have the customers they should ask for secure and safe services and be willing to pay for that. The government needs to finance part of those costly measures and tech and teleco companies also needs to invest. So it's, in this triangle, I think we need to really, yeah, divide the burden between the three.
>> JOHANNES MYHRE VALLESVERD: Good I agree. Those are the money that you put in protecting citizens is in the long run you get all back with interest. So, yeah. Good intervention. Last but not least over to Nico. You are in a key position here as the chair of the governmental advisory committee and we have a lot of data and you have a lot of issues at your hand but in particular to this phishing, the topic that you mentioned is there any, let's talk a little bit out of the box now. Possibility for data sharing? Realtime data sharing? To the anti‑phishing work that you had mentioned while still balancing the GDPR?
>> NICO CABALLERO: Absolutely and I took time to prepare mainly four things. But important to take into account the first one is layered access models. You know, implementing, you know, tiered access to data. Where the critical feels like for example anonymized e‑mail contacts. Are available for legitimate purposes. Like cybersecurity of course, while protecting personal data through reduction or encryption, that's one thing. The other thing would be a centralized accreditation; can you hear me? Because, I'm having trouble with my ‑‑ developing a unified accreditation system for vetted entities so to say like law enforcement, cybersecurity professionals and so on. To request nonpublic data, ensuring compliance with GDPR, GDPR's legitimate interest provisions. Also, you know, a collaborative framework engaging with, you know, data protection authorities in the industry stakeholders. To align policies with GDPR as in, you know, as you can see in the temporary specification and the EPDP that's expedited policy development process, again, long and complicated acronym coming from ICANN but it is what it is, while preserving again, as I said before interests like fraud prevention which is our main point here. And then finally there are some technical solutions like, you know, coming from ICANN. Like supporting innovations like the RDRS which is the registration data request service, you know, formally, you know, known as the SSAD to streamline data requests without, I would say overburdening the registrars. So that's more or less what I can share at this point.
>> JOHANNES MYHRE VALLESVERD: Thank you very much, Nico. So we have a couple of open questions first and you can answer if you, when you want, just raise your hand. And then we will open the floor, but first question, we will talk a little bit about privacy. So I will give you a provoking question. On privacy. Are the privacy rules now protecting the victims or the fraudsters? Anyone want to give that a shot or both?
>> RIMA AMIN: I can give it a shot. I spoke a little bit earlier about the facial recognition technology that we deployed in order to protect people from scams relating to public figures. We deployed that pilot across the world in I think it was October of last year basically. And one of the challenges were that we were unable to deploy it within sort of Europe and the UK at that particular time. Because we were, you know, navigating with the regulator and putting all those pieces into place to ensure that they were sort of comfortable with this technology. So what I would say is that these protections were designed for the right reasons and the right sort of principles behind them. But I think what needs to be sort of added to them is understanding sort of the adversarial landscape especially when it comes to fraudsters as well.
So enable us to deploy things at the speed of which we need to because these are some of the fastest actors out there and so we need to make sure that we are able to deploy things in the right way at the speed of which we need to.
>> JOHANNES MYHRE VALLESVERD: Thank you. Good comment. Riika.
>> RIIKA PUTTONEN: Yes. I totally agree and indeed privacy laws were actually put in place to also prevent fraud. So the intention as Rima said was a good one but it's the implementation of those laws that leaves some room for improvement.
Privacy, the right to privacy is not an absolute right in the national human rights law. It is a qualified right. So there are certain conditions and if those conditions are fulfilled, it can be compromised.
The right to privacy. And it can be compromised for certain good reasons, legitimate aim and that would be, for example, public or a public safety national security. And when we look at the scale of fraud, I do think that the legitimate aim is there. So indeed, it is not an absolute but a qualified right but in addition to that legitimate aim it also has to be prescribed by clear and accessible law, so, again, for legislators, some work to do, served as legitimate aim and it has to be necessary and proportionate and then you are in compliance with international human rights framework.
>> JOHANNES MYHRE VALLESVERD: Thank you, yeah. Emily.
>> EMILY TAYLOR: I think Riika and Rima have made excellent points. Where I would come in is reflecting on the transatlantic tensions around data sharing between close allies, all democracies, all subject to the rule of law and Nico I had the misfortune to be on the EDPD and the expedited bit was certainly not very apparent in this multiyear process.
But actually rather than blaming ourselves I think we reflect on how difficult it is and that who is a microsome of sharing data but Riika you talked about laws being understandable. There's a story of a guy going around an international law conference wearing a T‑shirt that said only God is GDP compliant.
And if we think about how difficult it is to comply and the nature. For U.S. countries that are risk averse because they come in a much more litigious we think how do we do it better.
The fundamental rights need to be protected and legitimate people also need to be protected from intrusion, but we can do better.
>> JOHANNES MYHRE VALLESVERD: Thank you for those words. I completely agree. Let's move on now we will take one question from the floor and then we will get the online community on for the next one and then we will go back and forth. So, we have the first question is when you present your question, present just say who you are and where you come from and then the question. Thank you.
>> AUDIENCE: Thank you, thank you. We heard why signal's important by effectively everyone in the panel. Whether it's to identify criminals to aid enforcement or to protect end users. Building on Emily's comments about the forced binary choice between privacy and security and the weaponization as were rightly said the qualified right of privacy.
We're seeing some significant unintended consequences for example current and plan change to internet standards are removing signal. Which will make those consumer protections that the Norwegians enjoying ineffective because you will lose the signal you need for that and make it far harder again to identify criminals or to the ICANN example, the lack of proper know your customer processes mean that the, we're aiding the criminals that undertake phishing because we got no idea who registered the domains so registers and registrars are hiding behind those privacy protections so how do we get people like on this panel more involved in actually stopping those harms as unintended harms.
>> JOHANNES MYHRE VALLESVERD: Is that a question to Nico on know your customer perhaps? Thank you very much for your question.
>> NICO CABALLERO: Even though I'm not involved with any commercial activity within ICANN. ICANN is certainly taking steps and a stricter enforcement like for example registrars must accurate who is data or face suspension of domains on the one hand. You know, broadly speaking, the reporting system, the ARS has historically monitored compliance though I must recognize it was paused after GDPR but on the other hand, you know, as of right now, registrants are obligated to man contain accurate contact details, you know, to investigate complaints within 15 days which is good progress as compared to, not an ideal situation, not the best solution but ICANN is doing good.
>> JOHANNES MYHRE VALLESVERD: We are, I was looking at the time here. Thank you for the question and the answer and we can connect the dot from these. I think we will get the online community up now Frode, are you there? I feel it's a melody Grand Prix. We will get him on the screen.
>> Many thanks for the presentations from the panelists and for the interesting discussion. So far there is no question in the chat but we encourage people to ask questions in the chat which can be read aloud afterwards.
So I will just hand back to you, your highness to take more questions in the room.
>> JOHANNES MYHRE VALLESVERD: You are in contact with the producer. That doesn't matter because we have four people here, three people waiting in line. So let's take this one first.
>> AUDIENCE: No, I was on first.
>> JOHANNES MYHRE VALLESVERD: I have to say your name first and where you're from.
>> AUDIENCE: Rens brought up the issue of extortion and this is something I had personal experience with earlier this year where the victim took his life. As Rima showed the engagement aspect is conducted on platforms. In this case, it was WhatsApp. My question is for the global south, for developing nations, how can we increase awareness, what is the responsibility of platforms to increase awareness on these scams? And through the law enforcement is not as equipped as developed states within the developing world. How can we get law enforcement up‑to‑date and if there is no mechanism to report these things to law enforcement how can we report directly to the platforms?
>> JOHANNES MYHRE VALLESVERD: Thank you, sir, very good question.
>> RENS GRIM: Thank you for your question, sorry for your loss. It is a difficult area, especially in this extortion. In the country of origin, the people behind these scams are seen as heroes and even the nation is discouraging people to go to school and just go scamming but to answer your question, I think it is the whole purpose of the stakeholder participation, you know, getting into touch with local enforcement agencies and propagate that cooperation. This is a difficult story, there's no strict criminal prosecution possible. So, if it happens in country A and the extortionist is in country B it's extremely difficult to get that person in country B to be prosecuted. We're not there yet. I believe that encouraging countries, nations, governments, to also actively go after the people within their country who are propagating and who are actually committing these crimes. That is the first step forward. Does that answer your question?
>> AUDIENCE: Yes, somewhat.
>> RIMA AMIN: I can also take your question and I'm sorry for your personal loss. I think in terms of the question you asked around sort of raising awareness and what we can do there, I think there's a couple of pieces there, right? So you've got sort of campaigns that we can work sort of together on. I think that the working together piece is really important because what we often see is fragmented sort of awareness campaigns and people and young people especially being bombarded with so many different messages that actually bringing those together is incredibly important and that is something we look to do with governments and those types of entities. The next is sort of interventions and building products in a way that is safe, creates safe environments, so separating for example messages that come from people you're connected with and putting in sort of the guardrails there. And the piece on law enforcement, I think it's something that we try to do at Meta is work with law enforcement so we have people focused specifically on outreach to help law enforcement identify what information they can request, how they can request it and how they can actually use that information to be able to investigate and enforce there. And then the piece on reporting is also particularly sort of important. One of the challenges we have in the type of scam but also other types of scams that end up on websites and other sort of platforms is that we don't necessarily have the context that we need to be able to able to enforce say reporting through the platform or through the law enforcement channels that are available is important for us to then be able to look back and be able to enforce on that particular actor.
>> JOHANNES MYHRE VALLESVERD: Thank you, Riika and Emily and then we have to close down but it's an important question so we need to reflect on it.
>> RIIKA PUTTONEN: Thank you for that important question and example as well. At U.N. we have the intergovernmental processes which we've done a couple of on fraud. And there's an increasing awareness of the seriousness of fraud as such and including naturally also sexual extortion. We also have activities that range from prevention to protection of victims and witnesses.
Pursuing the criminals, the organized criminal groups behind it and also promoting that cooperation so I hope in the years to come, there is an increased awareness but clearly we still have a lot of work ahead.
>> JOHANNES MYHRE VALLESVERD: Emily?
>> EMILY TAYLOR: Very sorry to hear of your loss. I just wanted to address another aspect of getting law enforcement up‑to‑date which is the collaboration with industry. Note, global south and also other countries are suffering from lack of resources in law enforcement and are simply not able to follow up all the leads. And industry has a part to play and this goes to the point about burden sharing and this is something that we're doing within the Global Signal Exchange with pilots between law enforcement and industry to see, to what extent can industry sort of take some of the burden from law enforcement, enabling them to do what only law enforcement can do which is the pursue element that there's an awful lot of prevent and a lot of following up that industry can do in that.
>> JOHANNES MYHRE VALLESVERD: Thank you very much, all, for those commented on that and I'm very sorry that we don't have time for more questions but we are here so you can approach us after this session. I would like to thank everybody for your contributions, I would like to thank the panelists, well, we will never get rid of fraud. It will always be there but we can tackle it one piece at a time. We can eat the elephant one piece at a time. I would like to thank Frode for his on-line moderators and also the IGF for having this session on the important topics I hope this is not the end of anything.
This is the start of anything. We have to be more operational, get action done, share data, guidance and tackle this fraud because it's serious, it's lethal. So, we have to protect the global citizens toward... against this international crime. Thank you very much for your participation and your presence.
>> AUDIENCE: (Applause).