The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
¶ (Music playing) ¶
>> EMILY TAYLOR: Good afternoon, everybody. Thank you very much for joining us this afternoon. You are at Workshop 280 , DNS Trust Horizon: Safeguarding Digital Identity.
My name is Emily Taylor. I'm the CEO of Oxford Information Labs and a co‑founder of the Global Signal Exchange.
We were asked to put together this panel this afternoon for two dynamic coalitions, the Dynamic Coalition on DNS Issues and the Dynamic Coalition on Data and Trust and thank you to those organisations for asking us to do it.
So this workshop will look at the WSIS+20 and the issues of digital trust and identity through the lenses of blockchain identifiers in emerging namespace and multistakeholder voluntary measures to fight online harms, including scams and fraud.
Now, each of these issues requires the domain name system, in some way, to evolve to cope with these emerging issues, and each has been a struggle because they're complex in nature, and they require the coordination of multiple stakeholders.
We will hear from a range of speakers on the issues, and the sessions will be moderated by my good friend and long‑time colleague Keith Drazek, who's Vice President Policy and Government Relations at VeriSign.
So with that, Keith, I hand over to you. Thank you very much.
>> KEITH DRAZEK: Okay. Thank you very much, Emily.
And welcome, everybody, to our Workshop 280. And, as Emily noted, this is a joint workshop proposed by the Dynamic Coalition on DNS Issues and the Dynamic Coalition on Data and Trust.
Our view of this session is really, in some ways, the beginning of a multistakeholder conversation on two separate issues that Emily touched on, blockchain identifiers and the need for responsible integration with the DNS and online harm mitigation up and down and across the stack with different roles and responsibilities and technical capabilities for the various actors in the stack.
Each one of these really does requires multistakeholder engagement and multistakeholder input. We just want to call that this is sort of the beginning of that conversation. So look for more opportunities in the near future to engage on these issues.
So I'm going to go ahead and introduce our panellists here. Before I do, I just want the note that as we are here at IGF, in a season of looking ahead to the WSIS+20 Review, we thought of this workshop in the context of the UN sustainable development goals, in particular SDG 9, to build resilient infrastructure and build industrialisation and foster ‑‑ we want to make sure industry and other actors are really engaged in trying to engage in the IGF context, some work around that specific SDG No. 9.
With that, let me go ahead and introduce our panellists. A little bit of housekeeping, we're going to have five or seven panellists to make introductory remarks.
We're going to try to keep a good chunk of time at the end here for the dialogue. Then we'll probably save five minutes at the end for a wrap‑up.
First panellists ‑‑ and not in order of speaking, necessarily, but first on my list is Lucien Taylor. Lucien is a CTO and Founder of the Global Signal Exchange, a global clearinghouse for real‑time sharing of scam and fraud signals.
We also have Hilde Thunem, Managing Director of Norid, the Norwegian CCTLD registry.no.
We're thrilled to be here in Norway, of course.
Online, I believe we have Graeme Bunton, who's the Executive Director, NetBeacon Institute, an organisation established by PIR, the .org registry that's focused on helping the Internet community identify and report DNS abuse, establish best practices, fund DNS research, and share data.
We also have Benoit Ampeau, Director of Partnerships and Innovation at Afnic, the French Internet registry.
We have Swapneel Sheth, Senior Director of Research Engineering at VeriSign and the office of our Chief Technology Officer.
And we have Rima Amin, Security Policy Manager Community Protection with Meta.
And Dr. Esther Jaromitski, UK Department of Science, Innovation, and Technology. Esther has a Ph.D. in Internet governance. She's here speaking in her personal capacity.
And we are very, very happy to have each of you.
Because we have two topics, I'm going to lead off with the first, and that's going to be the topic of blockchain identifiers and the DNS. Probably stop after the three speakers have had their chance to give an intervention and remarks and have audience engagement before we move to the next segment.
I will be watching the time with Emily and be sure we're keeping to schedule.
Benoit, I'm going to turn to you first. Blockchain identifiers and the need for responsible integration in the DNS, from your perspective, what are the main challenges to maintaining trust in DNS systems in the face of emerging technologies like blockchain?
>> BENOIT AMPEAU: Thank you. Yes, I will talk about the importance of stress and the security of digital identities and the challenges posed by the new technologies like blockchain and current Domain Name System, DNS, and the concerns.
It's a challenging thing to present this in such a short time, but I will do my best.
This constitutes a reference for creating and reserving names on the Internet.
It's available the all connected Internet people for more than 40 years.
During this time, we can observe some initiative for automatic naming systems. For instance, I can mention ‑‑ and they are seeking to establish themselves by exploring models on DNS and also partly inspired by DNS.
For many years, at Afnic, we have applied to different use cases and technical environments. Regularly, the integration of namespace such as those used in the Internet of Things or in the Internet system.
We also conducted a study publishing a report last year on the possibility of blockchain actually replacing the DNS. Now we are working on more technical layers ‑‑ also on name reservation services.
In addition to that, we established with our partners a roadmap of work on the current ecosystem and blockchain identifier solution providers.
For provider mappings to ultimately later this year developing a framework.
Very quickly, three outcomes of our studies. Trust, trust is essential for the sake of digital identities. Without it, users cannot operate effectively online.
New technologies into ‑‑ presents unique challenges.
Blockchain has proven to be robust in terms of the data associated with the identifier. It has questions about governance and standardisations.
Global consistency are yet to be built for blockchain.
Second one, DNS and blockchain, these are two different ‑‑ unique naming space.
The uniqueness of names, Internet Corporation for Assigned Names and Numbers, which supervises through the ‑‑ on a delegated basis.
No name can be registered twice in the same space is key.
In the case of blockchain, naming space is regulated by smart contract which is defines the rules of blockchain identifiers.
In theory, this ensures a uniqueness.
They're operating independently. Therefore, it's possible to be allocated by more than one blockchain leading to the application.
The DNS area of study, a coalition between identifiers and domain names. Things like dot wallet and dot crypto could present issues.
(Phone ringing)
>> BENOIT AMPEAU: Sorry. That's me.
In 2012, ICANN received the application for these and so on and so forth.
Of the providers found, we found top identifiers that were the same as existing GTLDs, one with eight direct conflicts, the second one with four, and the last one with one.
We also add with existing ‑‑ and identifiers not regulated by ICANN.
So our work aims to give a concrete view of the situation to better evaluate and provide a risk assessment from other stakeholders, which is important here. Institution, policymakers for their own purpose.
In a nutshell, DNS is crucial for digital identities.
The integration of blockchain within the DNS could present opportunities but also significant challenges.
Makes them prone to confusion when resolving names.
Finally, stakeholders' involvement is important to overcome these difficulties and understand the benefits but also, very importantly, the risk.
Thank you.
>> KEITH DRAZEK: Thank you very much, Benoit. I just want to reinforce one of the things that you mentioned, and that is the importance of the fundamental foundation and the importance of the single authoritative root in dealing with matters in the DNS. One of the challenges and one of the concerns that you've correctly flagged is the potential for duplication of records when there should be a single record.
So I think this is important in both today's context and in looking ahead to the upcoming launch of the next round in the ICANN space.
There's currently an application window that's targeted for April of next year with likely delegation of some of the strings applied for perhaps a year after that.
So this is a live and active topic when we're talking about potential applications both at the technical and policy level when it comes to expectations around these unique identifiers.
So with that, let me turn to Swapneel.
>> SWAPNEEL SHETH: Thank you. It's good to be on this stage with this conversation.
Domain names have been long identifiers in applications going back all the way ‑‑ you can think about telenet, FTP servers and domain names adapted to be used for the web use case.
So what we've seen, though, in the past few years, is that there's interest, and blockchain applications and other applications have emerged as a new use case for user‑friendly identifiers.
Blockchain wallet, we've all heard of blockchain wallets by now. Blockchain wallets tend to identify users via a long, alphanumeric chain.
We're seeing a lot of interest in using DNS domain names for these use cases and blockchains.
Sorry. I just ‑‑ yeah. So there's a lot of reasons to use DNS domain names and blockchains. This can use a DNS domain name, integrate that with a blockchain application, we call that DNS integration. So imagine when you're trying to send crypto cryptocurrency ‑‑ how do we think about a domain name that's transferred or expires after the domain name has been integrated into the blockchain application.
How do we avoid risks, right, with inconsistencies, with the security concerns that come along when the same names are used across multiple systems?
These are really important topics. Without coordination, these systems will fall out of sync. And when they fall out of sync, they will give rise to inconsistent behaviour, and, more importantly, these issues will lose ‑‑ undermine trust we've built in DNS over the last several decades.
Don't get me wrong, integrations have the ability to enhance the domain name. We believe the way to get there is responsible DNS integrations. We can take the benefits and extend it to these new use cases and blockchains.
So safeguarding the stability, security, and reliability of critical Internet infrastructure has been at the very core of what a design does.
Alongside keeping the same values in mind, we're also supporting development of responsible DNS integrations.
So what have we been doing? We have published a variety of research papers and steadies to raise awareness of SSR issues that exist in today's DNS integrations.
We've also ‑‑ we're all actively working with the community and encouraging the community to come up with standards and best practices.
DNS has well‑defined standards and practices for transparency, for control, and for domain name lifecycle management.
You think together these principles can inform and should inform how we develop these new integrations with DNS.
So now the Internet success has been rooted in interoperability, trust, and collective ownership. We must preserve these values.
So let's work together and collaborate together so we can use the existing critical DNS infrastructure for the new use cases, but let's do so in a manner that supports our collective goals, which is to build a safe, securable, reliable ecosystem.
Thank you.
>> KEITH DRAZEK: Thank you very much, Swapneel.
I will turn to Esther. I want to remind everybody that when Esther is concluding her remarks, we'll turn to you, the audience, to see if you have any questions or comments. Our panellists are more than welcome to engage together and compare notes and have any conversation that would like to have.
Esther, we've heard about national approaches to only safety. From the UK's Online Safety Act to emerging blockchain systems, as there's potential solutions, what do you think needs to happen at the global level to address the trust and security challenges? Thank you.
>> Esther Jaromitski: Thank you so much for your question, Keith. I really believe that the choices we will make in the next two years will determine a lot of whether the Internet will remain a stable and trustworthy source or whether it will become a great vulnerability for us.
I will explain why in my remarks.
Before I begin, this is not UK government policy. It's based on my research and AI.
When the World Wide Web, it was probably not imagined that it would be what it is today.
It's 5.4 billion Internet users, which is an incredible number and what we hope will grow and reach everyone.
Living in this environment presents a lot of risks and challenges. I know we will move to the topic of fraud after this, but I just wanted to highlight how important it is that we maintain the system.
UK alone, fraud accounts for 80% of cybercrime.
While all of this is intensifying and we have a lot of fraud in the current DNS system, new naming systems that we are discussing today are emerging in parallel.
And this is developing their own logic, standards, and risks.
ICANN, which we respect and love to be the important body that is keeping the Internet stable and operable, acknowledge that there's building outside the Domain Name System. The market has grown to $360 million today.
There is information and lots of talk about Web 3 groups preparing in 2026. So this is a good time to discuss these challenges.
So the critical choice I want to highlight is we need to answer the question. My co‑panellists have addressed do we integrate this blockchain system into the existing DNS and see it as a security layer to the system that we have today, or do we watch our infrastructure fragment in dangerous ways in which fraud will likely just intensify?
And the question that we're facing today is definitely not whether these systems will emerge and whether this threat will exist because it already does and it will, and we've already moved past that question absolutely.
And I am proposing very much a multistakeholder approach to really tackling this. We need new initiates led by different stakeholders to create global trust infrastructure that integrates these two systems.
Some of the things I'm thinking about is also connecting it to some of the GDC and WSIS and SDG lines that we have.
It would be smart to integrity identity into DNS queries. So when you visit Lloyd's, you would be able to verify that the domain is authentic.
Principles three, four, and five would allow to detect fraud in real time.
How does this work? Well, we know that blockchain identifies ‑‑ they create tamper‑proof certificates that ensure that the website you're on is legitimate. That's something that adds a layer that demonstrates that the DNS is not forged.
So this is a great opportunity to combine these two approaches.
This will strengthen the root principle of root connectivity. That's why I can pay attention to this now and leverage the next round to ensure that this is integrated before entities are established outside of the GTLD programme.
Integrating AI infrastructure would enhance rather than replace the system.
We need to think about quantum solution thinking processes that integrate AI into managing fake websites, detecting and signifying that there's a form of domain hijacking taking place.
So without going too much into detail, what my point is that we are not going to succeed if we try to replace the DNS. It will be really bad for the Internet. We need to integrate new technology and innovation into the system we have today.
And to conclude, being a multistakeholder process is the only way forward. No government, no private entity, no civil society group can solve it alone. It has to be done with what we can do today, the ICANN, the CAG. We need to make sure these important thoughts that we're discussing today are integrated.
>> KEITH DRAZEK: I think this is one of the reasons we're here at IGF bringing this to the community's attention.
There's a microphone on each side. You can get in queue.
I'm checking to see if we have anybody online.
I would say we have five or 10 minutes to discuss this topic before moving on, if we would like to. Or we can move on to the next and come back for questions at the end.
Ah! Edmon, come on in. Hello. Welcome.
>> EDMON CHUNG: Edmon Chung here from DotAsia. I just wanted to pick up on the integrating blockchain and some of the emerging technologies to how we manage the DNS. Two things I want to highlight. One is I thought the question about including cryptographic technologies to the processes is quite interesting.
Currently, the DNS sec protocol, the extensions, do do that. How would blockchain add to that.
What about the registration data? I personal find the registration data to be quite use ‑‑ I mean, blockchain might be useful for registration data, especially for, you know, like domain transfers, ownership transfers, and authentication of those issues because of the nature of blockchain. See if there are any thoughts on those two things.
>> Esther Jaromitski: Thank you so much for your question. It's very good that you brought it up. I wanted to get into that as well. It's true that it already provides some form of validations in the DNS responses to prevent the tampering.
But this blockchain enhancement really just builds on top of that, I would say. So it would exist as a form of secondary security layer on top of the DNS sec.
And that would be similarly to what happened happen when we need to develop quantum resistant processes.
>> SWAPNEEL SHETH: They're supportable and otherwise, email and web traffic are supported via the encrypted protocols. Right? So I want to restate that DNS is secure today as‑is.
>> KEITH DRAZEK: Okay. Thank you very much for that.
Edmon, thank you for that question.
We have another speaker. If you could identify yourself, please, and go ahead and ask your question.
>> ANDREW CAMPLING: Yeah. Hi there. Thank you. My name is Andrew Campling. I'm from a consultancy, which, amongst other things, spends time thinking about the DNS. Again with the comments about DNS sec, I'm skeptical that there will be value add on that specific point, doing two lots of the same thing. I know there's post‑quantum ‑‑ we have to think about the compute cost, the environmental cost of doing that twice.
So I think we should be cautious heading in that direction.
The point I wanted to make, though, the Web 3 naming schemes, that they don't have governance ‑‑ some that don't have the feature, fairly immature governance. Just by design. They're still very early in their evolution. I think there's a lot of very useful lessons that could be carried across from the DNS into those systems. So there will be benefit at the governance level, if not the technical level.
I don't know if anyone wants to comment on the governance points.
>> SWAPNEEL SHETH: So I don't know if you've been following DNS Op working group in IETF. And so we have a couple of drafts we're working on towards responsible DNS integration. And one of the ones recently, as of earlier this week, was adopted by the working group. It talks about what are the concentrations for creating DNS domain names into blockchain namespaces or blockchain applications in the responsible manner. So there's a checklist of things to go through as you're building your integration. Hopefully, by the end of it, you will have a responsible integration. And you will have the governance of the DNS because it's rooted into the DNS ICANN‑managed DNS root.
If that helps answer your question.
>> (Off microphone).
>> SWAPNEEL SHETH: Yeah. And going back, a plug‑in here since you brought up post‑quantum DNS Sec, if you're interested in the topic, we're working on it. We'll have hackathons, and we'll also have a PQ DNS meeting at the upcoming IETF meeting. So please join us and feel free to contribute.
>> BENOIT AMPEAU: If I may, a side comment? So linked to the question, so I fully agree with what you said, but from the blockchain provider solution perspective, we do not know yet if they would like to engage in this way, in the responsible integration. So basically, we know Internet is complex. We all know this. Maintaining, providing consistent user experience for a stable, resilient, secure Internet, it's complex. So we'll see what the future will be by integrating these kind of actors into the DNS ecosystem at large.
>> SWAPNEEL SHETH: I'll make another point, while we're on the topic is the interest from communities. The draft I just talked about, I have co‑authors from ENS, which is an alternative namespace in the blockchain, name service. Another co‑author is Bluesky, which is a decentralised social media namespace that's trying to use DNS domain names as social media handles.
So I just want to say that there's enough interest from the web community to integrate responsibly as long as we're willing to work with them.
>> Esther Jaromitski: And maybe just to add, you know, to emphasise that this is important to think about now because ICANN has the opportunity to seriously engage. As I mentioned earlier, it is a growing industry. There's interest. It's also within our hands.
>> KEITH DRAZEK: Thank you very much. Thank you, Andrew, for the question and the engagement.
Two quick questions in the chat that Emily will read, and then we will probably pivot and move to the online harms discussion, and we can always come back to this at the end.
Emily?
>> EMILY TAYLOR: Yeah, so we had a comment from Lucifer saying, Okay, I'll sum it up. It's not that complex. The entire Web3, 4, 5 blockchain saga is merely a creative lazy attempt to monetise the Internet by fragmenting DNS with an alternative route. Nothing revolutionary here, just reheated hype. Time to move along.
Bev Wathen did a thumbs‑up in agree to Esther's call for integration and not replacement of the DNS.
And Carolina from Oxhill ‑‑ Hello, Carolina ‑‑ asked two questions.
How do we ensure responsible integration happens in a multistakeholder manner? And, also, how to get the blockchain community to participate? What incentives exist for them to participate?
Thank you.
I think the second question you touched on in the recent remarks.
Thank you.
>> KEITH DRAZEK: Thanks very much, Emily.
I think to Carolina's question about, you know, what are the opportunities for engagement, I think the dynamic coalitions that are represented here are future opportunities for continued engagement on a multistakeholder way in this conversation but probably not the only options. So we should think about how to engage folks from this particular community and also other perspectives to make sure we have a broad understanding of the various concerns and opportunities.
So thank you for that. We will now pivot and move to our discussion on online harm mitigation.
I will just take a couple of minutes to give context and frame the discussion.
Over the last five, 10 years in the ICANN community, there's a lot of discussion about DNS abuse and the need for enhanced tools for compliance at ICANN to deal with the so‑called bad actors.
A couple of years ago, the GTLD registrars ‑‑ obviously, that's a subset of the broader topic of online harms. So that's DNS technical abuse. There's obviously other online harms that are related to content, and there are a number of different actors in the Internet infrastructure stack that have different roles and capabilities and technical capabilities to mitigate abuse at the most appropriate time, the most appropriate level without disproportionate impact on other actors in the system. I think what we're going to talk about today is the broad topic of online harms.
With that, we're going to turn to Hilde first.
The Norwegian top‑level domain is an example of low rates of domains being used for fishing, malware, and spam. Can you share some insights, from your perspective, around what could be the reasons behind that?
>> HILDE THUNEM: Thank you for having me on the panel. I would like to start by saying that just like in the offline world, I think online abuse rates are a reflection of many different societal factors.
So even though I work at the registry, it's not all the DNS that does this. But I do think that the Norwegian model approach to the domain name provides an example of how many different stakeholders can work together and have a positive effect.
So all the main registries, people like me that hand out domain names, we work out on the local law and the registration policy. One of the factors that influenced the type of neighbourhood that sort of grows under a top‑level domain is the requirements that the registry imposes. We do this with different stakeholders in the Norwegian society and within the domain regulation that provides the framework for the basic principle of this.
And one of the requirements we have is that anyone who wants to register a domain name must identify themselves by providing either the organisation number registered for business enterprises, and foreign companies can do this if they have a Norwegian subsidy.
So if you worked and were away for a long time, you get one of these.
And before granting the right of use to a domain to anyone, we verify that they exist in one of these official registers. So we look it up. This ensures that each domain name is registered and responsible for how the domain is used.
So sad to say ‑‑ I hope I'm not breaching any childhood dreams hear, but Santa Claus does not have a domain because he does not exist.
This is not only a registry effort. We don't talk to the domain holders directly. It's the registrars that have the direct contact with the customers that are required to know who they are and to ensure that the one contacting them actually represents the organisation that they are trying to register a domain for.
How they do this is left to the registrars because that varies wildly. If you're a small registrar that knows everybody or a large one with control systems.
There's a rule to how many domains an individual can have. If you're an individual, you can five and if you're a company, you get 100.
Domain names are a limited research. The Norwegian way of there must be cake left on the table for the newcomers. We want some still there so early adopters don't get to take them all.
So both of these requirements are for other reasons than fighting online harm.
But they have a happy side effect that they irritate the scammers a lot because, first of all, as someone wanting to register a domain to use it for illegal content, scams, spam, they have to either identify themselves or steal somebody else's credentials. When they do and sneak past the registrars control mechanism, they get only 100 domain names or five, if they stole someone's personal details.
They have to burn through a lot of domain names in order to spread their scams.
At the same time, the whole point of making out slightly difficult for the criminals is also not to create a burden on the letting domain holders. We want people to have domain names and have their little corner of the Internet where they have ownership of the content they produce instead of just being on the large social media and technical platforms.
This makes a fairly safe space, but, of course, there are Norwegian criminals, and there are other criminals that steal credentials. So in the case that domain names are used to commit a crime, then the rest of the ecosystem comes into play.
The Supreme Court in Norway, established as early as 2009, a principle that it's the domain holder that holds the responsibility of the use of the domain name. Since that is actually a real person and organisation, there's a place to start if one wants to take action.
This year, the Revised Telecommunication Act is responsible for putting this principle into law.
When proportionate, action may be taken against the domain name, but search measures requires the safety of rights.
With the personal requirements, almost all of the domains used for the technical online harms, like phishing, are compromised domains. So the domain holder is a victim that has his website or his domain compromised and not necessarily the perpetrator.
But in those rare cases where a domain name needs to be taken down, instead of the content acted upon, Norwegian police have a clear mandate in law to seize domain names, similar to what they can do in the offline world where they can seize a car or a gun or a dog if it has bitten someone.
Just like in the offline world, also, in the online world, when they seize a domain name, they have to follow the requirements for due process. And the Consumer Protection Agency has the power to go and require the domain name be deleted or transferred, in the case it's serious online harm to consumers as a whole. But in those cases, they have to go to court to prove they tried less impactful actions first.
So, in summary, I think it's the combined effort as part of the registration process. Then the regulatory framework and the public authorities, both providing official databases we can use but acting when other online harm is being a problem.
>> KEITH DRAZEK: Thank you very much, Hilde. I just want to touch on a point that you raised, and that's the important distinct between domain names registered for malicious intent for the purpose of perpetrating fraud or online harms and compromised websites, web hosts. And you noted that where a domain name was registered with legitimate intent had an account compromised.
So there's a range of possibilities there, in terms of the use of the domain name, but I think you also reinforced an important point. Depending on the nature of the harm, there's the register level or there's the need to engage the content layer of the infrastructure stack to make sure that the Web hosts, the CDNs are also involved for instances where a website had been compromised because they're the only actors that can take the surgical act needed to be able to address that particular bit of harm.
And so proportionality is important in all of that. Thank you for all of that.
Thank you, Hilde.
Okay. I'm going to turn to Lucien next.
Lucien, on day zero, there was a great session that I recommend to everybody. It was on fraud and scams. We heard from you about your new initiative to address a number of challenges in tackling scams and fraud.
Curious what you would like to share on that and how it's different from any other initiatives.
Lucien, thank you.
>> Lucien Taylor: Thank you very much, Keith.
I just wanted to say I think we're going to do our little speeches, and then there will be questions after that, if you want to take a rest.
Thank you very much.
Yeah, Keith, thank you for that.
Three short answers, and then I'll extemporise.
The first answer is we didn't dream up the idea of the GSE ourselves, building a global exchange. A number of organisations came together in a multistakeholder community and asked for that organisation to be created. In other words, that it was missing in the current fight against scams and fraud.
And so how are we different? Well, we seek to change the game in the effort to tackle scams and fraud.
Finally, in answer to the ‑‑ well, it's a point that I generally want to say. We're here at the IGF, and we really think that this is the ideal space, this multistakeholder environment, to discuss these sort of things. But I've also been hearing about the Internet infrastructure forum and others where these are safe places where we can actually come together and figure out how to solve this without kind of getting into a circular firing squad.
So to dig in, my first point, the creation of a new data signal sharing entity, the need for cross‑sectorial platform was created in Lisbon in 2023. The GSC brings together a number of partners to deliver a new service to fight scams and fraud. Currently, we have 160 organisations in the accreditation pipeline. So there's a strict accreditation process. We have commitment from Big Tech ‑‑ thank you, Rima. And we have a huge new opening proprietary threat intelligence from Google. They're opening up their own threat intelligence to this new idea, this new venture and less depend on the threat signals bilaterals and have a single service to go through, as a kind of broker.
We also are in negotiation with several governments. How are we changing the game? Cybercrime is rising relentlessly. I don't think any of us can argue that. I asked my family to give me WhatsApp examples. They've got dozens. You've got to pay a fine. You've got a new bill from some car park or tax office.
We're under this relentless pressure all the time to reevaluate the things that we've been presented with.
There are a number of initiatives across the Internet supply chain verticals ‑‑ we call them verticals ‑‑ that are doing good things, but cybercrime, the vector is still increasing.
When I talk to the supply chain, I'm talking about the supply chain available to fraudsters.
A fraudster will build a domain name, identity, register, company, build a website, benefit from content delivery networks and so on.
They will then establish false IDs on social media channels and some others.
They will easily engage the potential victims through chat, through email, through messaging services. Finally, step four, I call it, a banking commitment is made. A crime is registered. At that point, we know we're dealing with a criminal. And then that he package those fraud services and recycle and make them available and actually provide a fraud and scamming industry for others to enjoy.
So the criminals are moving faster than us. They're exploiting cross‑border legislative tensions and sharing bad things between each other, better than we share things.
So the GSE aims to deliver new things.
First of all, face up to the governance and policy changes, and they are considerable. We've been talk about them in ICANN and IGF for decades now.
Secondly, address the technical challenges.
Now, in terms of the government and policy challenges, we are tackling border and cross‑sectorial challenges, and we've hired good lawyers.
And I'm not even going to talk about that today.
Thanks, Emily.
I will get become to my comfort zone. We've created quick factors, QIQ. You can't invent a new organisation without new acronyms. First, those quick factors are quantity, immediacy, and ‑‑ have we got enough data to reflect the problem that consumers are suffering? In January, we had 40 million threat signals. Let me put that into context. The action fraud City of London please, they're getting 30,000 threat signals every month. We've risen from 40 million threat signals through Google stack up to 270 million threat signals. They're rising by a million threat signals a day. And we still believe we're not seeing half of it.
Hopefully, when Meta comes onboard and starts providing signals, we're going to start to really see what the consumer is suffering from.
We want those more signals to be provided for the participating organisations, and we call this uplift. Uplift is when all parties share signals and, thereby, find new information for themselves. We observe uplift.
We also want to reduce the cost of signals for the smaller players.
Immediacy. We need to make things quicker and reduce the time to live for frauds and scam online. The time between when a signal reported and a signal mitigated needs to be brought down from an average of four days between detection and mitigation.
Esther mentioned the need for Federated models and quantum, big computing power to move toward real threat detection as they're happening.
Quality, to tackle both the quality and the signal and the provider. These are impacted by two things, confidence scores and feedback.
So a signal can be improved by overlap, when all participates share signals and simultaneously detect the same signal, we increase confidence.
And the next part is to develop a feedback loop. It's cybernetics and something I started talking about in 2003. It's missing in the game. The feedback work is enormous. You can't provide feedback to threat intelligence signals, which are low‑quality neighbourhood watchdog type things. These are not data that will stand up in court. The signals are absolutely essential.
I'm running out of time, so I will just summarise.
We have Big Tech doing handshakes and police enforcement.
>> KEITH DRAZEK: Thank you, Lucien. I think you've described a clear need for intermediary and data clearinghouse, a platform of data sharing between threat reporters, reporters of abuse, and the operators of infrastructure that have the capability to address that abuse.
Right?
So thank you very much.
Time check. We've got 18 minutes left. We have two panellists yet to speak. I want to try to keep a few minutes, five minutes, at the end for engagement from you.
Rima, if I can turn it over to you.
>> RIMA AMIN: Thank you. I will start by saying our team in security policy worked to counter adversarial threats in a number of different areas. So that tends to cover influence operations, cyber espionage. Abuse accelerates harm to people and businesses across the board.
Our teams are really focused on working to prevent mitigation and stay ahead of these threat actors that are looking to abuse platforms and violate our policies by redirecting users off over to malicious platforms.
Everyone has said this is an Internet ecosystem problem. So we need the approach to responsibly manage and mitigate some of these DNS abuses.
Just to touch on a couple of the key areas that we're concerned about and that we see, the first being domain spoofing where domain names are created closely to resemble legitimate ones in order to deceive the people using our platforms.
We also see them being used to sort of phish people online and steal their credentials.
The second area relates to cybersquatting and domain impersonation. It lures people into a safe space that they know. Then they commit harms towards those people.
The third is relating to deceptive redistricts. So adversarial actors tend to root users to malicious websites by making them think they're visiting a legitimate one. Then they get thrown over to a harmful website, potentially with sort of malware and other harmful things.
One emerging area that we're seeing is the use of link aggregators and shorteners. That's one area that's emerging.
Just to dive a little bit more into the frauds and scams space and how DNS abuse proliferates that. There's a number of different areas. I will start with the account side. If you are a fraudster, you're most likely to use a fake account or compromised account. Compromised accounts are lucrative and have a history behind them. And those accounts can be used to manage different business profiles, et cetera.
So we see them very often targeted in a way that they might try to gain access to that account is, again, through malicious links, which would sort of install malware and steal credentials and a bunch of other different things.
Once identities are created, so sort of Lucien's point earlier, they will try to engage with the victim. That can be for a post, ad, message, whatnot.
The victim is often taken over to a website. Now, that website might be sort of impersonating a particular shop. They try to buy a product. They no longer receive a product. They try to go back to the website. They don't get any resource, and then they go over to the banks.
So it's challenging. We can do what we can ‑‑ once we understand it's malicious, we can take it down from the platform and make sure it doesn't reemerge, but to Lucien's point about how long they stay on the Internet, they continues to exist on other platforms and cause harm.
A couple of things that we've been doing also to protect the misuse of Meta's brand, we've been able to have some success in being able to take down some of these domains. Last year, we were able to take down 15,000 URLs that came from sort of Vietnam. We've also been age to take down 9,000 URLs that were impersonating WhatsApp, Meta, and Reality Labs. And we're able to take some action, but we believe more is needed.
To go back to the point of these websites existing on the Internet, we take efforts to share the intelligence and signals that we have.
So we do that through existing signal sharing programmes that we have can industry, and we also think GSE has potential, especially because it's not industry focused but because there's cross‑sector sharing that is happening there.
In terms of moving forward here, a couple of things that we think would be really helpful, I think the first is having global solutions. We've seen some really good practice here today. I think bringing those into global context would be helpful because of the nature of the Internet.
We see a lot of countries trying to tackle this in their own way. If there was a consistent approach, we think that would be incredibly helpful.
We also advocate for transparency and accountability policies, including areas that help with authentication online.
Abuse is mitigated as promptly as possible. We support the whole of community cooperation here because we do understand that it is a complex problem. We only see different parts of it. So we need to be pulling these pieces together.
>> KEITH DRAZEK: Okay. Thank you very much, Rima. I think the last point is really critical. That's collaboration, cooperation, information sharing up and down and across the stack, and, also, to both of your points about the need for cross‑sector engagement, for example, the financial processing, we have information that would be helpful to other parts of the Internet tack. Thank you for that.
Graeme, I'm going to turn it over to you.
>> GRAEME BUNTON: Thank you, Keith. I will try and be brief. First of all, apologies that I couldn't be there in person. I'm got a pretty small kid at home, and we've been travelling a bunch, and that's some difficulty sometimes.
I would like the share here today about the work that we've been trying to do to disrupt online harms and what we've learned in that process and how that can contribute to further work within this community.
So, first, a little bit about the Institute, it was created by public interest regular industry in 2021. It's a not‑for‑profit work and needs to do good work.
We're working across the community within ICANN and outwards to try to educate, collaborate, and build tools and resources to try to disrupt DNS abuse. So the institute was created to try to fill that need.
We're not commercial, as opposed to the not‑for‑profit.
We don't do anything for fee. All of what we do is free.
As we began this work with the mission of trying to make the Internet safer for everybody, we first needed to understand the landscape and DNS abuse. We created a project called net beacon map, it's an analytics platform. It's a transparent, academically robust attempt to measure DNS abuse across the system as well as things like concentration, mitigation rates and median time to mitigation.
And we do that with Core Labs.
We've been providing this publicly to the ecosystem for three years. I lost some sense of time being stuck in this room.
And really trying to enable the multistakeholder community to try and do data‑driven policy discussion and development as well as really drive industry action based on rigorous data.
And so what have we learned from that? A couple of things. One is 95% of malicious domains belong to about 50 registrars or less. 80% belongs to less than 20.
So on a malicious domain front, if a way that's good news. The problem space is not huge. You know, there's differences between the registrars.
There's way to bring parties together and improve the situation.
You know, we can see the changes within the industry based on the ICANN amendments that came into effect last year. They're close to diminishing returns on cases of DNS abuse for the large in the space.
Right now, we see an acute issue with two registrars with very large abuse campaigns happening. We'll publish more about that in the next few weeks. All of that is leading to how can we begin to disrupt these things. And so we built net Beacon Reporter, which is a conduit that anyone can use. Use it to submit abuse reports to any GTLD registrar or participating registry as well as hosting companies and CDN.
So we're trying to take reports in, standardise them, enrich them, make them better, and reduce the technical burden on the reporter and distribute them to multiple layers of the Internet stack to try to disrupt those harms.
That work was directly responsive to some multistakeholder outputs, SSR2 and ‑‑ 1 is a, if you speak ICANN, more specifically.
So we've been running that now since 2022. Doing somewhere around the realm of 20,000 abuse reports a month. And we learn an awful lot from that volume. We're getting a lot of feedback from the hosts and registrars that we're reporting to. We can see who is taking action and when and why.
We can do better at evidence gathering and getting information to others in a timely fashion and helping them respond faster. All of those are interconnected.
Lastly, it seems that we need accessible proactive processes. Abuse is happening at such a scale that trying to react all the time isn't sufficient. You know, there are days where we sent 6,000 abuse reports out. 7,000 abuse reports out to individual registries or registrars. And that just doesn't work. It doesn't scale that way without some form of auto‑instrumentation. But, really, it's about getting in front of it. How do we think about collectively getting in front of some of these issues.
And making a point about trust and users, I think we can rely on trust based on behaviour within these systems rather than identity because behaviour on that platform, how many domains have you registered, how long is your hosting account, those attributes cannot be faked. And a really good place to be building trust on as we begin to think about who has access to these tools and resources.
I will stop there. I know we only have a few minutes.
Thank you very much for the time.
>> KEITH DRAZEK: Thank you very much, Graeme. Really appreciate it.
We have like three minutes left, so I have two people at the microphone. If we can be brief ‑‑ I'm sorry. We have three. Let's try to fit in the three interventions.
Thank you so much.
>> FLOOR: (Speaking French).
(Interpretation is not available for captioning)
>> KEITH DRAZEK: Thank you for the question. I know we have a couple of French speakers on the panel.
So Benoit?
>> BENOIT AMPEAU: I will translate and make it short.
There are victims from scam companies because they're also, themselves, sending emails from Gmail, Yahoo, and not ‑‑ what would be the use of local TLDs.
I hope I translated correctly.
>> KEITH DRAZEK: Thank you for the translation.
So good question. Maybe we can take it offline because we have others in the queue.
Is that Andrew?
>> Andrew CAMPLING: It is. I'll be real quick. Two very quick points. Firstly, ICANN has done great work to tighten up the contracts to address some of the DNS abuse issues. The real gap is the lack of action by some of the CCTLDs.
So how do we get governments to also step forward to address this? So maybe this is the right forum for that, as some of them are here.
And then secondly, despite the good work at ICANN, the definition of DNS abuse that I can use is incredibly narrow. For example, it doesn't address things like CSAM or it does cover phishing. So how can get more work done to broaden the definition so it has more impact than it already has?
>> KEITH DRAZEK: Thank you, Andrew. I can respond to that briefly? One of the bright lines is when you get into content‑related matters, ICANN's bylaws prohibit from getting involved into content.
So the definition of DNS abuse is relatively narrow by the necessity of ICANN's bylaws, but there are other venues for discussing content harms that are being discussed and developed.
Bertrand, I'm going to go to you. It's one of the areas where some of these content‑related discussions are going to take place.
Thank you.
>> Bertrand: As Keith mentioned, we have been asked to organise the space to address a certain number of abusers that cannot be addressed in the ICANN environment and to engage other than the DNS operators.
This is the Internet Infrastructure Forum, which is a new thing that started basically in February of this year.
I want to very quickly mention, in light of what you have been saying, one, this whole thing is a speed and scale challenge. It's a data‑sharing challenge.
The second thing is scams, fraud, and so on, there's a concept evolving that we've been discussing, which is the notion of theft by deception. This is a category of problems that would really benefit from coded actions by the different actors along the stack.
The next thing that I love about what is being presented here, these are bottom‑up, spontaneous organisations, just like the IETF emerged and others emerged. This is the stakeholder bottom‑up initiatives in action.
It actually is what is needed because the governments are hobbled by the jurisdictional challenges that prevent them from addressing cross‑border issues.
We see the emergence, Graeme was here. You were talking about what you're doing with the signal exchange. There are layers here. The IAF is a space for the discussion of what could be done by the different actors. We see the emergence of new intermediaries that handle the new abuse workflow problem, management, and what you're doing is contributing to the platforms for exchanging signals, and I think this is building the system that, at last, will allow law enforcement to engage and other actors so the whole number of actors can, in a network fashion, address those abusers.
>> KEITH DRAZEK: Thank you very much, Bertrand.
With that, we're two minutes behind. We need to wrap up.
Thanks to the panellists and everybody online. Thanks to you in the room. I wish we had another hour, but we need to close the session. So thank you very much.
(Applause)
