In this webinar, Georgia Osborn, Senior Research Analyst at the DNS Research Federation, Carel Bitter, Distinguished Engineer at Spamhaus, and Chris Niemi, Manager of Strategic Initiatives at Markmonitor, sit down to discuss ccTLDs in the larger context of DNS Abuse. Watch the webinar or read the transcript to learn their thoughts on the matter.
Full Transcript, Including Q&A of “League Table Talk: Ranking ccTLDs on DNS Abuse” Webinar
Editor’s Note: The following transcript, including the questions and answers (Q&A), has been edited for clarity.
Introduction
Speaking: Natalie Brownell
We’d like to welcome you all to our League Table Talk, and thank you for being with us today. This League Table Talk is being presented by the DNS Research Federation, Spamhaus, and Markmonitor. With that, I would like to introduce you to our presenters.
We have with us Georgia Osborn, Senior Research Analyst at the DNS Research Federation. She has authored and co-authored products on internet governance, blockchain domain names, regulation and the NIS2 directive and DNS abuse. Prior to her work within internet governance, she worked as an intelligence analyst within counterterrorism. She plays a midfield defense position in her local football team, fondly known as the Goal Diggers.
We also have with us Carel Bitter, a distinguished engineer at Spamhaus, and he has been with Spamhaus for over a decade. “Most of his time is spent investigating how a bad actor’s infrastructure operates, and ensures internet users are protected from nefarious activity. From malware and snowshoe spam to DNS domains and everything in between, he is always absorbed in a cat and mouse game, tenaciously hunting down malicious entities. With a focus on reputation across all internet resources, Carel enjoys reviewing data that helps provide context, and ultimately protection.”
And we also have with us today, Chris Niemi, Manager of Strategic Initiatives here at Markmonitor. He’s a domain name professional with over 20 years of experience in the corporate registrar space. A subject matter expert on ICANN’s New gTLD program, he’s a thought leader known for providing service and support solutions around domain strategy, domain disputes, and dot brand services.
He has been an avid American football aficionado for longer than he’d care to acknowledge, but for today, he’s all about the world’s game. And with that, I will go ahead and pass you off to Chris to take us into today’s discussion. Thank you.
Speaking: Chris Niemi
Welcome to league table talk live, we’re going to give you the hard hitting sports news you’ve come to expect from every over-serious and overpaid football commentator and analyst around the globe. But today we’re going to do it with a twist with the UEFA Euro 2024 having been played earlier this summer.
And with the Premier League season just starting this weekend, we’re going to take that energy from the real football season and turn it into pontification about the exciting and ever changing world of country code top level domains, and the evergreen threat that is, you guessed it, DNS abuse. In this 34th week of the 2024 domain season, we’re going to get you up to speed on all that you need to know.
You may be familiar with the beautiful game, but today we’re going to talk about the beautiful domain.
As Natalie so kindly introduced them, my co-hosts in their real world jobs, today we’re all going to be sports pundits of the corniest (and most informative) sort. So, without further ado, let’s goooooo! Ready guys? I’m ready.
Speaking: Georgia Osborn
Oh yeah, I’m ready.
What is DNS Abuse?
Speaking: Chris Niemi
Okay, so before we get into it, every good game in a team needs an opponent. Unfortunately, in the internet world, there are all sorts of opponents of the worst kind: the trippers, the handballers, the slide tacklers, all over the interwebs. And they all deserve a red card, if not a suspension.
But between law enforcement, cyber security experts, brand protection companies, and the brands themselves, everybody wants these players off the field. So, before we get into the details on where these bad guys are, let’s take a step back and look into the rules of the game. And that’s where we think about, in the DNS area, what is the definition of DNS abuse?
Earlier this year, ICANN, the Internet Corporation for Assigned Names and Numbers, amended some of its main agreements, the Registry Agreement for Registry Operators and the Registrar Accreditation Agreement for Registrars, to add formal definitions of DNS abuse. In this case, they’ve defined it as these five things: malware, phishing, pharming, botnets, and spam, when the latter is used to deliver any of the four other abuse types. So this is one particular take on what DNS abuse is comprised of, but in other contexts, DNS abuse can be turned into even vaguer notions of potentially anything that utilizes the DNS system to carry out harmful or illegal activities.
Carel, what’s your take on DNS abuse? What do you and your referees over at Spamhaus think of it?
DNS Abuse and Spamhaus
Speaking: Carel Bitter
Well, I think to start off, the ICANN definition is really useful because those are things that basically everybody agrees on. You know, they are bad things everybody would agree on without hesitation, or to stay on topic, give a red card for those kinds of things. Being Spamhaus, obviously we take the whole spam angle a little bit broader. And so we also care about spam when it’s not being used for any of the topics mentioned there.
So there’s spam to let’s say sell Viagra or sell insurance or anything like that. That’s definitely within our purview and something that we care a great deal about, but there’s also a lot of other abuse related activities with domain names that rely on domain names to work out. A good example that probably everybody knows is SEO spam where people buy big numbers of domains, create, basically fake websites with content to drive traffic to other content, to other websites, to promote other websites and that’s something that’s basically outside of our scope of discussion today.
Also, outside the DNS abuse scope that ICANN has, but it’s definitely an example that’s out there. Another thing that people often are keen to drag into this debate is anything dealing with intellectual property. That’s also outside of what we take care of, what we look at, but also definitely outside of the DNS abuse scope as ICANN defines it.
And yeah, depending on who you talk to, some people will say, “This is great,” and some other people will say, “Well, it’s not so great.” We would like to have the ability to issue the red card for those kinds of things as well. But, it is what it is right now. And, I think, let’s deal with the bad stuff first. Let’s get the worst players, the worst offenders off the field first, and then we can focus on some other things.
Speaking: Chris Niemi
Okay, Georgia, so obviously, the DNS Research Federation has a take on this, which is clearly what led to the league table idea. Were you just looking at the football standings one day and said, “Eureka, this is it! This is how we have to do it!”?
DNS Research Federation League Table Methodology
Speaking: Georgia Osborn
Thank you, Chris.
Yeah, we wanted to show that it’s not all about giving out red cards and sending people off the pitch, although that would make for a good league table. It’s about incentivizing the best of the domain name industry with the lowest abuse rates.
So, we wanted to encourage some of the good work that the ccTLDs are making by basically making it a sport. And the league table is sort of designed to spur healthy competition amongst like minded registries, which facilitates an arena where ccTLDs can vie for the lowest abuse rates. It shines a light on good behavior and seeks to foster a culture of continuous improvement for a safer internet for everyone. But it also keeps us on our toes. We have pundits wondering who’s on top. Is it France? Is it Germany? Is it Spain? What you’re seeing, with this league table is basically their ranking. So I’ll go into detail about what that looks like when we’re looking at the league table, and what that means. But basically you want to spur on healthy competition.
Discussion: Reviewing the League Table and Ranking ccTLDs in the Context of DNS Abuse
Speaking: Georgia Osborn
What you’re seeing right now is the league table so I can kind of go into a little bit more detail. If you look at the first number on the right hand side, that is their rank in terms of all players, all of the TLDs, so that’s including gTLDs.
So that’s the first number that you’re seeing on the right. And then you go to a number next to that. That’s where they are, where they were last week. So we want to show that these, these numbers, this ranking, is not static. It can change. It’s different from last week to this week. And you can see quite a lot of them have gone up in terms of less abuse rates week on week, so that’s sort of what we were trying to do with the league table.
Speaking: Chris Niemi
Okay, so it seems like the game plan was to sort of come up with this metric driven structure and then it looks like, because they were analogous, you settled on the EU ccTLDs for today’s presentation, is that right?
Speaking: Georgia Osborn
Yeah, I think it’s one of those things where the EU performs really, really well as a group in terms of their ranking around DNS abuse.
From our statistics, from a report that some of my colleagues did which was funded by ICANN’s business constituency, the EU ccTLDs accounted for only 3 percent of malicious use compared to their global market share of around 14%. So really, that shows that the EU ccTLDs are performing very well.
They have the lowest abuse rate of any TLD block. So one of the reports that we were writing was basically to answer, “Why are they doing so well? Why are they performing so well? And what can we learn from them?” We went into detail. My colleagues, Emily Taylor, Alex Deacon, and Nathan Allen all wrote a report around the measures that are put in place for the EU ccTLDs using a specific methodology. And I think it’s important to note here that, with methodologies, there are different measurements for these things, it really depends on what you’re trying to show. With this particular measurement, the abuse reports, which are included to understand the ranking of each TLD, the data is from OpenPhish, APWG, abuse.ch, URLhaus Project, and none other than our friend from Spamhaus as well. So, we’ve got a mix of things here that bring the numbers up to where they are and then we also look at the number of registrations with the number of abuse reports.
So, that’s really what we’re looking at in the league table. And Alex Deacon has written a really good blog on the different types of measurements. You know, just because we have that measurement doesn’t mean that any other measurement is right or wrong. It depends on what you’re trying to show. But I think with this league table, it’s important that we incentivize those who are doing well to do even better and show that it can change week on week.
Speaking: Chris Niemi
Great. All right. Now that we have that foundation under us, to pull back a minute, Carel, how do you think the bad players pick where to play the game as it were?
Speaking: Carel Bitter
It kind of depends on what they’re trying to do. But, often you see that it comes down to two big factors.
First one being how easy it is to get a domain. To clarify that a little bit, for certain TLDs, there are restrictions. For example, some of the European countries on the list here require you to have the registrant owner, technically the owner of the domain, to be in that country, to be either a citizen of the country or a business in that country. Obviously that puts up a sort of a natural barrier where, if you look at a lot of the, especially the largest scale of cybercrime, comes outside of Europe usually, and, so that, by definition, already makes it kind of hard to get one of the ccTLDs that are specifically mentioned here.
And another big factor is price, especially when the type of abuse that somebody is doing, some threat actor is doing, requires a larger number of domains. It could be tens of domains, could be hundreds, could be thousands, or even tens of thousands. Obviously, the more domains you buy, the bigger the price is going to play into this. If a domain is being sold for a couple of dollars per domain or in the tens of dollars per domain that’s quite a big factor there. So, basically, those are the two things that usually influence where people go. I think it’s important to realize that for many of the bad things people do online that require domain names, the domain names themselves are being treated as a throwaway asset.
The domains are being acquired, they’re being used to do the bad thing, could be phishing, could be malware, whatever. And there’s this realization that yes, whatever they do, it will be discovered — by researchers, by filter vendors, and things will be blocked, so the domain names will be taken down. There’s really an expectation amongst the threat actors that the domains have a fairly short lifespan, so that means that the moment it gets killed, if you want to continue doing what you’re doing, let’s say you’re running a phishing campaign against some bank in Sweden, there’s a good chance that after you run your campaign, your domain will be taken down. If you were to continue your campaign, you’ll need to get new domains. It’s a continuous thing where bad guys keep buying new domains.
If you look at specifically this list of the European domains, that’s something where compared to the gTLDs, they really excel. It’s just a little bit, or sometimes actually a large bit, harder to acquire one of these domains compared to getting a gTLD where basically, anyone anywhere in the world can acquire one of those TLDs, which is by design, I must say.
Speaking: Chris Niemi
So Georgia, I think we’ve talked in the past about this — about how the “front office,” if you will, of a ccTLD registry, of what its approach is, how it’s set up. Does that sort of affect what can happen in the DNS abuse space?
Speaking: Georgia Osborn
Yeah, totally. And I also agree totally with what Carel said about, the gTLD space being totally different to the ccTLD space, particularly, if you look at the rankings today. I took a little sneaky look this morning to see if there were any changes, and there was a change. Last week, looking at it there were a few arrows going down. So, what you would see last week would be a red number with an arrow going down. And the reason why it’s different this week is because a couple of gTLDs had a few bad… I guess it was a bad week for them in terms of abuse and they shot right down. So that’s made all of the ccTLDs go up. That’s why they’re all showing a green number right now. I just want to highlight that there’s a difference, that that’s sort of how the numbers are ranked.
With the ccTLDs, particularly the European ones, a lot of them are run by not for profits or universities. I think it’s really important to note as well that they operate in the unique context of their country. So those are really two important points when it comes to it.
They often vary in business model, ownership and size. And then also the relations with their government are different depending on what’s going on. That changes the fundamentals when it comes to running a business. If it’s a university or not for profit foundation, they do things very differently, and they have strong links to their local communities, but also they don’t run by ICANN rules.
They can set their own match rules. They can set their own games. And they have their own set pieces, their own plays. We did promise a corny little few lines. So you can enjoy that, but yeah, I mean it really differs across the different European spaces and one of the things to note here is that just because you’ve got a specific measure in one country, like Denmark, does not mean if you put that exact same measure in another country that it will perform in the same way.
Speaking: Chris Niemi
Got it all right. Well, at the halftime of every game, a lot of times we do the highlights and highlight reels or in some case low light reels. Carel, do you have any thoughts on some of these folks that maybe aren’t quite where they want to be yet? They’re not quite at the top — do you have thoughts about what they’re doing or, what effects they’re having?
Speaking: Carel Bitter
Well, if you look at across the board, like what Georgia just said, if you look at the numbers here, there are more than a thousand TLDs around and even the lowest ranked European one is still in the top half of the ranking.
As you know, I’m from the Netherlands. We have people here in soccer always talking about the left row and the right row. This goes back to how the Premier League is displayed on TV when the standings are presented. Basically everybody here, everybody from Europe, is in the left row, which is the good part. They’re all doing quite well.
To continue on what Georgia already said, I think an important thing to realize here is there’s also a certain maturity with the European ccTLDs. They’ve been doing this for quite a long time. The European ccTLDs were among the first made available to the countries. The first who at larger scale started to hand out domains or sell domains to entities in their countries. They’ve been doing it for way longer than some others, than, let’s say most of the African countries. Another interesting thing to look at is the scale. So, for example, Germany is at the top of the screen with just over 16 million domains. France is a big one with almost 4 million. The EU itself, the .eu TLD was a little bit of an odd one out, but with over 3 million domains is not bad either.
And I think the Netherlands has over six million. Those are all quite large numbers, there are many gTLDs that don’t even come close to having this many domains in their zone. And with that volume comes a certain maturity. It’s like the soccer team that’s been around for a hundred years. They’ve been through the ups and downs, and they’ve had good trainers and bad trainers, and good players and legendary players and they’ve seen it all. And as a result of that, they are better prepared than some of the newer teams that entered the scene.
If you start examining it, like, the work that Georgia’s colleagues have done, you ask, “Why are they better?” There’s just so many things where you can see… yes, it’s almost logical, the bigger news might actually be when you say, “Hey, why isn’t everybody else better?” Because these people have been doing it for so long.
I’m not aware of any EU ccTLDs having specifically a big problem. The ones that I, in my work, encounter the most are basically the European ones that have opened up to the rest of the world, meaning that, you don’t need to be specifically tied to, for example, the Netherlands.
It used to be in the Netherlands, back in the days when I bought my first .nl domain, I needed to fax documents to the registry to show a filled in form and a copy of an ID and all those kind of things, which is completely unimaginable these days. But they have progressed on from that very closed, highly verified process to basically opening it up, not only to people who are not Dutch, but also to registrars who are not Dutch.
And whenever we see larger sets of problematic domains, and this goes for Netherlands, but also for Germany or other countries, I’ve seen it with .eu as well, it’s usually not the registrars in that country that are the source of the DNS abuse. It’s usually registrars outside of the country that are the source of those kinds of things.
Again, it sort of ties into the strong geographic tie that the ccTLDs have, or the moment you give it out to somebody else for registration.
Speaking: Chris Niemi
And then we talked the other day about some interesting sort of dichotomies like with .ee, that ccTLD for the country of Estonia that is almost entirely online, and all of its kind of activities, yet, it’s sort of at the bottom of the ranking. So, do we have any ideas on that?
Speaking: Carel Bitter
Yeah, so I don’t know if Georgia has anything to say on that, but that’s a really interesting one because one of the big things in dealing with domain abuse in general has always been around KYC, know your customer, and doing a verification of who buys the domain.
And Georgia, maybe you can answer the question. Do you know if Estonia has a tie in for their electronic ID (EID) to the domain registration?
Speaking: Georgia Osborn
Yes. They’ve had EIDs for a long time. They’ve been really spearheading the EIDs for a while.
You find some surprising ccTLDs that are either lower than you might expect or higher than you might expect in the rankings. You mentioned earlier Carel about how it’s when they open up to the rest of the world, that’s sometimes where you find some problems.
Well, it’s interesting and I think it warrants investigation as to why things are the way that they are. Belgium, .be for example, I don’t think you need to be a citizen of Belgium to get a .be domain. So, it’s always interesting because I think they’re ranked second, or they’re ranked in the top four right now.
It’s an interesting sort of finding and I think it warrants investigation as to why things are the way that they are. I think showing it in a league table really gives you a perspective of like, okay, so it’s not necessarily all these measures, EIDs don’t necessarily equal low abuse rates. Opening up to the rest of the world doesn’t necessarily equal high abuse rates. It could be a mixture of measures.
And like I said, I’m going to use a really corny analogy, so apologies for non football fans out there, but you put David Beckham, who was a Manchester United player, and you put him in Spain in Real Madrid, he struggled. And I think you can’t expect the same measures to perform in the same way when you put them in a different team.
So this is, especially in different context, it’s very much dependent. And I think it’s something that we should all investigate further as to why — what measures are they doing and why is it not matching up or lining up to our expectations?
Speaking: Chris Niemi
Yeah, that’s great.
I recently watched that Netflix show about him and that was really interesting to see his career. So, I put in a plug for that for you football fans out there. Anyway, so to go into those top couple EU ccTLDs, we wonder, “How are they being the goalkeepers? How are they keeping the abuse out of their nets or their TLDs, if you will, do they have something more than good gloves, like we were talking about?” Cyprus, .cy, like you said recently, that had shot up. Do we have any ideas about that one?
Speaking: Georgia Osborn
I can go ahead and take this one. So, it’s not just about having a safe goalkeeper, but also who the striker on your team is. It’s having a good set of measures, a combination of measures, not just leading, not just having one single measure do all the work for you.
So for example, all these EU ccTLDs have different measures in place, usually a combination of measures, which is what the key finding of the report that my colleagues did last year was that, really, it’s a combination of measures and not just one that makes for a high ranking on this league table.
Also, it’s ad hoc, it’s putting in ad hoc measures. Sometimes, it’s if you have the infrastructure. EIDs, you know — Denmark has EIDs, has ad hoc measures and has a combination of all sorts of things going on. And obviously, it’s the golden cup of ccTLDs right now. And I’d say it’s consistently so.
Now, what was surprising to me was how Cyprus shot up in the last couple of weeks. Again, it warrants further investigation. I looked on it, just speculatively to see what I would have to do to buy a .cy domain name and cost matters.
When I checked last week, it was around a hundred euros annually to buy a .cy domain name. Now that’s interesting because cost does matter — you’re not going to get a load of criminals or spammers buying .cy if they have to pay, have to fork out 100 euros yearly to do so. So, it’s an interesting little finding that the cost matters, and so, when you look at Denmark you have to look at what they’re doing. They ask a registrant to provide VAT number or tax ID, and they do have EIDs there as we mentioned. You don’t have to be a citizen of the country, but they do implement quite heavy steps on verification of registration. And they have sort of intense measures around anything that has been flagged as suspicious. They have a grading system if something goes into that level of suspiciousness, which I haven’t looked into that grading system, but I think again, it warrants further investigation. These are all things that I think this league table shines a light on. There are some surprising players who were doing really, really well here, and also some surprising players that you might expect to be doing really well that may not be performing as well.
I think what’s key here, though, as a takeaway, is that it doesn’t always have to be like this. You can change your position. This league table is real time, it’s powered by our dap.live platform that the DNSRF has created. It’s live and the fact is that it changes weekly.
It doesn’t have to stay the way it is. You can, as a ccTLD, perform better and have lower abuse rates. You don’t have to be at the lower level, you can also play at the top leagues.
Speaking: Chris Niemi
So those that are on the bench, aren’t necessarily going to be there all the time. Like they might get subbed into the top 10 eventually.
Speaking: Georgia Osborn
That’s right. Yeah.
Speaking: Carel Bitter
And that’s really great because sometimes the best defenses get breached, and in this case, it’s all about how you deal with it afterwards. If let’s say for some reason, there’s 10,000 bad domains created in .dk next week… if .dk finds that out and says, “Hey, yeah, there’s definitely a problem here. We’re going to take care of that,” then they will dip one week, but the next week they’ll be back up. And so there’ll always be movement in the rankings. I think a really important thing is that this will hopefully motivate people to take action, say, “Hey, I’m dipping. Let’s investigate. Why is this happening?” Like when Georgia said that the data sources that are being used are quite open, anybody can figure out what’s going on there and everyone can take a look and see where is this abuse coming from — what’s driving this — and take action on that.
Speaking: Chris Niemi
Great. All right. So football, I mean, it sounds like a simple game. There’s a field and a ball and people kicking it around, but it clearly has a bunch of strategies involved. What are we thinking in the grand scheme of things, of the current Xs and Os out in the world that are going to affect DNS abuse rates? As we start going forward, what are some of these broader ideas or things that are outside of maybe the DNS system proper?
Carel, why don’t we start with you and then Georgia can follow.
Speaking: Carel Bitter
So, I think one of the most important things in the end is the whole KYC process, knowing your customer as a registry. You should know who you’re doing business with and that whatever data that’s provided to you is actually correct and is representing the entity that you’re doing business with. Building that sort of verification into the system increases the trust because people say, “Hey, if a business these measures (let’s pick .dk because they’re on top), they should get some praise here.”
If a business uses a .dk domain, people start to know, “Oh, that’s good, that’s verified. Somebody took that extra step to make sure that really is the business.” That way, it’s not just anybody off the street that can go and buy a good looking domain name.
I think that trust is something that has been sadly lacking on the Internet for way too long. I think that’s really important and that’s something that the registries and registrars can build if they’re willing to take an extra step of doing an extra verification.
I think there’s a lot of value they can bring to the table — when they start building the trust that the people are who they claim to be — are actually somebody who’s certified, that this business is actually this business. And I think that will be great for everyone, but there’s just so much to be gained in that area, because especially in the space, there’s not that much KYC going on. Especially in retail registrars, it’s a thin margin business, it’s all driven by volume. So yeah, that’s usually not the space where those kinds of things can flourish. Whereas, if you, to Georgia’s example, if Cyprus sells each domain for a hundred euros, that actually leaves a fair amount of money on the table to make sure that if a business is ordering a domain, that there’s some budget available to either by hand or with some automation check and verify and ask, “Hey, are these people who they say they are?”
Speaking: Georgia Osborn
Carel, you totally hit the nail on the head for me. My background is in law enforcement, I came into this industry, and my first thought was, “Why isn’t more tracking going on?” Because there are a lot of things that would suggest that maybe the gTLDs could do more, and maybe should do more.
And KYC is one of those things where it’s not a silver bullet, but it is the main thing that law enforcement, the first step that law enforcement needs or looks for when checking anything. So ultimately if anything’s gone wrong, it’s either effective or ineffective KYC that either helps or hinders the case, and the domain name industry doesn’t always see that. So, I think that’s the first thing I want to be very straightforward about — that my background is in law enforcement.
I think it’s key to note, because we’re doing a paper on KYC at the moment, the importance of looking at it as something that really does help to provide a safer and more transparent space for the user. But also for the domain name industry itself, we want to look at the domain name industry to trust it.
And when you’re looking at, some of the things that the gTLDs are doing — and by the way, we’re looking at some potential regulation coming down the tracks — we’ve got this NIS2 directive coming in, which has new obligations of verification. And I understand that the verification discussion around domain names is fraught, it’s difficult.
Validation and verification are often interchangeably used, yet they aren’t always the same. So when it comes to good KYC measures, I think the gTLD space can really learn a lot from the ccTLDs. It doesn’t have to be the most extensive, like EID checks, that really hits the nail on the head. You can employ a risk based approach that looks after human rights as well, that values human rights and you know, values the user experience, and for any business that also worries about costs, understanding the costs that can come into play with KYC checks as well as an industry.
I think we have to get to grips with the fact that this regulation is coming. It may not come tomorrow. The deadline is supposedly October, but let’s see how that one goes. But, it is coming. And I think you’ve got different industries coming in with different measures. For example, one of the things we looked at in the paper was, “How are different industries going about KYC?”
So, we looked at the banking sector, we looked at the online dating sector, which is currently not regulated. So the online dating sector have deployed various different measures of KYC. Tinder in the UK checks your passport and then you have like a blue tick and then users can decide whether they want to talk to somebody without a blue tick and take that risk of being catfished or having a potential spammer.
And I think when you look at other industries, particularly non regulated ones, you look at how voluntary measures can really make a difference in terms of how much abuse is going on. In the case of the league table, how many red cards are handed out, how many people are thrown off the pitch, or goals scored?
In the case of dating apps, it would be how many romance scammers are getting away with thousands of pounds, but I think also the domain name industry, it would be a case of how much money is being lost through scams and how much could be prevented or, after the act has taken place, then looking at KYC measures.
Speaking: Chris Niemi
Wow, that’s fascinating stuff. I never thought I’d associate dating profiles with domains, but anything’s possible in 2024. All right, well as we’re starting to wrap up and think about our final thoughts in this 2024 season, what are the trainers doing? Are the coaches, the managers, the people, are we pulling towards the win? Or are things still in trouble? What are your thoughts? Let’s start with Georgia, then we’ll follow up with Carel.
Speaking: Georgia Osborn
Yeah, so, the EU ccTLDs are performing as world class players. At the moment, comparatively to other groups, when it comes to domain name abuse, they’ve got a real mix of good practices and good measures, and they’re top of their game.
We can learn a lot from some of these star players, and I think that’s my main takeaway from looking at the EU ccTLDs, but also that this can change — that it’s not static. I think the year’s going pretty well, it’s this new start for football season, but I think there’s plenty that we can do in the domain name industry to sort of change the rankings and bring gTLDs up with us.
Speaking: Chris Niemi
Great. Carel, your thoughts?
Speaking: Carel Bitter
Since we’re talking soccer anyway, I’m going to make the connection to my local soccer team here. They got demoted last year and worked really, really hard, and got back in the Dutch premier league this year. And, basically, to what Georgia was saying, look, if you put in the work, you too can be at the top. Obviously, there’s always a little bit of luck involved, and you may not always have control over your entire destiny, but, as domains go, each TLD, even within the ICANN space, there’s a lot of the rules you can shape yourself.
And, and yeah, my hope as a European, I’m very proud of this result here. I think as Europeans we’re doing quite well, this is great. This shows that as a society, we’ve got things in reasonable shape here. And I would love to see some of the lesser players get inspiration from this and try to get better.
But the flip side may also be that clearly there’s a lot of knowledge on how to do this right here in Europe. And again, let’s go back to soccer. You will see European soccer trainers all over the world, one of the great expert products of European soccer is not just the game itself, but it’s the players and the trainers that get to work all over the world.
So possibly, the TLDs here that are on the screen, European ccTLDs, can export some of their knowledge and know-how to the rest of the world and be a little bit more vocal and say, “Hey, we actually know how to fix a lot of these problems that you’re having. We can help you bridge some of the gaps and some of the issues you may have.” Clearly, there’s a lot of talent on the field here.
Speaking: Chris Niemi
To echo what you just said, I know that at ICANN 80 in Kigali, Rwanda in June, there was a specific session of the ccNSO, it was called the RA and RAA amendments. They asked, “What can ccTLDs learn and share?” And it was some of the bigger registrars in the gTLD space having conversations with ccTLD registries and vice versa. I think there’s this definite idea of “Let’s share best practices. Let’s approach this.” ICANN’s taking it arguably more seriously than perhaps they have in the past, by codifying the actual definitions of abuse and so forth, and starting to do ICANN compliance issues around it.
I think, for our clients to take away, obviously DNS abuse is still a large issue. It’s still gonna be a thing. It’s a thing we’re gonna continue to fight. But there’s definitely some hope in that the parties are working together and we’re definitely going in the right direction.
Questions and Answers
On that note, I did see there are questions.
All right. So the first one, I think this is probably going to be more towards you, Georgia. It says, “Can this data be broken down by, number one, category of abuse? Two, second- or third-level registration? And three, source of the abuse report?” I don’t know if you want to comment on your data and what you want to share in that regard.
Speaking: Georgia Osborn
Yeah, so, if you look at Denmark on the league table, and you click on the down arrow where it says “number of domains,” you’ll have a little bit more information on some of the data, which sort of gives you an idea of what we use in the dap.live platform. But really this is, live, powered by the dap.live platform. So you can have a look at the dap.live platform yourself, which if you sign up on our website, you can have a little look, and it will tell you quite a lot of details. In terms of the specifics, I wouldn’t know until I looked at the specific one. But I think it does break it down as much as we can feasibly with the data that we have. Of course, we anonymize any data that we want to protect.
Speaking: Chris Niemi
Great, let’s see, there’s another question that asks, “Is there an ability to separate this by malicious registration versus victimized registrant?”
Speaking: Georgia Osborn
I’m not sure if we can break it down with that level, but I can definitely take that back to my team. I’m not sure we can check that one out.
Speaking: Carel Bitter
That’s a really good question because malicious registration is something that the registry or registrar can take action on and probably should take action on if there’s sufficient evidence where, as a victim, somebody’s website gets compromised, as many DNS are compromised, that’s a whole different ballgame where in the end you’re not looking to suspend the domain, you’re looking to have the online infrastructure be fixed or remediated in some fashion.
It’s interesting to mention that I know of one European ccTLD, which is not in here, because depending on how you view Europe, they’re either in it or not, which is Switzerland. They have some very strict regulations on domains that are the victim of some sort of compromise, either like the website or DNS or something, where if the end user that’s responsible for the infrastructure does not fix it, the registry is allowed to actually take the domain out of the zone to, in certain cases, protect internet users, even though the registration itself is not malicious. So, that’s a really strong measure they can take. I don’t know how often they actually take it. I don’t know if there are any statistics on that available, but it’s definitely something where the Swiss have taken a quite strong approach towards safety in the end, which I think is to be applauded.
Speaking: Chris Niemi
We just got another question in. “In terms of KYC and verification, these are very interesting points that have been raised. The discussion seems to be focused on differences between TLD registries, but shouldn’t the emphasis also be on registrars to do better ID checks and pass accurate ID info onto registries?”
Anybody want to start with that one?
Speaking: Carel Bitter
Absolutely. I mean, if you ask me, they have the relationship with the customer. Usually the customer registers the domain with the registrar and the registrar deals with the registry. So the registry usually does not own that relationship with the customer.
So yeah, it’s the registrars that should do that KYC, but it’s probably the registries that should force the registrars to do that, because probably if they don’t, there will be plenty of cases where on the budget side of things, people say, “You know, it doesn’t really fit our budget model so maybe we’ll not do it.” I think to go back to soccer, to level the playing field. If you’re asking people to make some extra effort to do this KYC process, it should be fair and you should have the same rules for everybody.
Speaking: Georgia Osborn
Yeah. I mean, I totally agree with you, Carel. And I think you raise exactly the sort of points that they are the ones with the relationship with the customer. And it would be strange for a registry to suddenly reach out to your registrant, when they had no connection to them and say, “Hey, we need to check your ID.” It would just be very strange. But I think, there’s another point here, which is, the NIS2 regulation or the directive. It doesn’t clarify about verification — who’s responsible, how the verification should take place, what’s needed. It doesn’t clarify. It leaves it very much vague. I can see what the NIS2 directive is trying to achieve, but in practice, I think it might make it more confusing for registries and registrars in terms of what should be done, who should take responsibility for putting in the measures.
So yeah, I mean, in practice, it should be the ones who have the closest relationship with the person who registers the domain name. It’s going to be a tricky one, especially for smaller businesses who may not have the resources in place to kind of put that in.
And by the way, there’s always going to be a cost. You’ve got to balance the cost with it. And that’s something that the ccTLDs being non-profit sometimes don’t need to worry so much about. So I think when it comes to looking at the broader scale of things, regulation is coming. How we implement it… I think the next stage would be voluntary verification and determining how that takes place. Is it going to be a checkbox exercise where it doesn’t actually make much of a difference who scores the goals or what’s going to happen as long as you just check the box? Or is it going to actually make a difference and bring you up higher in the rankings and you can actually see it?
I think the league tables can actually hold people accountable a little bit as well as incentivize people, or TLDs, to do better. So we have another question, which is more of a comment, but I think it speaks to the difficulties about trying to make broader generalizations here.
Speaking: Chris Niemi
Another comment we received: It says “.cn, so China’s ccTLD, has a real name verification requirement, which is analogous to KYC, and yet they’re number 545 on the table.”
I think China over time has had a lot of different issues that played into its history of number of registrations versus how much they’ve regulated things versus releasing regulations versus perhaps different takes on application of trademark laws and other things along those lines, but I don’t know if you guys have any other thoughts on how a ccTLD like that might be towards the bottom even if it does have verification.
Speaking: Carel Bitter
Georgia has said it before, there’s no silver bullet. If there was, then everybody would apply it because it just makes life so much easier. KYC, I think is important, but it’s not going to fix everything. And, in terms of the Chinese issue, I’m intimately familiar with a couple of threat actors who operate out of China, mostly targeting Japanese businesses and using many .cn domains for that, which is one of the big reasons why .cn scores the way it does. It’s hard for me to verify if the names that are in the WHOIS there, if those are the actual true names. If they have this verification process, I assume they’ve actually followed the process, although, there’s no guarantee for that, but let’s assume they did and let’s assume that whatever’s being presented there is the real data. But there are other things you can look at, and Georgia already said it earlier, I think it’s really good to also take a risk based approach. You don’t need to verify everything, but it’s not that hard to find within all registrations, a group of domains where you say, okay, here, I should take a closer look at what’s going on.
If the registrant is really who they claim they are, maybe the infrastructure being used to host the domain is somewhat of an indicator. What other domains does a registrant own? How old is this profile? There are many things that can be done.
And one of the entries on this list, I know they built an internal system that helps them do that. Basically, to do a verification of each registration and give it a risk profile. Saying, “Okay, this is on the good side or the bad side.” And, for the people who are interested in it, they’ve done that together with the University of Leuven in Belgium. And I’m sure that with a little bit of searching, you can find the paper that was published on that. It’s not just KYC, and I think that it’s really good that this example was brought up because that illustrates the fact that, yeah, even KYC doesn’t fix everything.
Speaking: Georgia Osborn
I’m just going to follow on Carel. I’m just gonna say I totally agree. Coming back to the point I made earlier about all of these being slightly higher in the rank this week — because there’s been something happening in the gTLD space in the last week, just maybe one or two gTLDs, maybe there’s been a bulk load of registrations and a little bit more activity and that’s caused a little bit of a change.
These things warrant investigation sometimes, and that means that you’re lower or higher on the ranking depending on the specifics. So, Carel mentioned the specifics of a couple of cases of some activity going on .cn and that there could be multiple reasons. And so sometimes you just have to look at the league table and dig a little bit deeper as to why that’s the case.
Speaking: Chris Niemi
Great, there’s one more kind of comment, it brought up this notion of blocking services like GlobalBlock, and I think those can have some effect on DNS Abuse in the sense that in the trademark holder space, people who utilize blocking services are sort of taking a whole swath of domains out of circulation, if you will. I think that is a classic example of things that people can take into account — there’s an overall strategic approach to domain management, but I don’t know if that necessarily is going to have a huge amount of effect on the league tables or not.
Conclusion
All right. Well, in regard to that, it looks like we touched all the questions. Thanks to all of you attendees who put stuff in the chat. That was, I think, a really great interaction we had there. With that we’ve come to the end. No need for extra time. No need for a shootout. I think we’re wrapping it up, but hopefully we got the win for all of you who tuned in.
I’d just really like to thank my co-analysts who’ve helped talk about this challenging and interesting topic of DNS abuse. You both deserve a domain golden boot in my world. Thanks so much for your help and for having a good time with a tough subject, I think we tried to have fun with it.
So, in the near future, we’re looking to collaborate on a follow up white paper piece that we’ll also release talking about this issue, so be on the lookout for that.
Until next time, may your goals count and your wins mount. League Table Talk live signing off. Thank you.