The Internet Watch Foundation (IWF) recently published their Annual Report for 2018. There is a lot in there but here I want to focus on one small part of it. I have written about this particular topic a lot so I apologise if I sound a bit like a broken record, as we used to say in the days when vinyl was the only way to listen to pre-recorded music on demand rather than being, as it now is, the first choice of audio fashionistas.
In 2018 the IWF identified 105,047 urls containing child sex abuse material (up from 78,589 the previous year). 80% of the 2018 urls, 84,055, were concentrated within only five top level domains: .com, .net, .co, .ru and .to.
84,055, and 105,047 are very small numbers relative to the total volume of urls but the point is behind each url there could be anywhere between one and tens of thousands of child sex abuse images. However, if everyone did what they were supposed to do there wouldn’t be any at all, or there would be far fewer. Read on.
The worst offending domains are .com and .net, containing 40,424 and 17,744 urls respectively. Added together they make up over half of the total or 69% of the top five.
.com and .net are examples of Generic Top Level Domains (gTLDs) and are both owned by the same, highly profitable business, a Registry called Verisign. It is domiciled in Reston, Virginia, metaphorically in sight of the White House (driving into DC from Dulles Airport you have to pass the exit for Reston). Verisign is a company quoted on NASDAQ in New York and nominally it is externally accountable to ICANN but the key word there is nominally. Last time I checked Verisign was, by a country mile, ICANN’s largest single source of revenue, providing it with about 30% of its annual income. Few rush to bite the hand that feeds them and ICANN is no exception.
The other three domains were within a category known as Country Code Top Level Domains (ccTLDs). In these cases the companies or organizations which act as the Registries are appointed by and are accountable to the Government or a governmental agency in the country concerned. The three countries and the number of urls found are: Colombia (.co) 9,339, Russia (.ru) 8,714 and Tonga (.to) 7,834.
I haven’t checked to see if the beneficial owners of each of these ccTLDs are not-for-profits or businesses like Verisign. There is something singularly repulsive about building “shareholder value” out of the sale or distribution of images of children being raped but I am not sure if one is in a hugely morally superior position if you only do it to pay your staff’s wages and the rent on the office space you use.
So there we have it. At the cost of untold misery to an unknowable number of children three Governments and a publicly quoted company have presided over a situation which is wholly avoidable.
There shouldn’t even be one
Why is it avoidable? Simple. In order to obtain a domain in the first place or on its renewal, somebody has to provide their name, address and contact details and these are meant to be verified. It is hard to imagine there would be even one url with child abuse material on it if that was happening. It is possible a small proportion of the urls were on sub-domains that had been hijacked by malevolent third parties but what we are seeing here is a pattern of some antiquity. The numbers quoted above and their distribution are not a fluke or a one off.
Now it is true that because of its history Verisign is not in exactly the same position as other Registries but all Registries have identical moral obligations. Verisign is failing its on a spectacular scale.
Time to act
The Colombian, Russian and Tongan Governments should tell their ccTLD Registries to insist on the robust verification of all entities acquiring or managing domains within their purview or else risk losing the contract.
And what is to be done about Verisign? ICANN? See above but if ICANN won’t act why aren’t the legal and political institutions of California doing something? Can that be fixed? Watch this space.
What about the US Federal Government and the Attorney General, Governor, and Legislature of Virginia? Can that be fixed? Watch this space.
Shareholders? I will return to them in another blog but obviously they have not, hitherto, stirred themselves sufficiently to insist that steps are taken to reduce the levels of criminal abuse of the company’s systems. Could that be because this might eat into profit margins and therefore hit returns? Probably not. I suspect it is largely ignorance and the inertia which it breeds. Can that be fixed? Watch this space.
Desiderata 