Measures taken by registries to help tackle COVID-19 related online abuse

Blog 04-05-2020

In the past few weeks, we have received questions about what ccTLD registries are doing to help fight criminal activities that have surfaced in the wake of the COVID-19 pandemic. As technical operators, ccTLD registries are restricted in what they can do, but we thought it would be interesting to get an overview of the types of measures we see across the CENTR membership. This is not an exhaustive list, but it gives a good overview of the processes and collaboration with national authorities we see across Europe.


A country-code top-level domain (ccTLD) operator manages or administers a country-specific top-level domain, such as .si or .eu. ccTLDs operate a technical layer of the internet’s infrastructructure that makes sure websites and applications are accessible to citizens and businesses via the Domain Name System (DNS).

ccTLDs are at the core of the public internet, safeguarding the stability and security of the internet as we know it today. The majority of European ccTLDs are SMEs or non-profit organisations, providing an internet infrastructure service in the interest of and in close cooperation with their local internet communities (i.e. registrars, end-users, rightsholders but also in cooperation with CERTs and law enforcement authorities).

Since the beginning of the COVID-19 pandemic, ccTLDs have been closely monitoring the numbers of domain name registrations, especially related to COVID-19. As our previous research has shown, the COVID-19 pandemic has had no significant impact on the DNS, including on the level of associated abuse by rogue actors attempting to benefit from the pandemic. The confirmed number of the abovementioned abusive cases in the ccTLD space remains relatively low.

When it comes to the domain names typically involved in some type of abusive use, there are two different types of cases to distinguish between. The first are conflicts where the domain name itself is at the crux of the dispute, and the second are conflicts where the domain name is involved because it leads to disputed content.

In the case of domain names being used to spread disinformation or sell fake equipment or medicines in relation to the spread of COVID-19, the problem is the content disseminated by the help of a domain name, not the domain name itself.

Removing illegal content from the internet is the only effective solution that avoids it being accessed and consumed. ccTLD registries have no access to website content and neither do they host or transfer content through their managed infrastructure at any time (for more information on the role of registries, see CENTR’s paper on Domain name registries and online content).

Nevertheless, the continued stability, resilience and security of the internet's infrastructure is at the core of the service provided by ccTLDs, including their cooperation with local competent authorities to keep rogue actors out.

As the managers of top-level domains, ccTLDs are technical operators that do not have control over the content of websites. They rely on close cooperation with public authorities in responding to COVID-19 related abuse. In estimating the real harm and risk to the public, only competent public authorities can assess whether an activity on a website is illegal or not and have the mandate to act accordingly.

Some of the common practices that are used to respond to malicious domain name registrations amongst ccTLDs have been identified below. The following practices are based on concrete policies in place within ccTLDs for them to be able to take action against malicious registration within their technical remit and within the limits of their local jurisdiction. The list of practices is not exhaustive.

Any approach to dealing with illegal content should be respectful of fundamental rights, including due process. It is also important to respect the principle of proportionality when assessing the proposed action mandated from a technical actor like a ccTLD.

Examples of current ccTLD practices

Monitoring newly-registered domain names

In Estonia, the registry manager for .ee, the Estonian Internet Foundation (EIF), has put together a non-exhaustive list of COVID-19 related names or keywords and is manually observing registrations. From the 1st of January 2020 until the preparation of this blogpost EIF has kept track of approximately one hundred COVID-19 related domain name registrations.

DNS Belgium, the ccTLD manager for .be, keeps track of new registrations on a daily basis and regularly sends that list to FPS Economy (the government agency that deals with e-commerce and consumer protection among other things).

The Italian registry manager for .it contacts registrars for domains that could be considered as ‘potentially suspicious registered domain names’ and requests a confirmation that the registration data is complete and accurate, asking them to provide missing information and correct inaccurate information if needed.

Nominet, the .uk manager, has observed an increase in .uk domain name registration using words related to the pandemic. Registration themes are not always a cause for concern. The online world is a mirror of the offline environment, and domain name registration usually follows trends that are aligned with national and global events.

EURid vzw, the registry for .eu (and its variants in other scripts), pro-actively monitors newly-registered domain names, involving its machine learning based APEWS (Abuse Prevention and Early Warning System). In order to protect end-users from possible misuses of domain names associated with the current COVID-19 pandemic, EURid has implemented a set of measures in agreement with the European Commission. The APEWS system was adapted to prevent the registration of suspicious domain names, and EURid performs additional checks on the registration data of newly-registered domain names that contain keywords relating to the current pandemic. EURid has been monitoring COVID-19 related domain names since January 2020. The checks include COVID-19 related domain name registrations and websites into which they may resolve and that sell COVID-19 related products. So far, EURid has observed that most of the websites of registered domains are parked. EURid will be performing additional checks on the registration data of both existing registrations and newly-registered domain names that contain keywords relating to the current pandemic.

Sharing lists of newly-registered domain names with authorities

In Denmark the local registry operator for .dk, DK Hostmaster, supplies a national police unit with a list of newly-registered .dk domain names every day. This is done with the explicit and mutually-accepted purpose of enabling the police to assess whether a registration is in some way linked to a crime or potential infringement of any kind relating to the COVID-19 pandemic, based on secure evidence and after having conducted an investigation. The .dk operator has furthermore established a process where they can quickly carry out court or administrative orders received from local Law Enforcement Agencies or National Regulatory Authorities.

In Norway the right of use of a domain name can be seized pursuant to the Criminal Procedure Act. There are specific guidelines on how law enforcement should proceed when seizing a domain name registration, developed by Norid, the registry operator for .no, in collaboration with the prosecuting authority. Norid has also created an informative guide for law enforcement, police and people working in the judicial system - ‘Domain conflicts in the legal system’. When the new Consumer Protection Cooperation Regulation is transposed into Norwegian law, similar guidelines will be created for the nine different authorities that will be given increased powers to act upon content on the internet. Due to the special situation concerning the spread of COVID-19, Norid is in dialogue with law enforcement and the Ministry of Local Government and Modernisation on whether there is a relevant public authority that should receive lists of newly-registered domain names, in order to follow up in case they are used to spread illegal content. As this would be exposing the holders of all new domains to governmental scrutiny, it needs to be based on the law (e.g. on the emergency laws regarding the protection of public health).

The Swedish Internet Foundation provides the Swedish police with the registrations of COVID-19 related domain names on a regular basis. This information is already publicly available as the zone file for .se is public and available for download.

DNS Belgium and FPS Economy have a long and fruitful cooperation and join forces to keep the .be zone as safe as possible. To that end, DNS Belgium sends a list of all newly-registered domain names to FPS Economy on a daily basis. FPS Economy uses this data for their own research and feeds it into a crawler that scans the internet for fake webshops and related problematic usage. Based on their research, DNS Belgium receives lists of .be registrations that may be used in a problematic way on a regular basis. Sometimes DNS Belgium uses the data to look for corresponding .be domain names (belonging to the same user). For all reported registrations an in-depth verification of the registrant contact data is initiated. This can lead to the activation of the “bad whois” procedure.

Data verification requests

Norid requires all domain holders to be either registered in the Norwegian Central Coordinating Register for Legal Entities or in the National Registry. Norid then regularly checks that the domain holders still exist, according to the Central Coordinating Register for Legal Entities. Domains held by legal entities that have been disbanded are automatically slated for removal.

In accordance with requirements in Swedish legislation, The Swedish Internet Foundation maintains a register of domain name holders. They manage and control the registration of COVID-19 domains according to normal routines. If the registration data is incomplete or incorrect, the Swedish Internet Foundation has the right to suspend and remove a domain name within a short timeframe.

DNS Belgium keeps a track of all incoming registrations and verifies the registrant contact data on a daily basis. This verification is a quick scan to pinpoint obvious fraudulent or inaccurate registrant contact data. However, certain types of registrations (e.g. domain names containing the brand name of banks) trigger a more indepth verification. Registrations with attached contact data that seem to be problematic lead towards the initialisation of the “bad whois” procedure. The registrant is given 14 days to prove their identity and to update their contact data. If the registrant does not follow up accurately, the domain name registration is deleted.

In Estonia, the registry for .ee (EIF) has a high standard regarding the validation of registration data. All of the registrants’ identities are verified with state-provided solutions (QES level ID-card, QES level Mobile-ID) or private solutions (QES level Smart-ID, bank verification or PayPal Verified account). Thus, a barrier for registering a domain name for the purpose of malicious activity is created in the first step of registration. This barrier has effectively proven to reduce malicious registrations in the .ee zone.

In Finland, the registry for .fi, TRAFICOM, may remove a domain name (COVID-19 related or not) from the domain name register and the .fi root if the information of the domain name holder/user is insufficient or defective, and if the data has not, regardless of a request, been corrected or complemented, according to Section 169(1) of the Act on Electronic Communications Services (unofficial translation of the Act in English).

In Spain, the operator of the .es domain has contacted registrants of a list of ‘potentially suspicious registered domain names’ to request a confirmation that the registration data is complete and accurate, and to ask registrants to provide missing information and correct inaccurate information if needed. If no information is received within 10 days; the registration is suspended following standard procedures.

Nominet takes a proactive approach in preventing .uk domain names from being used for phishing. At the point of registration, Nominet conducts a number of automated checks to identify whether the domain name is likely to be used for phishing. If a domain name is flagged in this process Nominet will temporarily place the registration on hold whilst the registrant is asked for more information to conduct extra due diligence. Nominet's support page provides information for registrants under Preventing Phishing in .uk.

Registrants of .eu (and its variants in other scripts) domain names containing detected keywords relating to the pandemic are required to validate their data and to submit a statement confirming that their domain name was registered in ‘good faith’ within seven (7) calendar days.

Cooperation with health and consumer protection authorities

DNS Belgium and FPS Economy signed a cooperative charter at the end of 2018 and put in place a so-called Notice & Action procedure. When FPS Economy notices certain types of presumed illegal activity in combination with a .be registration, it can activate the N&A procedure. Upon receipt of the N&A notice, DNS Belgium will send a breach notification to the registrant and set up a re-direct. Instead of landing on the website of the registrant, internet users will end up on the warning page of FPS Economy. If the registrant takes appropriate action, the functionality of their domain name can be restored. If not, the re-direct is maintained and after a couple of months the domain name is deleted.

In Estonia, according to the .ee Domain Rules, section 6.1.7, EIF may refuse to register a domain name or suspend it only with good reason, including, first and foremost, if a relevant justified request is forwarded to EIF by a competent government agency. According to the Estonian Consumer Protection Act, section 622 subsection 4, EIF is obliged on the basis of an order issued by the authority, to disable access to a domain or to delete the registration of the domain name specified in the order, or to allow the Consumer Protection and Technical Regulatory Authority to register the domain name. EIF has also concluded co-operational contracts with the police and Border Guard Board and the Estonian Information System Authority to publish information about registration data and to suspend domain names at the request of the government agencies.

In the .uk namespace, using a domain name for criminal activity is a breach of the registry’s Terms and Conditions of Domain Name Registration. They work closely with UK law enforcement agencies to suspend domains being used for criminal activity, for example when the associated website is selling counterfeit goods or medicine. Nominet provides information for registrants on their support page and public reports on its statistics page. During the COVID-19 pandemic, Nominet is continuing to work closely with its national law enforcement partners, especially the Medicines & Healthcare products Regulatory Agency (MHRA).

EURid continues to regularly analyse COVID-19 related domains, and reports suspicious domain names to cybersecurity and law enforcement authorities as well as consumer protection agencies.

Cooperation with national cybersecurity agencies

In Finland, TRAFICOM provides a list of COVID-19 related domain name registrations to NCSC-FI/CERT. NCSC-FI/CERT examines the listed domain names under its own authority. NCSC-FI/CERT shares the list and possibly its more detailed findings to its trusted partners such as the Finnish National Bureau of Investigation. The .fi registry has examined user information of some of the listed COVID-19 related domain names that have been pointed out by NCSC-FI/CERT.

In the UK, Nominet’s approach to mitigating risk and addressing the malicious usage of .uk domain names related to COVID-19 is built on existing practices to prevent phishing and address criminal activity. This approach relies on collaboration with their local UK law enforcement agencies and National Cyber Security Centre (NCSC). Nominet considers COVID-19 related domain registrations as high risk, requiring extra due diligence. As there are also many legitimate and important uses of domains using terms such as “covid” and “corona” it would be disproportionate and counterproductive to completely prevent the registration of these domain names. Nominet provides more details on their approach in a blogpost.

In Spain, the registry for .es identified a first list of domains containing COVID-19 related keywords, based on a database query and a reverse lookup to find the owners of those domains. This list has been shared with the Spanish national cybersecurity organisation, that has analysed possible malicious registrations with different tools.

EURid continues to regularly analyse COVID-19 related domains, and reports suspicious domain names to cybersecurity and law enforcement authorities as well as consumer protection agencies.

Published By Lydia Pernal-Stoddart