Transcript: Technical basics everyone should know before discussing online content control
EuroDIG 2016 BRUSSELS, BELGIUM TECHNICAL BASICS EVERYONE SHOULD KNOW BEFORE DISCUSSING ONLINE CONTENT CONTROL WS 3 9 JUNE 2016 14:30 ROOM 213/215
Services provided by: Caption First, Inc. P.O. Box 3066 Monument, CO 80132 1 877 825 5234 +001 719 481 9835
This is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
>> We will start momentarily. We are trying to figure out if there is remote participation for this session. Does anyone know?
>> I should be a better moderator.
>> But you're not remote. [Laughter]
>> So I guess we can start the session now that we know that there is remote participation. And let me say hello to the remote participants. My name is Thomas Rickert. I represent an association in Germany with more than 900 members from more than 60 countries. And I've been invited to moderate this joint workshop so that we can all better understand the technical functionalities of the Internet because there is so much talk about content regulation, what can/can't be/should not be done by the various technical providers when it comes to enforcing or implementing/operationalizing laws or restrictions there are when it comes to delivering content. And some of these side effects are undesired, some are desired, at least for some, and that's quite a controversial debate for 20 years or so since the Internet started, people have been talking about how to limit the accessibility of content to contents or services that are desired by certain parties. But what's even longer in place is fundamental misunderstandings about how all this works, what the limitations for those attempts are and what should and what should not be done. And therefore I think it's very applaudable that they have decided to offer a workshop where you, including the remote participants, get firsthand information about how the DNS, the Domain Name System, works and what the roles of the different players are and where interception or content regulation can be done technically. So basically what we're going to do in this afternoon is have a discussion that is structured in a way that might be a little bit unfamiliar for all of you, including myself. First we're going to hear Peter van Roste. We had Malcolm but he cannot be with us. Should he be with us remotely, hello, Malcolm. So we're going to hear about the technical basics first. Then I will give all of you the opportunity to ask technical questions in case you didn't understand properly what Peter was talking about.
And after that, we're going to have fire starters. And I'm using two cultural references in my introduction. Maybe you find out what they are. But they're going to make initial statements to spark off a discussion. He's not going to be one of the fire starters so you can safely say we didn't start the fire but maybe some of you will put yourselves into the queue and add their own views to the discussion. So, first Peter, then we're going to hear some fire starters making statements. And after that we're going to invite all of you, including the remote participants, you can write something in the chat and we'll make sure that it's been conveyed to all of you so that we can have a discussion. And the idea is that we don't have that with a Q&A with the panelists or with the fire starters, so that's not the idea. But the idea is that you put forward your own ideas, suggestions, thoughts, so that we can hopefully all evolve some thoughts on this very important subject. And now, without any further ado, I would like to hand over to Peter.
>> PETER VAN ROSTE: Thank you, Thomas. So, yes, I won't start a fire but, still, I hope to bring some light. My name is Peter van Roste, I'm the general manager of CENTR, and I'm a lawyer. And rather than having a tech person explain this, they are so enthusiastic about this topic that they typically wouldn't get further than the first 10 slides of this deck so they asked me. And I'm very happy to oblige. Practical things. Questions at the end, please. We are going to have a very fast ride through the next 30 minutes from the plug in the wall to how the Internet works, the role of the different players. So in order to keep track of the time somehow we're going to take and allow 10, 15 minutes of questions at the end. If you have questions later, always be free to reach out to me or to my colleague, Nina, who is standing there. So who is talking to you? I'm here on behalf of CENTR, we're the organisation for exchange, dialogue and exchange of country code domains of Europe. We're the .de, we have all the European countries plus more. The dialogue part is what we're doing now. We're engaging with conversations with European stakeholders, policymakers and we're providing training and education. We do plenty of things for our members. Some of these are relevant for you, as well. We have reports on ICANN and IETF meetings and RIPE meetings. They are mutual reports on what is happening there. They're open for everyone, so they are public access on our website. They have five, 6, 700 readers. And I hope you might find them useful. So what are we going to cover? What the Internet looks like, what IP addresses are, how they connect and talk to each other, how networks work, including Internet exchanges, why we need the DNS and how it works, a bit about root, who does what in the technical areas on the Internet and what blocking is and why it doesn't work. If I'm talking about layers, then have a look at the graphic that we put on your table. It is one representation.
Look at other representations and you'll see minor differences and interpretations. The idea is that by the end of the session, at least sort of technical layers, you would have a pretty good idea of who each of those stakeholders is, what their role is and how important they are to the Internet ecosystem. So, surprisingly, the Internet is built with carrots. It's a very important principle. The Internet is not built with sticks. All the protocols, most of the technical details I'm going to share with you are agreed within fora such as the IETF and IAB. And people use them because they work. People use them because it helps their networks connect to networks and billions of other Internet users. And there have been examples where people didn't think the carrot was interesting and they did their own thing. A large Italian ISP end of the 90s built their own root so you could use different addresses. You could go to dot hotel and dot golf at the end of the 90s. It didn't work because the people who had their websites on dot hotel or dot golf wanted foreign users to get access to that content, as well. So very important principle. There is almost there are almost no obligatory standards. And everybody who is interested in doing something different is completely free to do so. Everybody knows these boxes in their offices. They connect your local network. Typically you'll see some device in there which can be a router, a firewall, the WiFi box will be attached to this box. From there, if you're on one of the upper floors in parallel with the elevator shafts, the cables go to the street. They typically will connect in suspiciously looking gray boxes on the corner of your street. And from there it goes to larger boxes somewhere in the centre of the quarter where you're living. These cables and these network points get connected by cables in between cities.
Railroads were one of the early adopters of networking, of building the networks because they realized they had a very precious asset; that is, they have an almost straight line between two major cities. Telecom providers, ISPs have been crucial in providing the investment to put the copper, the fiber in the ground. And more and more these days to make sure the 3G, 4G, 5G networks work. There is satellite connectivity. There are obviously transatlantic cables that provide connectivity between the continents. At the moment, between Europe and the U.S., about two dozen large cables are operated. They're typically run by telecom companies and ISPs, but you see that this starts to change. Last week, Google and Facebook announced that in cooperation with Telefonica affiliates, they are going to operate a cable connecting Europe, Bilbao, to Washington, D.C. In case this is a question I get during these trainings, cables are put into the ocean bed by plowing a ditch and then putting the cable in and then covering the ditch. So they are not just resting typically on the sea floor. So what do these cables do? They connect devices, every single device, whether it's wireless or it's through the Ethernet cable that you plug into your computer, laptop and the office. And they connect these devices with data centres. Huge data centres. The cables are split when they enter those rooms. And they're connected to racks. And in those racks you'll find huge data storage facilities. More and more these data centers are ready made. Plug and play shipping containers that literally require big power supply to make sure that the cooling works. And a couple of cables from different operators to make sure there's redundancy and connectivity. But this is how they're shipped. And they are so redundant that even if 50 percent of the material, the equipment in there stops working, it's still good to go for another couple of months. They are hardly opened. They are ready made.
And the expectation is that these containers will get smaller and smaller and smaller. And to paraphrase Bill Gates that in a few years from now, everybody will have one of these data centres sitting on every desk in every home. So, we have devices. We have data centres. We have the physical network, whether it's wireless in waves or whether it's copper and cable and fiber. The equipment on the network needs to be able to identify each other. And in order to do that, they need a unique identifier. And through standards set by the IETF and IAB decades ago, we're using IP addresses. IP addresses are unique identifiers. On your own network, you might see that the identifiers at the moment used in your networks are unique, but you will find the same IP addresses used on your laptop at home, for instance. But the moment you get on the Internet, the moment it's connected to the rest of the world, these identifiers have to be unique to work. So you can imagine that with all those devices, laptops, mobile phones, data warehouses, you need billions of IP addresses. So how are these managed? Who keeps track of what is where? That is the role of IANA, the Internet authority for assigned names, numbers. The IANA function splits the existing amount of IPv4 addresses, I'll come to IPv6 in a minute, and hands them out to different regions. For Europe, it's RIPE, Réseaux IP Européens, who is managing this block for Europe. And RIPE, then, splits up the large block they get for Europe and hands it out to ISPs, to research institutions, to governments, to large companies, to allow them to connect their devices to the Web and also to do R&D. Importantly, and this comes back particularly in the privacy discussions, there are two types of IP addresses. There are the static ones. Typically servers connected to the nets, data centres, information that needs to be always on.
And there are dynamic addresses, typically handed out to consumers for the very simple reason to optimize the use of the limited block of IP addresses that everybody gets assigned. On IPv4 there's shortage these days, as I'll explain in a minute. So that means that if you check your IP address every week, you'll probably see that you're getting assigned a different IP address every time. That has a significant implication for whether it's considered to be personal data or not, until a week ago. Some of the policy debates are directly affecting this technical explanation that I'm sharing with you on the Web because these addresses, as long as they were not considered to be personal data, could be used by everyone to monitor the networks, to control the networks, to track behavior of users in case of criminal activity. But the Advocate General of the European Court of Justice last week wrote in his opinion that because of the ever increasing use of "Big Data" sets, also dynamic addresses would be considered to be personal data. So two different IP addresses, static and dynamic. Difference between IPv4 and IPv6, this type of address is probably quite familiar to all of you. These you see more and more. Uptake in Europe, I learned yesterday by a presentation by RIPE, is quite good, better than in the rest of the world. Benefits of IPv4, it's compatible with all equipment. Also with equipment that is still there sitting in a cupboard from 10 years ago. Your WiFi router at home might be one example. The advantage of IPv6 in particular is there are many more. IPv4 is running out. RIPE is still holding on to the few last million IPv4 addresses to make sure that they're still being used to those who most need it to start up a business or to do some particular bit of research. IPv6 is at the moment almost unlimited. Mind you, that when I started working about 20 years ago, the same was said about IPv4.
But I think if you'll look at the scale of IPv4, which assumed that we compare to a golf ball and IPv6 which can be compared to the sun, I think we should probably be good at least for my lifetime. So, we have equipment. We have network. Your equipment, you can very easily identify what your IP address is. So you go to your properties of your network infrastructure and there it will say what your IP address is. You can do the same thing for the information on the other side of the Internet that you're trying to reach. And I use the example of the CENTR website here. There is a very simple way to find that out. There are many ways, but this is probably the easiest one. Go to the command prompt in your Windows. Yes, it's still there. Looks very much like back to the 80s but it's still there. And you use a command that is called nslookup, name server lookup. And then the website, the address of the site that you're trying to reach. And it will respond with two things. It will respond with an IPv6 address and an IPv4 address. We'll use the IPv4 address for the rest of this exercise. So we have these two, we have my device, we have the website. How do they communicate? First of all the thing that I didn't mention when I was talking about that infrastructure and the network and the WiFi, is if the story would stop there, then you would only be able to communicate with the other customers of the same ISP. If in Belgium you're a customer, the former incumbent, you could probably talk to half of the Belgians on your network and that would be it. There would be no reach to the rest of the Internet. But this is what the Internet looks like from probably standing on the moon. These are all the networks and how they're connected to each other. This picture dates from October last year. So what you see is that there are millions of connections. It probably looks pretty much like the synaptic connections in a brain. Some of these are much bigger crossroads than others.
And these are the Internet exchanges. They're crucial. They make networks talk much more efficiently to each other. And in Belgium, we have BNIX, it's located about a kilometer from here although now they have three sites, I heard. And it's a place where literally you have all the ISPs and the telecom operators with their cupboards against the walls. And across the room there are the connections between the networks. So Belgacom with all its cables, then they can peer, that's the term called for connecting with the other networks, there is no financial transaction involved, by the way, it can peer with the other networks. The peering is an important principle because it means that operators joining, connecting to the Internet are okay to get traffic from other networks and hand it over. So there is no financial transaction involved. And it's very easy to find an example that shows differently. That's mobile connectivity. With your mobile, you're roaming, then there are financial transactions when you're crossing borders. For the Internet, there isn't. Without.
>> ITALY: Probably wouldn't work as efficiently as without it, it probably wouldn't work as easily as it does. So the Internet exchanges. This is the picture from DE-CIX, the Internet exchange in Germany and in Frankfurt. The best thing is that it's actually possible to see how traffic hops around the Internet. Everybody can do it on their own laptop. And it's by using the traceroute command. It's tracert. And I worked in the office a quick demo. So if you do a tracert for the CENTR website, then you're actually asking your machine: How am I connecting from my machine to the machine, wherever that, where that website is on? So it starts again with identifying where "that machine" the content that you're trying to reach is, the CENTR website and then the hopping starts. Here we're still in the office. The IP address of my machine is the address of our firewall. And this is the helicopter box in our hall. Again, the cables are parallel with the elevator shaft to the street, the gray boxes we mentioned in the picture overview there. This probably somewhere near where Belgacom's area hub is for our office area. Another Belgacom on their network. And then you end up already at the Telenet server, which is another network, a competing operator in Belgium. And you can even see where it is. It's in BNIX. In the crucial point where networks hand over their traffic to each other. So from then on we're on a Telenet network. And we keep on hopping to eventually reach the destination, which is an open minds network. Open minds is the provider or host where the CENTR website is located. But the nice thing is that one can visualise, and you can do this exercise, by the way, for content that is across the globe and you'll be hopping from Europe to the U.S. and then to South America and eventually end up on the website of an Argentinean newspaper. But you can actually visualise how it works.
Importantly, do this exercise twice within seconds and very likely you'll see differences because it is unpredictable where the traffic goes. There is no set route. It will use the route that at that moment is the most efficient, the quickest, where there are no delays reported. So we have our equipment, we have the network, we have IP addresses. We've seen how traffic hops along. We're gradually getting to the point where I will explain what blocking is. But first we need to add one more layer and that's the DNS. So why do we need DNS? How does it work? What the root is and what is the Top Level Domain? So why do we need DNS? And I appreciate that this probably does not make sense and I'm sure you can't read the white. These are IP addresses. These are the destinations that we're trying to reach. None of these addresses should mean anything to any one of you. And if it does, then I would be a bit worried. But these are strings of numbers. Nobody will memorize them. All of them are the most popular websites in Europe. Importantly, they can also be the IP addresses of mail servers. If you send an email, you're also sending content to a particular IP address, the IP address of that machine that hosts the mail server. You wouldn't want to remember all those addresses, so you have (off mic). Ah, so there is somebody in the audience who can read IP addresses. So but the majority of this room probably thinks that DNS is very useful to remember destinations on the Web. So remembering the address is probably the prime reason. There is another one. And it's flexibility. So I showed the pictures of the data centres. Those data centres have an IP address. Sometimes some things happen. Electricity is cut off. There's a fire. The disk crashes on which the information is sitting. You want, as an information provider, you want to be able to switch immediately to your backup.
If it wouldn't be for the DNS, what you would have to do is to tell your millions of customers "my IP address changed from whatever to something else." That wouldn't scale. So with the DNS, you don't have to tell your customers anything, your customers even won't notice. Your customers will still use the address that you've provided them with or that they know, and the underlying IP addresses change without a glitch. So flexibility is a really important reason. Security is also one. It makes the network more stable. It allows to do some traffic management. And there are tools in addition to DNS such as anycast, goes too much in detail to explain that now. But that would allow providers to divert attacks or at least to mitigate the impact. Also fourth reason, I think in every single room at EuroDIG, at least one person will mention the Internet of Things. One of the problems with the Internet of Things is that at the moment, there is no strong agreement on the standards that are going to be used. One of the standards that's already there, that's already been tested for three decades, a bit more, is the DNS. The DNS could provide the basis to operate some of the Internet of Things applications. I'm going to give you a quick example. So Nominet, our UK member running dot UK amongst a couple of others, has a fabulous R&D department. One of the things they do is they play around a lot with high tech stuff. And sometimes that high tech stuff starts very basic. It starts with the idea that there is a lot of connectivity that's no longer being used and that's the white space. And the white space is the wavelengths that were used by the broadcasters, the television broadcasters so that antennae, probably makes you think back of 70s, 80s, maybe some early the 0s, but that space is available. And in the UK, it is not commercialised, it is not sold, it is not licensed, but people can use it for R&D purposes.
So Nominet started thinking about what can they do with that space? And one of the things that they did is they connected devices. These are very simple sensors with very basic equipment. This is a router that connects this thing, actually it's here, too. And broadcasting signal. It's stuck in some this device is stuck in a waterproof housing because they put it under bridges. And once stuck under a bridge, the only thing it does is measures the distance between itself and the water level. When the water level goes up, it's a signal that downstream in a couple of minutes, hours, depending upon the situation from now, they will see more water flowing through that river. One of the big problems in the Oxford region is that there is traffic congestion because roads get flooded. With this very simple device, and obviously stuck under plenty of bridges, it becomes possible to predict flooding downstream. And the data is shared in an open way. It's open data. And people have already built, Nominet, as well, have already built tools that help interpret the data and give drivers nice maps to allow them to drive around floodings in their area. So it's a very practical example. So where does the DNS fit in? Here. If you stick these devices under bridges and they have numbers, the moment something goes wrong and I can assure you with a device stuck under a bridge there are plenty of possibilities where things might go wrong. Could get wet. You need backups. And so there is more than one device under a bridge. If one breaks down, they can switch to another one. They're using the DNS as a basis, as a reference point for these devices. And so as a user, the only thing you would be interested in is the name of the bridge. And you don't care about the IP address of the underlying device. Another one I heard yesterday or two days ago on the news was that people are now building in sensors in umbrellas. And these sensors capture the sounds of the raindrops on your umbrella.
And the rhythm of the raindrops is a good predictor of how much rain is falling in that very specific area. The signal's sent to your mobile phone. The mobile phone sends it to your weather forecast system or whatever system you're part of. The thing is that these sensors at the moment do one thing, but they could be doing much more. But because it's a closed system, the only information that is being used from that sensor is for that specific application. If you build open standards and you use DNS to support access to that device for other providers, you could also pick up sound pollution from a specific area with that same sound recording sensor and use it for different applications. So that is the fourth reason for the DNS. It's an open standard that is stable and secure and could provide a scalable solution for Internet of Things applications. How does DNS technically work? There's a really nice video. By CENTR, don't check the address but if you go to Internet and look for CENTRDNS, not the rock group. But if you look for this, that's one of the first hits there. So we understand why we need the DNS and what it does, but how does it work on the high level? What time is it? We have the root that is the place of all wisdom for everything that is below in the following layer. To explain when you're typing in a domain name, by the way, who knows about the hidden dot? Three, four people. When you're typing in an address, you're typing in www.CENTR.org. What your browser understands you to actually be asking is www.CENTR.org dot. There is a final dot there. But your browser knows that it's lazy so it adds it yourself. You can try it. Feel free to add the dot. It might confuse your browser for a millisecond or two and then probably realise that you've been in a training or you're a techie. But the final dot says to your browser look up this address in the root.
And in the root, the information is kept that will tell your browser where the top level domain files are hosted. So it's a hierarchical system where one level, the upper level, refers to the level below. The upper level has no idea of what's here, definitely not what's here. The root zone is maintained by IANA. IANA at the moment is a part of ICANN. It's currently under transition, as some of you might have heard. But it is the maintainer of the root zone, so that top level. The second level, and I'm using the dot EU example here, is run by a TLD registry. And in this case for dot EU is EURid. It's a not for profit organization that has been appointed by the commission and just got renewed for I think another 10 years. It's also our host. The domain itself, so europa.eu is run by the commission. None of this has to do with this. It's a very important principle and that will show early on. This is what the root looks like. It is probably the most disappointing picture from the slide deck. But let me tell you first that there are two things. There is the zone file, which is the thing your machine will read. And there's the zone database. We're talking about WHOIS, we're talking about human access to that type of information, people will typically consult the root zone database. There is no personal data in the zone file. You will find the names and contact information of the owner of the website in the root zone database. So the root zone has 13 identical copies, authoritative name servers. For redundancy reasons, they're run by different organizations. And two of these organizations are European, RIPE is running one and Netnod. RIPE is Belgium and Netnod is Sweden. Four of these are hosted in Brussels by telecom operators. At the moment, the U.S. government, the department of the U.S. government, oversees IANA. And you can imagine that IANA is pretty important since it is managing the root zone file. So what does that look like? This is what it looks like.
So I already told you that with that final hidden dot, your laptop, phone, knows that it should ask the root where can I find .eu? And this is what the root will answer. It will give you a list of name servers, and it will give you, with this list of name servers, a range of IP addresses where you will find the information for the next level. I told you about the levels. You understood that the different levels only have information about the level below. So when I queried the root about just tell me where can I find these .eu name servers, they hold identical information, but for redundancy reasons, there are many more. You'll see that some of them have an IPv6 address, others have an IPv4 address. Very briefly, the difference between ccTLDs and gTLDs, so if you look at the Top Level Domain, the .eu example I gave you as a country code, .eu, country codes, they're all part of a list. The people that came up, that developed the DNS had a really good smart idea to make sure that they did not get anywhere near deciding what was a country and what wasn't. So they used a United Nations organisation, the ISO, international standards organisation, as a reference point. And so the list that the ISO came up with is the list that decides on what is a country and who gets a country code and who doesn't. So in total, there are about ccTLDs these days. The last 50 that have been added are the non-Latin scripts. It's Korean, it's simplified Chinese, it's quite a few of the Indian languages. In addition, we have now probably just over 1,000 gTLDs. When I was drafting this presentation last week, the 1,000th gTLD was added to the zone last Tuesday. There might be two or three more by now. How do you get the gTLD? You apply at ICANN. It's a pretty costly process. It's about $200,000 to send an application. And the next round might be open up in a year or two from now.
The biggest difference between ccTLDs and gTLDs as I already mentioned, ccTLDs are typically not for profit but they serve a local Internet community. So they're stuck with the policies that serve that community. And they're obviously respecting local laws which will differ from .NL or .SK. gTLDs are under contract with ICANN. And you might have heard a lot about the privacy implications of that. But for instance for the WHOIS access, there's some discrepancy between the requirements in the contract and European laws. So on the second level and this is a copy of the not the root zone file but the database. So where we have the personal information of the registrant in this case, for the domain europa.eu, again for the name servers for the email and for the website and the alternative addresses in case, for redundancy purposes. So now we're looking again at the practice. So we went through the theory. So hierarchical system, one level points to the next. So what happens when a user types in a domain? The querying starts. So your laptop is going to ask where can I find an IP address, for example, dot eu. Your laptop is not going to ask it directly. It will ask a very powerful friend, that is your access provider's DNS resolver do the querying for you and then send you the answer. So the access provider will first query the root. The hidden dot. It will ask where do I find dot eu? The root is going to respond with an address that I just showed you on that list. And then the access provider is going to question the dot eu providers. Where can I find example dot eu? That information is stored in that file. It is returned to the access provider's DNS resolvers. And then you can query example.eu for where www, their web site is based. You could also have asked again for their SMTP, which is their mail server. Only then you get a response back that will be able to identify the location where the content is actually hosted.
So this is the eighth step how the DNS works. The querying happens step by step. You get a response. And then with that response you can access the content. Now that you know how it should work, let's look at DNS blocking. There are a couple of ways in which DNS blocking is imposed, typically through court order, sometimes on a voluntary basis, but let's just assume through a technical perspective, we're looking at blocking that is commissioned, that is ordered by a court. So the court could tell your access provider, your ISP if somebody asks for WWW.example.eu, don't answer him. So Belgacom and the access providers of this world, they have to respond there is no such domain. That is one way of blocking. It's important to realise that this type of blocking will only affect the customers of this ISP. Find another ISP that is not covered by the court order and trust me I've seen no court orders that were successful in covering all ISPs. And I'm talking about Belgium court orders. So there is a scalability problem with this one. There is another example where the court tells the ISP, "don't ignore or don't tell the user that you don't know where it is. But give them a fake answer." So the user wants to access example.eu. The ISP says sure, it's that way. And they point to a server hosted by the law enforcement. And on that server, and if you go to piratebay.se in Belgium, and probably from this room, you will get this. So that is information hosted on a server by local law enforcement. I need a bit of a side step but I want to read something to you because you can't. So the information that you receive there is obviously blocking you from accessing the content that you want. But then "you have been redirected to this stop page because the website you are trying to visit offers content that is considered illegal according to Belgium legislation." All good for now. 
But then "if you are the owner or administrator of this website and you consider to be wrongly redirected, you can report this by fax." And then a telephone number. So I think it's a really clever way to make sure that they don't get too many complaints about that.
>> Audience member (comment off mic). [Laughter]
>> PETER VAN ROSTE: All right. That takes away a bit of the fun of the joke. You're absolutely right. But it would have been nice to have at least a couple of alternatives. So this is a stop page but it's a good point, Peter, thanks. This is a stop page you would get when your ISP is supposed to lie to you. There's a third way on how blocking is implemented. And that is not the ISP. But the registry.eu gets a court order. And the court order tells the registry to pretend that it never heard of that name in its zone file. So these are the three most, there are a couple of others, but these are the most commonly used blocking mechanisms in court orders today.
>> AUDIENCE: [Inaudible]
>> PETER VAN ROSTE: Yes, indeed. But there are a couple of technical flaws in blocking. Before even going to the technical flaws, it is crucial to understand that regardless of whether it is blocked in an ISP level or on a registry level, the content is still there. The content doesn't disappear. And as I'm going to show you there are plenty of ways that even without becoming or crossing the lines of legality, you can still easily access the content. The most easy way that the pirate bay has been very successful in the last two, three years is just to make minor changes to your domain name. The pirate bay changed through the French hat, it changed to the Dutch, it had a site which was called the Hydra. The idea was that cut one head off and another will grow. So that is the simplest way for content owners who still want to make sure that their content gets online to make sure that it does. And the time it takes to get a new blocking order probably makes it a very inefficient method. So you just ask for the IP address for a copy of that website and you're going to get access to the content. The other technical flaw which you understood from the whole trace route thing that I showed it doesn't always work but most will be hosted on a dedicated site so it will have its specific IP address. So you type in the IP address in your browser. And rather than doing the lookup, the NP lookup and the querying, you immediately get access to the content because you know where to look for it. Many companies run their own DNS server so they don't use this one. They have their own. And a really fun example is when I was asked to give a training at the commission and do an example of blocking there, I had to circumvent the major problem that the Commission didn't block anything that was requested in Belgium court order. [Laughter] So within the buildings of the Commission it was impossible to find an example of blocking. And then to show them that I can circumvent it. 
So we VPN'd out to the central office. So to be back in the real world and then from there we went outside. [Laughter] So, yes, the DNS resolver will not be subject to the court order. And you will just get the same querying three levels and eventually ending up with access to the content. You can use third parties. Don't use your access providers. You are not a company. You don't have your own. Then you can simply use, for instance, Google's. Everybody can remember it. We didn't use this example, but you can change this to 220.127.116.11. And you will not be affected by any of the blocking restrictions in your jurisdiction. Okay. So that basically just explained what I already did. Web proxies is I think a fourth or a fifth by now alternative to getting access to content without being affected by these court orders. You can go to a proxy website. It will be hosted outside your jurisdiction. There you type in the name of the information that you want to reach, and the proxy website will get it for you. That will be completely unaffected by the blocking order.
>> AUDIENCE: [Inaudible]
>> PETER VAN ROSTE: So the proxy server, sometimes it's a service that you will pay for, but you will also find them for free because they like to sniff your traffic. So I wouldn't personally advise to I don't them. But a proxy server will help you in getting information from somewhere else on the Internet without identifying yourself. That's what most people use them for. But it also, as a side effect of that, it bypasses DNS blocking. I'm not even going to go into these because they are quite technical to understand how they work, but if you have heard about Tor or OneSwarm, they are other alternatives that probably mean for many years that blocking is completely ineffective. So what are the conclusions? DNS blocking is a technical term. It's a procedure, it's not an outcome. Because the outcome is quite often that the information is not blocked at all and it definitely is not going anywhere, it's still there. The important thing and if you take one thing away from this presentation is on a technical level, it is almost impossible to prevent people from accessing content if they want to get there. But DNS blocking might indeed be efficient to make sure that nobody gets across something without them wanting to. DNS blocking will prevent my dad from by accident stumbling across the pirate bay. It will not stop my 18, 19 year old nephew from getting access to the pirate bay because if the user wants to get to the content, he will. So that's the big difference. Time to wrap up. Internet is built with carrots. We talked about infrastructure devices, how they're connected and how you can see the hopping over the network. Explained why you need DNS and briefly how it works. So the hierarchical system. One layer is in charge of the information for the layer just below it. And we discussed how DNS works and what the how blocking works and how there are some technical flaws in blocking. 
It's important to note that some corners were cut during this presentation to fit it all in 40ish minutes. Thanks to Malcolm Hutty who couldn't join us. But I used his fancy slides. Thank you if he's online. Thank you for listening. [Applause.]
>> THOMAS RICKERT: Thanks so much, Peter, I think it was a great presentation. Let me add my thanks to Malcolm for visualising all this difficult to understand stuff. Do you have questions for Peter? So now we would like to ask for non policy related questions but questions on the technical basics. You have one?
>> In Italy, from the SP association, in Italy, it is a country where we're blocking. I think anyone can go to the court or to legal ailed and say yeah, I want to block this. And basically there are two kind of technology used, DNS blocking or IP blocking. The technical legal question is: I've been told that while IP blocking can be considered a real breach of the freedom of people because, really, you block in a very effective way access to content, DNS blocking is not considered legally the same things because the ISPs is not really breaching the access to a point of the net, but it just refraining to make a function, to make something. Do you see do you have the same legal view on this?
>> PETER VAN ROSTE: In theory this is true. I mean, these are two different things. And it is essential to see that most of these bypassing technologies that I've demonstrated very briefly for DNS are also applicable to IP access. Blocking will only work if you are as close as possible to one end of the information stream. So if it's between me and the central web site if you're almost sitting if you're almost blocking right when my Internet access enters the Belgacom network, you will have a chance of actually blocking my access to that information. And the same, if you would give Telenet or open minds an order to block access to that particular IPS on their side. So only when you're on the extremes of the communication the IP blocking will function and will be more effective than DNS blocking. But everything else in between can be circumvented in similar ways.
>> Please use the microphone for the benefit of the remote participants.
>> So that the explanation I got, that technically in the DNS case the ISP is not really preventing communication; it just refraining from doing something? This is the legal explanation? So it's not doing. It is abstaining of doing? Okay. And this is why there is this legal discussion whether there is a breach of freedom of speech or not. So I wanted to inform this.
>> PETER VAN ROSTE: Thank you so much. There is another question.
>> THOMAS RICKERT: Let me walk through the room.
>> Just maybe quickly, Peter from the dot eu registry, maybe a comparison with the other real world example will work here. DNS blocking is tearing up the yellow pages or the white pages. So you can't use the name to find telephone number. IP blocking is making sure if you type in the telephone number in your telephone that it doesn't work. So there is a difference in practice how you do this. One prevents you from finding out the IP address, the telephone number, to make the call. The other one prevents you actually from making the call. So there is a difference in practice. What that translates to in legal, and as I'm lucky having a very techie hat on here, I don't even want to go in there what legally is different there, but technically there is a huge difference between DNS blocking and IP address blocking. One indeed makes sure that you can't find the IP address, but if you know it you can still make the phone call. The other one is even if you know the phone number, you can't go there.
>> PETER VAN ROSTE: Thank you very much for all of us to take away. You can block IP addresses. You can block names. And you can even go to greater level of granularity going to step level domains, fourth level domains or to directories to the left and right of the so it depends on how nuanced you want to establish your filtering or blocking. We have another question.
>> Yeah. And actually I will be greedy. I have two questions. Mark from RIPE. First question very technical one. DNSSEC, what influence does that have on this strategy? Second question, totally not related is you very much focused on the side of things, the resolver side of things. What if people look at other elements of the DNS and in Peter's words, what if you talked to the printer of the yellow pages rather than ripping up the yellow pages.
>> THOMAS RICKERT: We have three questions. Peter do you want to take all of them?
>> PETER VAN ROSTE: I'll take the second. Peter maybe you can talk about the DNS applications because my answer would be it breaks but I can't explain why. It breaks. So the answer to the first question is DNSSEC would be broken by the redirection. Peter will expound on that. On the second question, what happens if you talk to the printer? It's almost, it's almost a policy question. It is not a technical question. But that's the whole reason why there is such an enormous, long lasting, detailed discussion on the stewardship of IANA. We want to make sure that now everybody seems to trust U.S. government. Although adverse note might have given people different perspectives on that. But U.S. government has been doing a good job in consistently applying a set of rules and running and overseeing IANA who is maintaining that zone file. Now that at this time's transitioning, we want to make sure that the new people who will be overseeing it will do an equally good job. And so it will be a multistakeholder effort that is not dominated by any of those stakeholders, that is definitely, one of the specific requirements from the U.S. government when handing over that, will not be dominated by any governments with potentially completely different moral views on content, for instance. So at the moment, we've avoided the problem that the printer of the yellow pages would be subject to pressure from anyone. And we intend to keep it like that.
>> I wish I knew more about that, Peter wanted to expound.
>> PETER KOCH: I work for the DENIC eG, the top level registry. We have been talking about blocking but there was the one stop page with the funny fax number there. DNSSEC is a security technology that is designed to prevent or at least make detectable tampering with the DNS data. So when you ask a question to the domain system you get a forged response, this will usually be suppressed when it comes to the user. That was not designed with law enforcement or anybody else in mind, but that was an attack that was exploited on the Internet. And it's just securing the protocol and enabling the protocol to be used for future applications like the Internet of Things and so on and so forth. However, the security measures there are intent agnostic. That means whether that's law enforcement or an organised criminal changing the responses doesn't make a difference for the technology. It detects a change. No matter what the intent was. That means that any change of the responses that is applied by the ISP or by some other intermediary will look to the system like an attack. And it will act accordingly. Which means it will drop the response. And that actually helps, blocking in that particular case, because you don't get the response and you can't connect. However, it will avoid this redirection things where somebody's setting up a honey trap or honey pot so that the police or any other interesting law enforcement or whatever, what other agency you might have in your country, hopefully not, that any other agency can actually connect or collect the interested parties. That won't work. But it doesn't really interfere with blocking because it suppresses the forged response with the effect that you can't connect to the website, anyway. But it's not a helping technology, either, because, yeah, we come to that later.
>> PETER KOCH: No, not really. It looks like it helps the blocking but it definitely breaks this quote, quote, education part. And that's a good thing, of course.
>> THOMAS RICKERT: Thanks, Peter. Anymore questions?
>> Thank you. I'm from the Dutch youth. I've got a question. How do hotels, for instance, prevent people to use their okay, let's rephrase. How do hotels prevent users to get access to the Internet before paying? How does it work? Do they block IP addresses or DNS?
>> THOMAS RICKERT: Want to take that?
>> In various nonstandard ways. My name is Oliver for the Internet Society. In various nonstandard ways. In general what they do is work with a captive portal which basically sends all the traffic, often by DNS replacement, not always but often it does, tries to capture the traffic and redirect to a payment site. And then after that, they open up the traffic streams. Not standardised. But it is a methodology for blocking and filtering, in fact. So, yeah, that is true. While I have the microphone, may I [Laughter]
may I make a small plug? There is a document called RFC No. 7754, technical considerations for Internet service blocking and filtering. That's a rather technical document that describes what happens in terms of scope, granularity, efficiency of IP level blocking, domain name blocking, HTML blocking, all the different types of blocking that happen in the Internet. It's very technical. But if you want to know some of the technical background of how the Internet how things work on the Internet, that might be a fairly comprehensive start for looking at it.
>> And if I'm not mistaken, you wrote that document?
>> Oliver: I was one of the editors of the document. This is an IAB document, the Internet Architecture Board. That means I have written a few paragraphs but it's a collaborative effort.
>> Thanks very much. But actually your question was an excellent one because it allows us to introduce another dimension of filtering and blocking to the discussion. What we've heard about our measures that are taken that are not controlled by the user. So basically the ISP or some other instance is doing the something. But the hotel tries to protect its commercial interests by not allowing its visitors to use the Internet for free. And so could parents for their children or companies for their staff? So actually you can do filtering and blocking on a user autonomous basis as the account holder. And that's different to filtering and blocking that is imposed on the user without the I don't remember being able to change the settings. So unless there are more questions from you with respect to the technology or the technical aspects that we've heard of so capably from Peter, I would like to give the floor to the fire starters. And first fire starter is going to be Gregory Mounier. So close. He is head fire starters to Europol.
>> GRÉGORY MOUNIER: Thank you, Peter for inviting me and all of you. Yes, so I'm working for Europol, which is the law enforcement agency, it is healed in the Hague, the Netherlands. We help the police, all the law enforcement agencies in Europe to connect their investigations. So basically we've got a number of criminal databases packing our headquarter. We have a number of criminal analysts as well. Cyber crime, trafficking, economic crime, as well. And we get information from the national investigations. We run it in our database. We run it with our analysts and then we try to connect the dots. And once there are similarities or once we find out that the Dutch police is working on the same target, then the German for instance, then we will invite the investigators around the table and then we ask them to open their cases and we try to run a transnational investigation. So that's core business we have. Now, we're talking about blocking. Yes, indeed, law enforcement is using various blocking techniques that Peter very eloquently explained. Basically we use the DNS blocking and the ISP blocking depending upon the type of crime. And we use those techniques for two different types of crime in general. The first one is child exploitation. And then in that case we usually work with ISPs. And then for intellectual property violations, then we work usually with registries. What I want to make clear from the beginning. They are not very smart. They are pretty dumb. But they know that the techniques of blocking are not super efficient. We know about it, of course. Our main task, and that society has been given the task and government, is to protect the citizens, to go after criminals and try to keep society safe. When you take the example of child sex exploitation and that's probably the easiest one because there is a broad global consensus that these types of materials should not be accessible by everyone because this is a crime. And there is no big discussion about it. 
Then in that case, you wonder why if it is illegal, if it is prescribed by domestic legislation that these materials are illegal, why should it be accessible freely to everyone? So that's one question. What I wanted to say also is that our main aim, we are investigators. We are not into censorship. We are going after criminals. That's our main goal. We try to investigate. We try to attribute crime and individuals that are behind. And that's very difficult online as you know. And so blocking and we don't really like the word blocking because we know about its limitations. We call limitation of access, rather. It is just a mitigation activity that we do. If you can go after somebody who is producing child abuse material and then you prevent that person from posting it online and sharing it online, then you don't really need to block any website because your website would be there. So really our first objective is to get the guy. Then of course once the material is online, then it is our duty to prevent that everyone has access to it. And you might disagree with that. That's a compromise that society has made. This is our job. We know that there are technical limitations. We know of course that when we ask a registry to block the access to a specific domain names, it's very easy to register a similar domain or to use a ccTLD. And then of course the impact of that measure is very limited. The same applies with ISPs, of course. You have always ISPs that are based in jurisdictions that are not compliant. Or they just don't care about what's the French police might be telling them if they're in a country which is not compliant. So in conclusion, really, we're stupid but we know about the limitation of the system. On the other hand, society has given us a task. We're trying to do it as best as we can. And we are asking you, the big brain, the techies. Those who really know how the Internet works, Peter that's my question to you. 
How can we as a society ensure that content that suggests child abuse material is not accessible to anyone? Of course I agree with you if you really want to have access you will always have access. But I think it makes sense that the largest part of society doesn't have access freely to these type of illegal material. Thank you.
>> PETER VAN ROSTE: Thanks so much. If you permit, I have one followup question. You mentioned in a half sentence that you're going to the registry when it comes to intellectual property violations and you would go to the ISPs when it comes to CSAM. Can you elaborate a little bit on why you make that distinction?
>> GRÉGORY MOUNIER: I knew you would be asking that question. When I was preparing and speaking to my colleagues because I'm not an investigator myself, but I work with them all the time. And to prepare this talk, I went to see them and to speak. I think one of the main reasons is that for to work with the registries and to request a block domain names requires a heavier legal procedure. So in most countries you would probably need a court order. Whereas when you go to ISPs, depending upon the type of information you will be asking, then sometimes and in some countries, ISPs are happy to, for very obvious illegal content, to play ball basically. I think that's one of the main reasons. So speed. If you gather a list and send it to an ISP, they might just remove it. Whereas for registry it might take a bit longer. That's why the U.S., ICE the agency we're working. We're working with another operation. We do it every year. Last week they had to like they blocked about a thousand websites that were distributing copyrighted materials, stuff like fake medicine and everything. And they've got very good relationship with Verisign, for instance. So it's easier to remove domains., for instance. I know it's not really answering your questions. But with my limited knowledge on this I'm trying to get there.
>> THOMAS RICKERT: Thanks so much. Let's move to the next fire starter. Where is Maryant? Advocacy manager with EDRi. And you're going to be the next to start the fire.
>> MARYANT FERNÁNDEZ: I'm Maryant. I work for Human Rights. To make sure there is no censorship. There is the right to privacy, personal data and Seoul Freedom of Expression and any other rights including [Inaudible] So as a fire start ever, I would disagree on certain aspects of what the previous fire starter said, but I would focus on what I had prepared. So the first point I would say is that blocking without a legal basis thankfully to the regulation there was adopted last year on open access is and should be prohibited. We see a trend currently that instead of asking for court orders, there's a trend for voluntary blocking that is not predictable, that it does not respect the principle of necessity, of proportionality, of legal predictability, of the fact that we need review mechanisms, that transparency mechanisms in place, an assessment of any counterproductive effects that these measures would be taken are not being in place. So this is the first point. Voluntary blocking should be illegal. And we definitely would discourage said practice. Then I would also plead that we should not think about as a solution that one fits all solution is the solution. I don't know if I explained myself correctly. I refrain. So we have different policy problems. So one of them is to combat child abuse, another is to combat terrorism, copyright infringement and many other public policy objectives. But that doesn't mean that we need to take the same solution for all types of public policy objectives. And what we see is that there is currently from a state and government perspective, there is a push for companies to do more. And then there is a push for them to actually take responsibility, take the lead to actually block or remove content that might be legal or not because the assessment has not been done according to the law but according to the service. 
And this is in clear breach of the charter of fundamental rights and any other Human Rights obligations such as the universal declaration of Human Rights, for example. So an excellent example of this breach, I would highlight the regulation on Europol that was recently adopted which says that, for example, Europol should help actions in identifying crimes and make Internet referrals to the only service providers. However the Internet providers would consider what to do with these referrals. And the authorities do not commit to actually assess these on the basis of the law but on the basis of the terms of service. So we see a big problem with regards to the rule of law with the democratic society that we have and all the laws and caselaw that we have seen. And I think that's it for a fire starter. [Applause.]
>> THOMAS RICKERT: Thanks so much. Next is Peter Koch. You've already heard Peter. Peter is with DENIC and policy adviser with the CC registry.
>> PETER KOCH: Most of the remarks I have prepared have now vanished already or are used which is good so we can go to the orderly discussion. I'd like to highlight some of the points here that we probably want to look at in the upcoming discussion. It's very important to distinguish between content that the user is explicitly seeking to access versus content, or I could say software, unwanted content in contrast to illegal content. So there are some advocates of DNS blocking or filtering for mitigating malware, for example. That happens very close to the user and already somebody mentioned. Anything that is happening at the edges is probably deemed to success. But it has certain granularity and a certain scope. And the closer it is to the user, in cases where the user is consenting to that measure, I guess these are the cases we do not need to talk about. We are talking about the unconsenting user being blocked from access. That's the one point. The position of the user and the intent or their desire to get to the content. Everybody's happy being blocked for viruses. Unless you are a virus investigator. So even in that case, there are some cases that you might want to think about. To the scope and extent and the granularity, that's an important point that I guess Oliver mentioned when he was referring to that RFC. Doing things on a domain name level is not really granular. It's like wiping out the complete village from the map because you know there are some shady areas there and you want to protect people from going there. It doesn't help but it also prevents people from going to the nice, whatever museum or fountain in the middle of the village. So the granularity is missing at the DNS level definitely. You have a URL usually that is maybe www.dub maybe something else, dot domain name slash, et cetera. Not all of the content is necessarily bad. 
By avoiding the translation of the domain name, you're preventing anything that is behind that translation from being accessed. And that's, of course, something to weigh in on. Let me see. Yeah. As a top level domain registry, we are on the far side of what Peter had on his slide on the right side. We would usually not talk about blocking. Blocking is something that can happen at the exit side. We are sometimes approached to take down domains. Because there's something bad behind that domain. Now, there is nothing bad behind that domain because the domain is just a string that is translated into an IP address or into some other identifier. We've already learned that could be a mail server. It could be something in the Internet of Things. So I get extra bonus for mentioning Internet of Things twice now. Or something completely different. We shouldn't well the Web is dead. We should think further ahead. There's much, much more than a single website behind a domain name. Domain names actually work as identities or can provide identities because you have your mail address behind them. You have your web server still there. You have your phone system behind them. And maybe you have all of your smart home stuff behind your own domain name. Now imagine your domain name is taken down. Yeah, okay. Your problem, if you engage in criminal things, think so? Well, a domain translates into multiple IP addresses. You can have multiple names under them. And all of a sudden one of your web services is compromised. Somebody's placing bad content on there. And next comes somebody saying to the registry take down that domain because there is some bad content under some translation of that domain name. Okay. So we launch that rocket grenade into that 15 story building. And of course the sniper is gone. But unfortunately the 60 people in the building are also gone. So collateral damage is a significant risk here. 
And I haven't seen that being addressed to the extent I'd like to in those discussions. And the rest I get. We already covered. So time for the fire extinguishers.
>> THOMAS RICKERT: Thanks very much, Peter. Our last fire is Lawrence Siry from the University of Luxembourg. There you go.
>> LAWRENCE SIRY: I take a different approach because we've seen how blocking affects the governmental and the police, how that they do that, how they take the technical and put into force what governmental policies that we've all agreed on, especially with child abuse images. My research kind of takes a different approach, which I think is equally fundamental and possibly more dangerous, to a certain extent, and that is self censorship on the Internet. And in particular I'm looking at some cases that are coming up. One of them is actually a case and the other is an example that just comes from today's use of Facebook. And I will pick on Facebook because that's what we all know and use and probably is up right now as we speak. The first case, what they come out of is when we have the governmental regulation, we also have self regulation. But then we also have a layer of fear that I would say. And that is the fear that we don't want to offend. So we will remove content that offends our sensibilities, our standards within the community. And in particular, this, for me, poses a problem or a danger because the discussion within these digital town squares becomes more limited. The recent case from the court in Paris, I don't know if anyone heard about it, but it was the posting of a professor posted a picture from the Orsay, a painting and it was L'Origine du monde. It is from 1866. It's a painting of a vagina. And it's a bit of controversial painting throughout its existence, but what Facebook's response was: It's nothing to do with blocking. What they did is they closed his account. He sued. He sued in Paris. And this is where it becomes relevant, I think, because the liability for those platforms was always governed if they were American or if they were from California by the terms and conditions that come out of the northern district or I think it's the Northern District of Illinois California. So you'd have to go to California to sue. I don't know. 
I'm in Luxembourg. Love to go to California. But I doubt I'd do it because they close might Facebook account. However, what the court just held on the fifth of March is that that clause, within the terms and conditions, is an abusive clause, particularly abusive because it effectively shut down this individual's right to redress in the cords individual's right. There is no jurisdiction in the court in Paris, therefore there is no remedy. And what the court in Paris said: Not so fast. That that's an abusive clause. And for the purpose of jurisdiction, we haven't even gotten to the merits of the case, for the purposes of jurisdiction, the case can go forward in Paris. I think that's significant because the conundrum for places like Facebook or snap chat or any of the social networks is that they have to they're global. And they have to comply with the individual national laws, or EU legislation or American legislation. So they are trying to water down what is acceptable in order to not piss off anybody. And I think that that's dangerous. It's dangerous for another of reasons. Ms. Fernandez mentioned that when you have regulations, they have to be transparent and they have to be with certain aspects of fair process. And that seems to be what's missing from a more surface analysis. In other words, for the user who is posting or the user is opening an account. But I think it's also very important for two reasons. First of all, because it directly affects the Freedom of Expression, especially in countries where you have a private right to challenge a private company on the issue of Freedom of Expression. Or the right to privacy. It's applicable horizontally, I think. Secondly, it's dangerous for the companies themselves because as it is less transparent and as these clauses perhaps are truly abusive in that they limit the right or redress of the user themselves, they will not be honored particularly in places like France or in the European union and the Member States. 
So that's my I wasn't sure if it was fire starting or bed wetting. So you can be the judge. But to throw it out is that the Freedom of Expression can come can be challenged at a more scientific or a more technical place definitely, but it also, when you open up your smartphone and check your Facebook page, it's also being challenged there. Okay. Thank you.
>> THOMAS RICKERT: Thank you so much. I'm afraid our time is already eaten up, so we're going into your coffee break if I'm not mistaken. Nonetheless, I would like to take one or two questions or comments from the floor and then we're going to wrap up. So Oliver is going to go first and then Alex.
>> OLIVIER CREPIN LEBLOND: I'm president of EuroISPA, one of the cohosts of this today. One comment for EuroISPA, when it comes to what I wanted to say, EuroISPA is the European ISP association. We are representing currently more than 2
>> OLIVER SÜME: We are representing 2,500 ISPs. And we're very happy to cohost webinar today. About blocking child abuse or child abuse or child misuse is one of the most common justifications for blocking. And I think there are some things that I'd like to add to what you said. Everybody would agree that nobody wants to have access to such kind of content. But I think the social responsibility is far more than blocking access. I think the first responsibility is to avoid such content being on the Web. And the most important thing to know about blocking came up very clear after this presentation here is blocking is nothing else than putting a curtain about something that you don't see anymore, which doesn't change anything, that it's still existing. Not only the pictures or the movies or whatever in terms of child misuse are existing, even worse is that the crimes are happening. So what we see here on the Internet is unfortunately only the peak of an iceberg about something really disgusting that's happening in the middle of our society. The discussion about blocking, particularly when you talk about blocking of child abuse material, to my experience very often leads away from the main problem, which is the source on the Internet. And we should not regardless on how you stand for blocking and what your opinion about blocking and filtering is, the first and foremost, the challenge is to remove the content from the Internet. And that is something that is happening very successfully in many cases. You may know that many ISPs are operating hotlines where people can notify such content and the hotlines are also cooperating with many law enforcement agencies all over Europe, not only to follow the crime but to delete this content at the source. And this is a very successful system.
So successful that in Germany where I come from, we are not blocking child pornography anymore because we experienced that these hotlines are working so fast that on an international level, we can take down the content within some hours, at the latest within 24 hours, which is far more effective than any blocking measure you would try to start. So even if you discuss blocking and filtering measures in terms of child pornography and child misuse, let's not forget the main purpose and the main action, which should be to take down the content. Thank you. [Applause.]
>> THOMAS RICKERT: Thanks very much, Oliver. Just wait for the microphone for the remote participants.
>> Thank you very much. Enlighten me very quickly. What's the difference between the police sending a URL to an ISP to ask we say blocking, we would like to see removal and most of the time it's removal and what you were saying, hotlines and police does exactly the same work. We are for removal, definitely. We were not for blocking at all. That's much more efficient. So on that completely. And blocking and removal that's only a mitigation. We want to prevent that crime from happening at all.
>> THOMAS RICKERT: Thanks very much. Last intervention from the UK?
>> Hello. My name is Nick Surey. I'm from the UK government. I'm just going to kind of throw an idea and a question out here at the same time, following something that has been mentioned to me previously on a similar topic. So continuing in this in the child sexual exploitation scene. Let's say there is CSE content that is hosted online on a web server that's hidden behind sort of a layer of proxies. So basically you can't identify the location of the server or it's in a location that you can't take down. A domain name is used to resolve to that content. For example, it could be like child sex images here.eu. Law enforcement attempts to take down that domain and they're successful. But then as we've heard, the people behind this register a new domain name child sex images here.net. And it's this case of whack-a-mole. Now, obviously agree that the priority has to be to try to locate that content and take that down. That is the best action, the best solution. But that domain name is kind of it's almost, it's advertising potentially that sort of service, that type of content, maybe. So my question is: Do registrars or registries already proactively restrict registration of such explicit sort of URL strings or domain names there? If not, should this be something to consider doing? So rather than sort of we've been talking about blocking. And it kind of seems to me when we want to try and sort of block domain names, it's kind of like an after the fact thing where it exists. So my sort of question is phrased around should we maybe are we sort of taking a proactive approach to stop explicit strings being entered into the DNS already. Or should this be something that we should consider doing. To whoever fancies answering.
>> THOMAS RICKERT: I'm afraid that there are more hands going up. This is eating into your coffee break. Just two sentences, okay? And then I go to Peter to wrap up.
>> Techie from dot eu. Child pornography.eu, you would not want that domain name to exist I would presume but not what the child pornography organisation. That if you have a you carve out all the rest as well. It is difficult to do in an ultimate way. Everybody would have to do a conscious evaluation of what the domain name is used for. Talking about content then again. Bad boys don't obviously use obvious names like that. Nice pictures.eu or something like that. So it's not that easy. I agree with you but it is not that easy.
>> THOMAS RICKERT: Thanks very much. I think we could continue for hours and hours. But I suggest that you continue the conversation over coffee. Peter, quick wrapup before I close the session.
>> PETER VAN ROSTE: It's an answer to Nick's question. So it does happen that there is a black list of names that will not be used in a zone file. So they will be stopped upon registration. But that black list is typically ordered through court order or it is part of law. For instance some financial laws, in one of the Nordic countries, I don't know if there are any Swedes in this room, but I seem to remember that the Swedish government has imposed some restrictions on the use of the word "bank" in a name. But you do not want, I think, a private entity to start up making rules of what is allowed and what is not allowed. But if these black lists have a legal background, then I think you already see some of those examples in practice. I think from a technical perspective, from an organisational perspective, it is highly debatable if this is scalable. If you have 100, 3,000, that's fine. The moment you run into hundreds of thousands of names it would probably become a bit problematic.
>> THOMAS RICKERT: Thanks very much, Peter. I guess this is an excellent starting point that you will continue over coffee and when you go home and talk to your peers in your respective communities. I think what we should take away from this conversation is that there are different technical methods to do filtering and blocking. There are different impacts that these measures have. There are different collateral damages there might be depending on what you deploy. And then there are a lot of policy questions surrounding it. For what type of content or services do you want to see filtering or do you not want to see filtering? Who does it? Is it the ISP having acceptable use policies where he doesn't allow his customers to do certain things? Or is law enforcement authorities or is it any other third party that might want to impose blocking or filtering? Then once you've deployed those technologies and I think this is something that we haven't yet discussed, if you install something, technical infrastructure that allows for blocking and filtering with the best intentions, this infrastructure can be used for other measures. So we need to carefully discuss what transparency should be applied when it comes to those filtering technologies. I know of cases where URLs and IP addresses are added and added and added to filtering and nobody looks whether the name still exists or whether these entries should still be there. So there are a lot of implications. I think we are all on the same page in terms of protecting children from abuse, but let's not forget behind a lot of those images, there is real abuse, potentially ongoing abuse. So I couldn't agree more with Gregory that the first call for action should be to find the perpetrators and prosecute them. And when it comes to filtering and blocking, they should be very carefully considered for all the implications that we've discussed today. I think what's encouraging is to see all the feedback from you.
It's great that we have such great attendance. Again, let's continue the conversation at a later stage. Thanks to Peter for the introductory presentation, also to Malcolm and thanks to the fire starters. Have a great day. Thank you very much. [Applause.]