These are unedited transcripts and may contain errors.

Anti-Abuse Working Group

Thursday, 16 May, 2013, at 2p.m.:

BRIAN NISBET: Start the Working Group session. So, this is the Anti?Abuse Working Group session for RIPE 66. If you thought you were coming into routing, you are in the wrong room, but hopefully none of you will leave at this point in time.

So welcome to Dublin. I have, it's been absolutely fantastic to have the meeting here this week and it gives me great /PHRAOUR to be a ?? slitly less /PHRAOUR to welcome you here to the Working Group session. We are the two co?chairs /SA* we have quite a bit of stuff to get through this afternoon, hopefully very interesting things. Some policy, some talks and bunch of other stuff. As I was just saying, no short presentations from Paul /REPB /TKABG, no European Commissioners dialing in or anything like that so hopefully we won't run over too long.

So, thank you to our wonderful scribe and chat monitors from the NCC and the fantastic home?grown Stenography, which I know I say this every single Working Group session which constantly amazes me with their ability. There are microphones, if you are speaking at one of them, state your name and affiliation, whatever made up affiliation you want to have at that given point in time. The minutes of RIPE 65 were circulated. There might have been one correction but certainly nobody said very ?? anything very much. So unless there are any objections in the room now, we will note them approved and move on.

The agenda has been published. We made a couple of tweaks to that but we advertise that had to the mailing list so I am not aware of any late breaking items that we haven't incorporated, but if you have anything now is a good moment to warn me and Kaveh is running to go the mic possibly. The agenda finalised, we will move on from there.

So, recent list discussion, we were talking back in February about the charter and I have a slide on that and a couple of things just to mention on that. I am not aware of any other list discussion we need to talk about here. There has been some of it and some useful information on dealing with abuse and finding the people who are doing the naughty things on the Internet but I am not aware of any other list discussion that we need to specifically bring upright now. And you all appear to be agreeing with me, so excellent.

A few updates: The clean IT project has presented at this Working Group on a couple of occasions, famously in Amsterdam last year. And the project was very time limited and it closed in March, yeah, a close?off meeting in Brussels during which the final document was certificate moanially handed to the Commission and there was some discussion about the contents. I am not going to go into it in great detail here, we mailed the mailing list with the URL to the document. It is ?? I hesitate too be too decollartive on what ?? it's there, it's a document, I don't think it's particularly going to do very much. It is ?? it's very, very loose. The one good thing that does come out of it and it's very important point to note, is the document explicitly states that they do not believe that filtering blocking URLs, etc., etc., is any way to deal with on?line terrorism and then the promotion of terrorist activities which is what the CleanIT project was trying to solve. I don't think they really came up with any way particularly of achieving their aim but at least they declared certain things were verboten, which in and of itself was positive. But myself and Tobias got to go and wear suits in Brussels, which I think was worth the price of entry for anyone who saw us at this point in time. This is not our usual attire. So I don't know if anyone has any comments on that. We said we would report back on the process and that is the final report on it.

So, the charter. Every so often Working Groups decide to navel gaze and think about their charter. This cropped up in the mailing list so I said we'd discuss it here. I don't plan spending huge amount of time on it, but we'll see how we go. I think I have some proposals on what we can do and to take away to look at. Of course, all of you are intimately familiar with the Anti?Abuse Working Group charter and I am sure you can all recite it by heart. The aim of the charter that we wrote was to try and non?exhaustively define some areas of abuse that the Working Group would look at and then identify some activities. The activitys are still there and we are not really discussing changing them but on the mailing list, it was suggested further definitions of abuse and some words which are ?? ah ?? did I not upload that, that is very foolish of me. There was another version of the agenda which I clearly didn't upload. My fault, absolutely. Which had the words that /RO*EPBD had written. The aim was that he would like the charter to state that the Working Group would work towards essentially punishing those who abused network resources by closure or deregistration of the LIR or the people in question.

However, to do this, it's predicated on the existence of an agreed definition of abuse. Now, I would not aim to speak for anyone who deals with anti?abuse ?? ah, I did ?? so, yes, this group may or shall work towards the goal amongst others of seeing to it that the use and/or registration if any in all forms of Internet number and resources should be denied to and any and all parties engaging in abuse of the Internet."

So, this is quite a tall order, I feel, especially seeing as it's predicated on actually having a definition of abuse, which everyone grease to. I believe in many possible things, I dream. The Internet arriving at an agreed definition of abuse is too far even for my wild optimistic speculation. Equally, I think we do a lot of this already; we work with the NCC on these matters, we have spoken to them about the deregistration enclosure documents, which Athena has presented on here before and it's been talked about, and law phonement about all of this, so I think a lot of this are things we are doing (enforcement) albeit I think Ronald would like us to be more active, particularly. So, yes, what I am ?? what I am proposing is, rather than us try to word Smith in a Working Group session, which would be insane, that me and Tobias, Tobias didn't realise this, will review the charter, we will look at the non?exhaustive list of abuse, which is a little out of date, I will admit; it was something we put together in Berlin, which was a number of years ago now, in fact Sander is wearing the T?shirt so it's RIPE 56 we came up with those definitions, they are out of date now or at least they are not as relevant as they were. We can look at those and changes those. I think the core principles of not wanting to look at things like copyright theft or otherwise, are definitely still there. The Working Group has not objected to some of the content we have had and some of the discussion we have had in relation to things like the presentation we had in Amsterdam about fake clothing and that kind of thing, and indeed the fake farm ma presentation that we are having later on today so I think we can maybe see if there is a form of words there that can widen the scope a little to include that, while making very, very certain that things like the /TKEPBLG digital Mel enyum Copyright Act remain far, far away from this Working Group. I have no intention to embed a definition of abuse. I have much, much better things to do with the rest of my life. And I think we will continue to work with the NCC on the documentation and the closure and deregulation and and all that have whole process and indeed to continue to work with the LEAs, as we have on all of that as well.

So, does that sound like an idea? I see some nodding. I hear no ??

MICHELE NEYLON: Seeing as you don't want to be talking to yourself all the time, black night. I think reviewing the types of abuse is very, very important, I'd also be very supportive of keeping well away from pure intellectual property copyright, all that. It's completely ?? it's a fascinating area but it's not something that we should really try to solve. I think you should recognise, I think you should put something in there even as a footnote to say we explicitly decided not to get involved with this.

BRIAN NISBET: That is in the charter, which I you know.

MICHELE NEYLON: I am fully support over reviewing the types of things but I would be wary of other things like fake clothes, for example, I am not too sure how that is important. Fake farm ma is something different which I will be talking about later. Thanks.


AUDIENCE SPEAKER: I have no major issue with this Working Group defining what they think is abuse but I do have a massive problem with this proposed charter update. This would take a part of the RIPE community a part of the RIPE community that works towards making the RIPE NCC an enforcer of content, in order a censor and as long as I am a member I will fight that.

BRIAN NISBET: I think I understand your objection and I think we can phrase things to make sure that we are not saying that. And I think that is important. But, we'll come up with a form of words, we will circulate it to the Working Group and people can have a look at that and if there are objections, there are objections, but I do not wish to attempt and I use the words very carefully, to start making this Working Group try to force the NCC to be a sense /SOR or any or form of Internet police or anything like that at all because that is not what I am looking for.

PETER KOCH: DE?NIC. Could you get back to that proposed charter text that was a suggestion kind of, right?

BRIAN NISBET: Yes, that was one of the things on the list.

PETER KOCH: I like this work to go towards the goal to eventually sometimes start ?? world hunger, world peace. The part I have been missing, probably I wasn't paying attention enough, so what is the actual problem with the current charter, what are people to proposing to do that they are not able to do within the current charter and would like to do?

BRIAN NISBET: My understanding given the conversations with Ronald is that he would like the Working Group to be, you know, to say, if you abuse the network, your resources are ataken away, you are closed down, that we act very pointedly against ?? well, spam is his particular bugbear but all forms of network abuse. So, what I'm saying is that that is too far, as far as I am concerned, for this Working Group to go, because it does lead to us going, yes, the NCC should be shutting people down a lot more often other otherwise. I think he is looking for a form of action, which I am unwilling to suggest we take.

AUDIENCE SPEAKER: So is the suggestion to broaden the charter to pre?empt the decision on a proposal that I am decidely not going to comment on?

BRIAN NISBET: There is no proposal.

AUDIENCE SPEAKER: Well that is part of the problem. So why widen the ?? change the charter if there is no ??

BRIAN NISBET: Well, there was the question of whether we should, so this was on the list, I said we would take to the mailing list, I agreed there was parts of the community who were asking for it, so what I am saying now is, this is what was asked for so what I am suggesting is we are already doing some of that, we are not willing to push towards the sharper end of it but. It's timely anyway for myself and Tobias to take a look at the charter and maybe broad answer couple of things, send it to the Working Group for review and see where we go from there. But, not to take as many steps as was initially suggested. Does that make sense?

AUDIENCE SPEAKER: I have exhausted all my diplomacy this week already. And there wasn't much, as you know. No, seriously, I'd suggest that if there is ?? if there is a proposal and that proposal has, say, significant support to have any chance to survive and people feel that that is not exactly in the remit of the Working Group because the current charter is too constrained, then a charter be reconsidered, but changing the charter in a way that is, kind of unintelligible to me here.

BRIAN NISBET: I am not suggesting changing the charter with any of these words whatsoever. What I am saying is this was asked for; I do not think it got significant support. However, in conversation, I said OK, well, we will take a look, maybe we will make a few small changes to update some things, not to insert this text at all and we will do so. What I am saying it's not going to be a huge change at all or any sort of fundamental change, but this was mentioned so I felt it was germane of me, this was a conversation on the list so it was the appropriate thing to do was to say it here and say what the Chairs' response was going to be to it.


BRIAN NISBET: So anything else on that? No. Cool. Then we will move on.

So we have two policies, which will have some very brief discussion on them. I am actually going to deal with the second one first because the NCC have a brief update on 2011?06 which is the Abuse?c. 2013?01% openness about policy violations, which Sander sent to the mailing list, to a very vocal welcome. He slacked a lot. Shane has also slacked a lot. So, the agreement, the last time it was mentioned was that they would come up with a new draft, I believe they are writing that draft as we speak. Clearly, they should be paying attention to me. So, there will be another draft of that and that will be sent to the mailing list. But 2011?06. So Denis.

DENIS WALKER: The business analyst for the RIPE NCC database group. We were asked to just give a quick update on where we are with the Abuse?c policy that was agreed some time ago.

Just a quick review: We publish an implementation plan and impact analysis on RIPE Labs some time ago. We did a detailed explanation of how to implement Abuse?c, that is also on RIPE Labs. And announcements were sent about this to various Working Group mailing lists. This is all now been fully deployed and is operational.

A quick outline as to exactly what this is, because some people have been asking me questions about what is it and what isn't it. This is what it is. The first six months we are focusing on the allocations made to LIRs. The requirement is for to you add an abuse mailbox to a role object, an existing one or you can create a new one, it's entirely up to you. Then you need to reference that role object with the new Abuse?C attribute in your organisation object. That is the one which the RIPE NCC created for you when you became a member and the one that has the old type LIR.

All the allocations that are made to an LIR, already references this organisation object, so that one action will provide an Abuse?c which covers your entire network. You can provide fine?tuning if you want part of your network to be covered by different Abuse?c, that document on RIPE Labs explains exactly how to do that. By the end of quarter 3 this must be completed, that was what the policy required. So basically, by the end of September, all the organisation objects with type LIR must have an Abuse?c attribute. Again, the explanation, what happens in six months for those who don't is explained in those documents.

Just to give you a quick update on where we are right now with this:

These are the allocations currently with abuse?c. We see that the number of IPv4 allocations, we are looking at 25% now have an abuse?c attribute. For IPv6 allocations, 24% now have abuse?c coverage.

In terms of the size of IPv4 allocations, those now cover 36% of all the IPv4 addresses that the RIPE NCC has allocated to members.

In terms of number of objects, this is INET num and INET six num that are covered by these abuse?c. We are looking now at 13% of the total number of these objects. In terms of number of LIRs who have added this to their organisation object, we currently looking at 17%.

Any questions?

AUDIENCE SPEAKER: I am Pat from OFCOM, this is a bit of a newbee question. What is the outfall if you didn't fill in the abuse?c contacts, what are the consequences of that?

DENIS WALKER: The requirement was that by the end of September, all LIRs must have added this. If not, we will add the LIR contact e?mail address which the RIPE NCC has and we will create the abuse?c for you. But then of course, you can change it to anything you want. But the requirement is there must be an abuse?c and it must have an e?mail address.

AUDIENCE SPEAKER: It could be that e?mails concerning abusive behaviour would end up to the network team that manages that allocation.

DENIS WALKER: Yes, that is not the one you want it to go would you need to change using the LIR Portal.

BRIAN NISBET: The idea is if you are ISPA and one of your customers hasn't filled this in, your knock address or whatever address you have might go in there and that will hopefully act for you as encouragement for you to encourage your customer to fill in their correct details and we have some more on data verification in a few minutes.

KAVEH: Just wanted to give you a quick outline, as Denis mentioned by end of September, all the LIR organisations will have an abuse?c contact. In the meantime, every month and we have already sent out the first round of e?mails or it's being sent out as I am speaking, every month we send a reminder to LIRs who don't have added abuse?c. And the second phase of the project will focus on PI space because of the nature of the addresses and not having the proper contacts and all of that for some of them, we have assigned a one year deadline for that.

BRIAN NISBET: Thank you.

AUDIENCE SPEAKER: David RIPE NCC, I have a question from the chat. If from Sebastian from Net Connects: If abuse?c on an object with an e?mail and abuse mailbox, do they expect to use e?mail attribute or abuse mailbox attributes of the abuse?c?

DENIS WALKER: The policy says that the abuse role object must have an abuse mailbox attribute and the and the abuse mailbox value is the intended e?mail address for abuse. But this policy doesn't define what you send to that so, this policy was only about creating the set?up within the database, giving you a single place to put an e?mail address, and that single place is the abuse mailbox attribute in a role object.


BRIAN NISBET: So, anything else for Denis? No. Thank you very much.

I clearly need the exercise of climbing up and downstairs.

So up until yesterday morning there was nothing for Working Group interactions, and then myself and Tobias came up with a crazy plan. This was largely discussed in database yesterday morning so I am not going to go into it in huge detail here. The idea is that we'd always said once 2011?06 was in that we would like at data verification, so we are now going to look at data verification. The idea is that we will put together a policy to be presented probably in database, possibly in NCC services but we will let Wilfried and Kurtis have a fight about that or something, with the aim being to start doing regular data verification of the abuse?c details to begin with.

We don't have text, I am not going to start saying exactly what it's going to write at the point in time so please don't ask me too many detailed questions but the basic concept we talked to the NCC and from the point of view of implementation but the basic idea would be there would be an automated check to say, is someone ?? is someone reading this e?mail? Tick a box, reply to an e?mail and that would go out at a frequency, which would be to be agreed.

The next step after that is to rationalise the admin?c and text?c in a similar way to the way abuse?c is now organised. And then the step after that is to put in data verification for abuse?c and text?c.

There is implementation detail here, there will be lots of it. I am not going to go into it right now but that is the basic thrust. We were also talking about IRT objects in the same conversation although we didn't mention that in database yesterday and we will be writing along with the NCC, looking at some proposals to IRT objects as well but this is to flag here that we are going to start doing this work now and while it will be in database, obviously we will keep the Anti?Abuse Working Group informed of our progress.

So that is all I have to say on that, unless anybody has any questions about it. Kelly.

AUDIENCE SPEAKER: It's not a question, it's just more a point of information. Under the 2013 REA which I kind ?? registrars will be entering into they are introducing a lot of verification and validation of similar data points, so it would be logical to me that maybe the NCC could actually talk to ICANN as well just to see if there is some kind of data sharing they can do in terms of methodology, because ICANN has exactly the same problem.

BRIAN NISBET: If there is prior art, absolutely, so Kaveh, I think, from an implementation point of view when we get that far we should note that that is happening. And Sasha.

AUDIENCE SPEAKER: I thought this was the Anti?Abuse Working Group and now you are proposing to spam all the LIR contacts, not just that, you have to reply to it, too.

BRIAN NISBET: No, I am saying, I am letting you know, as this was mentioned elsewhere, that your two co?chairs are writing a proposal to submit to the database Working Group. If the community does not want us to do that, all the community has to do is say no. I don't see this as certainly not these days, and certainly not in the conversation we are having with law enforcement and things like this, as unnecessary spam and it's something that we were, is there any sort of necessary spam? No. I do not see it as spam and it's something we did flag that we would like at. But it's a proposal, if people don't like it, you know, object and it won't go through. Anything else? No. In which case I will move on.

So, the NCC and the RIPE community in general has been doing a lot moreover the years, a lot more interactions with law enforcement, as Paul mentioned in co?op and NCC services yesterday, we had a very suck successful meeting in March. I think it's great, it's continued to be great, we have Richard Leaning here from BC3 who will be talking in a short while, and this sort of thing is to be encouraged. And Marco from the RIPE NCC external relations team will do a quick update now as well.

MARCO HOGEWONING: So, I work these days work in the external relations team and, Brian only allowed me five minutes, I am going to be really brief. The one question that we always get asked is when people find out we are talking to law enforcement and working with them, is why? Well, over the years we saw a great deal of increase in the amount of inquiries we get, both for formal and informal requests for information. Almost always related to information we don't have, asking, oh, I have got an IP address, who is the user here or completely non?relevant stuff like, oh, here is an IP address, can you tie this to an operator. Stuff like that. A lot of these things were not signed off by formal document, I will come to that in the final bit of my presentation, but basically we only accept search formal requests when they are signed off by Dutch court and we thought to improve efficiency on both sides.

We document all our governance and provide more information and, I didn't put them in the slide but in 2009 we saw 33 requests, so at that point we started becoming active. In 2010 we were down at 23. 2011, we got 15 of such requests and in 2012 all of a sudden we have got 21 again. We are increasing. We need to do more.

And one of the things that we are currently focusing on in our outreach is actually using the available tools, because what we found out, if we can answer the question, information is publically available, it's there in the database, we can point law enforcement to the right operator. And any further detail on who is that user has to come from them. And the same goes for routing information. Which network is originating this spam or where does this phishing website live in? It's routing information, we have got RIS and RIPE stat, you can retrieve that from our website. Theoretically, we don't have to be involved. And for specific details they have to go to the operator. So why talk to us and to give you one of the pointers there, is OK, so we require a Dutch court to sign it off, and in law enforcement terms that is Mutual Legal Assistance Treaty, and to us techees, those processes is really old?fashioned in the vault faxes and letters and usually take a few weeks, they have to file it all to the Dutch court and everything and in the end we enter and three months later they get the answer, sorry, the operator you were actually looking for that can give you the data is around the corner. That causes a lot of frustration. So that is why we decided to move into this space and basically all we are doing is capacity building, explain who we are and what we do and especially teach people how to use public tools, explain that this registry is public and they can retrieve a lot of information from the RIPE database from the other tools we produce.

And also, the other thing that we are stepping into is explaining the technical impossibilities, because a lot of times people are trying to seek like, hey, can you block this user and take this IP address off?line so this is the other part of our capacity building.

Now, in terms of outreach activities and venues, a dedicated meeting concerning E congress in London, since 2010, Brian was there, we invite a few people but in general this meeting is closed, this contradicts the open transparency nature of the NCC in terms of building a trust relationship we started off with doing these kind of closed events because apparently that is the easy way to get them in. If we do closed event all of a sudden they all show up. What I find most important is that after doing this a few years, we do ?? they do work and we try to open them up and they figured out we are not that scary and likewise, the other way around and we are both signature here at an opening meeting and Dick is presenting after me. I do think these closed meetings have a function although they are not really closed but we do invite other experts incourting with RIRs here. They had a great tutorial at ICANN meeting with we had loads of law enforcement people and we ran down routing and RPKI stuff. Europol, Interpol and what we are also looking at is cooperation at the IGF, the Government's forum and Eurodik and Paul mentioned yesterday in Services Working Group, they are really a valuable partner in underlining the importance of having an open and robust registry so we are working with them on how to interact in terms of public private partnerships and cooperating with law enforcement.

We are doing some training courses, that was by popular demand. When I was still a trainer involved in developing this, together with SOCA, the UK agency, and it was actually also for us a real learning curve, understanding what questions policemen have and trying to figure out how our tools and our public data can actually help them in achieving their goals. So?so far, three courses delivered, we did a pilot for some UK agencies, we did one in Europol and recently did one in the United Arab Emirates and we are looking further in further cooperation, as Paul mentioned we are building relationships with agencies around our service regions, also to do the repeat of this and to intense fee our capacity building effort. So that was being set in terms of interaction.

As I said in my opening, one of the first steps we did was to write much more governance document and document what we were really do.

Recent addition to that thing is you may have seen the announcement on the mailing list, document 588 and this was one of the responses to the court case we had last year when the police came down for the DNS changer case. Handling requests for information, orders and investigations from law enforcement agencies, and what this basically says in three bullet?points is that we committed to protect the members' interest, that we only execute legally binding orders and importantly, we will judge each order on its own merits. Although we do have a document governing it, every single request gets due diligence, we will look into it and will be careful on what we will or won't say and how to respond to this request.

I guess that was my five minutes, so unless there are any questions. If you allow them.

BRIAN NISBET: I am not that nasty. I for /WURPBGS would like to say I am very happy that 588 exists and I am very happy with the NCC's decision on this, I think I have commented on this previously but I think that that is the right choice and it's the choice the community have asked for so thank you for that. Are there any other questions? No. In which case thank you very much Marco.

And so, now using a very fancy presentation, we have Richard Leaning, from EC 3, the European cybercrime centre.

RICHARD LEANING: Afternoon. I am the law enforcement officer you have been hearing B please, don't give me a hard time. A bit of history of who I am and sort of puts in context where we are now.

I know I don't look it but I joined the police force in 1984. And on my decks was a typewriter, carbon paper and Tippex. That is my background in this computer age. That was my technology.

Through my career, I have dealt with murders, rapes, armed robbers, chasing drug dealers around the world. They were using telephone key /OS, pagers when they came, and massive big bricks called mobile phones. In my wildest dreams we never thought we would be dealing with what we are dealing with now. The reason I mention these traditional crimes as we call them, they all have a presence on the Internet. Every single crime that happens around the globe, has a presence on the Internet.

Now, that could be crime that is only committed because of the Internet, or drug dealers speaking to each other on the Internet. That is where we have trouble. We can do a mobile phone ?? we can deal with mobile phones, we have long history of dealing with them, we have no history of dealing with the Internet. People communicate and how ?? what they are saying and where they are going and what they are talking about. This is all new for us. Typically for law enforcement, we are always playing catch up, you guys are so dynamic and you are making things happen so quickly, we just can't keep up with the new technology because we are bogged down with legislation back in our own jurisdictions.

Also, guys like me, I have got three 0 levels, 5 O levels, I never went to university, I haven't got your technical ability to understand how the Internet works. The same way when I was dealing with murders, I have been to so many autopsies, I know what a pathologist does it doesn't mean I can do it but he does that for me, and your guys help for us to help and save ?? look after the citizens of our countries to make them safe from cybercrime.

So it's not ?? it's no point me learning all this stuff if you guys assist in the room, advice us how we do our business.

I have been here all week and it's been very interesting and what I find very interesting about it is how pass NAT you are about your business, which is good because I am passionate about what I do and that is to keep people like my mum in the 82 years she has never been a victim on the Internet ?? buying E books, first time she has become a victim of crime, that can't be right, we need to do something about it.

I did do a big presentation but I want to cut that down and talk about the EC 3, this new organisation that only started in January. Then I just want to comment on some of the presentations that have been going on, especially from the RIPE NCC, Paul Marco, something that Brian said earlier as well. So if I can work this gadget.

I apologise for this presentation, we have got a new piece of kit at work and I was told this was lovely. But it makes me seasick. Let me just flick through. While flicking through, Paul did give me one piece of advice, was not a wear a suit because I do not wear a suit and he said the community would not like you looking like a cop. So I have tried to look like Paul. I haven't got those bright shiny sneakers that he wears either.

This is already on the ?? on your database. Here we are. EC3. We realised at very early stage that in cybercrime, we try to do it sigh load, country by country by country. And it was obvious from the start that we can't do it that way; it is global, we need to work together. And that is hard for us as police officers because culturally, we do not like sharing, we have information and we like to keep it for ourselves. In the cyber environment, we need to share, that is the only way that we can do what we need to do. And by sharing, we realise that we could not arrest our way out of this situation. The way we look at cybercrime, and I will come back to what Brian said about what is cybercrime, what is computer?enabled crime, what is abuse, we have many, many definitions, is that we look to prevent, disrupt, and if possible, arrest, and I choose those words carefully in that order. Prevention, disruption, arrest.

After a bit of consultation with the EU, it's decided that we need a coordination unit for the law enforcement agencies within the Member States to assist and support their cybercrime investigations. After a bit of toing and froing it was decided we will have the EC3, which is the European cybercrime centre, I always thought cybercrime was one word but it's now three and it will be housed at our poll in the Netherlands, because Europol had been in existence for a number of years and good building there and had the facilities and that is where it was. We have only been live since January this year, so we are still very young. We have 30, 40 staff, but like everywhere else, even the EU are cutting back on their funding so we have to incrementally increase that staff and hopefully by a year, two years' time we will be over 100.

So, this is roughly our mandate. The only word I don't like in there is "organised". Are the criminals on the Internet organised or they are so fluid that they will work with anyone at any time whoever can give them the best opportunity to commit crime on the Internet?

In traditional crime we called it organised crime because it's a group of individuals who have known each other from school or work that work together and they trust each other, but in the cyber environment, they don't know who it is that working with and they don't really care, as long as they can deliver what they say they will deliver, they are not that interested who it is.

That is quite obvious, this one. A bugbear of mine in the UK. We call it child abuse, children are being abused. Other parts of the EU, just because the legislation, they call it child pornography, this is not really what it is, it's child abuse. We don't know where to sit that at the moment, because if we concentrate our efforts on child abuse, and this other establishments that are dealing with that in the EU, that is all we will do, because once you start a child abuse investigation you cannot stop, for obvious reasons.

That speaks for itself. We do a lot of work with certificates, trying to do more and understands what they do and what we do, how can we help each other.

And these are the sort of inclusive approach that we are having. We are not the experts by no way are we the experts. We need you all to be involved with us, with these partners.

These are the people that look and we engage to make sure we are on the right track and that we are doing the right thing or advise us, say no, you are doing this wrong, you should be looking at this. What I would like to see in there is the RIPE community, RIPE NCC, RIPE community, we need people like you to help us to do our job properly.

Number 5, RIPE NCC, RIPE community, ICANN, whoever it is that can help us and assist us, we want you to be part of what we do.

These are the core functions that we are dealing with. I will let you read that because I am running out of time, I will flick through a couple of slides and then go back to the comments I wanted to make. This is basically what we do within the EC3. So training, which is held by RIPE and anyone else that we can bring in, like the big industries, Googles, the Facebooks, help to us do our training, research and development, some of our investigators do not have the tools they need to do their investigative work, they can't afford to purchase the tools they need, so we help them with that and make them for them and we will dish them out to them. Outreach and communication sincerely where I am from. Strategy, communications, we help to assist Member States conduct their investigations.

I will stop there because I can come back to this. I just want to make some comments about what has been happening with our environment and I will tell you what my particular role is. My particular role is in the outreach department of the EC3. My role is to engage with the Internet community to see how you can work, to see how you operate, to see things that you discuss and for us to introduce ourselves to you to see if we can help you in your issues and see how you can help us. We now call it ICE, it's the Internet community engagement. I just came up with that name yesterday because there was a few names that we are trying to work and my colleagues at RIPE NCC came up with a few names for me which I can't mention in this open forum. None were very good. That is what I do. My role, what I have been doing for the last three, four years is my previous organisation was SOCA, serious organised crime agency. I used to run the crime congress in London that you have heard about, in March of each year which RIPE NCC have been to since 2010, and we have a great, great working relationship. We have ARIN in there as well. I have seen Leslie walking around the building, absolutely terrific. I have been doing ICANN for the last few years and I see John Curran standing there with his cat on again and we have a great working relationship with ICANN. With the compliance units, with all the different communities within the ICANN we are doing really, really good stuff, and someone made a comment about what we have sort of influenced for the GACs at ICANN or the new RAAs, it's definitely something that maybe should be considered in what you guys I want to you do here, because there is no point in reinventing the wheel, if it's already there stick with the good bits out of it. It's taken us a long time to get to this relationship with ICANN community and RIPE NCC because, being cops, four, five years ago, we knocked down ?? we nearly did ?? knocked on the door and said let us in, we are the police, you need to speak to us. Completely wrong way of doing business. We know that now, and I have apologised to Paul many times for that. We want to be more engaging, it's a bottom up community, we want to be part of that community and work together and see where we can go.

We don't want to change what you guys do. The registry or the database, I have heard it called many times, if it's in existence, make it accurate, that is all we are asking. If you have already got it just make it worth doing it, making it accurate. Because that helps us. If it's accurate we don't have to keep speaking to Marco about can you tell us how to do this and that because we believe what is on there, then we can go and take our inquiries from there. So that things like we are not here to change; we just want to enhance and help what we do.

What with ?? work closely with your community and we will run events at Europol in Den Haag when you can come and speak from your jurisdictions and we will do that because we only cover 27 Member States, it might be 26, depending what the UK decides shortly but at the moment it's still 27. And we will get Interpol involved to bring in the other parts of law enforcement community that we don't cover. And we can have a good, good adult conversation about everyone's needs, wants, what we can do, just like Marco was saying earlier, we were naive what we thought RIPE NCC could do. We have now been educated and now know, or some of us know, what you can and cannot do. The reason I mention traditional crime, is that some detective at Scotland Yard who is investigating a murder or armed robbery or drug deal doesn't know about the Internet at the moment so he is the type of guys that you are going to get phoning you up saying where does this IP address go. What we are trying to do is mainstream and let them, let us educate them in how the system works. So it takes the pressure off you, you don't get those strange phone calls, we will be the point of contact into the community.

I think I have only got a couple of minutes left so, please, if anyone wants to ask me a ?? not too technical question.

MICHELE NEYLON: It was predictable I suppose. Thanks for the presentation; it's nice to see somebody from law enforcement trying to talk more casually and more socially, I suppose, about some of these things because some of the engagements can be quite painful.

On your ICE idea, I like it except I think the US government already have a rather large federal body that is called ICE so they might not like that.
A. I have Googled it and International Civil Engineers they call themselves.

MICHELE NEYLON: ICE takes down websites in the US, part of customs administration and US security so the exact opposite to trying to do.

RICHARD LEANING: If anyone can think of a better name.

MICHELE NEYLON: I do like the idea that you want to engage with the Internet community and for a company like ourselves, the problem we have is that as our government doesn't both Eireann gauging in a lot of these things it makes it quite hard for us to find a way to engage with you, because we don't have the GAC member, we don't have that route but I do go to ICANN meetings and Brian does engage.

JAAP AKKERHUIS: Tively. Thanks.

RICHARD LEANING: Is there a show of hands how many have contact with their law enforcement? Not many. But some. If you feel that you need to engage with your law enforcement community please come to me and I will reach out to whoever it is and it will be someone trendily that will come and speak to you.

AUDIENCE SPEAKER: I live in Russian Federation so I don't fall to Europol jurisdiction, but I have a technical question: Russian police department, is not very well?known for suck successful cybercrime prevention or ?? but very well?known for abusage of their powers they have in signer space. So how you are planning will be controlled by European Union citizens? How you are being watched ?? anti?abuse will not abuse your power, your abilities and so on. I must do these questions because I like to get new experience in Europe in trying to bring it to Russia, so what are you planning to do this.

RICHARD LEANING: Europol and the EC3 do not have any executive powers. We are there to coordinate, support the Member States, the Member States use their own jurisdiction, their own legislation to conduct their inquiries so they have their own governance, the EC3 we do not go out as EC3 and arrest anyone. We don't have any executive powers, we are there to support and coordinate investigations by the Member States.

BRIAN NISBET: If there is no other questions, I want to say it's great, it's great to have you here this week, it's great that you are not only here today but you have been here all week and it's fantastic to see that continued cooperation between us operators and you guys, because we would far prefer to you ring the doorbell than kick the door down. So thank you very much.

RICHARD LEANING: If anyone wants to speak to me, contact me here or ?? Mr. Rendek ??

PAUL RENDEK: I actually just wanted to say, Dick, thank you very much for coming to present here and presenting yourself to the RIPE community. I think a lot of people here have probably, if they had been around the scene, have seen Bobby from the FBI doing his work and outreach stuff and it's so great to see the European Commission and you know, Europe and the EC in general is reaching out and wanting to engage with our community here in the RIPE service region and I have to thank you I have had a few years of great cooperation with you, so thanks very much.

AUDIENCE SPEAKER: I wanted to frame the question of what is next? Like, obviously this is a good introduction and the conversation is started now, is it one or one or organisational engagement?

RICHARD LEANING: The idea is if you have me, I would like to come to this group in Athens, I think is the next one and to the RIPE meetings so I will be here at every other RIPE meeting. This is my day job. It's a hard job but someone has to do it. So I will be here. So you can either speak to me in the bar later, because that is where I probably will be or e?mail me or just come and drag me out of the coffee shop. But please, just come and speak to me and we can, you know ?? I am here.

BRIAN NISBET: I think this is very much, it's a long?term engagement. Thank you very much.

And that was actually a short presentation from Paul Rendek. So, the last presentation we have today is from Michele Neylon and ?? Michele are you going up as well. Michael from ASOP is here as well.

MICHELE NEYLON: I am going to be talking to you a bit about fake Pharma, and part of the thing, the idea is to try to make you all aware of what is going on and also to introduce you to Mike Isles, who is sitting there, from ASOP EU and also a few other initiatives and it's all about stuff which is illegal in a lot of countries. And that is all about me in case you are bored.

Welcome to the information superhighway again. I get to reuse my photos, it's great. The Internet, you can get all sorts of things on?line, including drugs, at great bargain prices. So how about getting prescription drugs nice and cheap. Fact: 97% of the websites selling drugs on?line are completely illegitimate, they are fake. If you do a search for cheap Viagra, which is just such a simple one to do, you will find pretty much every single one of those websites is illegitimate, it's fake, in some cases you will find that if do you another search and go further down the page you will find there is cracked websites, nasty little Java Script redirects, all sort of other things. I am yet to find an actual legitimate results for cheap Viagra.

This graphic gives you an overview of the legal situation with respect to the over?the?counter medicines and prescription only medicines within Europe. So it's three different colours, so you have green, both over?the?counter medicines and prescription medicines are allowed; yellow, only over?the?counter; and yesterday, absolutely no on?line sales allowed. I think some of the legislation in some of the countries but this just gives awe general overview. The other thing this doesn't go into, is legally speaking if you are in one of the countries where no on?line sales are allowed it also means that actually you shouldn't be receiving them either. Or if you are in a country like Ireland where it's only over?the?counter stuff in, if you start getting prescription stuff in from the UK or anywhere else, you are breaking the law.

Happy pills, if I could get this video to work, this may or may not work. This of course is typical, this always happens to me at presentations.

There is a bit of audio with this normally but the visual should help. Yeah. I thought scheduling this presentation straight after lunch, I was wondering what the reaction in the room would be like. The reality is that a lot of the drugs you buy on?line, if you see something which is a prescription drug in Ireland costs ten or 20 euro for a pill, if you see it on?line for one euro, there is probably a very good reason for that, it's probably made from some kind of weird and interesting ingredients, it might not have the right amount of the active ingredients, it could be wrapped in God only knows what and you could be putting yourself at risk.

And also, there is a real issue as well, that if you are buying through a lot of these websites you are actually to support other on?line crime, some of the criminals that are up to other interesting and charming things that we all love. I mean you wouldn't give money to a fake doctor so why on earth do it to a fake website? Some of the facts is, it's easy and cheap so 23% of adult Internet customers have bought a prescription medicine on?line. I am not too sure what the exact figures would be in Ireland but I am sure not that different and you are running the risk, you could end up killing yourself as is happening.

At any time there is over 30,000 fake pharmacy sites and I would say that is a really, really low figure. I am sure those of you who are sitting at laptops there could chuck in a few key words and get back much larger number and again they are not legitimate.

Now, what is happening this is the bit we are trying to engage with all of you. How many of you in the room here with hosting providers? How many of you in here are registrars for any extensions? A couple of you. A few hands going up. Registries? You might look at this stuff and go, this isn't our problem, this is a kind of content thing, this is a problem the police need to sort out but ultimately, you know, you can get involved.

So some more facts: Seizures of counterfeit medicines are up, if you are based here in Ireland, a bit of coverage of it in the Irish media about all sorts of interesting things going on. The sites look professional. That is just one of many examples. A lot of them aren't as professional looking but a lot of them are ?? a lot of them are very, very slick and have all the nice little logos, you will have the SSL and the trust marks and might even a privacy policies and cookies and all those lovely things but they won't have anything real. The guys in the European alliance for safe on?line medicines or, did I get the acronym right? They decided to test this out, just to see what was actually happening so they put together a fake website, similar to one of these ones you can find quickly and easily in Google and it got over 360,000 hits, but became the third most line on?line pharmacy for certain key boards and it would have made 35 million euro in sales. How long that was project running for, Mike?

Mike: That ran for nine weeks, and 35 million ?? that ran for nine weeks and we just said if 21 percent bought once in three times, about 15 euro and 34, 40 euros, we extrapolated up from that basis and we got to the 35 million. So it was really conservative thing and don't say we are in the wrong business.

MICHELE NEYLON: OK. We were looking at this ourselves internally, Mike flew over from the UK and came down to our offices in Carlow and myself and a couple of our staff were going through various things trying to explain how hosting providers and ISPs and registrars and registries and reg strands and resellers and IT service companies and all these fit together. As we were going through this we realised that there was massive amount of money to be made in this, some of these ones are paying out 25, 30, 50 euro per referral, all this kind of thing. So, here in Europe, as often happens, we are a couple of years behind, over in the US a lot of the big Internet companies, a lot of domain registries of the big registrars, hosting providers, credit card companies, search engines and companies involved with on?line advertising have been working together under a number of different guises but in Europe it's been the last 12 to 18 months so introducing ASOP EU, on?line safe pharmacies in Europe. Mike is here, my role partially today was to kind of introduce Mike. And these are a list of some of the various companies and entities that are involved. If you look at the logos you will notice there is a bit of a gap. There has been some engagement from a couple of registries and a couple of registrars but there is still a gap and still stuff people within this space could do.

There is a list again now of just the various different aspects of what it's at. So the thing is this: How do you all fit in? Obviously, they have to get on?line, they have to ?? they are putting websites up and registering domain names and abusing your services. If you look at the spam going through your e?mail servers in many cases it's to do with this kind of stuff. Come on, how many of you have not got an e?mail about Viagra in the last two years? For the record, there are no hands are going up. How many of you have not got an e?mail offering to enlarge various parts of your anatomy? So this is something that you can all do. Mike, I will hand ?? do you have anything else you want to add?

Mike: I will just say a few words.

MICHELE NEYLON: I will hand you over to Mike very briefly and I will go and sit down quietly over there.

Mike: I feel a bit of an outsider, actually. Why do I feel an outsider? I am holding two ?? I am the only person in here with a notebook, I think. I do have a Mac, but I still rely on this, a bit like Richard in terms of my ability to get into the digital world. I have been giving this out feeling an absolute Charlie. I will just gave website out in the future. We believe we are trying to do an important role here because when you get cancer patients who feel they can buy their medicines more cheaply and the medicines that they get are inactive and therefore they are actually progressing their illness far more quickly, then I think that is absolutely tragic. We are all about trying to raise public awareness and if you like, collaborate with as many people as possible so what Richard was talking about, I really shall you know, had a lot of empathy with. It's all about all of us getting as joined up as possible and actually acting (all of) for the common good.

So, I was very interested to hear what Richard was saying about these public tools are available, sorry, the previous speaker, so we are, I believe, making good progress, we have about 70 participants, we don't call them members, they are participants and you saw all of the stakeholders in that space there. And we are just on the road, if you like, the equivalent in the US is doing very good things, they are actually presenting at a big meeting in Japan in about a week's time. It is a global issue and it's going to require a lot of concerted coordinated action and I know that the interference of freedom of speech and the Internet, I am absolute believer in that but we have to have a balance of what philosophically is right versus allowing the superhighway just to exist without any speed limits at all.

MICHELE NEYLON: Thanks. So does anybody want to attack me since I don't want to attack more Mike?

BRIAN NISBET: Any questions, points, offers to get involved, to help out?

MICHELE NEYLON: Or did you find that all terrible and want to murder me?

BRIAN NISBET: That is a little extreme.

MICHELE NEYLON: I don't know. There is no reaction.

BRIAN NISBET: No? We have shamed Peter into saying something.

PETER KOCH: Peter Koch, DE?NIC. So, first of all, I am so sorry about the ?? poor aninal died of these fake pills. But seriously, I wonder, so we heard, yes, you can help and so on, and it's illegal, it might be harmful. What is the expectation here? I mean, if it's illegal, yes, let the police go after it. What is the exact engagement that we are asked or ?? sorry, expected to ??

MICHELE NEYLON: I probably speak to that as somebody who has been trying to engage within this. Nobody is saying you know, you are going to have to change everything you are doing and start pulling down websites or change your modus operandi entirely. The kind of things that would be helpful would be to agree on certain things. I mean, for example, you might not like the idea of taking somebody off?line, but I am sure that if somebody was to start abusing your Whois server, you are going to take action against it or are you telling me that you wouldn't. I assume you would take action.

PETER KOCH: I refuse to state.

BRIAN NESBITT: Anyway that is not fair. Come on. The reality is the Internet is resource, we all have to play nice in the playground to a certain degree, the thing is this: That, for example, we, as a company, have voluntarily decided to do certain things when it comes to dealing with fake Pharma. So we have signed an agreement with LegitScript, but that is what we decided as a company. I am not asking any of to you do that. I am asking you to engage, though, if you can, and raise the issues that you have problems with and maybe there is some things that there is some common ground on, I don't know. It's a dialogue.

PETER KOCH: You are right, the previous response was bad and inappropriate, so if there was abused or Whois server we would do ?? we would enact the appropriate measures to protect the interests of our customers in need boundaries that the law makes available to us.

How is that for a change? But, I do not see the immediate link between these two here. The abuse or, say, overuse, whatever, violating the AUP into our Whois server, isn't immediately related to this. Of course, we are not encouraging address harvesting but that is true so much for this kind of ??

MICHELE NEYLON: Peter, with all due respect, as I am not familiar with all the ins and outs of the DE?NIC policies, I use the Whois server as a simple enough example. I mean, what I was trying to get at is more along the lines, OK, you said AUP, prime example. You have an AUP and your terms of service. I am sure there is nowhere in there that it says, DE?NIC will allow people to break the law of Germany.

PETER KOCH: Even if it did, it would have no effect.

MICHELE NEYLON: No, but that is the kind of thing, is that it's more a case of engaging and working, how much you want to do is up to yourselves. I don't know. Are we going to have this conversation later over a beer?

PETER KOCH: Absolutely. Seriously.  ?? I am not only playing stupid, I am just really ??

BRIAN NISBET: From my point of view, why I was interested in this and in this coming to the Working Group today, from my point of view, is that this is something I never really thought about. Now, from my point of view as an operator I am fairly sure none of my universities are running fake pharmacies or selling cheap Viagra ?? well, possibly the odd genetics lab, but I think in general, that is not a problem that I have personally. But I think it's also something that a lot of people may not have thought of, as okay there is certain very obvious categories, be it child abuse or things like that, that are a big problem, and then I had not thought about, OK, yeah and this stuff potentially kills people, so you know what, let's bring them along to the Working Group, have a chat, maybe some operators will go, actually, you know, I can engage in that and keep a closer eye on that or it's something I should react more to than I previously have. I should prioritise it above other things in the point of view I how I react to. Maybe most of those interactions will be just following the course of the law and informing the police and the police going and doing other things. From my point of view, it's as much just to raise awareness of the fact that ASOP existed and maybe there might be people that wanted to start a dialogue on that.

PETER KOCH: To that extent it was very informative and I appreciate the presentation.

AUDIENCE SPEAKER: Benedikt: Train and con suggest. I really like to talk but I think we are probably going to risk to miss the actual problem. The actual problem we have here, for so long we don't have to worry about new whatever, new laws, new procedures, whatever. The big problem we have here, to my understanding, is that this is a very international thing, so that is not ?? that is a lot of work to do for Richard and other people, and the other point is, that if you want to deal with this, we should address the actual problem, we are talking about organised crime here, not in the sense that Richard mentioned but basically people who make money out of this. So if you want to do anything about it, just chatting object websites won't ?? on websites, won't help anything. What we need to do is make it more expensive or less lucrative and more dangerous for the people doing these things and that is a completely different game but that is where we actually have to go. I don't know how much the community here can do about it, but as long as we don't do that, people will just come up with funny ways to work around whatever we try to do and we will always lose that game and we will be just trying to catch up with people doing these things rather than actually solving the problem.

Mike: I think that is a very good point. I think what we are trying to achieve, though, is by involving as many people as possible. It was interesting, I am rather shooting myself in the foot here but I was with a very senior P and G guy the other day and he said it's going to be our children's children that sort this problem out because one of the areas that we want to really highlight and maybe the EU will be able to give some money for national, for European public awareness raising is that this is not known, like I don't know how many in the room was aware of this kind of the multiplicity of these websites, a lot of it is going to be about educating the public and making them realise that the stuff they are buying isn't real and moreover, very well might have their credit card frauded at the same time

AUDIENCE SPEAKER: Patrik, I am from OFCOM. Do you know the distribution of Pharma sites which are on conventional hosted platforms, i.e., virtual servers and those which are a product of Fastflux networks, i.e. infected BotNet hosts?

MICHELE NEYLON: I wouldn't have the exact breakdown, but what I have seen is ?? based on what I have seen, there is a mixture, because some of the sites aren't the actual end distributor, well a lot of them are, it's a complex affiliate network. So let's say you have vendor over here who might be shipping the actual product and then you have all these affiliate market terse sitting in front of them and they are putting up one or two?page websites, sometimes, but we can't know for all cases it's going to be that way, so a lot of them are using the bulletproof hosting type thing, they are using providers who will kind of look and go, this isn't a breach of our terms of service and you have got the others who are hosting in places where you know, you guys can have no sway other things, law enforcement has no real sway, the western ones. In terms of the domain name distribution, some country codes are attractive to them because they are low cost but you probably see the biggest concentration is going to be in .com and .net.

BRIAN NISBET: Cool. If there is nothing else, thank you very much, gentlemen. Very informative.
(Applause) right.

Right. So, AOB, we have and just to prove this is a Working Group, Shane and Sander have sent a new version of the text to the Working Group Chairs, Emilio has just left the room and hasn't rised this but wave new text so we will be working with them on that and publishing that on the mailing list in the near future.

Any other business? No.

And so again, this is the traditional early call for agenda items for RIPE 67 in Athens in October of this year. As always, mail myself or Tobias or just mail the list and we will contact you from there if you have any agenda items you wish to raise. And I think that, then, is from the ?? from the only Irishman who has been chairing a Working Group at this Irish RIPE it has given me great pleasure to be able to host you all here, from Tobias and I, thank you very much for your participation, and we shall hopefully see you all in Athens. Thanks.