Five top level domains accounted for 80% of all webpages identified as containing child sexual abuse images and videos, according to the 2016 annual report from the UK’s online reporting hotline for child sexual abuse, the Internet Watch Foundation, released today, with 57,335 URLs containing child sexual abuse imagery and these were hosted on 2,416 domains worldwide.

The 5 TLDs are .com, .net, .se (Sweden), .io (British Indian Ocean Territory) and .cc (Cocos (Keeling) Islands). Verisign is the registry operator for .com and .net, the largest and fifth largest TLDs globally, with 126.9 and 15.3 million registrations respectively, according to their latest quarterly Domain Name Industry Brief, as well as the backend registry operator for .cc. On a per domain basis, it’s clear the operators of .se, .io and cc need to do much more.

Criminals are increasingly using masking techniques to hide child sexual abuse images and videos on the internet and leaving clues to paedophiles so they can find it. IWF has identified commercial child sexual abuse websites which only display the criminal imagery when accessed by a “digital pathway” of links from other websites. The pathway is like a trail of breadcrumbs; when the pathway is not followed or the website is accessed directly through a browser, legal content is displayed. This means it’s more difficult to find and investigate the illegal imagery. It also means that criminal enterprises online are receiving legitimate banking services, as checking their website won’t automatically reveal the criminal content.

When IWF first identified this technique, they developed a way of revealing the illegal imagery, meaning they could remove it, and the websites could be investigated. But the criminals continually change how they hide the illegal imagery, so IWF’s expert analysts adapt in response.

Europe now hosts the majority of child sexual abuse webpages (60%), with North America moving to second place (37%). In contrast, UK now hosts less than 0.1% of child sexual abuse imagery globally, and this is due to the zero tolerance approach the internet industry in the UK takes. Breaking this down further, 92% of all child sexual abuse URLs identified globally in 2016 were hosted in five countries: Netherlands (37%), USA (22%), Canada (15%), France (11%), and Russia (7%).

Unsurprisingly, the criminals behind child sexual abuse online have also taken to the new gTLDs. Registration numbers in the new generic top level domains have jumped almost 8-fold to 29.034 million today from 3.722 million on 1 January 2015 and 2.6-fold from 11.230 million on 1 January 2016. And so has the child abuse that has used new gTLDs. In 2015, the IWF took action against 436 URLs on 117 websites using new gTLDs. In 2016 they took action against 1,559 URLs on 272 websites using new gTLDs – an increase of 258% from the year before, or 2.3-fold. Of these 272 websites, 226 were websites dedicated to distributing child sexual abuse content.

Recognising that new gTLDs are also used for hosting child sexual abuse, the IWF has partnered with leading registries to help prevent the use of gTLDs being used to show children being sexually abused. They utilise Domain Alerts to help their members in the domain registration sector to prevent abuse of their services by criminals attempting to use domains for websites dedicated to the distribution of child sexual abuse imagery. Several registries and registrars are members of IWF, including Rightside and Nominet.

Rightside has been particularly active and playing their part, becoming an IWF Member in September 2015. The IWF annual report gives as a case study the work Rightside, registry operator for .ninja, in attempting to take down domain names that host child abuse content. In 2016 Rightside received Domain Alerts relating to two .ninja domains. These domain names were found to be associated with 138 items of content depicting child sexual abuse material.

Rightside considers the IWF as a trusted third party notifier; this simply means that given the IWF’s unique mandate from the UK authorities, to actively seek and take action on criminal online content worldwide, any Domain Alert report received from the IWF, is taken at face value. Rightside’s Abuse Team can proceed, confident in the knowledge that the IWF’s trained analysts, have investigated, evidenced, and reported all findings to the relevant law enforcement authorities.

Rightside has implemented rapid internal processes for best managing IWF Domain Alerts. They are especially sensitive to the possibility of hacked websites, or situations where their domains are being used by legitimate businesses who may have thousands of users, with any one of these users being potentially responsible for the illegal content. As a registry, Rightside wants to ensure their actions don’t cause further harm, working quickly and decisively to identify the best way to remove illegal content, with the least impact to those not responsible.

“We believe that the IWF partnership provides an important protection, not only for all of Rightside’s registrants, and the general internet user, but protects the well-being of Rightside’s own Abuse Team in processing such reports,” said Alan Woods, Rightside’s Registry Compliance Manager.

“Rightside, as one of the first new gTLD registries to partner with the IWF, sees the benefit of membership in establishing gTLD best practices to protect all web users worldwide from malicious actors. Working with the IWF has been a great partnership in notifying us immediately when a site, using one of our domains, is being abused so we can take action to disable the domain in question.”

“Criminals will attempt to abuse new technologies for their own gain – in this case it’s using new domain names,” said Susie Hargreaves OBE, IWF CEO.

“As a Member of IWF, and the registry for .NINJA, we’ve seen first-hand how Rightside shares our zero-tolerance of child sexual abuse material. We appreciate their commitment and hope the rest of the industry steps up to ensure that criminals distributing child sexual abuse material can find no refuge in gTLDs, only swift and immediate action to stamp out these channels.”

The IWF Annual Report 2016 is available here:
https://annualreport.iwf.org.uk