The recent TF-CSIRT meeting in Zurich included a talk by the Swiss telecoms regulator (like ours, called Ofcom, though their ‘F’ stands for Federal!) on the law covering websites in the .ch domain that distribute malware, normally as the result of a compromise. Under this law a designated authority can order the temporary or permanent suspension of such a domain; where the domain registry has evidence of a problem it may itself suspend a domain for up to five days though a warning is generally given first and suspension will usually be shorter if the site owner removes the malware. This has proved successful in reducing the prevalence of malware on Swiss websites and the risk to users from threats that their anti-virus systems do not yet detect.
Unlike proposals by Nominet to use registry contracts to deal with malware and other alleged criminal activity in the .uk domain, the Swiss scheme is based in specific Telecommunications law, giving it a very precise scope and objectives. In Switzerland, unlike the UK, domain names are considered “addressing elements” so the telecoms regulator has the same power to regulate their use as, for example, telephone numbers. Telecoms regulation can, however, only be used for objectives that are within the remit of the telecoms regulator; regulation of domain names used unlawfully in areas such as banking or medicines would have to be done by the regulators of those sectors under their designated powers and objectives.
The Swiss Ofcom’s duties appear similar to those of the UK’s, which are set out in section 3(1) of the Communications Act 2003:
- to further the interests of citizens in relation to communications matters; and
- to further the interests of consumers in relevant markets, where appropriate by promoting competition.
This means that although the Swiss telecoms regulator could, if it wished, propose laws addressing other types of harmful content, it could only do so where the harm relates to communications matters. Malware that infects citizens’ computers clearly does, wider forms of content-based “censorship” that some in the audience were concerned about wouldn’t.
I’ve always felt that the operation of the Swiss anti-malware scheme struck a good balance between the interests of domain holders and those of internet users. It seems that its legal basis also gives clarity to the registry while limiting the possibility of mission creep.