When the IWF warned US-based domain registry company XYZ that sites registered with their top level domains (TLDs) were being abused as locations for sharing child sexual abuse material (CSAM), the company was swift to take action.

Between 11 October and 7 November, the IWF took action against 12,233 reports which were related to 75 domains registered with XYZ. XYZ’s response was emphatic and, within hours of being notified of the issues, they had suspended the offending domains.

“Having a fast response to suspending domains being abused to host “evil and heinous” child sexual abuse content is a matter of principle for the company.”

“We have a zero-tolerance policy for CSAM because it is the right thing to do. The creation of CSAM content is an evil and heinous act, and we will do our part to stop its consumption. XYZ’s entire Anti-Abuse program is based on the same philosophy – that it is the right thing to do.”

Jocelyn Hanc

Vice President of Operations at XYZ

Ms Hanc said the company “heavily invests” in its anti-abuse processes, but warned that “bad actors” can still “easily re-connect with any other top-level domain in a matter of minutes” even after having their .xyz domain suspended. 

She said: “We report the usage to our registrar partners so they can review and ban the customer account. Ultimately our actions cannot stop the bad actor from continuing to abuse on other platforms.”

According to Ms Hanc, the XYZ Anti-Abuse Team operates the company’s proprietary Anti-Abuse system daily to review and take action on confirmed user submitted reports, internal research, and data from cybersecurity partners. When they receive a report of child sexual abuse material, they escalate the report to the IWF for review.

The Anti-Abuse Team also receives notifications of child sexual abuse material from the IWF and takes action as necessary. Ms Hanc said these reports are treated as a priority.  She said close cooperation between registries, registrars, and groups like the IWF is essential in stopping criminals “in their tracks”.

She said: “We have a zero-tolerance policy for child sexual abuse imagery and materials. Our first thought is to act quickly to disconnect the content from the internet. That is what happens when XYZ suspends any domain for violations of our Anti-Abuse policies.

“That being said, shutting down the domain is the least effective method of stopping a criminal. The domain is merely the vessel used to orchestrate the crime and once it has been suspended, the criminal simply finds another vessel to facilitate the abuse. This is why XYZ strongly believes that the registry, registrar, and cybersecurity organizations should work together altruistically.

“The registry has no direct contact with the registrant, and can only suspend the domain and notify the registrar. If all parties act in harmony - the registry receiving information from experts in cybersecurity and notifying registrars of suspensions, we can help stop criminals in their tracks.”

Ms Hanc said most TLDs are unrestricted and do not require pre-qualifications for registration of a domain name.

“CSAM is hosted on a server, not on a domain,” she said. “The only entity that could easily monitor the files is a hosting provider. The bad actor can connect that content to any domain they control - and then change that connection to any other domain in a manner of minutes.

“The domain is just a convenient address or handle to give to others to access the IP. Content can even be accessed at an IP itself without a domain. This is why we report suspensions to the registrars, so they can be aware of their customer’s intentions.”

Ms Hanc said XYZ is “very public” about their stance on abusive use. She said she hopes this sends a message that abusers know they will not get far using a .xyz domain.

You can find out more about being an IWF Member on our website.

Corporate, in-kind support and grants Previous
Our reporting portals Next