The .cc internet domain for the Cocos (Keeling) Islands should be claimed by the Australian government to stop it being abused by scammers and people hosting child abuse websites, Australian National University researchers have said.
Under the system that governs domain names on the internet, the .cc suffix was set up in the 1990s for the Cocos (Keeling) Islands territory, far off the coast of Western Australia.
Due to it being one of the cheapest domains to buy websites, the .cc suffix is one of the most commonly used top-level domains for hosting child abuse material, the ANU lecturer Dr James Mortsensen and the PhD researcher Samuel Bashfield wrote in Policy Forum on Tuesday.
The Internet Watch Foundation ranked .cc in the top 10 of most-abused top-level domains in 2019 for hosting child sexual abuse material but it dropped out of the top 10 in 2020. Mortensen told Guardian Australia the lack of significant regulation and the ability to look like other website names made it attractive to scammers, too.
“It’s also very short and visually similar so the dot com,” he said. “So it’s always been good for spoofing somebody else’s website.”
In 2011 Google removed 1m addresses from the subdomain .co.cc from its search results due to the number of spam sites associated with it, and a 2016 global phishing report found .cc was one of four top-level domains that accounted for 75% of malicious domain name registrations.
Mortensen said Australia claiming responsibility for the domain and killing off abuse and spam website names would not take those sites down but would make them harder to find.
“Child exploitation on many levels is a business, and if we can remove their shopfronts, we’re doing our part,” he said. “The Australian government is proud and should be proud of cleanliness of dot au.”
The Australian domain name authority auDA regulates .au, overseeing the websites issued with the suffix and ensuring they meet Australian standards. There is no local authority charged with regulating .cc.
Top-level domains were created for the Australian territories in the 90s – .cx for Christmas Island, .hm for the Heard and McDonald Islands, .nf for Norfolk Island, and .cc for Cocos (Keeling) Islands.
The .cc top-level domain was sold from a private owner at the turn of the century to the US technology giant VeriSign through an Australian subsidiary, eNIC, which manages the domain to this day.
Mortensen said there wasn’t a clear path for Australia to claim the domain – it could be bought from VeriSign but it was unclear how much it would cost. He said the Australian government might be able to convince VeriSign to hand it over.
“I believe it would be the Department of Infrastructure [which] would be able to make the approach make the case and successfully get this digital territory which is essentially its sovereign to Australia delegated back to a responsible agent.”
The Department of Infrastructure told Guardian Australia it was a matter for the Cocos Keeling Islands shire council. “If there are concerns about any breaches of Australia laws in the management of the .cc country code top-level domain, these should be directed to the Australian Federal Police,” a spokesperson said.
The council signed a memorandum of understanding with VeriSign in 2008 stating that the sites under the .cc top-level domain should be in compliance with Australian law, which predates the findings from Google other organisations about the level of abuse of the domain.
A spokesperson for Verisign said its role as the registry for the .cc domain had the endorsement of the Australian government and the shire council, and the organisation removed domain names used for illegal purposes when notified.
“Our endorsement from the Shire includes contractual commitments to work with Australian law enforcement and security agencies, including the Australian Government’s Computer Emergency Response Team (Cert), to prevent and address cybercrime and malicious activity in the .cc TLD,” he said in a statement. “Whenever we receive credible reports from trusted third parties of domain names for which we provide registry services being used for illegal purposes, we share these reports with the appropriate legal authorities.
“And, when requested to do so by the appropriate authorities, we can – and do – then take action against a domain name to remove it from the zone file.”
Guardian Australia has sought comment from the shire council.
Christmas Island residents reclaimed administration of .cx in 2006 from a private owner after the infamous Goatse website, shared as a form of trolling on internet forums in the early 2000s, was initially hosted on a .cx top-level domain, before eventually being kicked off in 2004.
