Set deep within the Indian Ocean, the Australian territory of the Cocos (Keeling) Islands has become an unlikely haven for online child sexual abuse material.
Key points:
- Websites that contain child sexual abuse materials use the islands’ domain
- The Australian territory was given its own internet domain through a fluke of history
- There are now calls for Australia to take responsibility for the domain
The string of postcard-perfect coral atolls topped with palm trees and fringed with white sand thousands of kilometres off the coast of Western Australia has a registered population of less than 600.
Yet, despite its small size, the Cocos (Keeling) Islands’ internet domain regularly appears in the list of domains that account for most of the web pages identified as containing child sexual abuse images and videos.
Through a historical fluke, the Australian external territory was given its own “.cc” internet domain name in the 1980s — at the same time as Australia was designated its “.au” code.
How this came about is a complex, winding story of how the internet was made.
Arbitrary decisions cooked up decades ago, from when the web was young, continue to shape the sprawling beast of the present.
It’s also a modern tale of the difficulties faced introducing regulation to a system that was initially designed to transcend governments and international borders.
But now there are calls for the Australian government to “regulate or reclaim” the domain so it can be held to a higher standard.
How the internet got its domain names
Our story begins in the late 1980s, when the now-familiar architecture of the internet was being built and a heavily bearded computer scientist was handing out country code domain names such as “.fr” and “.uk”.
A domain name is the address that you type in the browser URL bar to visit your website.
The bit at the end of that address, such as “.com” or “.net”, is called the top-level domain (TLD).
In the 1980s, a man named Jon Postel working for an organisation called the Internet Assigned Numbers Authority (IANA) delegated what he described as “country code” TLDs to persons willing to operate those registries for the benefit of the residents of that area.
The idea was to expand global connectivity — to get more people on the internet from more countries.
The “.au” country code TLD (ccTLD), for example, was initially assigned to a man from the University of Melbourne (governments generally weren’t interested in the internet at the time).
And here’s where the decision-making became a bit arbitrary.
Perhaps not seeing what problems it would create down the track, Mr Postel assigned ccTLDs to remote islands or other isolated geographies that were already part of an existing country code delegation.
For reasons that are not clear, he decided that a small archipelago about midway between Australia and Sri Lanka and with a population (back then) of less than 300 should have its own ccTLD.
The Cocos (Keeling) Islands was thus freely assigned something that would become very sought after as the internet grew.
Scams and phishing attacks blocked by Google
Fast forward to 1997, when a Seattle man, Brian Cartmell, with a background in adult entertainment websites, realised that the Cocos (Keeling) Islands ccTLD hadn’t been claimed.
Mr Cartmell secured the rights to administer the ccTLD and then set up a new company that would sell cheap “.cc” domain names without much oversight.
The business grew quickly, he told a US senate committee four years later.
“Since that time, we have grown to be the second-largest domain registry in the United States, second only to VeriSign, with approximately 400,000 domain names registered, including nearly 300,000 in the United States alone,” he told the committee.
(In that same statement to the committee, he wrongly claimed that the islands had been privately owned when he bought the “.cc” domain. They had been an Australian territory for over a decade.)
A few years later, Mr Cartmell sold the domain to VeriSign, a massive company that quietly runs the back-end systems of much of the internet.
VeriSign then sub-let that domain to other private companies to sell “.cc” domain names.
By the end of the noughties, the “.cc” domain was synonymous with scams and phishing attacks (tricking a user into giving up sensitive information, such as bank details, by impersonating another website).
In the second half of 2010, for example, the domain hosted twice the number of phishing attacks found under any other extension.
A year later, Google took the rare step of blocking the “.co.cc” domain — addresses with this domain were being sold to scammers by a Korean company that had purchased the right to do so from VeriSign.
And so in just over two decades, the “.cc” domain name had gone from being something created to expand global connectivity to something blocked to stop strangers from stealing other strangers’ passwords.
An island haven for ‘unscrupulous business’
Around this time, websites that host images of child sexual abuse began using the .cc domain.
According to James Mortensen, a research fellow at the Australian National University’s National Security College, the domain has become “synonymous with child sexual abuse and scams”.
“It’s a very cheap domain that doesn’t require much information, not much oversight,” he said.
The UK’s non-profit Internet Watch Foundation listed “.cc” as the tenth most abused TLD in 2019 for child sexual abuse material.
In 2016 it was in the top 5.
“The amount of material on .cc fluctuates, depending on the availability of other domains,” Dr Mortensen said.
At the heart of the problem, he says, is the lack of formal oversight or moderation of the “.cc” TLD.
In Australia, this moderation or administration is performed by a non-government organisation called auDA.
As a result, “.au” has a very good reputation for not being used by websites that, for example, run scams.
“The Australian government is rightly proud of the way .au is clean,” he said.
“But given that the Cocos (Keeling) Islands is part of our territory, it seems bizarre we allow our digital real estate to be abused in that way.”
Could Australia take responsibility?
Now Dr Mortensen and other ANU researchers are calling for the Australian government to “regulate or reclaim” the .cc domain and hold it to the “same high standards as .au”.
They point to the precedent set by France, which had a similar problem when its Antarctic external territory had been assigned its own “.tf” TLD.
In 2004, France successfully requested that ICAAN (the central body for agreeing on common standards for the internet) “redelegate” the “.tf” domain to the non-profit that was already responsible for the administration of the main French domain “.fr”.
Dr Mortensen points out that the .cc domain has also been used by offshore gambling websites. In 2018, the Commonwealth’s media authority, the ACMA, launched an investigation and federal MP Andrew Wilkie called for the sites to be shut down.
“But we don’t have to block them — we can take responsibility for the domain,” Dr Mortensen said.
“I can’t see, based on current practice and policies, how the Australian government would be denied the right to take control of the .cc domain.”
Domain is not ours to sell: VeriSign
In response to questions from the ABC about the possibility of redelegating the domain, James Barbour, a VeriSign communications executive in the US, said the multinational does not “own” the domain.
“VeriSign acts as the registry operator,” he said.
“Thus the .cc TLD is not VeriSign’s to give or to sell.”
He added that it acts as the operator “with an endorsement from the Shire of Cocos (Keeling) Islands and a memorandum of understanding with the government of Australia, in which the Australian government also endorses our role.”
A spokesperson for the Department of Communications said the government had not endorsed any party to run the .cc top-level domain.
The Shire of Cocos Keeling Islands has been contacted for comment.
The ABC understands that the Memorandum of Understanding between the Shire of Cocos Keeling Islands and Verisign states that the .cc domain “must be administered and managed in accordance with Australian laws”.
Mr Barbour says VeriSign does not “moderate” any content, but will remove websites from its registry list “when requested to do so by the appropriate authorities”, including the Australian government.
Removing the websites from the list does not delete the content (it’s still hosted on a server somewhere), but it makes it significantly harder to find, as the website won’t have an address that can be typed as words.
Though VeriSign’s removal of websites from its list was welcome, the fact it only did so upon request meant it was generally slow to respond, Dr Mortensen said.
The arrangement was much less effective than having a dedicated administrator, such as auDA’s oversight of the .au domain, he added.
The Department of Communications spokesperson said any concerns about breaches of Australian laws in the management of the .cc domain should be directed to the Australian Federal Police.
“The eSafety Commissioner also works with law enforcement agencies to facilitate the removal of child sexual abuse material and other illegal material hosted in Australia and overseas,” they said.