Technologies and Technical Measures to Address Online Harms – WS 03 2026
27 May 2026 09:30h - 10:30h
Technologies and Technical Measures to Address Online Harms – WS 03 2026
Summary
The discussion focused on technical and policy measures for addressing online harms, especially phishing, DNS or IP blocking, and the tradeoffs between user protection, effectiveness, and fundamental rights [1][7-15]. André Melancia framed the session as an interactive exchange on technologies to address online harms, with speakers presenting short introductions before audience discussion [1-2][7][11-15].
Miguel De Bruycker described Belgium’s anti-phishing approach, built around a public reporting address where suspicious messages are forwarded for analysis, which has grown to tens of thousands of submissions per day [21-31]. He said the Belgian Anti-Phishing Shield works with major internet service providers on an opt-out basis, using DNS synchronization to warn users when they try to visit domains assessed as highly likely malicious [34-48]. De Bruycker argued that AI is contributing to the growth of malicious content, and presented the system as a proportional warning mechanism rather than content removal, reporting 185 million warning-page displays last year and saying the system had generated no official complaints in seven years [32][60-64][67-73]. He also explained that analysis combines automated detection of phishing kits, anonymization, and support from commercial partners, while Belgium is expanding to detect broader scam indicators such as phone numbers and messaging accounts [79-84][99].
Raffaele Sommese contrasted user-protection blocking with blocking used to enforce government or private-party decisions, arguing the latter creates serious problems because IP and DNS are often the wrong technical tools [106-112]. Using Italy’s Piracy Shield as an example, he said it had blocked more than 10,000 IPs and 40,000 domains, caused thousands of cases of collateral damage to legitimate services, lacked transparency, relied on extra-judicial requests from copyright holders, and remained easy for illegal operators to evade cheaply by changing IPs or domains [133-160]. He added that the platform had not shown clear economic effectiveness and that more aggressive cross-border blocking raises extraterritoriality and internet freedom concerns [166-169].
In the broader discussion, participants emphasized that collaboration among states, service providers, platforms, and technical actors is essential, with one example showing that cooperation among European country-code domains improved phishing detection through shared machine-learning models [220-229][333]. De Bruycker said cooperation with providers and platforms is improving, including faster action by companies like Meta and the use of shared signal exchanges, while Belgium tries to avoid turning anti-phishing work into censorship by limiting its focus to known cybercrime-related abuse rather than lawful but harmful content [173-181][186-197][271-279][323-329]. Several speakers stressed that there is no “silver bullet,” that interventions must be proportionate and transparent, and that more granular, content-level responses are generally preferable to infrastructure-level blocking when possible [280-281][291-297][300-304][312-316][331][333]. The session concluded that online harms require balanced, multi-stakeholder solutions that protect users without causing unnecessary collateral damage or undermining internet freedom [333][338-354][355].
Keypoints
– The discussion centered first on Belgium’s anti-phishing approach as a practical technical measure against online harms. Miguel De Bruycker described a public reporting system for suspicious emails, the large volume of reports received, and the Belgian Anti-Phishing Shield, which uses DNS-based warning pages through major ISPs on an opt-out basis to alert users about highly confident malicious domains. He stressed proportionality, transparency, and a focus on clearly malicious cybercrime-related domains rather than broader content control. [21-35][40-49][60-72]
– A major theme was how such systems are built and evolving in response to new phishing methods. Miguel explained that Belgium combines automated analysis, phishing-kit detection, anonymization, and commercial partners to process reports, and is expanding beyond email and fake websites to include scam indicators such as phone numbers, WhatsApp accounts, and other messaging-based abuse. [79-84][95-99][101-103]
– A second major focus was criticism of infrastructure-level blocking, especially IP and DNS blocking for copyright enforcement. Raffaele Sommese argued that these tools are technically ill-suited for many government-led blocking goals because IP blocking causes extensive collateral damage and DNS blocking raises cross-border and jurisdictional problems. He used Italy’s Piracy Shield as a case study, saying it blocked thousands of IPs and domains, harmed legitimate services, lacked transparency, relied on extrajudicial private-party requests, and remained easy for illegal services to evade. [106-130][131-169]
– Participants repeatedly debated the tradeoff between security intervention and rights protections, especially transparency, freedom of expression, and the risk of censorship or overreach. Speakers distinguished targeted anti-phishing measures aimed at “known bad” cybercrime indicators from broader content blocking, while others warned that policymakers often pursue blunt “silver bullet” solutions that can undermine anonymity, speech, and legitimate access. The importance of balancing benefits and harms, and involving technical experts in that balancing process, was emphasized throughout. [186-197][280-281][291-297][300-304][323-331]
– Collaboration emerged as a key solution across the discussion: between governments, platforms, ISPs, registries, and across EU member states. Miguel highlighted improving voluntary cooperation with ISPs, Microsoft, Google, and Meta, while Raffaele and audience members stressed that cross-border and inter-stakeholder collaboration can improve phishing detection and abuse response. The discussion ended with the broader point that because the internet is largely privately operated infrastructure, governments must work collaboratively with service providers rather than rely only on coercive or purely national tools. [34][174-182][220-229][341-354]
The overall purpose of the discussion was to examine what technologies and technical measures can effectively address online harms, while also testing their limits. The panel compared protective cybersecurity tools such as Belgium’s anti-phishing shield with more controversial content- and copyright-blocking systems such as Italy’s Piracy Shield, in order to explore effectiveness, collateral damage, transparency, proportionality, and possible alternatives. [1][7-15][105][333]
The overall tone was professional, expert, and highly policy-oriented, with an initially practical and explanatory tone during the Belgian anti-phishing presentation. It then became more critical and cautionary during the discussion of IP/DNS blocking and Piracy Shield, especially around collateral damage, lack of transparency, and policymaker misunderstandings. By the end, the tone broadened into a reflective and collaborative one, emphasizing balance, rights, and multi-stakeholder cooperation rather than simple technical fixes. [16-18][60-72][135-169][312-316][331][341-355]
Speakers
– Andre Melancia – Moderator of the session; co-moderated “Workshop number three, technologies and technical measures to address online harms.”
– Miguel De Bruycker – Director General of the Center for Cybersecurity Belgium; presented insights on the Belgian Anti-Phishing Shield.
– Philip Struyf – Co-moderator/facilitator of the session.
– Raffaele Sommese – Professor at Twente University; presented research on the Italian Piracy Shield, including collateral damage and efficacy.
– Nenad Bogunovic – Acting Deputy Head of the Cybercrime Unit in Serbia.
– David Frautschy – From the Internet Society.
– Olivier Crepin Leblond – With the United Kingdom chapter of the Internet Society; active in internet governance discussions [S13].
– Peter Kovdynik – Participant/speaker in the discussion.
– Philip Lucas – Summarized the session messages at the end.
– Petra Arts – From Cloudflare.
– Participant – Various unnamed audience and remote participants asked questions and made comments.
Additional speakers:
– Stigl Fernandes – Former student / university student interested in technical applications to policy.
The session was framed by Andre Melancia as an interactive discussion rather than a set of long prepared speeches, with participation invited from both speakers and the audience, including remote participants [7-13][14-15]. The discussion then moved from a concrete anti-phishing case study in Belgium to a broader debate about internet blocking, proportionality, transparency, technical architecture, and fundamental rights [7-15][104-110].
Miguel De Bruycker, Director General of the Centre for Cybersecurity Belgium, presented Belgium’s anti-phishing model as an example of a technical protection measure aimed at cybercrime rather than general content regulation [19-25][34-35]. He explained that Belgium had launched a public awareness campaign eight years earlier telling people not to trust every message they receive and asking them to forward suspicious messages to “suspicious@safeonweb.be,” available in four languages [21-26]. The scale of this reporting system has grown sharply: Belgium now receives on average 27,000 suspicious emails per day, rising to 35,000 in January and 42,000 in April, which he linked in part to AI making malicious content easier to generate at scale [26-33][S58][S60]. He also used a concrete example to explain why such a system exists, describing scam campaigns that targeted thousands of Belgians, especially women aged 40 to 65, with fake advertisements for clothing brands offering implausible discounts; after action was taken, the scammers quickly switched to other brands, illustrating how rapidly these campaigns mutate [50-59].
De Bruycker then described the Belgian Anti-Phishing Shield as the main technical response built on top of that reporting channel [34-35]. He said the system works voluntarily with the country’s main internet service providers, which subscribe to a secure DNS arrangement under an opt-out model [34][40-46]. Domains extracted from reports are evaluated, and only those judged with extremely high confidence to be malicious are synchronised with ISP DNS systems so that users who try to access them receive a warning page [42-49]. He repeatedly stressed that Belgium’s system does not remove content and is meant to present a warning page rather than impose an absolute access ban [50-64][174-180]. He compared it to a public warning sign around a known danger and argued that the state has at least a duty to warn users when it knows a digital hazard exists, even if users can still choose to proceed or work around the warning [60][67-70]. He reported that the warning page had been displayed 185 million times in the previous year, which he presented as evidence that the system was having a meaningful protective effect despite its limits [60].
A central part of De Bruycker’s argument concerned safeguards. He repeatedly stressed proportionality, transparency, and restraint, saying that the Belgian system uses a low-risk approach, including lists of known-good domains, and only warns on domains when officials are as close as possible to certain that they are wholly malicious [36-39][60-64]. It is also opt-out: users on participating ISPs are covered by default, but can switch to a DNS service without the protection if they choose [40-46]. Users can also challenge a warning, after which the domain may be removed from the list following evaluation, with protections in place to prevent abuse of the challenge process by criminals [47-49]. He concluded that some technical protection at this level is necessary in the same way antivirus tools stop malicious files and spam filters stop malicious emails, while also acknowledging that the policy question is where to draw the line [67-72]. He argued that, after seven years, the system had generated no official complaints and no known mistakes or operational problems, which he presented as evidence that Belgium had found a workable balance in this limited anti-phishing context [71-72].
When asked by Andre Melancia how such large volumes of suspicious emails are processed, De Bruycker explained that Belgium uses a combination of automation and external support rather than a purely manual workflow [74-78][79-84]. He said the system automatically extracts links from messages, anonymises the data, and runs it through detection engines that identify, among other things, phishing kits-software packages rented on the dark web and used in more than 90% of phishing campaigns, according to his estimate [80-84]. The Belgian centre creates signatures for these kits and combines them with other parameters and the assistance of two commercial partners that evaluate anonymised links for maliciousness [81-84]. This showed that operational anti-phishing work depends on layered detection pipelines, commercial cooperation, and some limits on disclosure of exact methods so that attackers cannot easily adapt [79-84].
Questions from the audience then focused on how such systems may need to evolve. Nenad Bogunovic from Serbia, where a national cybercrime reporting system is being developed, asked whether Belgium’s approach would move beyond links and fake websites toward newer forms of abuse such as spear phishing, AI-generated scams, SMS phishing, and similar techniques [90-98]. De Bruycker responded that Belgium is already building a new project designed to ingest broader scam indicators, including phone numbers, WhatsApp accounts, and other messaging-related signals, with production expected by the end of the year [99][S103]. This exchange highlighted a shared view that anti-phishing systems cannot remain static as attack vectors diversify beyond classic email-based phishing [95-99].
A separate audience question raised end-to-end encrypted messaging services [100]. De Bruycker replied that the Belgian system was built for email, but that users who receive suspicious messages on services such as WhatsApp can take screenshots and forward them to the reporting address [101-103]. He stressed that the state does not scan end-to-end encrypted channels directly; instead, users voluntarily forward suspicious messages, after which the Belgian system strips personal data and analyses the submission [100-103]. He added that Belgium’s data protection authority oversees the system under a strong data protection framework, allowing him to argue that encryption itself is not undermined because the forwarded content comes from the recipient rather than from interference with the encrypted service [101-103].
The discussion shifted in tone when Raffaele Sommese presented research on Italy’s Piracy Shield and the wider issue of infrastructure-level blocking [104-105][106-110]. Sommese began by distinguishing between two very different uses of internet intervention: first, protective measures aimed at shielding end users from harms such as scams; and second, systems used to implement governmental, judicial, or private-party decisions to protect specific sectors such as copyright industries [106-110]. In his view, the main problems begin with the second category, because the technical tools most often used-IP and DNS blocking-are not well suited to those policy goals [110-112]. He then explained basic internet architecture for non-technical participants, describing IP addresses as something like the number of a building and DNS as the naming system that helps users reach a particular destination within shared infrastructure [113-121]. This supported his central point that internet resources are heavily shared, so coarse infrastructure interventions can affect far more than the intended target [122-126].
Sommese argued that IP blocking is easy to order but inherently risky because one blocked address may host many unrelated services, producing substantial collateral damage [122-125]. DNS blocking, in his account, is different but also problematic, especially once it involves public recursive resolvers or services operating beyond national borders [126-129]. He stressed that IP geolocation cannot reliably determine a user’s country, and that providers cannot confidently certify such information “in front of a judge,” making country-specific blocking at the global resolver level technically and legally unstable [127-129]. He presented this as both a technical and policy problem, arguing that some regulatory approaches in Europe are being developed without sufficient regard to how shared internet infrastructure and geolocation actually work [127-130][S109][S110].
Italy’s Piracy Shield served as his main case study [131-135]. He described it as a platform created to combat illegal online football streaming, often cited by some as a successful model, but one that his research found to be a poor example in practice [133-136]. According to Sommese, Piracy Shield has blocked more than 10,000 IPs and 40,000 domains across Italy and caused thousands of cases of collateral damage to legitimate websites and services [136]. He illustrated this with examples including web shops, car repair sites, and a Portuguese hosting provider that had rented infrastructure previously abused by a pirate streamer and then found its address blocked in Italy, leaving it unable to send invoices to Italian customers for a month [138-141]. He said the company did not even know why the block had been imposed because the system is opaque [141-148].
Transparency and accountability were among Sommese’s strongest criticisms. He said blocking requests are inserted by private copyright holders, must be acted on by operators within 30 minutes, and are extra-judicial in character because there is no vetting of the requests or of the forensic proof attached to them [142-145]. He also said the blocklist is not public, meaning affected parties may discover a problem only when they can no longer reach a service, without being told the legal or factual basis for the block [145-148]. In his view, this opacity is a governance problem because it prevents public scrutiny, independent audit, and effective remedies [141-148]. He further argued that the system remains easy for illegal services to evade, since IP addresses can be leased cheaply and domains can be registered at low cost, allowing operators making money from piracy to rotate infrastructure quickly and continue operating [150-157]. At the same time, he argued that, as implemented, these blocks “last forever,” because there is no later verification of whether the illegal resource is still there, which in his view causes long-term pollution of the internet’s namespace and harms later legitimate re-users of those resources [158-165].
Sommese also argued that Piracy Shield has not demonstrated economic success [166-169]. He said the number of subscriptions to legal services did not rise after the platform was introduced, undermining claims that it is an effective anti-piracy intervention [166-168]. He warned that the Italian regulator now wants to extend this approach even more aggressively to VPNs, recursive resolvers, and CDNs, which in his view would deepen the same extraterritorial and technical problems rather than solve them [169]. He therefore asked whether better alternatives exist and suggested that, given that 77% of blocked servers were located in the European Union, authorities should use available EU legal instruments to go after hosting providers and financial flows instead of relying on broad and ineffective network-level blocking [169-170]. This “follow the money” and source-level approach was one of the clearest alternatives proposed during the session [169].
A remote question then invited comparison between Belgium’s anti-phishing work and these more controversial blocking systems by asking what percentage of scams Belgium blocks and how it works with online platforms [171-172]. De Bruycker’s answer reinforced a recurring distinction in the discussion between Belgium’s warning model and broader blocking regimes [173-197]. He reiterated that Belgium’s cooperation with ISPs is constructive, non-legal, and non-binding, and explicitly agreed that blocking IP addresses is a bad idea because of collateral damage [174]. He also described growing cooperation with large technology companies through mechanisms such as the Global Signal Exchange, which he described as a spin-off of Oxford University, where Belgium shares domains it considers certainly malicious with companies including Google, Microsoft, and Meta [174-180]. As a result, providers may move emails containing such links from inboxes into spam folders rather than deleting them, or remove malicious advertisements more quickly than before [175-180]. He said recent improvements in response times, especially from Meta, suggested that some platforms increasingly recognise they bear practical responsibility when their services are abused for cybercrime and they receive credible notice [179-182].
On effectiveness, De Bruycker said the volume of reports gives Belgium “quite a good” and “representative” view of phishing campaigns affecting the country [183-185]. He explained that, at first, the system could extract and act on only around 25-30% of malicious links because officials were being extremely cautious to avoid being perceived as censors [186-188]. That figure has now risen, in his estimate, to around 60-70%, though many other domains are still treated as suspicious but not sufficiently certain for intervention [189-192]. He acknowledged that the system will never reach anything close to 99% and again compared it to spam filtering: imperfect but essential, because without such filtering email itself would become unusable [193-197].
Another audience question clarified that Belgium’s reports originally came entirely from citizens, but that the model is evolving [199-200][202-214]. De Bruycker said that until about a year earlier the feeds were 100% from the population, but Belgium now also has a priority channel for banks and the national digital identity provider Itsme to notify phishing domains targeting their services [202-206]. He also referenced a more proactive project aimed at finding domains registered with malicious intent against Belgian government and critical infrastructure, though he declined to explain the method publicly so as not to make evasion easier [207-214]. This exchange again highlighted the operational tension between transparency and secrecy that later became explicit in the discussion [210-214].
The audience then broadened the discussion from national systems to European and multi-stakeholder coordination. A participant from CleanDNS argued that Belgium, Italy, Serbia, and others were confronting similar threats and asked how member-state collaboration could be strengthened and what more could be done at the infrastructure level across the provider chain [220-221]. Andre Melancia encouraged participants to organise across the EU and build collective pressure so that concerns receive more political attention in European institutions [222-225]. Sommese added a technical example: a study had shown that cooperation among several European ccTLDs, sharing a machine-learning model trained on each other’s data, improved phishing detection across those domains [227-229]. In the closing synthesis, Philip Lucas summarized one of the recurring messages from the session as the need for multi-stakeholder collaboration across industry and government because online harms continue to evolve [333]. This part of the discussion showed broad support for greater cooperation, even though participants differed over the kinds of intervention that cooperation should enable [220-229][333][S35][S67].
David Frautschy from the Internet Society further deepened the critique of infrastructure blocking [232-248]. He argued that comparing IP addresses to telephone numbers can mislead policymakers because, unlike a single phone line, one IP address may support many websites and services [234-239]. He pointed to examples from Spain, including the disruption of a payment gateway that affected e-commerce during a football match, to show the real economic consequences of overbroad blocking [240-242]. Frautschy also questioned why policymakers seem more willing to listen to rights holders than to the technical community, despite repeated warnings about the harms of such systems [243-247]. Finally, he asked whether a liability scheme should require those who request blocks to compensate websites harmed by wrongful blocking [248-250].
Sommese responded by clarifying that his analogy referred to the number of an entire office building rather than a single household line, and by reiterating that while it is easy for a state to order national ISPs to comply, it is technically difficult to target only users from a single country once a service operates across borders [252]. On liability, he agreed the issue is important and gave the example of Piracy Shield blocking Google Drive in October 2024 for several hours [253-258]. He said such an incident may have had enormous business consequences, yet no liability attached to the party responsible for the block and there was no meaningful policy debate about compensation [259-261]. He added that liability would in any case require transparency, since only a public and auditable record of what was blocked, when, and why would allow harmed parties to prove losses and seek redress [261]. This exchange highlighted accountability and compensation for overblocking as unresolved governance questions [248-261].
A remote question from the perspective of a media regulatory authority asked whether “follow the money” is really a better alternative in hard cases such as copyright infringement, pornography, or other content harmful to minors when providers and hosts cannot be reached [263]. Sommese answered that this is indeed difficult and that for universally illegal material such as CSAM stronger blocking may sometimes be justified even at the risk of collateral damage [264-266]. However, he said the deeper problem remains the existence of bulletproof hosting providers that ignore legal authority and continue to host unlawful content [267-270]. De Bruycker responded more broadly that there are many possible responses to cybercrime, including law enforcement, following the money, and provider cooperation, and that no single tool is sufficient [271]. He again defended the value of warning the users one can protect, even if coverage is incomplete [271]. He also offered a practical lesson from Belgium’s cooperation with platforms: abuse notifications framed as violations of platform policies can prompt much faster responses than formal legal accusations, which are often routed through legal departments and slow things down [272-279]. In his experience, most providers will act if clearly notified that their services are being abused, though not all are equally responsive [271-279].
Andre Melancia then widened the discussion to rights implications beyond phishing and piracy, particularly age verification and child-protection measures [280-281]. He warned that certain internet blocking or verification schemes, such as restrictions on minors’ access to social media or mandatory age checks, can create serious harms to anonymity, freedom of expression, and even the ability of people in some countries to organise peaceful protest [280-281]. This linked the technical discussion to broader democratic concerns and reinforced the distinction between combating known cybercrime and trying to regulate lawful or borderline content through infrastructure controls [280-281][355].
A participant identified in the transcript as Peter Kovdynik then introduced one of the session’s most architecturally focused critiques [286-298]. He suggested that more attention should be paid to cross-border issues, the difference between voluntary and involuntary blocking, and the role of circumvention technologies [288]. He also challenged repeated claims that authorities could not disclose more about their methods, arguing that public authorities have transparency obligations, especially when they intervene in ways that may affect private market participants providing security services [289-291]. Most importantly, he questioned why content mitigation, which properly belongs at the application layer or user level, should happen at the infrastructure layer at all [292-295]. He pointed to more granular alternatives such as spam folders, browser plug-ins, and other user-facing tools that offer more control and avoid interference with the internet’s core infrastructure and its cross-border implications [296-297]. His intervention crystallised a key line of disagreement in the discussion: whether DNS-layer action can ever be sufficiently narrow, or whether even well-intentioned interventions are being attempted at the wrong technical layer [292-297].
In response, De Bruycker defended Belgium’s approach by distinguishing between transparency of purpose and disclosure of every operational detail [299-303]. He said Belgium is transparent about what it does, but argued that publishing all security methods would be like publishing every antivirus signature and would only help attackers adapt [300-302]. He acknowledged that tools such as spam filters could theoretically be abused by governments to suppress particular types of messages, but insisted that this possibility is not a reason to abandon all filtering, because without such safeguards the underlying services become unusable [302-303]. The real challenge, he argued, is to find the right balance between effective protection and abuse prevention, and he maintained that doing nothing would be a greater risk than trying to act within supervised limits [303]. Sommese partly converged with Kovdynik here, stating bluntly that IP and DNS are the wrong place to block certain kinds of content and that action should be taken at the source where possible, especially for content hosted within the European Union [304]. This exchange showed both some common ground and a continuing disagreement: De Bruycker defended narrowly scoped DNS-based warning pages for phishing, while others remained more sceptical of infrastructure-layer intervention as such [299-304].
After a participant asked for a simple explanation suitable for politicians of why the technical framework is ill-suited to child protection online [306-309], Olivier Crepin-Leblond shifted the discussion toward political incentives, arguing that policymakers often seek “silver bullet” solutions because they want immediate results [310-316]. Unless complexity, trade-offs, and risks of false positives are made clear, he warned, harmful measures such as overbroad age verification will keep recurring and make the internet harder to use [312-316]. Petra Arts then pointed participants to a commissioned study on the economic cost of network blocking, reinforcing the argument that the harms of overblocking are not merely theoretical [317-321]. A final remote question asked whether Belgium has supervised methodologies to ensure it preserves freedom of speech rather than becoming a censorship arm of government or private parties [322]. De Bruycker replied that Belgium focuses only on “known bad” cybercrime indicators such as phishing and does not move into content domains such as adult-site restrictions, precisely because there is no correct technical solution there [323-325]. He also said Belgium was in contact with Cloudflare, noting that many malicious domains use its infrastructure and arguing that collaboration with service providers is preferable to imposing duties solely through law [326-329].
In one of the final exchanges, Sommese summarised the broader lesson by saying there is no silver bullet: every internet intervention has consequences and must be balanced through discussion with technical experts [331]. In the closing synthesis, Philip presented three messages from the session: first, the evolving nature of online harms requires multi-stakeholder collaboration; second, intervention at the technical layer through IP or DNS blocking can seriously affect the availability of online resources and create collateral damage; and third, measures against illegal content or online harms must remain proportionate and respectful of users’ rights [333]. When asked for a recommendation for young participants, Sommese encouraged them to participate actively in these debates and define for themselves what harms they want protection from, especially when so many of these measures are justified in their name [338-340].
De Bruycker’s final remarks added a broader governance perspective [341-354]. He argued that the internet is not public space in the same way as a street is public space, but a largely privately owned ecosystem of devices, ISPs, carriers, and services [341-349]. Because governments do not simply enter that private environment and impose solutions unilaterally, he said, effective online safety requires cooperation with the companies operating the infrastructure [348-354]. At the same time, he argued that those private actors bear significant responsibility when their services are abused [353-354]. Andre Melancia closed by noting that concerns about restrictions, freedoms, and democratic backsliding are growing globally, and that these debates will continue beyond the session [355-360].
Overall, the discussion revealed recurring points of agreement alongside clear differences over methods [220-229][292-304][331][333]. Participants broadly agreed that phishing, scams, and other online harms are real and growing, and that doing nothing is not an acceptable response [26-33][333]. There was also repeated concern that IP-level blocking is especially blunt and that broad infrastructure-level blocking for copyright or other policy goals can create serious collateral damage, opacity, and cross-border problems [122-129][136-169][174][234-242][304][333]. At the same time, disagreement remained over whether carefully limited DNS-based warning systems such as Belgium’s anti-phishing shield are a justified and proportionate protective measure or whether even these should be treated more sceptically because they still intervene at the infrastructure layer [34-49][60-72][174-197][292-304]. The clearest contrast to emerge was between Belgium’s narrowly scoped, cybercrime-focused warning model-presented as voluntary, opt-out, transparent in purpose, and not aimed at content regulation-and broader blocking regimes such as Piracy Shield, which were criticised as opaque, overbroad, easy to evade, and harmful to legitimate services [34-49][60-72][131-169][174-197][323-329].
Shop number three, technologies and technical measures to address online harms. Both me and Philip will be moderating the session. My name is André Monsilla. We have Philip Zdrav. Apologies if some of the names that we say are going to sound terribly, terribly wrong, but we have multicultural names here everywhere, and, well, we are in the right place to get them wrong in the European Commission anyway. So with us we have, I will try to say this correctly, Miguel de Brucke, okay, and we have Raffaele Zometzi, okay, with us, and they will start the panel. And we also have, of course, and again, I will try to say this correctly, Philip Lukacs. okay and we have our two moderators there as well so they will help us out if anyone is remotely at this point you are more than free to ask questions and we will take questions from the audience remotely our idea for this is that in the spirit of juridic to spend the most amount of time actually getting interaction from the audience so we will have a starting five minutes introduction at most from each of our key speakers and then from that point on we’ll open it up to questions from the audience questions and of course comments okay please remember that while four or five of us are here on this side and also a lot more people in the back and in the front everyone here is an expert and you have valid points to share so we want to hear it as well okay so anything we should mention no i think we heard yesterday that there are still a lot of online harms to be addressed and the first key participant that we invited is Miguel Dubrakis.
He’s Director General of the Center for Cybersecurity Belgium and he wants to give some insights on the Belgian anti -phishing shield. So the floor is yours, Miguel. Miguel, just before you begin, let me put this up on screen. So we’re going to have some of these topics that we’re going to talk about. We’re not going to pretend that we are going to do them in an exact order because this will be very difficult, but we will try to talk about all of these. I know some of you are not technical people, right? So what we actually added is a few slides that over time we will share with you to actually explain some of the concepts that we will talk about later on.
But for now, let’s just share your slides.
Yes. That’s my last one. Oh, okay. Thank you very much. Good day to everyone. So my name is Miguel de Bruyckers. As I was introduced, I’ll push this button. Center for Cybersecurity Belgium created 10 years ago, 8 years ago, we launched a campaign warning the people against phishing. You cannot trust every message, every email that you receive. And the call to action was if you see something suspicious, forward it to us. So we created a mail address in four languages. In English, it’s suspicious at safeonweb .be. And, well, it went a little bit crazy in the sense that, and I’ll put the numbers immediately on top of this, that last year, on average, we received 27 ,000 emails per day from the population.
It’s a small population, 27 ,000 emails. This is a lot to process. Now, in January, that went up to 35 ,000. In April, we were at 42 ,000. So it’s going up very fast. And AI and AI possibilities to create malicious, malicious content is certainly playing an important role of that. What do we do with that? We share it, for instance, with Microsoft and Google, the malicious domains. or for instance Google Safe Browsing we have the Belgian Anti -Phishing Shield we have an app warning people be careful now there is a large campaign using B -Post or using TaxPay or whatever, don’t get caught so we have quite a lot of different systems so 8 years ago we created that mail address 7 years ago we created the BAPS system the Belgian Anti -Phishing Shield that is actually with the main internet service providers voluntarily, they subscribe we take responsibility we filter out the malicious domains from those let’s say 14 ,000 emails that we get every day and through DNS RPC synchronization reads that our DNS is synchronizing with their DNS meaning that if you get a link with a domain of a domain that by us is flagged as …
99 .999 % for sure malicious, you will get a warning page. So we do an evaluation of all those domains. We have a low -risk approach. Like, for instance, we have made a huge list of what we know as the known good to make sure that we never warn for one of those domains. But there are a lot of other mechanisms. We detect phishing kits and things like that. It’s an op -out system. So by default, if you are under one of those five main Internet service providers, you are under that secure DNS. You get a warning page that is something like this. And you will see also that we also say, okay, we don’t want this secure DNS.
So we tell you how can you switch to another DNS that we provide where that security is not. But it’s an op -out. You have to do it yourself. Or you can say, I absolutely don’t agree with this warning. And then you can say, why and 24 -7 we will remove it from the mops list. after an evaluation. There are some criteria to remove it to make sure that criminals don’t abuse this. Why do we do it? Well, for instance, this is an example of the last few weeks. Last few weeks, thousands of Belgians, especially women, between 40 and 65, were being targeted with publicities for brands, Marimero, Marijoev. I’ve learned a lot. I had to ask my wife what is this.
They have created thousands of malicious domains, all linking to those brands and trying to convince those people to buy online with 80 % of discounts. This is, for instance, one of yesterday. Now they have switched because we have taken action. I have to admit, even together with Meta, there were advertisements online for these websites, and Meta is responding and is removing them, but it’s going so fast. So now they are switching from these brands to Fritz’s A .S. Adventure. That was yesterday. what are the benefits well I know that there are risks there are questions like for instance well if you set out those warnings you don’t remove the content and the effectiveness is limited of what you’re doing and that is absolutely correct but imagine that there is a hole in the street and you know that there is a hole I think as a government it’s important that you put out some warnings and that people can still fall into that and that there are ways to circumvent that I know but for the moment that is working we send out that warning page last year 185 million times so we do see a positive effect of what we’re doing it’s not perfect but at least it’s doing something you can have false positives there is the risk of over blocking of government abuse of that that is for us very important that is that proportionality, that is that transparency.
We do what we say and we say what we do. That is one of our mantras and people know that very well. And it must be proportioned what we’re doing. So we will only warn for a domain when we are as good as sure that it is 100 % malicious and the goal remains to protect people. Think about my last slide. Follow this. Yes. So as a conclusion, I think you cannot build a secure environment without some kind of protection. If you want to stop cyber crime, you will need to warn and even stop malicious processes using antivirus. You have to stop malicious emails using spam filters. And I think you have to warn for malicious domains.
using, well, DNS warning systems. And the big question is, of course, how do you find the right balance? And I think since we are doing this for seven years and we have no official complaints, no mistakes, no problems in using that system. Thank you.
Okay, so I think one of the things that we can do right now is open this up for one or two questions, and I will actually have a question myself. So when we saw your numbers and you mentioned 20 ,000, 40 ,000 requests per day, how do you process them? Do you use AI? Do you use humans? Is there an uncertainty here?
Yes, thank you. Well, you have to use a lot of tools, and we have different methods. Okay. I cannot reveal it publicly how we’re doing it, but for instance, I have a question for you. we have a whole system that is detecting phishing kits. More than 90 % of those phishing mails are being sent using phishing kits, software that is used, that is rented on the dark web, $100 per month. You use that, and we create signatures of those phishing kits. So if we can detect, okay, we receive a link, we receive an email, we extract automatically, this is all done at our CCB, we anonymize it, and then it goes through the engine, and we will try to detect if we see, for instance, those phishing kits.
There are also some other parameters, and then together with a few commercial partners, there are actually two companies that are helping us to evaluate the anonymized links to flag them as malicious.
Okay, so let’s open this up to questions at any time. If you also have questions. If you have questions remotely, you guys will let us know. So any questions so far? We have a question there.
Just a short question. Thank you so much. Well, first of all, I’m from Serbia, from the Cybercrime Unit, and we are currently developing a national cybercrime report system, and your system was one of the, sorry, yeah, and your, sorry, of course, Nenad Bogunovic, I’m the acting deputy head of the Cybercrime Unit in Serbia. So one of the key components we are using is also anti -fraud system, anti -phishing system. My only question is to you, I see that you’re more oriented to links and fake websites and so on and so on. Will you evolve your anti -phishing system to the evolution of phishing today, you know, more spear phishing, AI, generated content, SMS phishing, and so on and so on?
Because I see that. Maybe it’s, you know, maybe it should evolve in this regard as well. That’s at least something we are trying to do, and it’s really a big challenge from our side at least. thank you
thank you very much well we have a new project that is up and running and that should be in production by the end of this year to to take all those malicious signals or scam indicators like phone numbers whatsapp accounts on a messenger like types a lot of other things that are being used now so this is a project that is up and running and that will be normally in use by the end of
more question of one question there yes when shock building around serve on the board of your Riddick come from Switzerland but I admit I’m not a technician how does this work the screening with end -to -end encryption did messaging systems
Okay, so somebody receives a message Our system was built especially for emails But for instance, if you receive a WhatsApp message And there is a link to a WhatsApp account You can just take a screenshot And you can forward it to that mail address So that means that, imagine that you receive an email You have it in your inbox Now the population is aware through media That they can send it to suspicious at saveonweb .be And this is like a little bit of crowdsourcing You are using the population as a first filter To evaluate that something is wrong So the first evaluation actually is done by the population They see something suspicious, they say This doesn’t look right And they forward it to us And then that is where the analysis starts So we get actually the message from the population And then we extract everything that is related to personal, so we have a strong EPA in Belgium, and we’re under their control.
So we’re doing, as I said, we’re saying what we do and we do what we say, and this is quite important. So the fact that they extracted themselves and they forwarded to us the encryption is not an issue.
Thank you, Miguel, for the interesting presentation and addressing those questions. We will now hand over to Raffaele Sommese, professor at Twente University, who will present his research on the Italian Paris Shield and the collateral damages and the efficacy of that system.
Thanks a lot. So let me start first with, I mean, internet blocking is something that has been given as a sort of big blanket towards two different concepts. One is the concept that Miguel was introducing that was protecting the security of end users. From, for example, financial scam or financial harm. And the other aspect is implementing governmental or judge or private party decision for protecting certain sector. And the problems start to rise when we have the second category of implementation, because the current technology that we have is not actually the right tool. And the reason why it’s not the right tool is because the way it’s implemented is mostly with two aspects of the Internet.
One is the IP protocol and one is the DNS protocol. Now, for the one in the room that are not familiar with this concept, imagine the IPs as to be the phone number of the Internet, like a series of digits. And you call the house of someone. And then when you call them, you’re not sure of the person that will respond on the other side. There may be multiple persons. There may be like a 20 -story building office that you’re calling. So you want a specific person out of that number. To get a specific person out of that number, what we use is the IDN. It’s basically this phone book of the Internet that provides this translation from names, things that we can easily remember, Europa .eu, for example, to something that is more difficult to remember that are these numbers.
But they also give us the opportunity to select who we want when we call a specific number in that building. And blocking IPs from a perspective of a government, it’s very straightforward. You just order all the Internet service provider in your country to block that specific IP, and then all the customers for your country will be not able to access that IP. The problem is that you will cause a lot of collateral damage, because then all the people in that 20 -story building will be unable to access their services. And that’s the scenario nowadays in the Internet with the content delivery network, for example. To block DNS, it’s a bit more difficult concept, because you can do it, you can do it at an additional level, but…
But when you cross the border of national level, when you ask like a public recursive resolver out there to block specific names, you encounter the problem of extraterritoriality where basically you don’t know where the client that are connecting to this recursive resolver are from because on the Internet, we don’t have a stable way to determine where an IP address is connecting from, from which country it is. All the service that we have out there, all the geolocation providers that we have out there, they tell you, we do the best effort to provide you this information, but we cannot tell you this user is from Italy and we cannot swear this information in front of the judge.
So it’s a very challenging technical problem. And the other problem is, while this problem exists, this has been ignored by the regulation that is coming up in Europe, especially in Italy and Spain and in France. And in Italy, we have like a very bad case. That’s named piracy shield. So what is Piracy Shield? Piracy Shield is a platform that exists in Italy to try to prevent basically the online football streaming piracy. And while it has been considered by someone a good example of how to implement this, we did the research on this topic and we demonstrated basically with numbers that this is a very bad example. Because Piracy Shield as of today has blocked more than 10 ,000 IPs and 40 ,000 domains in all Italy and has caused thousands of collateral damage to legitimate websites.
Sorry that I was describing you before of the building. Imagine that when we did the research, we found like a lot of websites that were completely not piracy related, websites of web shops, websites of car repairs. It was like actually the case that I always report is this case of a Portugal hosting provider that was blocked because they rented. The infrastructure that was previously abused by someone that was streaming illegal content. and they ended up with an address that was blocked in Italy and they were not able to send invoices to their customer in Italy for an entire month. And they didn’t know that their address was blocked by this platform because the other problem is that there is no transparency in this platform.
The requests for blocking are requested and the cooperator should comply within 30 minutes. There are extra judicial orders because the requests for blocking are inserted by private parties that are the copyright owners and there is no vetting of these requests. There is just a forensic proof that is attached to this platform but actually no one is vetting this forensic proof. And the other problem is that there is no transparency. The list of block is not public. So you just notice that something is blocked because you see that you cannot connect to the website but you will never know why it has been blocked. This information is not provided to you. This is a video that was recorded in the last week of May.
And the other problem is, despite causing a lot of collateral damages, this platform has proven to be ineffective because the Internet is a big place and illegal services evades very easily these blocks. I mean, an IP address on the market today costs 30 cents to lease and 20 euro to buy. You can get, if you go like on an IP leasing market, you can get like an entire network block and a single IP will cost you 30 cents. So if they block an IP, these streamers will just need to allocate 30 cents of their money to get a new one and evade the block. And same goes for domain names. Domain names goes from 50 cents to 15 euro. So again, if you are a platform that is making a lot of money out of this illegal streaming, you have a very easy tool to evade this kind of blocking.
You can invest money and just escape the blocking. And the problem is that blocking, the way that they are implemented, lasts forever. There is no verification after if the illegal resource is not there anymore. So we are polluting the Internet with blocks at a level that they should not be there. And these blocks are lasting forever and harming users that will reuse these resources later on. Because, yes, Internet is a big place, but we reuse resources constantly on the Internet. IP gets reused. They get reassigned to new people. You can lease the IP that someone else was leasing before. You can register a domain that expires after someone was using the domain before. And the other problem is that it’s also being proved ineffectively from an economic perspective.
Because the amount of subscription after this platform was introduced in Italy didn’t went up. And so it has been considered a good example, but the numbers show that this is not a really good example. And Spain and France that are once ago down the same road, and some other European countries that were once ago down the same road, seems to not understand that this is not a good solution. and now to solve this problem basically the Italian regulator wants to be even more aggressive with the internet providers saying that these blocks need to be applied to all VPNs all the recursive resolver, all the CDN out there but again we cannot differentiate traffic when it comes from a specific country and it’s very hard to do and unless we accept the faith that these blocks should be done for all the internet users something that is illegal in a specific country may not be illegal in another country and we should not harm users in other countries this may be problematic and it in general violates the idea of extraterritorial and the fact that we will reduce the freedom on the internet and the freedom for the user of the internet so the question that I have for the public is actually do we have a better alternative or not?
the majority of blocks that Piracy Shield issued were towards servers that reside within the European Union 77 % of the server blocks were within the European Union we have legislative instruments to go after these people within the border of the EU this bulletproof hosting way that they are named that are within the European Union and actually take them down and perform what’s called follow the money so basically trace back the transaction, the economic transaction that led to the creation of this service and the client of this service to actually take down this business so can we do something else? Thanks
Let’s have a look at some questions that are presented remotely We have one question and it is w
hat is the amount in percent of scans you block and how do you work with online platforms?
Okay, thank you It was a question for me, I suppose How do you work with online platforms? First of all, with the Belgian internet service providers There is a constructive, non -legal, non -binding collaboration Allow me also to say that The idea of blocking IP addresses I think it’s not a good idea Because there you have too much collateral damage And it’s too difficult Collaboration with, let’s say, US hyperscalers To name them Is improving a lot the last year It is really changing For instance, there is something like The Global Signal Exchange It’s a spin -off of the Oxford University And there you have the big players The Googles, the Microsofts, the Metas Who are linked to that Global Signal Exchange platform And there you have the big players our Belgian Anti -Phishing Shield, our domains, the domains that we flag as 100 % or as good as malicious are uploaded.
And for instance, what they are doing now is they are moving emails that have links to those malicious domains from the inbox to the spam folder. So they are not deleting them, but in an automated way, they are saying they are not on the inbox anymore, they are in the spam folder. So yes, you can go to a website like that. Yes, you can click on that link, but at least you will have the notification that, well, it was in the spam folder. It’s less trustworthy. So bit by bit, we see that, for instance, last weekend, apparently Meta did remove advertisements to those malicious online shops. And they did it within hours, which for us was quite new.
So I have the impression that the last six months to one year, the collaboration is starting and that they understand that as a service provider online, when you provide a service and that can be a telco that provides a phone number or an email address, an IP address, hosting of a website, that when your service is being abused for cybercrime and you get a notification, well, you get some kind of not legal, but you get some kind of liability. So we don’t oblige internet service providers in Belgium to collaborate with us by law, but we explain them that, well, if we get notified by the population that something is wrong, that something is like the hole in the street, there is a hole, well, at least let’s work together to put a warning sign in front of that.
And the other question was, do you have any idea how much you’re blocking? I have to admit that with the more or less 40 ,000 emails that we get every day, we have quite a good view, a representative view, on phishing campaigns being sent out in Belgium. So we are doing, for the moment, analysis. And I have to admit that at the beginning, we were only able to extract 25 to 30 percent of the malicious links, because we had to be very, very, very cautious. We don’t want to be seen as government censorship, and we will not allow our system to be used as government censorship. We want to filter out malicious domains, cybercrime. Now we are pulling that up, and I think more or less we are at 60 to 70 percent.
That is what we can filter out. We see a lot of other domains that we consider as malicious, but we’re not sure enough. So I have to admit that we cannot go to 99 percent. That will probably be, but it’s a little bit like a spam filter. A spam filter is not perfect. It’s not perfect, but it’s not perfect. But imagine that we would take out spam filters on our mailbox. Our mailbox is dead, honestly. 95 % of all emails that are being sent out worldwide are being filtered out by spam filters what you get in your spam folder is less than 10 % of what is being filtered out so you have to do something to protect the environment and I think that we are at a level now if you see how it is going up that you are at a point where you have to accept that DNS warning like a spam filter is more than necessary
Thank you Miguel for a clear and elaborate answer I believe we have another question
Hi, so thank you for your attention my name is Stigl Fernandes I was a student two years ago and now I’m a university student who’s really interested in technical application to policy so I have two questions actually but maybe we can do one on one how much time do we have? do we have enough time? alright then, I’ll go right away so my first question is regarding the first presentation my understanding is that all reports come directly from users is that the case? or do you have also forwarded reports from Google for instance Gmail, Hotmail or is there maybe an automatic mail filtering system in place and the second answer is regarding last presentation It was mentioned that it is often cited as an example, the IP blocking of CDNs and such, but by whom?
Is it usually like the legislators, just the legislators for doubling down? is it the ISB companies or what stakeholders is mainly coming from? Thank you very much.
Okay, thank you. Let’s say up until more or less a year ago, it was 100 % feeds of the population. What we now did is in collaboration with Belgian banks and with our more or less digital identity provider on a national level, it’s called It’s Me. We have a system, It’s Me, it’s our digital identity. That there were so much campaigns against banks and against It’s Me that they have a separate priority channel to notify malicious domains. So that is one additional channel that we have because if they get notified that, for instance, a certain bank is that there is a campaign, there is abuse of a bank and there is a malicious domain. they can notify it to us through a priority channel.
That’s one thing. And another project is called Fishnemo. I will not reveal too much because is this like public?
Fully public. Fully public.
Then I have to be careful because if I tell too much, how, okay. Okay, let’s say we’re trying to find domains that are linked to Belgian government and critical infrastructure but have been registered for malicious intent. So I will not explain how we’re doing this because if I explain how, it’s probably a bit easier to circumvent. But that is an additional system. So we’re trying. Okay, is there, are there domains that are being created linked to critical infrastructure that are not owned by that critical infrastructure? absolutely what you’re trying to do.
Thanks again, Miguel. I’ll answer the second question. So, of course, I mean, the people that are, the stakeholders interested in this system are the copyright owners first, because they are the ones that pushed for the creation of this anti -piracy system, but there is also a lot of support from government, so from government bodies, and actually in Italy from our national regulator, that is Agicom, the regulator for the communication. And on the opposite side, I mean, operators and internet users and companies for freedom of the internet are completely against this platform. Operators mainly also because of a cost problem that this platform introduced, that they need to, the burden is on them and they don’t get any compensation for implementing these blocks.
Okay, so we already have three questions, so we have a question from so let’s take your questions first
good afternoon everyone thank you for your excellent presentation gentlemen we have representation from belgium from italy and from serbia in the room we’re talking about very similar activities i’m from an organization called clean dns we work extensively in this space i’d like to ask the presenters about the importance of collaboration between member states because it seems as though we’re all pursuing very similar interests at a national level and greater collaboration could be of extreme advantage to citizens and to governments how can we pursue that uh further in terms of the presentation that identified uh ip address uh restrictions uh reputation block list if you like i also agree that that is not uh a panacea however i can understand how at a certain level of government taking activity through what is perhaps perceived as an easy option will give a certain profile an advantage, but this is a multifaceted environment where we need all stakeholders to be involved.
So in terms of taking action to restrict phishing and those activities which are malicious, what else should be done, especially at the infrastructure level, thinking of the different providers in the chain to help us address this at a
Again, that’s a very good question, and we are in a perfect place to debate that kind of question in the European Commission. Next door, of course, we have the Parliament. One of the recommendations that I would say is get in touch with other people around the European Union one by one, grow bigger, and then you’ll be noticed a bit more by the people who usually are around these buildings and maybe sometimes, something… completely European can be born to actually attack that problem. Sadly, usually our colleagues that usually live here usually pay attention only when things get bigger enough for that. But I will pass on to both of you if you want to comment.
I have a comment on that. Basically, a couple of years ago already there was published a study that a collaboration between several European and CCTLD, I can pass you the name later on, several European and CCTLD led to an increased phishing detection for these CCTLDs because they were able to share the machine learning model they used trained on the different data of each CCTLD and they were able basically to detect abuse going from one CCTLD to the other CCTLD. So yes, collaboration is the key from this perspective.
Thank you. So, I guess we go to the next question. Gentleman at the end.
Hello, I’m David from the Internet Society. So, I have a few comments from the presentations and also a couple of questions. On the comments, I think the analogy of IP addresses like telephone numbers can be misleading. Because when you have an urge to cut a telephone line, it’s unique. So, you can cut this line or you can cut my home line. And it will be only my house. And that’s it. IP addresses, as you explained very well, when you block IP addresses, you will be blocking many other websites, potentially. So, the impacts are enormous, potentially. You explained extensively the case of Italy. I know more. In the case of Spain. Nowadays websites Many times are composed by blocks That are just appearing in front of your face But it’s not coming from a single address But just coming in And for instance One of the blockings recently affected A payment gateway So it was all e -commerce affected In the country during this football match Not all e -commerce but most e -commerce Because when payments were to be done Requests to verify Credit card information was not possible Because this website was shut down So I think this analogy Can mislead Policymakers who just don’t know What we are talking about here So The other thing I don’t Agree is with the Blockings are difficult to do I think they are easy to do Too much easy to do Especially if the ISP doing the Blockings is an interested party Like in the case of Spain Where Where the blockings are issued by the content right ownership, right hold owner, and then in many cases they are issued and to be executed by Telefonica which is the retailer of the football matches themselves by the channel, so they are forced immediately, they want to do the blockings.
So my questions are why these policy makers are listening more to rights holders than to the technical community. We are trying to explain this is wrong. There are notorious cases of blockings. Why is this happening? That we are not able to reach out our voice correctly to the right people and explain this is wrong. Now the other question is, do you think a liability scheme would be appropriate so that right holders would be required to pay to those websites that are being affected by their IP requests
t
o be blocked? I didn’t… O
kay. so on the on the example of the phone number uh i tried to explain it’s more the phone number of an entire building so the the phone number for example of a company that has many employees they’re not the phone number your phone numbers your cell phone number to make it clear um um on the on the question of the uh whatever uh this it’s easy or not it’s easy to mandate it’s easy to request the internet service provider in your country because they need to comply they cannot i mean otherwise you go then we’re there with police and you arrest whatever is not complying with that rules and regulation so the technical way exists the difficult part is what if you want to do these on a service that is residing outside the country and you want to country just for the italian users you cannot do this because there is no way you can enforce that users from italy goes here and users from all the other countries goes in another direction On the question of liability, I think you raised an important point.
And Piracy Shield blocked in October of 2024 in Italy for more than a couple of hours, drive .google .com, so the domain name of Google Drive, basically. And that block lasted for many hours. Now, arguably, Google Drive is a service that is used for many, many users for many, many companies. So it’s very hard to quantify the business impact of that blocking. We were lucky that the blocking happened on a Saturday evening where possibly not a lot of people were working. But that may have had tremendous consequences. Yet no liability was given to the content blocker. And there is no discussion of giving. Giving that liability. Basically, there is no discussion of what if something goes wrong, who needs to pay.
and the other problem is that to have that kind of liability you need to have transparency in the system so the system of the blocks that are requested needs to be public because there needs to be someone that can audit these blocks and can tell this block can happen from this day to this day hence the financial consequences that happen for me are these but none of this is in the current regulation and none of this is in the current
So we have two more questions so I’ll ask Arun and Samridhi to actually read it out and then we’ll hand it
So the question is from the perspective of a media regulatory authority that orders DNS blocks, all of the money is only a better alternative when it comes to precisely such cases of copyright infringement, pornographic platforms etc. but it doesn’t help with sites containing other types of content harmful to minors, the providers themselves as well as the hosting providers cannot be reached So what would be the better alternative here from your view?
That’s something very hard and that’s something where a stricter block to a certain extent is somehow required. I mean, side hosting, CSAM content are arguably illegal in the whole European country and probably the whole world. So that’s a case where you can say you need to have a block that goes beyond, even to the risk of causing collateral damage, may go beyond basically the intended purposes. The problem is also that, I mean, a lot of these content are hosted on platforms that are not responding to legal authority. And we need to make an effort to curb down the fact that these bulletproof hosting out there exist. And they can host this content that are illegal.
Not removable by any legislation in the world.
well my experience is that there are different ways and a lot of different ways to respond to these crimes you can of course can follow the money you can count on law enforcement and that is absolutely necessary because if those bad guys are never caught I mean it’s like well it’s a never ending story on the other hand we can do a lot and it’s true that Belgian people that go abroad or use another provider than the five that are currently in our system they will not be warned that’s correct but let’s at least try to warn those people that we can warn my experience is that for most of the providers and for me a provider that can be a telco for a phone number that can be whatsapp can be meta that can even be a bank that provides an online bank account or a credit card company that can be a telco for a phone number that can be a bank account or a credit card company that provide us, if you notify them that their services are being abused, they’re listening.
What they don’t want, like for instance, we have a program that is evaluating online advertisements. And at the beginning, we were notifying to Meta Advertisements, giving the references, the legal references of Belgian law. This is an infraction of Belgian law, article Y. They said, please don’t do that, because when you deliver something to Meta that has a legal reference that says, this is an infraction of law, we have to immediately send it to our legal department. And they have to start an investigation because they have, of course, that umbrella. They will take the responsibility, but it will be through their legal department. So if you want a response within hours and not days or weeks, it’s better not to put.
So we created, we looked at the policies of Google, of Meta, and we said, well, we’re going to do this. And to be honest, everything that is illegal in Belgium is almost forbidden in their policy. so it’s better to put references in general saying okay this is impersonational and you say this is what they are doing but in their terms and conditions and my experience is that they do respond and they do take action but that’s not the case for all providers on the web unfortunately
Okay so we have a few more questions there’s also another one remotely so we will try to make this quick so that everyone is heard before handing it over to Peter let me just add something to this question because this question mentions some of this one of the things that we’ve been seeing about internet blocking in general is situations where we have internet social media for instance in Australia being blocked to minors in the UK they want to implement a verification that actually causes a lot of issues, especially related to freedoms, because suddenly you are not free, you are not allowed to look at the Internet in an anonymous way. So we still have a few minutes to talk about this later, but it is important to point out that this actually causes a lot of harms related to the freedoms that we have, freedom of speech, and especially the typical scenarios of countries, and we have seen this, a lot of countries trying to control the population that is no longer able to use the Internet as a means to gather and as a means to start some peaceful protests, etc.
So let’s hand it over to Peter at this moment. Yeah, thank you. Very interesting. Peter, do you want to? Did it work? No, it worked. Sorry. Peter Kovdynik, apologies.
So again, interesting discussion. Not the first time we’re having this topic, and discussion is progressing, but we always get new players in the game. I think there are a couple of things, or a couple of parts that may deserve a bit more attention, like cross -border issues, voluntary versus involuntary blocking, and circumvention technologies. And then I’ve heard twice I can’t tell you what we’re doing, because otherwise some things would happen. That’s a bit between security by obscurity and a magician sharing all their tricks. But from a state actor, or from a public authority, I do think there’s a certain transparency obligation, especially given that there are private markets participants that provide protection services, and sometimes public authorities are actually interfering with that part of the market.
Finally, I think the most important part when we talk about DNS or internet blocking… I still don’t understand why content mitigation, which is at the application layer or the user level, would have to happen at the infrastructure level, which is the core governance question. Why do we fiddle with it, even though it is not very granular? And what would the participants do to arrive at more appropriate and more granular alternatives? We’ve heard about spam folders that address mail issues. There are browser plug -ins and so on and so forth, which are more lean towards the user, give the user more control over the blocking and the protection, and also would not fiddle with the core infrastructure and avoid the cross -border issues as well.
Thank you so much.
Miguel, could you address the transparency?
Yes, absolutely. As I said, everything we do is transparent, but that doesn’t mean you have to be transparent. You have to make it public. If you have security measures in place, I mean it’s like an antivirus you don’t publish all signatures that you have found immediately otherwise the counterpart knows that that’s the way you try to protect your environment and of course those systems can be abused to my knowledge ours is absolutely not and I would never accept that. A spam filter could be abused by governments to remove specific content if you say we don’t want people to receive messages with this content or on this topic technically you could do that but that doesn’t mean that we have to remove spam filters as I said if we would do that the email system is dead so it’s about finding the right balance between applying security measures in a correct way, in a transparent way and as I said we are very transparent and we are under the control of the DPA and well, protecting your citizens and finding that right balance that is I think what is first the most important, but I do understand the concerns but on the other hand not doing nothing is I think more of a concern than trying to do something
And I want to add that I completely agree IP and DNS are the wrong place where to block things for certain kind of content and you need to go to the source, you need to block the content and then source, especially if the content are within the European Union, because we have other mechanisms to act
Okay, so I think we have about 10 minutes and we still have to see the messages let’s do it like this, so we have four pending questions let’s take the questions now and then we’ll try to come up with answers for all of them if that’s okay feel free to start.
Yeah, I’m sure quickly here. Could you just once again explain in a way to a layman, to a child, or to an average politician, why exactly the technical framework is not apt to help with the question of child protection online? So what’s really a very, very basic explanation why not for a politician? Please continue.
Thank you, Olivier Crepin-Leblanc. I’m with the United Kingdom Charter of the Internet Society. We’ve had to deal for a long time with the UK government in regards to age verification, online harms, etc. One of the problems we find with politicians is that they have a very limited lifespan of a few years and need immediate solutions. They like silver bullet scenarios and some firms… Some companies go, speak to them, and say, we have this stuff about it. We have the answer for you, this immediate thing, which unfortunately is not the solution because it’s got a whole lot of repercussions. Unless we can prove that there are no silver bullets and these are complicated issues that need balance, that need certain mitigation and analysis, we will continue having problems where there will be the false positives and the Internet will be somehow a lot harder to use if all these things are implemented, such as age verification, etc., etc.
Petra, you were there.
Yes, thank you. Petra Arts from Klaus Flair. Two small comments. Thank you, Alfredo, I think, for also highlighting the issues around global resolvers. We obviously have quite a lot of concerns around that from some of the developments that are happening in some of the countries from the legislation perspective. Thank you for highlighting that. I wanted just to point to people that want to kind of know more about the economic impact of looking to a study that we commissioned last year from Analysis Mason, a consultant center. it’s to be found online it’s called the economic cost of network blocking where we try to also illustrate a number of these kind of the things that were mentioned by a number of people in the room and maybe it’s helpful for for people as a resource so thank
you yeah i think it’s also listed in the further reading uh section of the on the wiki yeah yeah it’s there now final question online um do you have supervised methodology to ensure that you preserve freedom of speech ensuring you’re not turning into a censorship arm of a government or
even private parties oh yes absolutely we are um we are detecting phishing emails so it’s like an antivirus um it is detecting the known bad it’s about identifying the known bad and bad means you know you’re not you’re not you’re not you’re not you’re not you’re not you’re not within a specific cyber crime domain and not in a content domain. And we do check that we never go on content. It’s not because somebody is saying something like adult sites trying to protect young people that is currently absolutely not what we are doing because we don’t have a correct solution for that. And coming back to, for instance, Cloudflare, we are actually in good contact with Cloudflare.
Because more than half of the malicious domains are using Cloudflare, are using that infrastructure to anonymize themselves partially. But as we understand with the collaboration of Cloudflare, they don’t want to be, let’s say, a provider for cybercrime too. And they’re also asking, okay, how can we collaborate and how can we with governments have a better exchange so that… we are not those ones that make sure that those bad guys are never being called so it’s about finding a way in a balanced way together with those I also call you a service provider in that way you’re delivering a service on how can we do it but not by law, by talking to each other by listening to each other what can we do together and that is I think the model that we set up and that we’re trying to defend
Raffaele?
I will be extremely brief to answer, there is no silver bullet and everything we do on the internet as consequence every action that we take and where we interact with the internet protocol in general as consequence there is all there needs always to be a balance between the risks and the benefit of the action that we take and that balance needs to be discussed with technical brewers that’s the important part
thank you, now over to Philip for the messages from this session
yes, I’ll very briefly share the messages I did my best to to summarize the conversation, so you should be able to see that now, so so, the first message is that the evolving nature of online harms requires a multi -stakeholder collaboration to be tackled effectively, as we heard from Miguel and this may take form of collaboration among industry players or across industry and the government second, intervention of the technical area by blocking the IP addresses or DNS have significant impact on the availability of online resources, like websites and cause unnecessary collateral damage without necessarily addressing the legal content in question and thirdly that interventions on illegal content to increase online safety should be proportionate so the rights of
Okay, we have one or two minutes if anyone wants to comment
Thank you, Rishi, Clint, DNS I’d like to ask the panelists this is coming just on the apologies I was going to ask for the youth diggers for one recommendation for them to think about arising out of this session
Sorry, can you repeat?
I would like to ask for one recommendation from the panelists for the youth diggers attending this session
Be active and participate in this discussion because I mean, some of these discussions center around the fact that part of these blocking are for protecting young people on the Internet. You need to have a voice on what is really the harm you want to be protected from. It’s more important that this comes from you.
The Internet is not public space. What I mean is that when I leave this building, I’m on the street. There, as a government, you can put cameras, you can even put policemen, you can control. The Internet, when I connect here to the web, it’s a privately owned… Well, this is now government, but that’s the exception. I mean, you have a private device connecting to a private ISP, going to carriers, services. They’re all owned by companies. As a government, you don’t enter private space just like that. It’s a different story. Meaning that if you want to achieve something, we will have to collaborate. With respect for each other and understanding that ecosystem. It’s private space. It’s privately owned.
Yes, but that means that those service providers, those private companies, they’re taking a lot of responsibility. And we have to, together with governments, figure out how to secure that in a balanced way together in that private space.
Okay, so we are perfectly on time So let’s just wrap this up for today I think that it’s not going to be the end of this conversation because this topic will go on forever So let me just mention that at this moment we have 73% of countries which are no longer democracies if some of them ever were and these kind of limitations that we see especially the last topics that we talked about these kind of problems are growing more and more so we will discuss them in future events as well. We want to thank you all very much for being here. We want to especially thank Miguel and Rafael for being our guests. We also want to thank everyone who participated, and especially we want to thank Philip Lucas, and we want to thank Arun and Samridi for moderating remote sessions.
And of course, Philip and I, we really want to thank everyone for being here in person or remotely, and I hope you have a great event coming up. Okay, thank you everyone.
“Miguel De Bruycker was identified as Director General of the Centre for Cybersecurity Belgium, and the CCB was described as a central public authority for Belgian cybersecurity policy.”
The knowledge base confirms the institutional role of the Centre for Cybersecurity Belgium as the body that monitors, coordinates, and oversees Belgian cybersecurity policy, and notes that CERT.be operates as its national CSIRT [S123]. This supports the report’s description of De Bruycker speaking from the CCB’s central operational and policy role.
“Belgium’s anti-phishing model was presented as a technical protection measure aimed at cybercrime rather than general content regulation.”
This framing is consistent with broader knowledge-base material distinguishing cybercrime-oriented blocking of phishing, malware, and botnets from wider content-control regimes. A technical session report notes that DNS or other filtering is commonly used to hinder access to phishing websites, malware, and botnets, while also highlighting the need for care in implementation [S87].
“The Belgian Anti-Phishing Shield works through DNS-based warning mechanisms rather than removing content.”
The technical distinction is supported by the knowledge base: blocking name resolution means the content can continue to exist while access is hindered unless the exact IP address is known [S87]. Separately, guidance on jurisdiction stresses that taking down a domain removes all websites and e-mail accounts associated with that domain, showing why DNS-layer intervention is different from content removal [S54].
“De Bruycker stressed that Belgium’s system does not remove content and is meant to show a warning page rather than impose an absolute access ban.”
The knowledge base supports the underlying technical and policy distinction. DNS-level blocking affects resolution rather than deleting hosted material [S87], while domain takedowns are much more sweeping because they remove every website and e-mail account on the domain [S54]. This adds context to the report’s claim that the Belgian model was framed as a warning-based intervention rather than full removal.
“Belgium’s approach involved cooperation with major ISPs and used secure DNS arrangements.”
The knowledge base contains relevant technical background on DNS as an Internet infrastructure layer that can be altered by ISPs, including examples of ISP-operated DNS manipulation and discussion of DNS policy’s broad effects [S36] and [S86]. While it does not verify the Belgian program details, it supports the plausibility and significance of ISP-based DNS implementation.
“The report linked the growth of phishing reports in part to AI making malicious content easier to generate at scale.”
The knowledge base adds supporting context that AI has created new cybersecurity threats and is being used in phishing campaigns, including for sophisticated fake images, videos, and social engineering [S129]. It also notes the rise of deepfake-enabled fraud and scalable multimodal deception, which reinforces the report’s point about AI increasing the scale and realism of scams [S130].
“Belgium had launched a public awareness campaign encouraging users to forward suspicious messages, and this anti-phishing effort was part of a broader cybersecurity-awareness strategy.”
Belgium’s cybersecurity strategy explicitly states that the CCB raises awareness of major cyber threats and how to protect against them, and that citizens should be informed and aware of the main risks when using ICT and the internet [S123]. The knowledge base also highlights awareness-raising as an important anti-cybercrime measure more generally [S35].
“The discussion expanded from a concrete anti-phishing case toward wider debates about blocking, proportionality, transparency, technical architecture, and fundamental rights.”
The knowledge base confirms that these are standard fault lines in discussions on Internet blocking and filtering. Reports on content blocking discuss proportionality, transparency, overblocking risks, and freedom of expression concerns [S87] and [S88], while DNS-policy materials stress that infrastructure-layer decisions can have broad rights implications [S86].
“De Bruycker emphasized proportionality, transparency, and restraint as safeguards for the Belgian system.”
The knowledge base strongly supports the relevance of these safeguards. Discussion of Internet blackouts and other restrictions highlights the principle that governments should act proportionately in cyberspace and in accordance with law [S88]. Separate material on content blocking stresses that lack of transparent and accountable processes can be harmful and can lead to overblocking [S87].
“The moderator framed the session as an interactive discussion with audience and remote participation rather than a sequence of long prepared speeches.”
The knowledge base does not verify this specific session setup, but it provides strong background that Diplo and related Geneva events routinely emphasized remote participation, interaction, and blended formats rather than purely in-room exchanges [S118], [S119], [S120], and [S121].
The strongest agreements were that online harms are real and require action; that collaboration across governments, platforms, operators, and technical actors is essential; that IP and DNS blocking are often blunt tools with serious collateral risks; and that any intervention must be proportionate, rights-sensitive, and accompanied by safeguards such as transparency or oversight [174-182][227-229][292-297][333].
The main disagreements were not about whether online harms are real, but about which technical layer should be used to address them, how much transparency and accountability public interventions require, and how to balance urgent protection goals against collateral damage and rights risks. The sharpest divide was between Miguel’s defense of narrowly scoped DNS warning for phishing and Raffaele’s and Peter’s broader skepticism toward infrastructure-layer intervention [34-45][60-64][110-125][150-161][292-297]. A second major fault line concerned governance safeguards: Miguel defended limited disclosure of methods within an overseen system, while Peter and Raffaele pushed for stronger transparency and auditability, especially where public action causes harm or affects markets [141-148][253-261][289-303]. Child-protection cases added a further tension between stronger intervention for universally illegal content and concern about privacy, anonymity, and overbroad controls [264-270][280-281][312-316][323-325].
Moderate. The speakers broadly shared end goals such as reducing cybercrime, protecting users, and avoiding abuse, but they disagreed substantially on implementation choices and safeguards. This level of disagreement implies that future policy on online harms is likely to hinge less on whether action is needed and more on designing narrowly tailored, transparent, technically informed, and rights-respecting mechanisms that distinguish between phishing/cybercrime mitigation and broader content control [67-72][169][292-297][331][333].
The key comments shaped the discussion by progressively moving it through three levels. First, Miguel De Bruycker grounded the debate in practical cyber-defense, arguing that some technical protections are necessary and legitimate when narrowly aimed at clear cybercrime. Second, Raffaele Sommese and several participants complicated that picture by showing that infrastructure-level blocking becomes far more problematic when used for copyright or content enforcement, especially because of collateral damage, opacity, and ease of circumvention. Third, later interventions from David Frautschy, Peter Kovdynik, Olivier Crepin-Leblond, and Andre Melancia elevated the debate from technical effectiveness to governance, accountability, architecture, and rights. Together, these comments transformed the session from a discussion of tools into a much richer examination of where intervention should occur, who should decide, who should be accountable, and how to balance security with freedom. The overall flow moved from operational examples to systemic critique, and finally to a more mature multi-stakeholder perspective on online harms.
Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.
Related event
