Last updated: 
3 months 2 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Swiss law on malware-infected domains

Friday, February 14, 2014 - 08:50

The recent TF-CSIRT meeting in Zurich included a talk by the Swiss telecoms regulator (like ours, called Ofcom, though their 'F' stands for Federal!) on the law covering websites in the .ch domain that distribute malware, normally as the result of a compromise. Under this law a designated authority can order the temporary or permanent suspension of such a domain; where the domain registry has evidence of a problem it may itself suspend a domain for up to five days though a warning is generally given first and suspension will usually be shorter if the site owner removes the malware. This has proved successful in reducing the prevalence of malware on Swiss websites and the risk to users from threats that their anti-virus systems do not yet detect.

Unlike proposals by Nominet to use registry contracts to deal with malware and other alleged criminal activity in the .uk domain, the Swiss scheme is based in specific Telecommunications law, giving it a very precise scope and objectives. In Switzerland, unlike the UK, domain names are considered "addressing elements" so the telecoms regulator has the same power to regulate their use as, for example, telephone numbers. Telecoms regulation can, however, only be used for objectives that are within the remit of the telecoms regulator; regulation of domain names used unlawfully in areas such as banking or medicines would have to be done by the regulators of those sectors under their designated powers and objectives.

The Swiss Ofcom's duties appear similar to those of the UK's, which are set out in section 3(1) of the Communications Act 2003:

  • to further the interests of citizens in relation to communications matters; and
  • to further the interests of consumers in relevant markets, where appropriate by promoting competition.

This means that although the Swiss telecoms regulator could, if it wished, propose laws addressing other types of harmful content, it could only do so where the harm relates to communications matters. Malware that infects citizens' computers clearly does, wider forms of content-based "censorship" that some in the audience were concerned about wouldn't.

I've always felt that the operation of the Swiss anti-malware scheme struck a good balance between the interests of domain holders and those of internet users. It seems that its legal basis also gives clarity to the registry while limiting the possibility of mission creep.