Code of conduct for combating abuse
Version 1.1 September 2018
Society must have the confidence that operators and providers of digital infrastructure try to prevent and combat the use of their facilities for unlawful activities. Such operators and/or providers therefore comply with this code of conduct.
Digital infrastructure is: facilities connected to the Internet that facilitate digital online services, in the broadest sense of the word, including data centres, hosting and cloud platforms, domains, networks (AS), internet access, platforms, file shares; and everything that is considered to be a mere-conduit activity under the European E-Commerce Directive.
Abuse is: the misuse of digital infrastructure connected to the Internet in the broadest sense of the word, such as the sending of spam or phishing emails, the spread of malware, DDoS, running a botnet, storing and spreading CAM or other illegal material, running a fraudulent website, et cetera. Abuse always concerns unmistakably illegal activities and also anything that the operator concerned considers undesirable.
Digital infrastructure operators:
- Are, in principle, neither liable nor responsible for the activities of the users of their services.1 Nevertheless, this does not exempt them from doing everything within their power to combat abuse.
- They will therefore comply with this code of conduct and shall make that known on their website, i.e. communicate about this with their clients and employees.
- Comply with the NTD code of conduct and implement the associated processes and organisation.
- Adopt an acceptable use policy for their clients and/or users that states what is expected from them if abuse is demonstrated in their activities.
- Are obliged in the case of prolonged, substantial or repeated violation of the acceptable use policy by their clients to suspend the service provided, to place services in quarantine or to end the contract with such clients.
- Shall take direct measures to prevent or limit further damage in the case of abuse that the operator has noted is causing ongoing severe harm to individuals. CAM, phishing, bogus web shops and the spreading of malware are in any case considered to be such forms of abuse.
- Ensure they have the correct contact details of the client, so that in the event of suspected or actual abuse they can contact the client directly.
- Are pro-active towards their clients or users; in other words, they take action if they are made aware of abuse or vulnerabilities in their services.
- Adhere to industry best practices for combating abuse that are appropriate to their activities, such as the M3AAWG code of conduct and make this known to their clients.
- Publish on their website and in the relevant WHOIS registrations the contact details for reporting abuse.
- In so far as this can be reasonably expected, accept all abuse reports that they receive via automated systems and through individual reports written by people.
- Do everything reasonably within their powers to obtain information about vulnerabilities and abuse in their networks and via their facilities. At the very least they will do this by subscribing to abuse feeds of the AbuseHUB, connecting to a national CERT, and consulting or connecting with other information sources that provide such insights.
- Do everything that is reasonably within their power to reduce the effects of abuse within their networks for other Internet users. At the very least they will do this through egress filtering of spoofed traffic and applying the measures stated in the MANRS code of conduct.
- Inform themselves about their performance in the area of combatting abuse by consulting the available sources for this.
- Realise policy to continuously improve their performance in the area of combating abuse.
- Users of this code of conduct will report any suspected or actual incorrect use of this code to one of the sector organisations that endorses this code of conduct, the NBIP or the Platform Internet security (PIV) of ECP.
- The NBIP, the sector organisation contacted and/or the PIV shall request the organisation concerned to provide an explanation. If, in the opinion of the organisations mentioned above, the answer provided is unsatisfactory then the party concerned will be requested to refrain from referring to its use of the code of conduct. In that case, the situation will be reported to the PIV, the ACM, the Dutch Ministry of Justice and Security, and the Dutch Ministry of Economic Affairs and Climate Policy.
- Participants in this code of conduct will, if possible, refrain from business relations with organisations of which it is known that they evidently act in conflict with this code of conduct, and/or of which it can reasonably be stated that they deliberately facilitate illegal practices.
- This code of conduct shall be periodically reviewed, based on the feedback and experiences of the participants in this code of conduct.