PPP in the Netherlands: the right approach to deal with online abuse

Soon after the start of the COVID-19 crisis, strong digital infrastructure turned out to be a major asset. The Netherlands is one of those fortunate countries. Everyone has access to affordable and reliable broadband. Families, employees, businesses, and government switched to videoconferencing, working, learning and shopping from home without a glitch. In addition, we have hundreds of large datacenters within our borders. Giving home to millions of servers and enormous amounts of data. Which gives us significant digital autonomy and an economic advantage. Dutch gaming, hosting and e-commerce companies saw a significant increase of their business over the past months.

But our strong position as an internet, colocation and hosting hub comes with a cost. We also have the questionable honor to facilitate significant amounts of cybercrime. Ranging from fraudulent web shops , phishing sites and botnets, to the second largest supply of online sexual abuse content in the world.
Our government, but also we as digital industry have struggled to mitigate these problems.

The typical political reflex is to attribute cybercrime to the internet and blame infrastructure providers for letting that happen. And make legislation to mandate them to enforce the law towards their customers. But obviously that is an undesirable development. Worse, it does not work. The law cannot force companies and their employees to inspect millions of images to determine of they display sexual abuse. Or have them determine whether or not a video with screaming men shooting Kalashnikovs around a camp fire are just celebrating a wedding or are encouraging terrorism. Neither is effective technology within financial reach for mostly SME companies.

The inevitable conclusion must be is that online law enforcement cannot be privatized and infrastructure providers can’t and shouldn’t be turned into police, prosecutors and judges. They can act, and must act, but only if they are properly , swiftly and correctly informed of unmistakably unlawful activity on their servers.

Over the past years we have decided to bury the hatchet and started to work together on that approach. We started a cooperative not for profit anti-DDOS scrubbing center that now effectively protects more than 50% of the entire .nl domain, 2.5 million sites against large and sophisticated DDOS attacks. Together with our ministry of economic affairs and ministry of justice we have launched several cooperative projects and private-public partnerships. These also turn out to be extremely effective. We developed a code of conduct Notice and Takedown for non-government notices, and funded trusted notifiers. During this year we have implemented an anti-CSEM approach with a hashcheck function for public photo shares, based on a police database, that after just 6 months has proven to be extremely effective. We have started an online trust coalition, an anti-abuse coalition, an anti-DDOS coalitions. All as PPP’s, with major organizations and players in NL, and government organizations and even authorities.

We believe that we have found the right formula for collectively fighting abuse and cybercrime. Not laws and regulations, but policies, codes of conduct, information sharing facilities, technology. And sure- also with additional legal mandates and possibly fines for companies that fail to implement their duties of care. Based on actual, measured performance.
This co-regulatory approach can and must be a template model for our shared ambition: a well balanced approach to keep the Internet clean.