April 4, 2024

By Joe McNamee, Senior Policy Expert, EU DisinfoLab

The “Doppelganger” disinformation campaign relies on the creation of web addresses (“domain names”) that look like the web addresses of trusted news sites. Content that is deceptively similar, or just plain identical, to those trusted news sites is hosted under that domain name. Disinformation is then planted in the doppelganger site, to make the lies appear more credible.

So, someone should do something about this. Right?

Well, yes. In a previous blog post, we established that, as a basic principle, the internet intermediary that is closest to an offence is the one best placed to stop it. In this case, the offence is, partly, the domain name so, somewhat exceptionally, the domain name registry or registrar is best placed to address it.

How do domain names work? Well, when you buy a domain name like disinfo.eu, you buy it from a registrar like Tucows, they buy it from the registry for that top level domain, which is a company called Eurid for .eu. ICANN is a global authority responsible for high-level administration in relation to registries and registrars.


The global body responsible for the domain name system is ICANN (the Internet Corporation for Assigned Names and Numbers). While it does high level work to stop abuse of domain names in relation to purely network security threats (botnets, phishing, pharming, malware and spam), it is unwilling to regulate content. This makes a lot of sense because, while security issues are universal, languages and what legally or socially constitutes unacceptable speech are not.

Adapted from an image from CENTR.org

During the COVID pandemic, ICANN ran a security operation called DNSTICR (Domain Name System Threat Information Collection and Reporting). It reviewed websites with domain names with specific COVID-related words, to check if they were involved in phishing (fraudulent attempts to obtain personal data) or malware (injecting malicious code into visitors’ computers).
The methodology was, in essence, if it walks like a duck, and quacks like a duck, and potentially has other duck-like features, there was reasonable grounds for believing it might be a duck.
ICANN then informed the registrar that registered the domain name that:

  • The domain name contained the suspicious COVID-related term (it walks like a duck) AND;
  • The content loaded at that domain name appeared to be malware or phishing (it quacks like a duck) AND, if relevant;
  • There were other relevant characteristics (it had feathers and a beak like a duck).

The registrar, as the entity with a direct business relationship with the domain name owner, could then take the most effective action, based on the local laws, their terms of service, and so on.

Dispute resolution

When a person or an organisation feels that a domain name that should normally belong to them has been unfairly or illegally registered, there are options to complain to have the domain name withdrawn or transferred to them. Depending on the registry, this may be the Uniform Domain-Name Dispute Resolution Procedure (UDRP), the complementary Uniform Rapid Suspension (URS) procedure, a registry-specific procedure, or a national judicial procedure. This can and does often work well and several doppelganger domains have been successfully revoked.

However, such dispute resolution needs to be done with due attention to freedom of expression, as otherwise legitimate speech would be undermined. It is important to recognise and mitigate against the fact that this is difficult to get right. The World Intellectual Property Organization (WIPO) decision that wal-martsucks.com was confusingly similar to Walmart.com is not without its critics, for example. The decision to revoke ihateryanair.co.uk is also surprising to some people.

Care takes time. However, as Mark Twain said, a lie can travel halfway around the world while the truth is getting its boots on.

So, other options are needed also.

Registries and ducks

So, what if there was an ICANN-style (DNSTICR) way of sending doppelganger “duck reports” to registries?

The structure has already been created for the ICANN-defined security threats (phishing, pharming, botnets, spam and malware) on the netbeacon.org website. This guides users through the process of formulating a well-structured report, that is sent to the registrar or registry (depending on various factors that are beyond the scope of this article), which then has all the information they need to take action.

  • Does the domain look confusingly similar to a news outlet? (Does it walk like a duck?)
  • And does the website look confusingly similar to that same news outlet? (Does it quack like a duck?)
  • Does it have other clues pointing to it being designed to manipulate and misinform? (Does it have other duck-like features?)

Then, with a minimal amount of diligence and cooperation from registries, the doppelganger sites are, well… sitting ducks.

Ceci n’est pas (forcément) un canard

But… what if it is an Australian registry processing a complaint about a Swiss news site that, it is alleged, confusingly similar to an Egyptian one – which came first the .ch or the .eg? Who is liable for damage caused by the wrong domain being revoked?

Another solution could be for registries or registrars to grant media trade associations “trusted notifier” status. This model is already used in parts of the domain name industry and, with shared liability, a high degree of due diligence on the part of notifiers could be counted on.

If (more) registries and registrars are prepared to support this approach to fighting egregious abuse of their services;

If media associations are prepared to invest resources in defending their online content and identities;

And if, together, we can streamline reporting mechanisms so that well-formatted reports about genuinely open-and-shut cases can be sent from trusted notifier media associations to the right place… then maybe we could help the truth get its shoes on before the lie gets too far on the superhighway.