Legal Framework, Data Conventions and Access Controls

Anti Phishing Working Group

APWG’s eCrime Exchange (eCX), the world’s oldest and most trusted repository designed specifically for the exchange of machine-event data related to cybercrime, owes its longevity and global acceptance to its multi-dimensional trust architecture

Data Exchange Designed for Cybercrime Fighters

For Membership Information:

APWG has spent decades refining and updating a precisely relevant contractual framework that allows cybercrime event data exchange to execute programmatically (among usually non-correspondent parties) while defining and managing attendant risks to submitters and to data consumers.

Bilateral data sharing requires corporate legal teams to forge agreements with everyone — peer-to-peer — with whom they want to share data. That approach can consume months in delay, and may not result in effective data sharing or complete understanding and amelioration of attendant risks.

APWG’s Data Sharing Agreement (DSA) mediates data exchange across a central (versus bilateral) clearance platform — the APWG eCrime eXchange (eCX) — by satisfying risk-management requirements of corporate counsel, thereby mobilizing data for security applications and cybercrime forensic routines required for programmatic suppression of common cybercrimes.

The DSA, centerpiece of eCX’s trust architecture, allows companies, governments, NGOs and multilateral treaty organizations to submit and consume data with a simple, single agreement that protects every participating institution — at once.

APWG’s DSA global acceptance, across so many domains, speaks to its recognition as a universally applicable clearance instrument for mediating the exchange of these types of essential event data. After nearly two decades in operation, not a single formal legal dispute related to the exchange of data has been experienced by any eCX user, or the APWG in its role as eCX curator.

APWG’s experience in uneventfully curating the exchange of what was considered by some parties as liability laden data at the institution’s foundation in 2003 speaks to the success of APWG’s labors in balancing the interests of parties that would be correspondent in the exchange of those data through eCX.

Strictly Defined Meta Data Enable Programmatic Responses

APWG’s DSA works in concert with precisely defined data element definitions; conventionalized metadata; and rigorously maintained data-marking standards (for key usability indicators such as Confidence Factor). These conventions in data marking allow developers to recruit and employ APWG eCX data with measured confidence and design coherence to deploy and maintain programmatic responses that would otherwise be vastly more work-intensive to craft without them.

Data records submitted into the eCX that include a “Confidence Factor” indicates the submitter’s confidence that a data record is a genuine expression of risk, reflecting the level of manual, eyes-on, manual examination applied in determining the represented data element’s maliciousness.

The Confidence Factor can change as investigators enrolled on the eCX gain more knowledge about a data item. This mechanism allows data to be shared at the earliest point in an investigation and can quickly express others’ knowledge into the data item shows more risk – or a false positive. Each eCX user can edit confidence factors – with each update logged in eCX administrative records.

eCX API endpoints conform to rigorously drawn schema that organize data elements disciplined by technical standards and conventionalized definitions of events (i.e. phishing campaigns; registration of brand-abusing domain names, etc.) and data elements (e.g. URLs, domain names) that are created, recruited and abused in common cybercrimes. In eCX’s malicious-domain endpoint, for example, ‘Fake Store’ is distinguished from ‘Scam’, each framed by their own definitions. Each record on the eCX, further, distinguishes between the timestamp applied at discovery and the time of any modification of the records.

These data architecture elements established and maintained on APWG eCX provide working infrastructure for responders crafting programmatic cybercrime detection and response routines. They were developed as a collaboration among APWG over the decades that continues to this day.

eCX Trust Architecture: Builds Trust By Design Contractually & Operationally

eCX’s trust architecture ensures parties are vetted and validated as a component of the enrollment process itself, so all data records with a Confidence Factor archived on eCX can be traced to auditable parties — by design — down to individual submitters and their employers.

APWG engineered its DSA in 2004 to satisfy risk management requirements of both data submitters and data consumers, striking purposeful balance in addressing liability and indemnification questions attendant cybercrime event data exchange.

The agreement requests – but does not explicitly enforce – best efforts for data accuracy. At the same time, eCX allows users to edit and correct inaccuracies, leveraging the membership’s larger wisdom to continually improve and preserve eCX data fidelity.

APWG’s DSA works in concert with eCX user toolsets to animate a trust-building environment. The larger eCX trust architecture, in which all members follow explicit and precise usage rules, builds trust, as do common expectations and actions. Empowerment as a data contributor and data editor, as well as consumer, moreover, builds trust. 

Members / data-sharers operating under the APWG’s DSA process eCX data as equals — from newest member to APWG directors: each user had full read / write access to eCX API endpoints. At the same time, the DSA’s provisions for for flagging and/or removing erroneous data, empowers eCX users with authority to edit Confidence Factors, for example, reflecting the users’ knowledge and understanding of a report’s accuracy.

APWG’s directors believe the DSA language’s precision, situational relevance and the time-tested and familiar contract law conventions it observes allows participating institutions to make a precise assessment of risk attendant exchange of the kind of cybercrime event data that are archived on eCX.

eCX’s Data Exchange Architecture Is the Trust Model for Our Cybercrime Epoch

Civilization requires data exchange for programmatic suppression of risks that attend the development of advanced economies – and exchange of cybercrime event data is no exception. 

APWG’s estimation is that structured exchange and formal clearance of cybercrime-related machine event data and Internet event data will be the fuel and forge for global response of common cybercrimes until the built computing environment is reformed to complicate those cybercrimes for the attackers — by design — rather than apparently assist them.

Hanseatic League maritime traders of the Middle Ages fused maps of piracy locations to optimize trade routes to avoid raiders. Underwriters collect and share fire and casualty event data to calculate rational premiums on homeowners’ policies. Public health agencies exchange flu strain data from across the world to frame the composition of season flu vaccines.

Today, cybercrime prevention and suppression demands a rigorous, globalized data clearance mechanism, first to respond to common cybercrime events and minimize the damage they inflict and, secondarily but no less importantly, to provide counter-cybercrime responders, researchers and developers with data to craft their forensic examinations and tools. 

After 18 years clearing cybercrime data for the private and public sectors, APWG has worked through a good deal of the challenges attendant risks related exchange of these kinds of data – experiences we are glad to share with our peers in the counter-cybercrime enterprises. 

Correspondents with interests or questions about our DSA or trust model need only contact us at

APWG’s Data Sharing Agreement has been signed by the largest companies in the world — as well as multi-lateral organizations, national law enforcement agencies, national CERTs and national regulatory bodies