As mentioned in our recent back-and-forth with the US FDA, we recently received the following Notice of Criminality from the City of London PIPCU:
Classification: NOT PROTECTIVELY MARKED
Dear Sir or Madam,
Notice of Criminality
[domain name redacted by easyDNS]
EASYDNS TECHNOLOGIES, INC.
Receipt of this email serves as notice that the aforementioned domain, managed by EASYDNS TECHNOLOGIES, INC. 28/03/2014 is being used to facilitate criminal activity, including offences under:
Fraud Act 2006
Copyright, Designs and Patents Act 1988
Serious Crime Act 2007
We respectfully request that EASYDNS TECHNOLOGIES, INC. give consideration to your ongoing business relationship with the owners/purchasers of the domain to avoid any future accusations of knowingly facilitating the movement of criminal funds.
Should you require any clarification please do not hesitate to make contact.
Kind regards,
PIPCU Anti-Piracy | Operations | Police Intellectual Property Crime Unit | PIPCUantipiracy@cityoflondon.police.uk<PIPCUantipiracy@cityoflondon.police.uk > | Address: City of London Police Economic Crime Directorate, 21 New Street, London, EC2M 4TP | ü www.cityoflondon.police.uk<http://www.cityoflondon.police.uk/>
Once again, we are being asked to do (something, we’re actually not sure what this time) based entirely on an allegation which has never been tested in a court of law and has been afforded absolutely zero “due process”. (The domain in question is a search engine that hosts no content).
What it is we’re being asked to do is, in our minds intentionally vague. If you recall, last time the PIPCU came around they wanted us to arbitrarily takedown domains purely on their edict, hijack said domains’ traffic and reroute it to an IP address displaying advertisements for IP lobby approved business interests.
We think this time the intent is not to actually get the domain name taken down, but rather to build some sort of “case” (I won’t call it legal, perhaps the better word would be “kafka-esque”) that we, easyDNS by mere “Receipt of this email” are now knowingly allowing domains under management to be “used to facilitate criminal activity”.
Thus, if we don’t takedown the domains PIPCU want us to, when they want us to, then we may face accusations in the future (in their own words) “of knowingly facilitating the movement of criminal funds.”
Which of course, we don’t know at all because there has never even been a court case anywhere to test the PIPCU allegations. I know I never went to law school or anything, but in my mind, until that happens, that is all they are – allegations.
The Slippery Slope is a Road to Tyranny
In the past, when we’ve been sticklers for “due process” people would ask “why?” and we would respond that we were on a slippery slope and now that domain names were being taken down without it we were on our way to “rule by decree”. It was a lot more abstract and hypothetical, but it did seem to be following the script laid out in “First They Came For The File Sharing Domains” that we wrote back in 2010.
Recent events made it all very real, when exigent circumstances prompted our co-operation with the FDA to take down a rogue pharmacy without a court order, and suddenly, very quickly that exact same FDA attempted to parlay that cooperation into further summary takedowns of a domain list that included completely legal websites operating here in Canada.
Let’s Spell Out The Obvious
So let’s sum up by stating the obvious and enumerating the reasons why domain registrars and DNS providers should not be counted upon by law enforcement and government agencies to summarily takedown domains without any semblance of due process:
- Innocent Until Proven Guilty Do we need to say it? It’s a basic building block of modern “democrazies” (hah, typo, I think I’ll leave it in) that our overlords cannot penalize us, deprive us of our property, liberty or basic freedoms absent some kind of legal process that finds us guilty of a crime.
- Conflicting Obligations The website the FDA wanted us to summarily takedown without a court order is a lawful Canadian business. If we take them down “because the nice man at the FDA asked us to” then we open ourselves to liability from our own clients. In the absence of a legal proceeding to take down a domain, we need to see clear violations of our ToS or AUP – otherwise, we can and will get sued by those we summarily takedown.
- Disruption Is Not A Crime As a failed musician I do have sympathy and understanding for how the new digital age challenges the existing business models. While I don’t have any easy solutions for how content creators can adapt to the new realities, I do know that the way to do so is to embrace the new emergent paradigms, not fight them. The argument that file sharing hurts sales is far from undeniable fact, some studies have found the exact opposite. In any case, when a new model emerges it is always painful, but disruption is the price of innovation, not a crime.
- Registrars Rarely Go To Law School: Whenever a Registrar or DNS provider is asked (or commanded) to summarily takedown a domain name / website, one must understand that absent due process, and absent a deemed violation of the provider’s own ToS by the provider itself, then the provider is then being tasked with adjudicating law.
In a larger sense, the these points can be extrapolated into two larger principles:
- The World Can Learn From Canada where the RCMP (particularly the highly clueful Tech Crimes Unit), and any other government agency who comes calling always has their paperwork in order, every time. You may notice that Canada, as a result of it’s law enforcement and government agencies following due process, has not collapsed into a heap of post-apocalyptic lawlessness on account of the internet preventing the rule of law from prevailing.
- Finally, Enforce Your Laws in Your Jurisdiction Not Everywhere Else If it is illegal to import something, download something …(or think something) within your country then the LEA apparatus of said country should work toward enforcing the laws locally – that way the citizenry actually sees what is happening (and will hopefully stand up against it if it’s egregiously over the line, much like how a public outcry staved off Bill C30 a.k.a. “Lawful Access” here in Canada).
I’m No Expert In “Defamation”, but…
(…aside from being sued for not taking down an allegedly defamatory website) It seems to me… that if anybody (law enforcement or otherwise), got into the habit of emailing somebody’s, anybody’s vendors and business associates and repeatedly telling them that somebody was a criminal, and urged them to sever business ties with that entity in complete absence of proof or legal proceedings to back that up; that would seem a textbook definition of defamation or libel.
Further, hinting that failure to cooperate could result in adverse consequences such as i) being stripped of one’s trade accreditation or ii) possibly being accused of a crime in the future, strikes me as coercive or an abuse of position on the part of PIPCU.
Further Reading
Free Webinar: The 7 Deadly Risks You Are Exposed To Through Your Domain Names
Reserve your spot today for Mark’s upcoming O’Reilly Webcast where he deconstructs the 7 distinct types of risk that any organization is potentially vulnerable to by simple fact of having a domain name. Click here.
Interestingly, if you view the source of the PIPCU page http://83.138.166.114 (the location that they asked for sites to be redirected to), it's using Google Analytics to track visitors. Which is fine, and I don't have any problem with that at all. I use Analytics myself, as do millions of website operators across the world. But both Google's ToU and EU law require any site using Analytics to have a privacy policy page explaining that Analytics is in use and telling people how to opt out or control the way it tracks them. And, because Analytics uses cookies, it falls under the EU's cookie directive requiring website operators to notify users that cookies are in operation and give people the opportunity to opt out.
The PIPCU holding page has neither of those. Which means that it is, at least technically, in breach of UK and EU law as well as Google's ToU.
Mark,
there is a specific technical reason DNS providers should be loathed to remove domains.
"Domains can contain name servers for other domains."
This means you have no way of knowing in advance what the scope of your actions are, since DNS provides no mechanism for you to discover this.
When I worked at a small UK web-hosting company our domain name servers controlled a surprisingly important amount of traffic. I dare say from the outside we looked like we were – a small web hosting company. We split our DNS servers into two in-bailiwick groups one under ".net" and one under ".co.uk", so that no one TLD provider could break service simply by dropping our domain (wrong answers for those domains on the other hand could break it, but at least you have a sporting chance and can play games with the servers you still control).
If you'd dropped our domain (before it was split), you'd have broken a few thousand domain, a few tens of thousands of websites, and potentially have affected UK network traffic in the kind of event that makes newspaper headlines. Won't happen often, but as a business man I would suggest it is not a bet you want to take lightly.
In practice newly registered domains, with dodgy credentials, and dodgy looking payment details are unlikely to have substantial Internet infrastructure hung off them. But you have no way to know for sure if all you control is the parent domain, other than potentially query volume, and in cases of a simple registration that may be with the TLD operator.
In my opinion, you are totally within your rights and ability to revoke domains that don’t adhere to the TOS. When a domain owner signs the registration agreement, you are given a right to judge what constitutes an allegation of illegality and whether they are grounds for suspension or revocation of a domain.
I know you’re a stickler for due process, but what if I told you EasyDNS was the registrar of a child-prostitution website, or a murderous drug gang? Something that was obviously criminal, dangerous, foul, and directly threatened you and your family?
Would you try to contact the FBI and file a report, hope some overworked agent cares enough to make a legal case of it? Or simply suspend that domain with a few clicks of your own mouse?
I’m sure the public would approve and appreciate you revoking those domains immediately – as is your right under the registration agreements – instead of waiting weeks or months for some judge to order you.
Where is this coming from? A concerned member of the public, who tried to get a registrar in the US to revoke a domain used for a terrorist website. Yes, it’s those guys who are doing a lot of beheading in Syria lately, and their website has some of the most monstrous content you can imagine.
They refused to suspend the domain, and told us to “get a court order”. A Texan company defending the Islamic State’s right to free speech. That’s rich.