"Rapid takedown" was foisted on us in 1999 when the original registrar agreements were being negotiated at ICANN. At the time, it was held out as a threat - agree to rapid takedown, or be subject to US regulation. At the time we didn't realize that it was the intellectual property community making the threat - it came to us under the cloak of the ISP community, which we've since realized meant "Big Telco's with massive media holdings".
Its been a slippery slope every since.
oBDisclaimer: I work at a large registrar and was in the room when the original contracts were being discussed and negotiated. I'm sorry for the part I played!
Freejack, very interesting. What would be the best course of action to preventing these takedowns, or at the very least, prevent the abuse of takedown notices?
There was an incident a week or so ago where the admin of a Finnish punk website posted a scan of an "information request" he had received from the police. This request was to provide registration information (especially email and IP addresses) of certain users of the site.
The common factor was that these users had participated in a forum thread discussing organizing a (apparently entirely peaceful) "shadow event" of the traditional presidential Independence Day reception.
The "request" came with a gag order and without any mention of an appeal process. The rationale included was a generic boilerplate "investigation or prevention of crime" with no mention of anyone being suspected of any crime or planning thereof. The gag order was, obviously and quite defiantly, disobeyed by the admin.
Now it appears that these kinds of requests are perfectly legal, do not require the authorization of any member of the judiciary, and appear to be used quite carelessly to gather information about people not officially suspected of anything. Getting "official" personally identifying information from ISPs is much harder, though, but this does not look good especially given that the new police law currently in planning stages is expected to considerably extend the electronic powers of the police.
Sure; I wrote the post in a bit of haste, just meant to share a related anecdote. The alarming thing about the case is that it seems to have come as a surprise to most observers that the police actually does have such powers in the first place.
Is due process the wrong term? Can't due process occur after the fact? For example, you can be arrested for suspicion of drunk driving, taken off the road, put into custody, and found to be innocent, and that is still part of due process. Your actions appeared to be causing a threat to others, so the government stopped your actions immediately and let the courts decide your guilt or innocence. How is that different than taking a site that is suspected of harming other people offline immediately and then work on deciding guilt or innocence?
Note: I don't necessarily disagree with the author, but I am playing devil's advocate here.
Well, due process used in this context normally means innocent until proven guilty. Unfortunately the approach taken in this instance is the reverse 'guilty until proven innocent' or worse 'guilty and that's it'.
Yes, property seizures, arrests, etc. can happen as part of due process however there are complicated legalities associated with those things. For example, you actually need a court order to make an arrest (an arrest warrant) or a warrant to seize property. Getting a court involved means you have to prove something as well, or have enough evidence. Furthermore, other things such as danger to safety, security, flight risk, etc. are all considered by the judge.
I guess that's where due process is being totally skipped here. There is no court order, no warrant, just a threatening letter without any formal basis.
"Well, due process used in this context normally means innocent until proven guilty."
While this is how it is used colloquially, at least in the US, the parent is right: Due process can occur after suspension of rights.
US Supreme court basically says it's a balancing act to decide whether you need pre-or-post deprivation due process, and what must be part of that process.
I think you make a good point. I've always thought in such situation law enforcement should be responsible for some damages if the verdict is innocence to disincentivize overly aggressive tactics. If you're taken off the road for drunk driving, but are found innocent and missed work, I believe the police should be responsible for lost wages. At least within reasonable limits. In this case, I think it would be good for law enforcement to be willing to put up restitution to legitimate business that are hurt by these tactics.
edit: Sadly, I fear the costs would merely get passed on to tax payers eventually anyway, and would perhaps not actually promote more prudent and judicial use of powers.
> Sadly, I fear the costs would merely get passed on to tax payers eventually anyway, and would perhaps not actually promote more prudent and judicial use of powers.
Well, it would if the signal it sent to taxpayers was that they needed to be more prudent in their oversight of government. Of course, just restoring immunity is an easier way to avoid the issue, and so would be the most probable response.
Taking a site offline on mere suspicion would be analogous to imprisoning someone on the mere suspicion. The notion of due process breaks down when it is too easy to abuse the process itself.
One is put in jail after an arrest before trial. They require a fee to be released before trial. Even if one is acquitted of charges, they do not receive refund.
No, actually not. The police can place you in arrest, but only for a limited time. Then a judge has to decide based on various factors whether you can be kept in jail until trial, whether you can get out on bail and how large the sum is, and sure, you get the bail money back if you show up in court, even if your not acquitted. [1] The important factor is that a _judge_ gets to decide that, not a prosecutor or mere policeman.
[1] Please note that if you loaned the money from a bail bondsman, the bondsman gets to keep his fees. This however is a separate transaction.
In the US, if you post BAIL you do get it back, a BOND however is a service provided by a company where by they post BAIL for you and you pay a company 10% (normally) for their service, The BOND company then guarantees to the court you will appear or they will track you down, if they bond company does not they must pay the court 100% of your BAIL. So if you have a $5,000 bail, you can go to a bonding company and get out for $500, you will not get that $500 back, however if you had the $5,000 you could give that to the courts, and get 100% of that money back.
> Is due process the wrong term? Can't due process occur after the fact?
I think due process would be limited to simply removing the DNS entry, not resolving to a site that is promoting other commercial sites. Just think if coke accused pepsi and got pepsi.com to resolve to coke.com?
While due process can occur after the fact, in order for a process to be 'due', it would have to (a) happen soon after the fact - but the website takedown isn't ensured to be so, any actions would simply stop after the takedown is done; and (b) include a way for compensating the innocent that are unduly punished - the given example has no practical way to redeem losses of the website if they are found to be innocent.
A little background: the guys who sent the letter are PIPCU, a new department with funding for two years who are undoubtedly keen to get results quickly and cheaply.
A weirdness of PIPCU is that they're City of London police, not London Metropolitan Police as you'd expect for a department with such a wide remit.
Note for Americans: there's no equivalent of "federal" police, it's handled by the local or regional authority. The "Met" end up with most of the national-level jobs like anti-terrorism.
PIPCU is a bit odd and new, and clearly looking to make a mark. They might reasonably complain that London police have no authority over them, and they'd be right; this is really a problem for ICANN who are ultimately threatening the registrars.
What is the difference between City of London police and London Metro police? (US resident, my only time in London was a quick drunken jaunt through SOHO on a long layover)
The London Metropolitan Police (aka “Scotland Yard” although I don’t think anyone in London uses that term anymore) is the police force of Greater London, excluding the City of London which is basically the financial district of London (famously called the “Square Mile” for obvious reasons). It also has some nationwide responsibilities, such as counter-terrorism.
The City of London Police is the police force of the City of London only. Given that there are less than 8,000 people living in the City of London but more than 300,000 people work there (many of them very well paid), they specialise in white collar crime.
It's "just" a business district within London, leaving aside a couple of millennia of history. London comprises the City and 32 boroughs, somewhat similarly to the way New York is made up of five boroughs, one of which is also called "New York" in some contexts.
Far and away the most stunning thing I saw when I visited London as a tourist in 1979 was the wall around The City of London. This is the ancient wall that at one point protected the city from attack. Why was it stunning? Because we walk up to the wall and look down a deep ditch of about twenty(?) feet to view the top of the wall. From the go go American point of view where things are transient and everything is new, to realize I was standing on the results of two thousand plus(?) years of human habitation, which had slowly raised the level of the earth all around that much, gave me a visceral sense of my connection with human history.
I would think it's the distinction between the "City of London" (just the city itself) and the "London Metropolitan Area" (the city and surrounding sprawl).
In fact the City of London is a tiny part of the city of London, and only one part of the centre (the north-east). It's the area that was originally defended by a wall in Roman times.
"The City" is a tiny little slice with something like one hundred residents. It bears zero relation to London, the London Urban Area, the London Metro Area, or the London Municipal Area.
City of London is the financial district, a city within a city. Most of the voters there are companies and it is administered by a corporation. Dick Whittington ran it for a bit with a cat that liked sturdy footwear. It is weird.
Just because it's called "City of London Corporation" does not mean it's the same as a public limited company with shareholders. It's basically a local authority with an unusual name and history(+). Of course it's very pro-establishment, but that's a function of its electorate.
PIPCU is new and a little unusual, although there's plenty of precedent for having special police units for complicated crime and they sit next to the Fraud bureau in City police units. It's a bit of an escalation - previously it was local Trading Standards who would handle piracy (e.g. people selling copied DVDs at the local market)
(+) How old? Over 1000 years, its origin is unclear.
What gets me about all of this is that the largest, most
egregious perpetrators of online criminal activity right
now are our own governments, spying on their own citizens,
illegally wiretapping our own private communications and
nobody cares, nobody will answer for it, it's just an out-
of-scope conversation that is expected to blend into the
overall background malaise of our ever increasing serfdom.
The truth doesn't have many friends with the powers that be.
They are only ordering to redirect the domain to a sole ip address? Not serving HTTPS? Should links point to secure versions of seized domains or simply to attest their identity. I think it's ok to say they are the criminals on the internet and not necessarily the other way. Not that requests cannot be legitimate but at least a basic level of quality must go into the actual process because here it just looks awkward. Not to mention shitty html behind it: if you takedown domains, please show some style :)
Due process went out of the window a long time ago when the US showed everyone that it is certainly possible and even admissible to seize domains without any sort of process. The US (department of homeland security, no less!) started seizing domains about 2 years ago. They went and basically took down any domain that was related to large scale piracy (demonoid) or counterfeit goods (sites that sold fake gucci bags, that kind of stuff..). The other kind of site that they targeted were mostly sports streaming sites (ones that streamed ESPN, etc.).
It was obvious that the UK would follow soon enough seeing that such a thing was entirely possible. Of course when the US seized a spanish website (rojadirecta) domain, they were challenged in court and lost. [0] There were also several other incorrect seizures where the US government ended up seizing sites that had nothing to do with any illegal activity and then returning them a year later [1]. This is what happens when you ignore due process.
Most small service providers and ISPs feel threatened when a big government like the US comes after them. Unless they have properly defined protocols for dealing with this kind of stuff, the support rep will probably buckle under pressure and hand over the data.
Personally, I've seen instances where domain registrars are often requested for private registration data without court orders or any sort of legal basis. Some registrars hand out the data. Some registrars email their customers asking them to transfer away (so stop being our customers) to continue protecting their privacy. Some registrars actually have the guts to say no. It really varies.
We're certainly at a point now where governments can easily coerce internet businesses to bend to their will. There will be a brave few who will stand tall but I don't know how long it will be before their backs/businesses are broken and bent (lavabit being a recent example).
Of course the UK government probably doesn't have access to the root name servers and therefore is left with sending out notices. But there's no telling when governments (who are of course sponsored by corporations as we all know by now..) will start cooperating with each other for such take down requests. Sort of like the reverse surveillance agreements with Germany/Australia/etc. (can't spy on my own citizens ? no worries, you spy on mine, I'll spy on yours, and we'll exchange notes!)
And I thought the dark days of the internet were in the 90s...
The title of the article (as fascinating as it was) seems rhetorical. Can't easydns just point the PIPCU to their own Domain Takedown Policy and instruct them to take it further with ICANN and the courts of the Province of Ontario?
Its been a slippery slope every since.
oBDisclaimer: I work at a large registrar and was in the room when the original contracts were being discussed and negotiated. I'm sorry for the part I played!