Nominet, the UK internet domain registry, has recently consulted on proposals to allow it to suspend domain names ‘used in connection with criminal activity’. This is a fundamentally misguided proposal, which should be resisted. Details of the proposal, such as there are, can be found here; I think the paper is written by SOCA rather by than Nominet, though that’s not clear.
For a bit of background, I co-founded Nominet in 1996, and served on the board until 2007. I have no role there now, but I still have a tag so I can register domains and take an interest in what is going on.
The idea of having a big red switch to cut off criminals as soon as the police discover who they are is, of course, superficially attractive. However, this proposal has four serious problems: firstly, that there are far more effective ways to achieve the desired result, secondly, that of collateral damage; thirdly, that of justice, civil liberties and the respect of due process; and fourthly, that of mission creep.
With a few exceptions (for which it would be possible to apply a different rule) domain names are not registered by the end customer directly with Nominet. The end customer goes to one of over 3,000 registrars. The registrar might be an ISP, or it might be a web hosting company, or someone else. The registrar is likely to have a far better idea who the customer is than Nominet. For instance, instance, the registrar will have billing details, and details of the IP address used to make the registration. If a domain name is allegedly being used for criminal activity, the registrar is in a far better position to track the alleged miscreant down. The registrar also has a function called ‘investigation lock’ which can disable the domain name. They are also in a far better position to tell the police (subject to the appropriate data protection requirements, of course) who is using the domain name, and what for. In short, the registrar already has all the tools necessary to carry out the functions the police might reasonably require, and more. If it is the case that some registrars are ineffective in this role, perhaps there is a case for imposing such cooperation as a clause in the registrar contract. However, I think it more likely that some registrars, quite reasonably, don’t like cutting their customers off on a mere ‘request’ from the police, not least as they are likely to lose the customer if the police happen to be wrong. It seems to me having someone such as the registrar who is hesitant to cut a domain off unless due process has been followed (rather than taking the easy option of suspension) is a good thing.
Next we have the possibility of collateral damage. I have no figures to prove this, but I suspect most domain names are not used solely by one person. They might be used for a household, a business, or even customers of a business (as is the case, for instance, with demon.co.uk). Unlike the registrar, who can often tell whether a domain name is used for the sole purpose of one web site and one email account, Nominet cannot tell to what use a domain name is being put. Let us assume for the purposes of this paragraph that the police are justified in their belief that a domain name is being ‘used in connection with criminal activity’. Cutting off that domain name could have far wider than might be appreciated. Firstly, it might not be the perpetrator’s own domain name: as reported at great length, whether through computer viruses, weak passwords, or other means, it is not uncommon for someone’s email account to get taken over, and for this to be used for sending unsolicited mail. This itself can be an offence, but often unsolicited mail is used for fraudulent purposes (419 scams etc). Cutting off the domain name not only doesn’t solve the problem, but punishes a victim. Even if the perpetrator has some connection to the domain name registrant, it often isn’t the registrant itself. If my employee threatens someone unlawfully using their work email, should the business’s domain name be suspended? If one of Demon Internet’s customers hosted illegal content (and statistics suggest this should read ‘when’, rather than ‘if’), should all their customers lose connectivity? If my child illegally downloads material from the internet, should I lose my domain name? The answer to each of these is transparently ‘no’, but this is the power SOCA propose to give to the police.
Thirdly, we have justice and civil liberties. I have a number of concerns here. Firstly, these are individuals who the police reasonably believe may be involved in criminal activity. By assumption, they have not been charged, let alone been tried. The police can already get a warrant or a court order to which Nominet will respond under its current policy. One must therefore assume that the proposed change in policy is one where the police have neither a warrant or a court order; one has to ask “why not?” if the situation is sufficiently serious to merit a domain name being cut off. The powers of the police should be proportionate to the likely danger to society. As currently phrased, a domain name could be cut off for relatively trivial offences, such as failing to identify the legal name of the operator of a trading web site (thank you Adrian Kennard), storing a single item of data outside the remit of the Data Protection Act, or any number of other minor offences. The phrase ‘used in connection with criminal activity’ is particularly worrying: emails from an accused to their lawyer are presumably ‘used in connection with criminal activity’. At the very least, this power should be restricted to serious arrestable offences, where evidence would be sufficient to make an arrest were the registrant identified, where the suspension of the domain name will in the reasonable opinion of the police prevent the commission or continuance of the offence, and where this matter has been certified by a senior officer. However, if that test was satisfied, I suspect there would be no difficulty in obtaining the appropriate court order or bench warrant, which makes me think this proposal is meant to be used in other cases.
Fourthly, we have the question of mission creep. The internet is littered with all sorts of unpleasant material. It shares this quality with libraries and public playhouses, and as the Lord Chancellor found out over several hundred years, regulating what is printed or performed to exclude the unpleasant is in the most part doomed to failure. The internet has permitted a whole range of crimes to be committed in innovative ways, just as did electricity, the telegraph, the telephone and mobile phones before it. I am quite sure that with the advent of each invention, well meaning police officers suggested that if they reasonably suspected electricity, or a telephone, or whatever, to be utilised in connection with a crime, they would like the power to ensure it is cut off. No one would say those were reasonable; they would say “go to a court, and argue your case”. I fail to see why the internet is different in this respect. Nominet appears to be engaged in a process of making some false distinction here. A year or two ago, Nominet embarked on the vital task of ridding the world of the web sites of counterfeiters of Ugg Boots. Deep in the small print of the resultant public relations snowstorm, it became evident Nominet suspended or cancelled the domain names merely for not having genuine contact details. I have no problem with this, aside from the way the PR was used to make it look like Nominet was there to protect the great British public from marauding purveyors of ersatz fashion, when it is in fact a domain registry. Less well known is the allegation that at least one of the domain names concerned was not in fact associated with a criminal, but with someone who appears to have been advertising genuine goods (and thus at worst a civil rather than a criminal matter). If nothing else, this should have taught Nominet that playing internet policeman is an area to avoid.
So please, Nominet, think again on this one. This really isn’t a good idea.
Nominet is currently consulting on the issue, so I urge people to respond similarly to firstname.lastname@example.org, and including the title “Dealing with domain names used in connection with criminal activity” in the subject line. Feel free to link to this post, or include text from it (with attribution and/or a link here) elsewhere.