Nominet, the registry that runs the .uk top level domain is seeking feedback on recent proposed changes relating to domain name suspension. The proposal boils down to allowing Nominet to suspend domain names at the behest of the Police: if they receive a report that a domain name is being used for criminal purposes, they want to be able to suspend it.
The problem with this model is there is no judicial oversight. Police are there to keep public order, investigate crime and gather evidence. It is for the courts to decide when the accused is actually guilty or not. By essentially giving the Police carte blanche they omit the necessity for the Police to prove a crime has been committed. This has obvious implications for free speech, as only recently fitwatch.org.uk was taken offline by their hosting provider on the basis of a letter from an acting Detective Inspector. It was claimed the website was hosting illegal content yet I have not read any subsequent news reports of a charge against the authors. The content in question was advice for people on how to deal with Police investigation resulting from their presence at protests, essentially to change one’s clothes/hair and seek legal advice (more info in this blog entry). So to any reasonable person, the absence of a charge or prosecution suggests that the Police simply objected to the material as it concerned their operations. If the Police had to obtain a court order or decree with respect to Fitwatch’s hosting, I suspect their request would have been quickly dismissed by the Magistrate or Sheriff.
Allowing the Police to censor any material they object to is not conducive to free speech, however Nominet’s proposals do exactly that. Do we really want to blithely hand the Police an ability to censor the entire .uk domain tree?
The proposal set forth by Nominet can be found here or in this pdf. Before the 23rd February dealine, you can also submit your own comments and request to be a stakeholder in the discussions by linking through from this page. My own comments are appended below.
With reference to “Policy issue brief: Dealing with domain names used in connection with criminal activity”
Thursday 10th February 2011 : firstname.lastname@example.org
While it is reasonable to implement a facility for the suspension or removal of a domain name that is used for criminal purposes, it is my contention that the current proposal is seriously flawed.
The .uk registry is used by businesses, charities, government bodies, local authorities, the Police and private individuals amongst others. In today’s environment, it is difficult to underestimate the importance of a domain name. Domain names act not only as a means to locate web resources but also for email delivery and a myriad of other services. For a business with online commercial interests, the removal of a domain name will almost certainly affect that business in a substantially adverse manner. For a private individual, they may be deprived of their ability to communicate by email and find their freedom of speech restricted.
One must be mindful of the potential consequences of removing or suspending a domain name: any decision to deprive a registrant of their domain names should be evidence based, independent, subject to appeal, proportionate in the circumstances and be the last remaining course of action to cease the alleged crime.
There are several pervasive problems with the proposals as they stand:
i. The proposal is acting on a presumption of guilt rather than a presumption of innocence, this is in strong dischord to most criminal law in the UK and the public expectation. The decision to remove or suspend a domain name should be taken on the basis of a court order or decree, not an allegation.
ii. “to give a contractual basis to suspend domains where Nominet has reasonable grounds to believe they are being used to commit a crime (e.g. a request from an identified UK Law Enforcement Agency).”
The phrase “reasonable grounds” is ambiguous and suggests that Nominet will act on any well formatted request from the Police. As Nominet are not acting in an investigative capacity, it cannot possibly assess the veracity of the claim(s) in a request so consequentially must trust that the Police request is both well founded and without error.
iii. The domain name in question may be in use by a large number of businesses, private individuals or otherwise. For example, many hosting companies offer sub-domains of their own domain to their customers. As such there is a potential problem of identification and specificity. The current proposal does not constrain the powers and as such could seriously infringe upon the rights or commercial interests of others despite them being entirely unrelated to any allegation.
iv. A domain name may be used for criminal purposes without being of a criminal nature itself. The most pertinent example of this is Google: there is a technique that has been dubbed “Google Hacking” whereby people can submit carefully formatted search strings to Google to return the URI of vulnerable web services; Google will occasionally index and cache sites which contain illegal material; and it can be used in a number of other ways for nefarious purposes. The services Google provides will almost certainly be hosting illegal content in its cache and also can easily be used in the commissioning of a crime. However, regardless of meeting the “being used to commit a crime” test, to any reasonable person, the suspension of google.co.uk would be irrational.
The definition in the current proposal does not distinguish between legitimate situations that may fall under the technical definition of “being used to commit a crime” and the situations when removing a domain name would be the most appropriate course of action. Hence, the proposal criterion of “reasonable grounds” and “being used to commit a crime” are entirely insufficient for the purpose.
v. To the best of my knowledge, Police powers to seize property on grounds of reasonable suspicion are usually directed towards situations where the property in question is to be used as evidence in court and without such seizure there is an existant risk that the property may be altered, damaged or destroyed.
A domain name serves only as a look-up or indexing service to the resources in question. That a person was the registrant of a domain name during a specific period can be proven by reference to the registry’s records; it is not possible to alter evidence of registration. Removal or suspension of a domain name does not serve to preserve evidence as any evidence would reside on the hosts that the domain name DNS records point to.
vi. Normally, under both English law and Scots law, asset or property confiscation proceedings must take place in a court, e.g. upon a criminal conviction, cash forfeiture proceedings in the Magistrates Court, civil recovery proceedings, or by reference from the Procurator Fiscal to the Sheriff Court. Allowing the Police to essentially enact a confiscation without judicial oversight runs contrary to existing rights and places the Police into a combined investigative and judicial role, which is commonly understood to be a dangerous conflict of interest.
vii. Although Nominet is not a public authority for the purposes of the Human Rights Act 1998, UK Police forces are. The Police do not have specific statutory powers with respect to domain names – otherwise this consultation would be rendered redundant – and as such in these matters must act in a manner consistent with both Article 6 “Right to a fair trial” and Article 8 “Right to respect for one’s private and family life, home and correspondence”.
Given Nominet will essentially action any and every well formatted request from the Police, the Police are then assured that they can without question enact any removal or suspension. This implies any request submitted under these provisions by the Police against a registrant who is a private individual would automatically fall foul of the individual’s Article 6 protection.
Furthermore, given any such removal or suspension is not in accordance with law – but of a contract between the Police and Nominet – nor is any such removal or suspension necessary for a democratic society, the Police would also very likely infringe the rights of a private individual under Article 8 provisions.
viii. There is no warning or recourse for the domain registrant in the current proposal. Given the rather broad nature of the wording in the current proposal, it would be prudent to give the domain registrant warning as to afford them time to “get their house in order”. There is also no provision for a registrant to appeal or challenge such a removal or suspension other than lengthy legal proceedings.
ix. If Nominet executed a domain removal or suspension on bad or incorrect information then a claim in tort or delict may lie against them.
x. The provisions are likely ineffective in addressing all but the most trivial of crimes. The United States Department of Justice has recently been seizing domain names of website operators accused of copyright violations. This practice has been proven entirely ineffective as the website operators simply register a new domain name, usually in another jurisdiction. What has been effective is using existing legislation to trace the proceeds of such crime.
A specific example illustrating this principle is Wikileaks: the domain names they had registered in the jurisdictions of the United States were seized and within several hours they were operating from a Swiss registered domain name, the content was mirrored to other services and the IP addresses of their servers had been published.
In a more generalised sense, it has been possible – for several years now – to use anonymising technologies to run so-called “hidden services”. Software such as Tor – “The Onion Router” – and FreeNET allow material to be published in a manner that makes it intractible to either remove or even identify the publisher.
The end result of this is that those with a vested interest in ensuring their services are not disrupted will already be immune to having their domain names removed. It is the average business or individual that will suffer when these powers are inadvertantly used against them when mistakes are inevitably made.