Informal Internet Censorship: Nominet domain suspensions

Read the full report here.

In December 2009, Nominet began to receive and act on bulk law enforcement requests to suspend the use of certain .uk domains believed to be involved in criminal activity. [1] At the request of the Serious and Organised Crime Agency (SOCA), Nominet subsequently consulted about creating a formal procedure to use when acceding to these requests and provide for appeals and other safeguards. [2] Nominet’s consultations failed to reach consensus, with many participants including ORG arguing for law enforcement to seek injunctions to seize or suspend domains, not least because it became apparent that the procedure would be widely used once available. [3]

As with any system of content removal at volume, mistakes will be made. These pose potential damage to individuals and businesses.

Nominet formalised their policy in 2014. [4] It can suspend any domain that it believes is being used for criminal activity; in practice this means any domain it is notified about by a UK law enforcement agency.

A domain may be regarded as property or intellectual property. It can certainly represent an asset with tradeable value well beyond the cost of registration fees.

Many countries require a court process for such actions, including the USA and Denmark. Such actions usually result in control of the domain being passed to the litigant. The EU is asking for every member state to have a legal power for domain suspension or seizure relating to consumer harms. [5]

Some domains are used by criminals, as with any communications tool. There is a case for a suspension or seizure procedure to exist, although it should be understood that seizing or suspending a domain represents disruption for a website owner, rather than a means to cease their activities. For instance, it would not be difficult for the owner of rolexreplicas.co.uk to register replicarolex.co.uk and use the new domain to serve the same website.

Although Nominet failed to get agreement about a procedure for suspension requests, it has continued to accede to requests, which have roughly doubled in number each year from 2014, totalling over 16,000 in 2017. [6] The reasons requests have doubled is unclear, and ORG has not been given clear answers. It maybe in part because the costs of domain registrations decreases over time, in part because detection has improved, and in part because it becomes necessary for a criminal enterprise to register new domains once they are suspended. Parties we spoke to agreed that it is unlikely that the number of criminals is doubling.

Around eight authorities have been using the domain suspension process, one of which, National Trading Standards, is legally a private company and not subject to Freedom of Information Act requests.

Nominet does not require any information from these organisations, it simply requires them to request suspensions in writing. For instance, they are not asked to publish a policy explaining when the organisation might ask for domains to be suspended, or what the level of evidence required to act might be.

Several of the organisations making requests were unable to supply a policy, or refused to supply information about their policy, when we made Freedom of Information requests. [7] The National Crime Agency refused to respond, as it is not subject to the Freedom of Information Act. National Trading Standards spoke to us, but did not supply a policy; it is not subject to the Act. The Fraud and Linked Crime Online (FALCON) Unit at the Metropolitan Police Service confirmed that it has no policy, but decide on an ad hoc basis. The National Fraud Intelligence Bureau at City of London, which suspended over 2,700 domains last year, says: “We do not have a formal Policy”. [8]

Nominet’s process is:

  1. The agency concerned files a request to Nominet, citing the domains it believes are engaged in criminal activity. This may be one or a list of thousands of domains.

  2. Nominet ensure the owners are notified and given a period to remove anything contravening the law.

  3. If there is a response from a domain owner, the law enforcement agency is asked to review its decision.

  4. If there is no response from a domain owner, the domains are suspended.

  5. Any further complaints are referred back to the law enforcement agency.

There is no independent appeals mechanism. If a domain owner asks for a domain suspension to be reconsidered, they are referred back to the police or agency that made the request, who can revisit the decision. As most of the agencies have no policy, or will not publicise it, this does not seem to be a procedure that would give confidence to people whose domains are wrongly targeted.

This is in contrast to the Internet Watch Foundation(IWF)’s procedure, which provides an appeal process with an independent retired judge to consider whether in fact material should be removed or blocked, or left published, once the IWF has made an internal review of its original decision.

The IWF’s decisions are relatively simple compared to the range of concerns advanced to Nominet by the various agencies involved. Despite this, it is surprising that there is no independent review of the grounds for a suspension. It seems unlikely that the police and agencies will always be able to review their own work and check if their initial decision is correct without bias or repeating their error. It also seems unlikely that everyone who wishes to complain would have confidence in the police’s ability to review a complaint.

Ultimately, the decision to suspend a domain is Nominet’s. Nominet owes its customers, domain owners, a trustworthy process that ensures that domain owners are able to have their voices heard if they believe a mistake has been made. Asking the police to review their request does not meet a standard of independence and robust review.

There is also a lack of transparency for potential victims as a result of Nominet’s policy to suspend domains rather than seize them. Suspensions simply make domains fail to work. A domain seizure would allow agencies to display “splash pages” warning visitors about the operation with which they may have done business. If goods are dangerous, such as unlicensed medicines or replica electronics, this may be important.

In our view, an independent prior decision and an independent reviewer are needed for Nominet’s process to be legitimate, fair and transparent, along with splash pages giving sufficient warning to prior customers. Domain seizure processes should replace informal suspension requests and the process should be established by law.

Because some improvements can be made by Nominet that fall short of a fully accountable, court-supervised process, we propose these as short term measures.

Recommendations to Nominet

1. Adopt Freedom of Information principles

2. Ask the government for a legal framework for domain seizure based on court injunctions for domain seizures

3. Require notices to be placed after seizures to explain the legal basis and outline any potential dangers to consumers posed by previous sales made via the domain. This could include contact details for anyone wishing to understand any risks to which they may have been exposed

4. Short term: Offer an independent review panel

5. Short term: Require government organisations to publish their policies relating to domain suspension requests

6. Short term: Publish the list of suspended domains, including the agency that made the request and the laws cited

7. Short term: Require government organisations to take legal responsibility for domain suspension requests

[1] http:/www.dailymail.co.uk/news/article-1233016/Over-thousand-scam-websites-targeting-Christmas-shoppers-shut-online-raid-Scotland-Yards-e-crime-unit.html Over a thousand scam websites targeting Christmas shoppers shut down after an online raid by Scotland Yard’s e-crime unit, 4 December 2009, dailymail.co.uk

[2] http://web.archive.org/web/20111113021751/http://www.nominet.org.uk/news/releases/?contentId=8216 Nominet calls on stakeholders to get involved in policy process, nominet.org.uk, 09 February 2011 (webarchive)

[3] https://www.theregister.co.uk/2011/11/25/nominet_domain_takedowns/ ISP outcry halts cybercops’ automatic .UK takedown plan, The Regis- ter 25 November 2011

[4] https://www.nominet.uk/nominet-formalises-approach-to-tackling-criminal-activity-on-uk-domains/

[5] Regulation (EU) 2017/2394 of the European Parliament and of the Council of 12 December 2017 on cooperation between national authorities responsible for the enforcement of consumer protection laws and repealing Regulation (EC) No 2006/2004 https://eur-lex.europa.eu/legal-content/EN/TX-T/?uri=uriserv:OJ.L_.2017.345.01.0001.01.ENG&toc=OJ:L:2017:345:TOC

https://wiki.openrightsgroup.org/wiki/Consumer_Protection_Cooperation_Regulation

[6] https://wiki.openrightsgroup.org/wiki/Nominet/Domain_suspension_statistics has a table of statistics derived and referenced from Nominet’stransparency reports

[7] The results of our FoI requests for domain suspension policies are summarised with references at https://wiki.openrightsgroup.org/wiki/Nominet/Domain_suspension_statistics

[8] https://www.whatdotheyknow.com/request/national_fraud_intelligence_bure#incoming-1115354