Domain seizures used to be a rare occurrence, but US law enforcement has become adept at exploiting a quirk in the Internet’s governance structure that allows them to seize domain names without due process. The rate has been increasing exponentially with a total of 87 in 2010, 350 in 2011, 758 in mid-2012, to 1,700 in mid-2013. Last month, nearly 5,000 domains were seized via a single court order. We desperately need to start tracking DNS based chilling effects on free speech rights.
It came a shock in 2008 when a US judge issued an injunction that shutdown the Wikileaks.org domain for a week after a Swiss bank filed a lawsuit. It was stunning that a US judge would allow a Swiss bank to file a lawsuit against an organization that had no legal entity in the US. But despite the obvious abuse potential and public rejection of SOPA and PIPA, the US has continued to ramp-up enforcement measures aimed at domain names. This has been accomplished using a combination of scare tactics, legal maneuvers, and compliance from corporations tasked with managing the domain name system.
In 2012, the US declared that any domain is managed by a US corporation is subject to US law. It doesn’t matter if the activity you are undertaking is legal in your country nor that the domain was purchased from a registrar outside of the US nor the fact that the servers operate outside of the US. Verisign’s bizarre monopoly on the most popular ICANN domains (.com, .net, .org, .biz) means that most websites are subject to US law as well: the US has declared half of the internet a virtual territory of the United States.
As a core Namecoin contributor, I’m pretty concerned about domain name seizures. I’ve been trying to track domain seizures the past couple of years, but it has become increasingly difficult. One issue is that tracking seizures used to consist of monitoring blog posts and press releases from ICE, however, the FBI and the IRS have gotten in on the action within the US. We are also seeing increased activity from local law enforcement agencies outside the US and international agencies like Interpol. And, more recently, private corporations have gotten into the act as well.
Microsoft’s 2014 takeover of No-IP.com illustrates just how easy it is to seize a domain name: a private corporation filed a civil lawsuit and a judge handed over the domains without prior notification to the current owner. What’s totally bizarre here is that Microsoft went after No-IP.com not because of what No-IP.com did but because of what some of their customers were doing. You see, No-IP.com isn’t just a website, they provide something like a mail forwarding service for the internet. No-IP.com is the largest provider of such services and had over 18,000,000 registered users and was providing forwarding for 5,000,000 addresses when the takeover occurred.
Maybe you’re thinking that No-IP.com was a shady operator and willfully ignored illicit activity. However, based on Microsoft’s numbers, only 0.4% of No-IP.com domains were a problem. Any forwarding service (internet, telephone, or mail) will have some illicit users, but No-IP.com actively shut them down. And remember, malware infects servers and their websites too! This website, indolering.com was once hacked and served malicous content. So even the 0.4% of problem domains were not necessarily intentionally malicious. Microsoft convinced a judge that since some of those servers were being used for bad stuff, the judge should hand it ALL over to them without allowing No-IP.com to defend itself.
But wait, it gets worse! Those ~5K domains I mentioned earlier? The court order itself was sealed, so we have no idea why they were seized (one website appears to have been inactive for years). The only reason we know the number of domains involved is because the domain registration information lists the same court appointed receiver for 4,973 sites: firstname.lastname@example.org. Nearly five thousand domains were seized and they are being sold off without any due process!
So far, we’ve only been talking about domain name seizures. We haven’t gotten to the extra judicial methods law enforcement uses to get DNS registrars and service providers to stop resolving many domains. The City of London Police (a quasi-corporate police force) sends out notices to registrars claiming that they are legally obligated to point specific domains to a City of London Police notification page. Such notices are, legally speaking, bullshit, but plenty of registrars comply to varying degrees. If the registrar shuts the domain down and refuses to transfer it, the domain owner must then pursue arbitration through ICANN to get their domain transferred elsewhere. Many registrars will drop any customer at the behest of anyone with a badge a fax machine, such as when GoDaddy shut down JotForm.com after a complaint from the US Secret Service. Despite being an obvious false positive, GoDaddy shut the domain down and the Secret Service wasn’t exactly graceful about the error,
The agent told me she is busy and she asked for my phone number, and told me they will get back to me within this week. I told them we are a Web service with hundreds of thousands of users, so this is a matter of urgency, and we are ready to cooperate fully. I was ready to shutdown any form they request and provide any information we have about the user. Unfortunately, she told me she needs to look at the case which she can do in a few days. I called her many times again to check about the case, but she seems to be getting irritated with me.
When scary letters don’t work, instead of stepping over the low, low bar required to seize a domain name, law enforcement has the option of damaging the reputation (and thus financials) of registrars and DNS service providers. EasyDNS is an awesome DNS service provider that spends money fighting lawsuits to defend their customer’s domains. Recently, the FDA successfully applied political pressure to shut down a domain,
We found out (rather belatedly) that the FDA had named us in a complaint with ICANN after a US citizen ordered a controlled substance over the internet (via a website whose domain was on our registrar tag and using our nameservers), and subsequently died of an overdose of that substance.
In response, EasyDNS updated their T.O.S. to exclude pharmacies that ship controlled substances internationally. Whatever your stance is on international pharmacies, the FDA is asking EasyDNS to act as judge and jury. When asked about it, I told EasyDNS that they didn’t have much of a choice, “EasyDNS helped kill someone … ” is a shitty headline for a small business that is already spending a lot of money defending their customers. I still think any business that wants to avoid JotForm.com’s fate should switch to EasyDNS, but it is utter bullshit that law enforcement is trying to hurt this company financially.
I know, I know, it cannot possibly get worse … but it does! We aren’t just talking about false positives and accidental censorship, people losing their blogs or temporary disruptions to businesses and clueless judges and hapless bureaucrats: in March, the U.S. embassy in Mexico used GoDaddy to shut down a political website. This is black-and-white censorship being perpetuated by a country that has free speech as their first enumerated constitutional right.
When WikiLeaks began publishing Manning’s materials in 2010, US Senator Joe Lieberman went on a rampage. He was able to get Amazon AWS to drop their hosting, he got MasterCard and Visa to stop processing payments, he asserted that the New York Times was violating the espionage act by publishing classified materials and then tried to amend the espionage act to make it a crime to publish classified information. Had the same incident played out after ICE started seizing domains en-mass and before Wikileaks established itself as a “legitimate” news organization, I’m positive that Lieberman would have at least gotten Wikileaks.org shut down by their DNS provider if not seized the domain name itself.
Thanks to Snowden, we know that the NSA and US law enforcement agencies have created a system of parallel construction for distributing information gleaned from illicit surveillance. We know that the NSA targets political dissidents and gathers personal information (from sexual habits to speakers fees) that they can use as leverage. We also know that the NSA spying apparatus was used to snoop on Kim Dotcom and subsequently used to justify seizing his business’s domain name, MegaUpload.com, in addition to shutting down their servers and attempting to extradite Dotcom to the US.
Note that I am not defending the shady actions of the original MegaUpload. However, when any minor offense can be used to wipe a domain from the internet, the systems built to catalog minor offenses are ripe for abuse. While there is more to the MegaUpload case than a simple domain seizure, it illustrates this particular set of abuses in action, from start to finish. If we can’t stop the powerful from crafting the 21st century version of general warrants then we need to at least try and mitigate the damage they can inflict.
Why We Need a Watchdog
Cataloging these abuses will keep us informed about what is going on with different top level domains. The inspiration for this blog post came after trying and failing to compile a list of seized domains. I was looking for a list of “safe” top level domains that haven’t been subject to domain seizures. Specifically, I wanted to know if any .cc domains had been seized.
You see, .cc is a country code TLD that is managed by VeriSign, the same company that has been handing over domains residing in the generic .com and .net TLDs. Some people claim that .cc domains are as unsafe as .com domains, but I couldn’t find any specific instances in which a .cc domains had been seized. Having this information would give us information about the status of different ccTLDs as well as insight into VeriSign’s opaque legal processes.
Another reason we need this service is to gather statistics on how ineffective these measures are. I could care less about the domains of pharmacies selling fake drugs, file sharing sites, or peddlers of counterfeit merchandise. The problem is that the only people seriously impacted by domain name seizures are honest sites like JotForm.com that get caught up in an automated scan. A file sharing website just can just switch to a new domain but switching to JotForm.net did not restore services to the millions of forms embedded using a JotForm.com URL. If you want to damage a legit business, hitting their domain name is a great way to do so. But if you want to stop “the bad guys” you have to go after their operations: cut off their ad revenue, fine or arrest the people doing the crime … you know, engage in actual police work.
But we need more than just a list telling us the number of seized domains, we need to track the law enforcement agencies, their legal and extra-judicial, *cough* fraudulent *cough*, methods, as well as estimate the total damage caused by missteps. No-IP.com only had 22 domain names seized, but that number ignores the 5 million forwarding domains that were affected. JotForm.com didn’t have any their domain seized yet hundreds of thousands of users were impacted.
ChillingEffects.org has been tracking DMCA take downs notices of similar complexity for over a decade. What bothers me is that domain seizures are objectively worse than the DMCA complaints cataloged by Chilling Effects. As bad as the DMCA is, false positives do not result in lost property and seizing a domain introduces prior constraint, censoring future speech.
This past June, the Knight Foundation awarded the EFF $250,000 to create OnlineCensorship.org. But so far, it only mentions censorship of social media platforms. While that is important, DNS is a platform that every website dependents on. I’m trying to scrape together that much money to fund development of a secure TLD and build out infrastructure for legacy systems so I know they can afford to create a database that catalogs domain name seizures!
Ranking DNS Providers
The Electronic Frontier Foundation has been publishing an annual ranking of online service provides called “Who’s Got Your Back” since 2011. It shows how hard web service companies fight for the rights of their customers. Recently, they’ve produced a similar list ranking the security of messaging services. It is time for us to give DNS service provides that fight hard for user rights, like EasyDNS, the recognition they deserve! It is also time for us to start naming and shaming big players who couldn’t care less about their users, like GoDaddy.
So here is my challenge to the EFF and Chilling Effects: replicate these successful initiatives with regard to domain name system. I’ve already sent in my FOIA request in to ICE, help me put it to good use!
Help Get the EFF’s Attention
I got an email from someone working on InternetCensorship.org, mission (probably) accomplished!