This is a pretty long blog post but an important one; it brings to your attention your online business being at the mercy of whoever you bought your .uk domain from. Nominet has introduced a new service that will allow Registrars, if they suspect a domain name is being used for an illegal activity, to use an “Investigation Lock” which in effect means they can:

Remove the domain name from the zone file. This means that the domain name will not resolve to a web page and email directed to it will not be delivered.

Lock all information relating to the domain name. This prevents registrant transfers, registrar changes, nameserver modifications and domain name cancellation.

Set the domain name’s status on the WHOIS to “suspended”.

If applied to an account, lock all domain names on the account. If applied to a single domain name only, that domain name will be locked. Other domain names in the same account will be unaffected.

Cause the domain name to be cancelled 90 days after the investigation lock is applied (unless the lock is removed before this period expires).

All this without necessarily having a court order from an English/Welsh or Scottish court to do so. In fact all it takes is any of the following and is not limited to these;

You receive notification from the police that the domain name is being used for criminal activity

You become aware of facts that indicate credibly that the domain name is being used for criminal activity

You receive an allegation with credible supporting information and evidence that the domain name is being used for criminal activity

You receive multiple allegations from separate parties that the domain name is being used for criminal activity

The domain name is listed on our Phishing feed.

You can read the full details on the Investigation Lock at the Nominet website.

So some of you will probably be thinking, ‘so what, how would this affect me? I run a perfectly legal website and would never break the law, so I don’t care’. Well here is the thing, it affects everyone and it just depends if you are simply unlucky, victim of a hack, have your site or service used by a criminal or have someone decide if your domain has been up to no good but doesn’t understand criminal law. Under this new Nominet tool, they are taking the “Shoot first, ask questions later” approach. Now this will be great if it stops international criminals from stealing your credit card, or closes down a known terrorist chat board or stops an online paedophile site etc., however, while we celebrate the closing down of these type of sites, think about the years of police/secret service investigation going down the drain because of some trigger happy Registrar? Let’s not worry about them for the time being, they can take care of themselves.

Instead let’s look at how this will affect online business such as Affiliates running perfectly legal sites. It’s best that I give some examples, to explain where you could find your site or entire business offline and I will end with offering advice on what to do to keep yourself safe in the .uk space as you go about your lawful business.

Example 1:

You run a service where people can use online scripts/widgets; tens of thousands of businesses use the service happily and perfectly legally everyday but along comes Mr. Phishing criminal who decided your service will be prefect for covering up his tracks and allow him to steal credit cards, usernames etc. Well, guess what, your site may end up in the Phishing register and bam! Your .uk domain name is taken offline. Or it might attract the attention of the US Secret service and instead of working with them to get the Phishing criminal, your domain name registrar gets a “credible” report from them and your website is locked. This wouldn’t just decimate your online business but would affect all your customers also, some of who will be looking to sue for damages to their own business.

I used this as an example as I have had first-hand experience of this type of thing happening, dealing with the US Secret Service (was a nice enough guy, who ‘understood the Net’ that was dealing with it in this case), only then they didn’t have a “Investigation Lock” and besides as I am the registrar (Nominet member company), I wouldn’t of course lock my own domain.

Example 2:

You run an Affiliate website that sells a popular brand of boots, and the company in question wants everyone that they didn’t personally authorise to sell them closed down and it just so happens that UK domain name registry and UK Police Central e-Crime Unit are interested in mounting a high profile campaign just at the start of Christmas to send the message that .uk is safe for online transactions. So without anyone going to court 1,200 sites are locked down and in amongst that list is a couple of Affiliates who committed the heinous crime of pointing people in the right direction where they might buy these popular brand of boots. You should read the A4U post on this very thing happening to an Affiliate at Christmas. It could be you next. I recommend reading that forum post in full to get an idea of how locking domains without a court order can go wrong for Affiliates.

Basically this very thing could easily happen to anyone who is promoting products, especially if they are popular and attract the attention of people wishing to sell fakes. So while as an Affiliate you’re promoting a legit retailer who is selling the real deal, you might be mistaken for a fake site and because it’s not went to court someone with very little knowledge of Affiliate Marketing could mistake your site and order it offline, fun times for you if it’s your busiest period aka Christmas.

Example 3:

You run let’s say a WordPress Blog or site based on it, it gets hacked through no fault of WordPress or yourself and unknown to you parts of your site are being used for a Phishing scam. Guess who’s about to be locked for investigation. Business offline and all your hard SEO work potentially down the drain on top of that. Now you should be making sure your site is secure but how many of you are online security experts? Not many I am guessing.

Example 4: (and the last one because I think you will get the picture now)

You run a bulletin board on your site, but unknown to you some of the members are using it to swap illegal files. You’re totally in the dark because if you knew about it you would stop it, right. Well guess what, your business could be taken offline until you can prove you are innocent, and, not by the courts, but by anyone with credible evidence. This could even be the Police and might not even be a highly trained Internet officer (how many do we have anyway?), It could be a normal Police/CID officer calling your domain name registrar to get your site shut down and all this without a court order from a Judge. We do live in the United Kingdom where we uphold the rule of law don’t we? And as far as I know the Police have not been given the powers of Judge Dredd just yet.

Summing up

If you’re thinking, well there are going to be some innocent people caught up, but it will all work out in the end. But why should it be this way, when we have a perfectly good legal system where you get to prove your case in front of a Judge? and this is the point. We should not have things like “Investigation Locks” in the hands of non-legal professionals to make a decision that could wreck an online company. It should be the Police seeking court orders and having Nominet carry out the “locking” and not just any tom*, dick* or harry* who runs a domain name company.

A lot of this is knee jerk reaction to incoming Government legalisation and Nominet being the only company (non-profit) allowed to sell .uk domain on behalf of the Government need to be seen to be doing something. While I think it’s correct that we should tackle online criminality we need to do so via the courts (being innocent until proven guilty is still something I believe in) and it should be organisations with the man power and the money (my understanding is Nominet have tens of millions they don’t know what to do with in the bank) to run the central response and deal with “locking” domain names after a due legal process has been carried out.

If you’re wondering what you can do to safeguard yourself as a business owner with maybe say 50+ domain names, I would recommend that you join Nominet as a member as currently no one can lock members domains as fair as I know without actually going to court and forcing Nominet to do so. If like me you run legal websites. You have the added safe guard of advanced notice and your day in court and not the sudden surprise of your sites offline and no one told you.

*Note: I know a Tom, Dick and a Harry who run a domain name company and I am not talking about you guys so chill 😉

Nominet Questions and Their Answers

I asked Nominet a number of questions on the Thursday (21st Jan 2010) before publishing this blog post. Here they are in full and the reply’s they gave un-edited. It’s clear from the response Nominet is trying it’s best to help fight online crime, however it’s also clear that they don’t want to take responsibility for it as it’s pretty obvious mistakes will happen and peoples livelihoods will be put at risk and they wish the Registrars (aka Nominet member compaines) to take all the risk and blame. This is something all Nominet Members need to take very seriously and I would urge you to consider only acting when given a court order to do so as it’s highly unlikely you are fully trained in the UK legal system workings but if you make a mistake you will soon find yourself learning a hell of a lot more if a company sues you until you are out of business.

Q1. Why isn’t Nominet taking the responsibility and using the phishing feed you receive to actually investigate and shutdown the domain? Why is it being passed to tag holders? – Having Nominet do the investigations would ensure fairer treatment as there would be a set formal investigation and not left up to companies who will have different policy’s, or simply can’t be bothered.

Nominet: Whilst the phishing feed is a good and reliable source of data on phishing domain names it may not in all cases be entirely clear cut. There are instances where genuine sites are hacked or other malicious attacks take place. As a registrar you know your customers in much more detail than we do and are therefore better placed to make these checks. The type of checks could include contacting the customer directly, looking at other domain names or sites held by the customer, re-checking the credit card details or even checking the originating IP address from which the domain name purchase was made. Any information a registrar holds on a domain name, along with the actual content associated with the domain name could be the basis of a decision to lock a domain name where it is allegedly involved in phishing.

In the section “Situations in which you should consider using the lock:” can you explain the following.

Q2. “You receive notification from the police that the domain name is being used for criminal activity” why do the Police not contact Nominet directly as the .uk domain registry?

Nominet: We do receive requests from the Police and if we agree that it’s appropriate we do act on them, however in many cases the Police contact hosts and registrars directly to request sites and content be removed. The lock that we have provided enables registrars to act themselves when requested to do so. The lock is more effective than simply removing nameserver records which was the only action that registrars could previously take. The lock also prevents a registrar change. This means the problem doesn’t simply pass to the next registrar as we have seen in the past.

Q3. Since when have the Police been allowed to shut down website without a court order?

Nominet: We recommend that registrars co-operate with the Police if you are comfortable that criminal activity is taking place. If this has not been proven to your satisfaction then don’t act.

The circumstances in which you take action and remove a service from a customer depends on your own policies, procedures and contract arrangements. The lock tool is a service that allows you to take action when you see fit.

When Nominet suspended over 1200 domain names in December we did so on the basis of a clear instruction from the Police Central e-Crime Unit. PCeU confirmed that all the domain names concerned were associated with criminal activity. The domains were also in breach of our T&Cs because the domains displayed false contact details and/or they were incorrectly claiming to be consumer sites when they were being used for trade.

Q4. “You become aware of facts that indicate credibly that the domain name is being used for criminal activity” What counts as credible evidence?

Nominet: Again this is very much up to each registrar to define. If it is alleged that a domain name is being used in connection with an illegal activity it is the registrar’s responsibility to evaluate the validity of the allegation and take action as it sees fit. The domain lock is a tool that enables it to take that action.

As a broad principle we would accept a clear notification that criminal activity is taking place and an instruction to act but we would not take action if we couldn’t verify the source of the notice or we were asked to investigate further rather than being instructed to take positive action.

Q5. “You receive multiple allegations from separate parties that the domain name is being used for criminal activity”…. Allegations remain assertions without proof, until they can be proved. Is it Nominet’s stance that we should forget due legal process and just accept allegations?

Nominet: Registrars will understandably have different policies on how and when they take action. If a domain name is allegedly being used illegally or a registrar is allegedly hosting illegal content, then the terms and conditions that the registrar has with its customers will determine the type of action that it takes. It is also up to each registrar to evaluate these allegations and the impact acting or failing to act may have on their reputation. Whilst it is up to each registrar to decide on what circumstances they will use the lock, we suggest that receiving multiple allegations from several credible independent sources would merit investigation.

Q6. “The domain name is listed on our Phishing feed.” Do you have insurance that will pay out Registrars should any site be listed incorrectly by the third party Netcraft, they then lock and are sued by the company?

Nominet: No. The phishing feed is an aggregation service that passes on information from security experts. We do not provide any warranty or any guarantee as to the accuracy of the information provided. We recommend that registrars investigate any reports from the feed and then apply the investigation lock as they see fit on the basis of the investigation.

The terms of use for the phishing feed are here.

Q7. Do you consider an allegation of possible copyright/trademark infringement good grounds to use the “Investigation Lock”?

Nominet: No. Copyright or trade mark infringements are civil matters and are specifically mentioned as situations where the investigation lock should not be used.

Q8. 90 Days to prove your innocence or lose your business, why has a deadline been set when many small business owners will struggle to afford the legal representation to prove their innocence in this amount or time?

Nominet: Just as credible evidence that criminal activity is taking place is sufficient to put the lock in place, credible evidence that the lock has been put in place in error should be enough for a registrar to remove the lock. The registrant may also approach us and we will investigate, working with the registrar. We believe that 90 days is an adequate amount of time to resolve any issues about inappropriate use of the lock.

It is worth mentioning that this lock is an extension of the existing phishing lock, which has been in place since May 2009. We haven’t seen any abuse of the phishing lock which was one of the key criteria we considered before we extended the ways in which the lock can be used.

This lock is intended to simply add to the options a registrar has when faced with the uncomfortable situation of a report of criminal activity taking place with a domain name that is on their tag. From talking to our customers we know registrars are already taking action and dehosting domain names when issues arise. This lock offers some additional functionality (by preventing cyberflight) and also creates a standardised way of dealing with these problems.

As with any new functionality we will keep a close eye on how it is used and the impact it has and make any changes we think necessary. Ultimately we are committed to finding ways to make .uk a safe and secure environment. This isn’t a quick fix but it is one way we are trying to help.

END OF THE QUESTIONS.

If you have any comments on this post, please do so below. Nominet have been made aware of the post and have the choice to reply if they wish, I will not edit their replies. As posts like this will bring out the trolls, I remind you that anything you post here is your own responsibility and that your IP is recorded. Anything brought to my attention that is potentially libellous will be removed.