We've previously highlighted how payment service providers like Visa, Mastercard, Paypal, and others go beyond the law to isolate and effectively censor websites that infringe their sometimes arbitrary standards. This has resulted in websites that provide information on sexuality, pharmaceuticals, or whistleblowing, suddenly finding themselves cut off from their sources of funding, and left with no clear recourse.

How RogueBlock Works

One of the other reasons why websites can find themselves losing payment services is if they are accused of being associated with the sale of goods that infringe copyright, patents, or trademarks. One program used to accomplish this is a shadowy agreement between the payment processors and the private International AntiCounterfeiting Coalition (IACC) called RogueBlock.

In what the IACC euphemistically describes as a "streamlined, simplified" process, it notifies the payment companies that a website allegedly offers goods that infringe a trademark, patent, or copyright, and encourages them to suspend their payment services to that website, usually without any court judgment verifying the allegation. The RogueBlock program is self-described as having been "highly encouraged and supported" by the U.S. Intellectual Property Enforcement Coordinator. Encouragement (and tacit pressure) from government is typical of these private enforcement arrangements, deals that EFF describes as Shadow Regulation.

Domain Takedowns Now Part of RogueBlock

This week the IACC announced the extension of its RogueBlock program so that it can also be used to take down Internet domains. This extension had been foreshadowed for rollout in 2015, but evidently it has taken a little longer to get partners on board. The first partner announced in this expansion of the project is the Police Intellectual Property Crime Unit (PIPCU) of the City of London Police.

PIPCU, which is funded by the UK's Intellectual Property Office (IPO), is dedicated to eradicating digital copyright infringement and online sales of physical goods that are alleged to infringe copyrights, patents, or trademarks. The Steering Group that manages PIPCU consists of representatives from the Intellectual Property Office, the City of London Police, and various rights holders and industry bodies. It contains no representatives of users of copyrighted material such as artists, libraries and archives, educators, or digital rights groups.

PIPCU already takes down Internet domains of its own initiative, through its own program called Operation Ashiko. (Since PIPCU's authority does not extend over the whole Internet, these seem to be limited to domains hosted in the United Kingdom, or hosted under the .uk domain.) What's different now is that PIPCU will also respond to reports submitted from the IACC through the RogueBlock program, potentially resulting in a greater volume of takedowns.

Why is This a Problem?

Traditionally, enforcement of trademark, patent, and copyright laws against sellers of physical goods takes place at the national level; infringing goods that enter the country are detained or seized at the border, or at marketplaces where they are sold. Sellers or importers have the opportunity to contest the seizure, and the dispute is settled by a court or administrative authority, through a process defined by law.

The advent of the Internet has increased the practical difficulty of this approach for enforcement authorities, because even if we leave aside products that are delivered digitally, many goods are now mailed directly to the consumer in small shipments which are likely to slip through the customs net. Therefore it's understandable why the IACC would like to side-step this process altogether, by taking down the websites which appear to offer infringing goods for sale, so that consumers can't order them in the first place.

However, while making things easier for the trademark, patent, or copyright holder, it also substantially increases the potential for enforcement overreach and abuse. Firstly, the websites flagged by RogueBlock are based on private reporting by trademark, patent, and copyright holders. For now, some public accountability still exists in that it is a public body, the City of London Police, that is required to act on these reports, and we can hope that they will engage in some independent investigation before doing so. The program will become significantly more of a concern if the authority to take down domains becomes exercisable directly by private actors, as in the case of the MPAA and Donuts trusted notifier program.

Another problem is that trademarks and patents, in particular, are claims that exist in national law only, and even copyright varies from one country to another. The RogueBlock program does not accommodate these national differences, allowing a website that offers goods that are infringing in only one country of the world to be made inaccessible across the entire Internet. For example, the United States has restrictive laws on the circumvention of DRM; laws that don't exist (or exist with broader exceptions) in other countries such as Israel and India. Thus if a DRM-circumvention device is taken down from an online market, it becomes unavailable even to those for whom its use is perfectly legal. That's also what happened to the Spanish sports streaming site Rojadirecta, which had its domain name seized by the U.S. government for over a year, despite the site being lawful in its native Spain.

Finally, common to other Shadow Regulation deals, the RogueBlock program is lacking in transparency and accountability. If a website is wrongly listed by the IACC in its RogueBlock program, thereby becoming a target for blocking by the City of London Police and the payment processors, there is no readily accessible pathway to have its inclusion reviewed and, if necessary, reversed. This opens up much scope for websites to be wrongly listed for anti-competitive or political reasons, or simply by mistake.

We would have less of a problem with RogueBlock if the program was simply a channel to inform enforcement authorities of claims of infringement, which could be investigated and enforced through legal channels. But the program steps into Shadow Regulation territory to the extent that it encourages payment processors to take action against claimed infringers directly, without due process or means of review.

The latest expansion of the program to facilitate the takedown of domains threatens to compound these problems, particularly if the City of London Police apply it against websites that are not globally infringing, or if private domain registries or registrars join the program and begin to act on claims of infringement directly. We'll be keeping an eye on the program and taking action if our fears prove to be well founded in practice.