Nominet’s Issue Group on dealing with domain names used in connection with criminal activity has published its draft recommendations, which seem reassuringly close to the JANET submission to the original request for comments.
Expedited suspension of a domain is regarded as a last resort, to be used only where alternative approaches via the registrar or registrant have failed or where there is an urgent need to address a risk of “serious consumer harm”. That seems a good way to express a concept I was struggling to describe: that the crimes involved must involve a sufficiently serious and fast-acting harm to members of the public that the extra time required to have the suspension ordered by a court might significantly increase the harm done. I had only come up with two examples – botnets and phishing sites – but the issue group have added unsafe pharmaceuticals and unsafe (at least I hope they are including that restriction) counterfeit goods.
Requests for suspension should only be accepted from UK law enforcement bodies, through an established route (the Single Point of Contact scheme used for Regulation of Investigatory Powers Act requests is cited as a good example) and requesters will be required to confirm that each request complies with standards of necessity, proportionality and urgency. Suspension may only be requested in relation to criminal acts and the process excludes crimes relating to freedom of speech and certain other offences where the permission of the Attorney General is required for a prosecution.
Finally, the importance of transparency is recognised, with recommendations that there should be an appeals process for individual suspensions and that the whole scheme should be monitored and reported on.
Contrary to our original submission, it seems that compromised domains/websites (i.e. those not originally indended for the criminal purpose they are now facilitating) may also be eligible for suspension. I am somewhat reassured, however, by the recommendation that these domains should only be suspended if contacting the registrar or registrant is ineffective, and by the evidence from Switzerland that their temporary suspension of compromised domains has not led to the sorts of problems I had feared.
The issue group will meet later this month to consider final comments before submitting their recommendations to the Nominet board.
[Update] It seems I was optimistic in presuming that it was only unsafe counterfeits that were covered. The latest version of the recommendations makes all counterfeit goods a separate category (para 7b), more or less admitting that the “immediate serious harm” test from para 7a doesn’t apply to those. That seems a confusing mixture of messages. If I were operating a site that relied on user-generated content (or if I were a registrar selling a domain name for such a site), I think I’d want to be clear if I ran a risk of having my domain name taken away because of the activities of my users. Under the new proposals that depends not just on whether those activities present a risk of “immediate serious harm” to others, but whether the site is “directly involved in the criminal distribution of counterfeit goods”. Given the number of contradictory cases on whether eBay, Google, et.al are liable for sales of counterfeits and the different possible interpretations of “directly involved” I’m not sure that second question has a simple answer. A shame, because in other aspects, each draft of the proposals has got better. I hope the next draft will have a tighter wording, more clearly restricting this class of takedowns to domains that have only been registered in order to facilitate the criminal purpose.