Nominet faces criminal liability over websites

Nominet, the independent registrar for the .uk internet domain, could face criminal liability if it refused to take down websites that allow criminal activity, says a specially commissioned report.

Nominet, the independent registrar for the .uk internet domain, could face criminal liability if it refused to take down websites that allow criminal activity, says a specially commissioned report.

The report provides background to negotiations on a change to Nominet's terms and conditions to make it easier for law enforcement agencies (LEAs) to seize and take down infringing websites. The talks follow a request from the Serious Organised Crime Agency (Soca).

The report by Queen Mary University of London PhD candidate Micheál O'Floinn suggested that Nominet faced potential criminal liability if it failed to suspend a website once it was informed of its criminality.

O'Floinn found that Nominet had no explicit provision against unlawful use of its services, but that many of its sub-registrars did. This allowed sub-registrars to take down alleged criminal sites without notice if they breached their contract terms.

Even so, Nominet had locked down 2,667 domains when Soca or the Police e-Crime Unit (PeCU) asked. Most had been involved with the sale of counterfeit products, fraud and phishing scams. No-one had been prosecuted in connection with the incidents, O'Floinn said.

Even though only five domain owners had complained, many comments received by O'Flynn argued that there were areas where criminality was harder to establish. These included free speech, pornography and whistleblower activity such as Wikileaks. More recently governments in some Arab countries tried to close down websites and event the internet to disrupt political opponents' activities.

Others pointed out that US authorities had accidentally taken down 84,000 innocent sub-domains when they seized 10 websites, causing reputational and financial harm. In addition, individuals could easily move their websites to other domains.

Despite these hazards O'Floinn said LEAs and copyright holders' representatives believed that they should be able to rely on Nominet to take down sites. LEAs also wanted to be able to act against off-shore residents who use .uk domains for criminal purposes, he said.

O'Floinn said there was possibly merit in Nominet strengthening its "due diligence" procedures when its registrars took on domains to ensure that the information was accurate and led to a real person.

Nominet's previous actions in taking down websites without court orders led to concerns about the fairness of its procedures, their legality and their correctness in contract, O'Floinn said.

A further complication was that "the internet is replete with instances where conduct is lawful in one country but unlawful in others", O'Floinn said. Another was to discriminate between counterfeit and copyright goods.

O'Floinn said there were 13 questions a panel of 21 representatives from different stakeholders groups, led by Queen Mary's Ian Walden, should consider at a 4 April meeting. Their proposals would be fed back for comment to several hundred others who had registered their interest in the issue.

Questions for Nominet, suggested by the report

1. Should Nominet have an abuse policy and would creation of one be in line with its vision of making the internet a trusted space?

2. Should the issue of criminal conduct by domain name holders be dealt with only through registrars and hosts, and/or strengthening the due diligence obligations of Nominet's registrars? Would there be benefits in sharing information with registrars as is currently done with the phishing feed?

3. Which types of activity would an abuse policy seek to discourage?

4. In what circumstances would suspension of a website be proportionate? Would there need to be an ascertained level of harm or criminality?

5. How can Nominet avoid the risk of criminal liability when asked to take action against offence which are challenging for assessment so of criminality , such as certain alleged speech offences?

6. Should a list of offences over which Nominet will take action be created?

7. Should suspensions be limited to breaches of domestic criminal law or apply to all countries or those where the registrant expects his activities to have effect?

8. What standard of evidence might be required and who would assess it?

9. Would a formal relationship be needed to accept instruction? Who would be able to request suspensions?

10. What principles should govern the form of an acceptable request? Should a formalised standard operating procedure and data sharing arrangement be created between Nominet and law enforcement agencies?

11. If there is a suspension, is there a post-suspension continuing obligation to prevent criminal conduct when the registrant uses the same registration details?

12. Would there need to be any form of appeals process?

13. Are there any other regulatory or self-regulatory frameworks that would provide useful background or experiences?

Read more on IT legislation and regulation