Forgot your password?
typodupeerror
Networking The Courts United Kingdom

It's Official: Registrars Cannot Hold Domains Hostage Without a Court Order 112

Posted by Soulskill
from the dns-hostage-negotiators-suddenly-unemployed dept.
Stunt Pope writes "Back when the City of London Police issued those 'takedown requests' to domain registrars, most complied. However, as previously reported here, easyDNS didn't. A bunch of the taken-down domains wanted to move to easyDNS. One problem: their registrar wouldn't let them. It took awhile, but easyDNS fought it. They've finally gotten a ruling (PDF) under the ICANN policy that ordered the hostage domains transferred."
This discussion has been archived. No new comments can be posted.

It's Official: Registrars Cannot Hold Domains Hostage Without a Court Order

Comments Filter:
  • hmm.... (Score:4, Interesting)

    by Anonymous Coward on Friday January 10, 2014 @02:56PM (#45919355)

    how about like when whole domains are being used for malware, phishing, or fraud?

    do we have to go thru a court to get a registrar to do something? that isn't reallllly that good of news.

    namesearchhere.com is being used for botnet clickfraud. along with probably hundreds of others... now the registrar can just sit on their hands and say... welp. nothing i can do but charge fees. my hands are tied!

    registrars are making money of DGA, clickfraud, and all manner of shitty activities. now they can really drag their feet.

    • by TWiTfan (2887093)

      how about like when whole domains are being used for malware, phishing, or fraud?

      Couldn't the browsers handle that?

      • by gandhi_2 (1108023)

        Ahh. So with Google safe-browsing in Firefox and Chrome, and MS whateverthefuck filter, clearly there are no successful phishing attacks involving websites.

        No, I've reported phishing domains that stayed up for over 48 hours. Google (stopbadware, opendns anti-phishing) and Netcraft respond pretty quickly to phishing reports but people still end up at the sites trying their damnest to log in.

        Maybe hosting providers should be the same way when you report one of their servers as hacked and being used for a botn

        • Re:hmm.... (Score:5, Insightful)

          by Anonymous Coward on Friday January 10, 2014 @03:57PM (#45920057)

          Maybe hosting providers should be the same way when you report one of their servers as hacked and being used for a botnet check-in or malware hoster. Do nothing until a court order. That should work well!

          Better 100 idiots without a scanner installed get infected than one innocent site get shut down by an asshole with an agenda.

          • by Anonymous Coward

            Better 100 idiots without a scanner installed get infected than one innocent site get shut down by an asshole with an agenda.

            Is it? What metric are you using? Economic cost? Human suffering? I'm sure you have a sophisticated analysis and aren't just pulling a pithy expression out your ass.

            • Re:hmm.... (Score:5, Funny)

              by Anonymous Coward on Friday January 10, 2014 @07:53PM (#45922495)
              Better one pithy expression pulled out of his ass than 100 sophisticated economic analyses.
            • by Anonymous Coward

              It's a specific case of Blackstone's Formulation, which you're highly advised to go away and study at length. It's a really good principle.

          • by shentino (1139071)

            Hosting a site and having a domain name are different things.

        • No, Ive got it, they should take the domains down immediately with no verification and no court order whenever someone presses the "report domain" button!

          Seriously, what are you proposing?

          • by gandhi_2 (1108023)

            hand over all your evidence of malicious activity to the registrar, they can decide if the domain should be deleted or not.

            but they shouldn't get an easy "my hands are tied" excuse to do nothing.

            • Im sure the registrar totally has the workload bandwidth to deal with the number of bogus domains that pop up every day.

              but they shouldn't get an easy "my hands are tied" excuse to do nothing.

              Yes they should, i dont want my registrar deciding whether he likes the content Im hosting on my domain. If theres an issue with the content, talk to the host, the ISP, or a judge.

            • by Dan541 (1032000)

              Evidence, aka your word. Why should a provider simply take the word/evidence of someone who isn't even prepared to back their allegations in court.

            • And what, please, is the problem with handing all your evidence to a court that can then decide to order the registrar to delete the domain? Given a court order, the registrar certainly doesn't have a "my hands are tied" excuse to do nothing. Quite the contrary, he has a "my hands are tied" excuse against the domain owner, that is, he has protection against being sued by the domain owner because of the deletion.

        • Ahh. So with Google safe-browsing in Firefox and Chrome, and MS whateverthefuck filter, clearly there are no successful phishing attacks involving websites.

          No, I've reported phishing domains that stayed up for over 48 hours. Google (stopbadware, opendns anti-phishing) and Netcraft respond pretty quickly to phishing reports but people still end up at the sites trying their damnest to log in.

          Maybe hosting providers should be the same way when you report one of their servers as hacked and being used for a botnet check-in or malware hoster. Do nothing until a court order. That should work well!

          Assuming they acted immediately, the root DNS servers would still retain their cache for a long time. Perhaps as much as 24 hours.

        • ... but people still end up at the sites trying their damnest to log in

          You mean there are people out there that don't take advantage of those sites to poison their data, by submitting hundreds of bogus "logins" via a script?!?

        • by Dan541 (1032000)

          Very few abuse reports are genuine. A common complaint I get is from people who are offended and simply want the site gagged. Whant to shut down someones site get a court order.

    • Re:hmm.... (Score:5, Insightful)

      by Anonymous Coward on Friday January 10, 2014 @03:23PM (#45919655)

      how about like when whole domains are being used for malware, phishing, or fraud?

      do we have to go thru a court ....

      How about when Anonymous Cowards like you are murdering babies? Do I have to go through the whole judicial thing to stop it? Shouldn't my word just be enough to come over and judicially execute you and have all your property transferred into my name as compensation for my time? I think all this "judicial stuff" is just getting in the way of my killing off idiots^W^W^W protecting the family.

      • Re:hmm.... (Score:4, Insightful)

        by ancientt (569920) <ancientt@yahoo.com> on Friday January 10, 2014 @04:16PM (#45920285) Homepage Journal

        Mod parent up.

        Not saying I haven't wanted to bypass the legal system myself from time to time, but given the choice, don't you want to live in a world with laws?

        Sure, I'd like to live in a world that doesn't need laws, but since ours does need them, then having people forced to follow them is the best we can hope for.

        • by HiThere (15173)

          If the laws are reasonably fair, then yes. There are plenty of examples, however, of cases where this doesn't happen. Still, the downside cost of living without laws is pretty high, so it needs to be egregious before that seems like a good idea.

    • by Zedrick (764028)
      They are either real domains pointing to somebody's hacked old joomla/oscommerce/cms made simple-site, in which case the problem is with the website. Or if it's a real phishing/malware-domain, it's with 100% certainty ordered with fake user information and a stolen CC, so the registrar/host can simply delete domain (at least that's what we do).
    • Re:hmm.... (Score:5, Insightful)

      by fred911 (83970) on Friday January 10, 2014 @03:44PM (#45919895)

      Why should he registrar be responsible for content? Is the phone company responsable for publishing phone numbers of unscrupulous businesses? The responsibility for mal-content is that of the host, not the directory.

      • by Obfuscant (592200)

        Why should he registrar be responsible for content?

        Because they have made themselves responsible through their Acceptable Use Policy agreement. For example, EasyDNS [easydns.com] includes these conditions upon the registree:

        • The Applicant warrants to easyDNS that the details submitted by the Applicant to easyDNS are true and correct, and that future modifications or additions to those details will be true and correct.
        • The Applicant agrees not to use the services provided by easyDNS to conduct any business or activity or solicit the performance of any activity that is pro
        • The City of London was well within reason to ask them to look at whether one of their users was violating their terms, and all they had to do was say "no". RTFS
          • Re: hmm.... (Score:4, Informative)

            by Obfuscant (592200) on Friday January 10, 2014 @04:56PM (#45920745)
            I've read the summary. I've read the ruling. Have you? The summary and ruling aren't directed at the City of London and say nothing about whether the City of London was incorrect in asking easyDNS (or any other registrar) to review their terms for a possible breach. The summary and ruling deal with domain registrars who made the decision that the customer WAS in violation of their terms and thus shut them off, who then refused to release the domain name.

            This should be clear from the very beginning of the ruling:

            easyDNS Technologies Inc. v. PDR Ltd. d/b/a PublicDomainRegistry.com

            It's easyDNS vs. another registrar, not easyDNS vs. City of London.

            I've also read the "takedown order", which is quoted in part in the ruling itself. Maybe you should read it. It is rather clear in asking the registrar to review the conduct of the customer to see if it violates the registrar's acceptable use policy, and for the registrar to make a decision what action is appropriate.

            The City of London did NOTHING that you or I could not do, and I have done many times in the past when trying to get spammers and such shut down. I've even been more forceful by saying that the registrar SHOULD shut them off, not just that they ought to review the policy to see if they think the customer is breaching it.

            Yeah, the CoL went further by asking the registrar, once they had made a decision to shut the domain off, to take certain steps that would help the CoL maintain evidence of the activity for later legal action. That's not out of line, either, and it still is based on the registrar making a decision, not a demand from the CoL.

        • by parodyca (890419)
          Right, so now they deny you service if you are breaking the law, but the arbiters of whether you are breaking the law or not is the court. Not themselves and not any other body.
          • by Obfuscant (592200)

            Right, so now they deny you service if you are breaking the law, but the arbiters of whether you are breaking the law or not is the court. Not themselves and not any other body.

            Quoting the easyDNS terms of service:

            Such determination on what constitutes a violation of the above or whether a domain has or is "likely" to violate the above is solely at the discretion of easyDNS.

            "The above" includes "unlawful or illegal activities of any kind (this includes ponzi schemes and HYIPs)". I don't know where you get the idea that "now" it has to be a court. That wasn't what the ICANN ruling dealt with. The ICANN ruling dealt with transfer of domains being held hostage by other registrars, not whether the City of London needs a court order to ask a registrar to review a customer's activities for a potential violation of the registrar's terms. They do

            • by HiThere (15173)

              The point is that that's a quite dangerous way to set things up, not that it wasn't legal, or that it didn't match the terms of service. I agree, it's a quite dangerous way to set things up. And the danger is born by then end users (both the web site builder and the user of said site.)
              I'm quite dubious about letting a web site host have the ability to hold my data. In my case this is academic, as I don't have a web site, but were I to do so I'd be reluctant to trust it to a host that could ...I can't thi

            • While they can refuse to supply service at their discretion, where does it say they have the right to refuse to honor a request for a domain transfer? Are you even following the chain of events here or are you just making things up as you go?

              • by Obfuscant (592200)

                While they can refuse to supply service at their discretion, where does it say they have the right to refuse to honor a request for a domain transfer?

                It doesn't, and I didn't claim it did. I was answering the question "Why should the registrar be responsible for content?" Then someone made the claim that "the arbiters of whether you are breaking the law or not is the court", which is contradicted by the same terms.

                You might also note that I am quoting the easyDNS terms. I would never expect anyone to read a quote from easyDNS terms and think it was a justification for PDR holding on to domains, so I am at a loss why you are trying to read such a justif

        • by russotto (537200)

          Because they have made themselves responsible through their Acceptable Use Policy agreement. For example, EasyDNS includes these conditions upon the registree

          That's not how an acceptable use policy works. Having an Acceptable Use Policy does not make EasyDNS responsible to third parties to enforce that Acceptable Use Policy.

    • Re:hmm.... (Score:5, Insightful)

      by LordLimecat (1103839) on Friday January 10, 2014 @04:04PM (#45920151)

      Protecting the good guys from abuse often protects the bad guys to some degree.

      Its all about what kind of internet you want to deal with: One where someone can trivially take your content down, or one where you know that theres bad stuff out there.

      • by maugle (1369813)
        We can look at a microcosm of the Internet - YouTube and its ContentID system - to see what happens when people can trivially take down other peoples' content via bogus claims (or, worse, take control of the content and all its profit). In summary: it's not a fun place to be, unless you're a big company or someone who lives off misappropriated ad income.
    • Re:hmm.... (Score:5, Insightful)

      by Stunt Pope (3287) on Friday January 10, 2014 @04:13PM (#45920227) Homepage

      Registrars can takedown domains for net abuse, the main thing is their terms of service are between them and their registrants, they enforce their policies.

      The easyDNS Plain English terms of service state domains will be taken down for net abuse, but if you want to compel a takedown from the outside because *you* say it's illegal, you need a court order.

      • by Obfuscant (592200)

        but if you want to compel a takedown from the outside because *you* say it's illegal, you need a court order.

        And if you want to ask a registrar to review the activities of one of their registrees to see if they're violating the AUP, you don't. I've done it before, I'm not going to start getting a court order to report abusers and spammers and bears, oh my!

    • Re:hmm.... (Score:4, Insightful)

      by ancientt (569920) <ancientt@yahoo.com> on Friday January 10, 2014 @04:13PM (#45920231) Homepage Journal

      do we have to go thru a court to get a registrar to do something? that isn't reallllly that good of news.

      Registrars can voluntarily do something when asked, so no, you don't have to get a court order to get a registrar to do something. They are absolutely supposed to let people move their domains when people want to also, but some of them weren't following the rules. Having them follow the rules is a good thing.

      If, however, you want to force a registrar to do something which isn't part of the rules, then yes, you should have to get a court order.

      Did you like the scenario where companies don't have to follow the rules you both agreed to? Most of us don't.

    • by Lazere (2809091)
      Since this is /. I'm assuming you didn't even read TFS in order to get first post. If you had, you'd have noticed that this has nothing to do with domain takedowns and everything to do with domain transfers. Basically, the legitimate people who had been taken down in this bit of BS tried to move their domain to easyDNS, but the registrars they were currently on wouldn't let them. All this decision says is the registrars have to let people move their domains unless there is a court order saying otherwise.
    • by Dan541 (1032000)

      do we have to go thru a court to get a registrar to do something? that isn't reallllly that good of news.

      It's called due process. I'm guessing you're the type of person who would also complain if they were locked up without a trial.

    • by shentino (1139071)

      Yes you SHOULD have to go through court for this.

      Same as with anything else that seeks to compel the behavior of another.

  • Godaddy (Score:5, Informative)

    by neoform (551705) <djneoform@gmail.com> on Friday January 10, 2014 @02:58PM (#45919369) Homepage

    As someone who had godaddy hold my domain hostage, this is great news.

    GoDaddy had received a single complaint from an anonymous source, which was apparently enough for them to threaten to revoke my domain if I didn't pay their $200 extortion fee.

    • by X0563511 (793323)

      NoDaddy: for all your hosting "needs."

    • by FriendlyLurker (50431) on Friday January 10, 2014 @03:21PM (#45919627)

      As someone who had godaddy hold my domain hostage, this is great news.

      GoDaddy had received a single complaint from an anonymous source, which was apparently enough for them to threaten to revoke my domain if I didn't pay their $200 extortion fee.

      Buried in the ruling the offending registar is named: PublicDomainRegistry.com (PDR Ltd) wouldn't let EasyDNS do the transfer. Add GoDaddy to the list, what other registrars should we be voting with our wallets and abandoning?

    • Re: (Score:3, Informative)

      by TWiTfan (2887093)

      GoDaddy, oh man. Hard to believe that I used to actually recommend them to clients for hosting. Then they started in with those ad campaigns that made Hooters ads look like church bulletins. That alone guaranteed that I would never recommend them again, even without the accompanying rumors of assorted other sleazy practices. It's a shame too. Their hosting was reasonably-priced and pretty reliable in its day.

    • The information is very well hidden in the FA, but this applies to Canada. The "City of London" will be the one in Ontario. Do decisions of this kind apply in other countries? - I'd guess not.

      • by Anonymous Coward

        You're half right. The City of London police in the UK sent emails to registrars round the world asking them to take down domains. A surprisingly large number complied.

        This case is in Canada, but the original request came from the UK.

      • by Sarten-X (1102295)

        Probably. It's an ICANN ruling, so as far as I can tell it applies to all ICANN registrars.

        What doesn't apply worldwide is the "court order". If an American court tries to issue a court order for a Chinese registrar to hold a name, the Chinese company is probably not required to follow the order, so per ICANN they'd have to release the name. On the other hand, a Chinese order would have jurisdiction, so the registrar would be able (and likely required) to hold the name.

      • by Obfuscant (592200)

        The information is very well hidden in the FA, but this applies to Canada. The "City of London" will be the one in Ontario.

        The "City of London" being referred to is the one in the UK. It says as much in the linked ruling:

        On September 24, 2013, the City of London Police issued a Domain Name Suspension Request regarding a large number of domain names, including the three at issue in this case. The Request asked the relevant registrars to do the following: We request that you review your processes to see if you provide a service for the identified domain(s). If so, we would ask you to review the terms and conditions on the basis of which that service is provided and withdraw or suspend the service if you are satisfied that the terms and conditions have been breached.

        This is the infamous "takedown order" that asks a registrar to review a customer's actions with respect to the registrar's own acceptable use policy and make their own decision. The ruling continues:

        This request was for the following reason: "The owners of the aforementioned domains are suspected to be involved in the criminal distribution of copyrighted material either directly or indirectly and are liable to prosecution under UK law."

        which makes it clear that it is the City of London in the UK. But this ruling actually has nothing to do with the City of London, it applies to domain registrars.

      • by jonbryce (703250)

        No, this is the City of London that is a country-within-a-country in the the UK, and England's smallest city.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I also had GoDaddy hold my domain hostage, it was for a web security site, mostly used to find security holes in OSS as a hobby. Someone reported my site to GoDaddy and said it was a "hacking website" so I had to pay GoDaddys "penalty fee" to get control of my domain again so I could transfer it to someone else. I read through all their ToS and there was nothing about this "penalty fee" anywhere, which I pointed out to them, they replied with something along the lines of tough shit (they used nicer language

  • I mean, the place being named organizedcrime.nl .....
  • by damn_registrars (1103043) <damn.registrars@gmail.com> on Friday January 10, 2014 @03:03PM (#45919427) Homepage Journal
    ... so ICANN cares. Where were they when people were asking them for help shutting down spammer-friendly (and scammer and thief friendly) registrars? When the registrars could make more money, ICANN was happy to comply. Now something is up that could interfere with registrars' ability to make money, so we see from them again.

    The rest of us, of course, can all go to hell as far as ICANN is concerned.
  • by Capt.DrumkenBum (1173011) on Friday January 10, 2014 @03:12PM (#45919525)
    Thank you for your good work on behalf of all of us.
    I have used EasyDNS in the past, and found them a very pleasant company to deal with.
    • Its a pity they didn't fix their DNS record management system until after I had to bitch about them on twitter. Other than that, happy with them for over a decade.

    • Re:Thanks EasyDNS. (Score:5, Interesting)

      by Anonymous Coward on Friday January 10, 2014 @03:40PM (#45919851)

      EasyDNS is a great registrar. Some years ago I had an issue with one of my domain names because a law firm in North Carolina registered a very similar name. The only difference was that they inserted a hyphen in their name and I didn't have one. Naturally some of their clients omitted the hyphen in the address and I received the emails instead, which I passed on to them.

      That was a mistake. The law company was very angry at me, and they accused me of intercepting their mail, using my domain in bad faith, etc. They ignored the fact that my domain name was registered over 5 years before they registered their name. They attempted to get EasyDNS to lock my domain and transfer it to them. They attempted to harass both me and EasyDNS. Eventually they attempted to take my domain through ICANN name dispute resolution proceedings, which failed. They even attempted to get the FBI involved, which resulted in an interesting interview with two agents, but nothing else.

      EasyDNS was wonderful. They investigated and they decided there was no reason to interrupt my domain service. They supported me through the resolution proceedings. I would not use any other domain registrar for any domain name I really care about.

      EasyDNS isn't the least expensive registrar, but they aren't the most expensive either. The fact they in Canada (and therefore outside USA jurisdiction) is an added bonus.

      • by Obfuscant (592200)

        Naturally some of their clients omitted the hyphen in the address and I received the emails instead, which I passed on to them.

        Yes, doing anything beyond reading the errant email and laughing, and then deleting it, is begging for trouble. I used to have the .com version of an ISP's .net and it is remarkable the number of people who think the only TLD is .com. And that when they send their email to the wrong place, it's your fault for getting it.

        That includes a rather large software/OS company located somewhere in Washington state, that kept sending me email they intended for a partner at the .net address.

      • EasyDNS isn't the least expensive registrar, but they aren't the most expensive either. The fact they in Canada (and therefore outside USA jurisdiction) is an added bonus.

        Surely by using a registrar in a jurisdiction other than the one the TLD in question is based in you are increasing your vulnerability to court orders forcing transefer of the domain. If you registrer a .com domain with a canadian register then surely a US court could order ICANN to transfer it while a canadian court could order your registrar to transfer it.

  • by rea1l1 (903073) on Friday January 10, 2014 @04:06PM (#45920169) Journal

    the City of London is a privately owned corporation. I would imagine their police are also.

    Do not mistake London the city with the City of London.

    http://www.theguardian.com/commentisfree/2011/oct/31/corporation-london-city-medieval [theguardian.com]

    • by mythosaz (572040)

      They exist in another time-space, I'm certain of it...

      The Lord Mayor of London and the two Sheriffs are chosen by liverymen meeting in Common Hall. Sheriffs, who serve as assistants to the Lord Mayor, are chosen on Midsummer Day. The Lord Mayor, who must have previously been a Sheriff, is chosen on Michaelmas. Both the Lord Mayor and the Sheriffs are chosen for terms of one year.

      Midsummer Day? Are you effing kidding me?

      • by Anonymous Coward

        Midsummer Day and Michaelmas are two of the Quarter Days (the other two are Christmas Day and Lady Day - https://en.wikipedia.org/wiki/Quarter_days). A lot of significant events used to happen on the Quarter Days, though they don't have much significance nowadays.

  • ...if we only had some form of decentralized name registration. oh wait we do. namecoin ftw.
  • The summary and some of the replies seem a little misguided. I've probably got it wrong as well, but here goes.

    Essentially, the City of London (the borough, not Londinium itself) emailed or wrote to domain registrars asking that they suspend the domain of what they alleged to be copyright infringing sites. This was a request, not an order. As we know a lot of domain registrars really don't give a toss and suspended the domains, probably without investigating whether the takedown request was accurate at all.

    • The big question I have is what happens next? Do icann ask the losing registrars nicely to folow policy and transfer the domains or do they actually force the transfer?

  • by rueger (210566) on Friday January 10, 2014 @06:33PM (#45921821) Homepage
    Lord - things are never dull over at easyDNS. Hot on the heels of the decision above, some called the National Association of Boards of Pharmacy (NABP) is demanding [easydns.org] that easyDNS play Cop.

    It's almost surreal to be getting this letter from the National Association of Boards of Pharmacy (NABP) addressed to ICANN Registrars requesting that "you adopt and implement policies and procedures, consistent with this letter,", given the timing of what we just went through with the City of London Police takedown requests. What are those policies and procedures the NAPB wants all ICANN Registrars to adopt? Glad you asked:...

  • You villify the MPAA/RIAA mafiaa, agree with Voltaire on defending the right to free speech, hate NSA and RSA,

    AND YET

    you say that EasyDNS is in the wrong here?!? I don't get it. I just don't. Regardless that the defendant here was another registrar rather than the City of London itself, the question remains the same: can a police department authorize the seizure of property without so much as a court order? If so, why not do away with the courts altogether since police agencies now play the roles of ju

Do molecular biologists wear designer genes?

Working...