I met with the Police Central eCrime Unit last year as part on an ISPA group that wanted to understand the issues that police have in fighting internet related crime and to see whether there is anything that we could do to help.
The police’s biggest problem is the speed that things can happen at over the internet versus the amount of time it takes the judicial system to crank their mechanical organisational cogs. PCEU staff can, for example, be following a suspect criminal, either physically or electronically, and sometimes have very little time to pounce. A gang might be planning a fraud using online resources – facebook pages, gmail, skype etc. Access via a service provider to look at these resources takes a court order (RIPA) which takes time to organise and by the time it has been effected the crooks are often long gone.
If the police did not require judicial consent to access these data then the whole process could be speeded up and more criminals prevented from harming us. The problem is that even if it was clear to everyone concerned that providing the police with what they ask for was the right thing to do the act of doing so puts the ISP in breach of data protection laws. If the suspect criminal happens to be innocent (or otherwise) this potentially leaves the ISP open to legal action. We can’t have ISPs being asked to perform the role of the judiciary because they don’t have the same legal protection or training.
Now enter Nominet stage right. I have coincidentally just written about Nominet after attending the .uk registrar’s recent 25th birthday party. Nominet is proposing to change its “Terms and Conditions to give a contractual basis to suspend domains where Nominet has reasonable grounds to believe they are being used to commit a crime”. In other words Nominet wants to be able to cut off a domain because in its reasonable judgement and based on a request from the police, that domain has been used to further criminal activity (eg online scams, phishing etc). Apparently the registrar did this on 1,200 occasions last year but wants now to cement the capability into its contract.
It is interesting to note the list of stakeholders Nominet considers appropriate as contributors to the deliberations:
- Serious and Organised Crime Agency (SOCA)
- Police Central e-Crime Unit (PCeU)
- OFT Cybercrime Unit
- HM Revenue & Customs
- Medicines and Healthcare Products Regulatory Agency
- Health and Safety Executive
- Trading Standards
- Department for Business Innovation and Skills (BIS)
- Home Office
- Registrar representation
- ISP representation
- Nominet representative
- Confederation of Business and Industry
- Federation of Small Businesses
The consumer seems to be left out of this just as was the case in the run up to the Digital Economy Act, unless Trading Standards are performing this role.
The issue here is identical to that described at the beginning of this post. Nominet is effectively suggesting that it performs the role of the judge in deciding what is and what isn’t a crime.
This is not an easy subject. One might argue that the government should change the law to offer registrars and ISPs appropriate legal protection for the type of scenario where they are asked to perform a pseudo-judicial role. The problem is that freeing up the system also opens up the territory for exploitation by individuals and organisations pursuing their own agenda.
For example anecdotally, RIPA orders have been used in relation to non-crime related Local Authority type issues. If a court order was not required to take down a domain it isn’t difficult to imagine a council, or an individual within a council (for example), wanting to prevent a “stop the bypass” campaign (again for example) and seeking to take down activist websites, perhaps in conjunction with the local police. Currently a judge would decide whether this was appropriate. Do you trust Nominet or your ISP to make legal decisions of this nature? Even if the website was advocating violent measures? Does this sound far fetched?
Nominet is being well intentioned but I believe its logic is flawed under the current system of law. The internet is changing the way we live our lives. Our legal system needs somehow to evolve to reflect this.
Areas for debate are springing up all over the place – the blocking of pornographic websites to the under 18s and filtering of sites promoting copyright infringement immediately spring to mind.
The internet community of interest needs to make sure that it participates fully in this (these) debate(s) because we will otherwise find ourselves subjected to more and more demands akin to those of the Digital Economy Act where we are now having to conduct a damage limitation exercise. In the meantime Nominet finds itself in the position of trailblazer on the subject of eCrime in the UK.
2 replies on “Nominet and the pseudo-judicial roles of ISPs”
If Nominet follow through on getting rid of domains on police whim, without due process, all that will happen is that suspected criminals will use non-UK domains. We’ll not be any safer.
Footnote: Nominet CEO Lesley Cowley tells me that this discussion has actually been initiated by SOCA and not Nominet. Apologies for the misunderstanding. The points made in the post remain relevant though.