Are Domain Name Registrars Liable for Wikileaks’ Criminal Conduct?

by Roger Alford

The Swiss domain name registrar Switch announced today that it will not shut down Wikileaks.ch as a result of Wikileaks’ criminal activity. It does so at its peril.

The pharmaceutical industry has long faced the question of registrar liability for hosting illegal pharmaceutical drug websites. Legitscript.com, a pharmaceutical watchdog, has summarized the obligations of domain name registrars in this report.

As the report outlines, every domain name registrar is required in its agreement with ICANN to abide by the UDRP, which requires registrars (such as Switch) to prohibit their customers (such as Wikileaks) from using websites for unlawful purposes. Article 2 of the UDRP provides:

By applying to register a domain name, or by asking us to maintain or renew a domain name registration, you hereby represent and warrant to us that … (c) you are not registering the domain name for an unlawful purpose; and (d) you will not knowingly use the domain name in violation of any applicable laws or regulations.

Under the UDRP, each registrar must include a provision in the registration agreement prohibiting use of the website for unlawful activity. When a website engages in unlawful activity, the registrar has a contractual right to shut the website down.

What if it fails to do so? Registrars are generally immune from liability under the Communications Decency Act. But under 47 U.S.C. 230, this is not the case if the registrar knowingly facilitates a third-party’s criminal activity or knowingly profits from that criminal activity. 47 U.S.C. 230(c) provides that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” However, 47 U.S.C. 230(e) adds that “Nothing in this section shall be construed to impair the enforcement of … any … Federal criminal statute.”

Thus, as the Legitscript report put its,

Registrars cannot be held accountable for the information if they do not know about it, but once put on notice about criminal activity, a compelling argument exists that they no longer enjoy the protections of the federal Communications Decency Act, if they knowingly continue to allow their domain name registration services to be used in the furtherance of criminal activity.

The report outlines the experience of pursuing registrars for hosting websites that they knew were selling fake prescription drugs. Eleven registrars, including GoDaddy in the United States, and ten others in Canada, China, Germany, India, Poland, and the United Kingdom, shut the illegal websites down. But five registrars refused to do so. One of these registrars, eNom, hosts 4,000 illegal Internet pharmacies, and through registration fees, is profiting from the criminal activities of its hosted websites. It is now in litigation for hosting and advertising illegal websites.

Likewise, under the EU law, registrars are immune unless they know a website they are hosting is engaged in unlawful activities. Article 14 of Directive 2000/31/EC provides that:

Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that: (a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or (b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.

Applied to Wikileaks, every domain name registrar has a contractual right in the registration agreement to shut down a website such as Wikileaks that engages in criminal activity. Moreover, if a registrar knows that a website it is hosting is engaged in criminal activity–such as disclosing company trade secrets or publishing classified government documents–it is not immune from prosecution under US or EU law.

http://opiniojuris.org/2010/12/07/are-domain-registrars-liable-for-wikileaks-criminal-conduct/

10 Responses

  1. Worth noting is that DNS entries are optional, unless you’re using a Virtually Hosted website.  Even if the registrar pulls your DNS entry, your website can still be reached using the IP address, and links in that form will continue to operate.

  2. This is all predicated on the assumption that Wikileaks has committed a crime. Which one Roger?  Why are you so certain that Wikileaks has broken any laws?  Who has filed a criminal claim against them?  What court?  What government? 

  3. M. Yass,

    Yes, you are correct.  I have addressed possible criminal violations for disclosing classified government documents here, and criminal violations for violating business trade secrets here

    Roger Alford

  4. Would the registrars hosting nytimes.com and guardian.co.uk also be in peril?  Is Bill Bennett also subject to prosecution under the Espionage Act?  If not, then the strength of the theory of Assange’s criminal liability is somewhat diminished. 

    By the way, in your post linked to the above comment you repeat a common factual error. Wikileaks has not released all 250,000 cables.  In fact, is has released just under 1,000 — the same ones published by the newspapers and redacted in the same way the papers redacted them.

    Wikileaks is a journalistic entity, and as such its publication of these documents is protected by the First Amendment (Pentagon Papers).  Perhaps you have an argument for why its not entitled to that protection.  If so I haven’t seen it.  But that would be the starting point, rather conclusory calls for prosecution, or Julian Ku’s call to violate a foreign sovereign’s territory to kidnap Assange.

  5. Nathan,

    Good question.  I think that once Assange is charged (or at the latest when he is convicted) then the requisite notice to the registrars would be triggered.  The Switch registration contract provides that:  “3.3.2 … SWITCH can revoke the registration of domain names if: (a) the holder breaches the applicable law; … (e) there is an evident risk that SWITCH could make itself legally liable due to the registration and/or use of the domain name.”

    If other media outlets are similarly charged (again or convicted) with criminal misconduct, then yes those registrars would be on notice too. 

    The key point is that the registration contract protects the domain name registrars and allows them to take appropriate action to stop hosting websites engaging in illegal conduct.  For those registrars that do not wish to take contractual action to protect themselves, then they could be exposed to liability, but of course you would have to establish that the websites they are hosting are actually engaged in illegal activity or there is a risk that the registrar might be liable.   

    Roger Alford 

  6. Would a US or EU registrar be liable for hosting a website ‘engaged in unlawful activities’ regardless of the applicable law? Would the website content have to be ‘unlawful’ in both countries?

    Can a US registrar be prosecuted or sued on the ground that it violates, say, another country’s laws on ‘decency’ in the media? Could an Italian registrar be sued on the ground that it hosts publicity targeted at children, in contravention of Sweden’s (more stringent) regulations on publicity?

  7. You are asking good questions.  Generally it depends on both the intent of the legislature passing the law to regulate extraterritorial conduct and whether those laws are consistent with international law principles.  In the case of illegal pharmaceutical websites it is easy because they are promoting the product in the United States, targeting U.S. customers, and shipping the illegal goods into the United States.  For Wikileaks you would need to show that the relevant laws were intended to capture Assange’s conduct.  His conduct of publishing classified documents occurred at home and abroad.  Of course, much of his other conduct occurred abroad (conspiring with Manning, for example), and I would strongly suspect that laws proscribing the unlawful disclosure of classified government documents were intended to have extraterritorial effect.

  8. Thanks for the response, Roger.  I note that you didn’t take up the issue of whether Wikileaks is acting in a journalistic capacity.  If you think it is, how would you distinguish its behavior from the NY Times’ in the Pentagon Papers, or of the NY Times, Guardian, and Der Speigel now?  If you think it’s not, I would be interested to hear your views on why.

  9. Thank you for your response.

    I was reading the Legitscript report, and found this (p.26): ‘as we explain later in this report, it is precisely because [a Netherlands corporation] is a Registrar — not in spite of it — that they are supposed to act to prevent the criminal misuse of their services.’. In this case, the ‘crime’ in question is ‘importation of a prescription drug in violation of section 804′ (21 USC §331 Prohibited acts).

    On the face of it, this suggests that every registrar, anywhere in the world, should be aware of the minute details of, for instance, sanitary and phyto-sanitary codes of any country with which a website it hosts can potentially trade. The registrar shouldn’t simply be satisfied that its client claims to do nothing unlawful, but it should actively seek to know if its client does, in fact, carry only lawful transactions. So, if Company A operates legally under its host country’s (country B) regulations, but exports to a consumer in Country C, and in C, this product is considered a threat to health (eg, DDT), the DNS that hosts the website of Company A would be (jointly?) liable.

    This seems like a tremendous stretch, and very difficult to operationalize. Even if all that is required is that a registrar remove a site as soon as a regulatory agency or other public authority contacts the registrar with credible evidence of unlawful action, this still seems implausible. How is a Registrar to know whether the (foreign) authority  is actually authorized to make such determinations? How is it to know whether the authority’s judgment is to be enforced unquestioningly, or whether it can be challenged?  Seems like an open invitation for abusive conduct. In the wikileaks case, for instance, no judicial authority has yet determined whether what wikileaks has been doing for the last 4 years is illegal, or on which grounds it would be illegal.

  10. I think Nathan makes a good point: how would you argue wikileaks is not acting in a journalistic capacity? If you can’t make that argument it would be very hard to regulate the free flow of information – with the strong policy for freedom of speech. Even in light of intellectual property law, there doesn’t seem to be a law to protect against this kind of behavior…maybe we need some new laws?   

     

Trackbacks and Pingbacks

  1. There are no trackbacks or pingbacks associated with this post at this time.