Tuesday, April 8, 2014

Is Your Domain Name Safe From Nefarious Interests?

The soft underbelly of everything you do online is your domain names and DNS. (Briefly, your domain names are the labels people use to reach your website or send you email, e.g. dollarvigilante.com. DNS is the mechanism computers use to map where these various connections are to take place.)
Before anything can happen on the internet, at least one successful DNS lookup has to occur, and no matter how much money you spend on things like firewalls, offshore data centres, redundant network connections, penetration testing, high availability switches and routers, if your DNS stops resolving or your domain name gets yanked, none of that matters because you will simply disappear from the internet.
This is why every time I come across websites of like-minded libertarians, an-caps, contrarians, whistleblowers (and other egregious truth tellers) I often cringe when I look up their domain names and find out that their registrar is GoDaddy, or some other registrar that is notorious for throwing their customers under a bus at the slightest whiff of trouble and with a complete lack of due process.
People who read websites like TDV or ZeroHedge (another client of ours who keeps us on our toes) have a certain understanding of the world we live in, what's happening, and within broad channels, what's going to happen.
In other words, everybody here knows things are going off the rails and we talk about that freely. However, "the powers that be" don't like it to be widely known that things are, in fact, going off the rails, that our monetary regime is headed for systemic failure, or in a wider sense, that nation-states are becoming obsolete.
So various governments, quasi-governments, non-governmental and law enforcement agencies understand that when it comes to the internet, one really effective method of silencing a voice of dissent is to squeeze their domain registrar or DNS provider to take their domain names offline.
We became aware of this first in 2010 with Wikileaks (a situation which we were embroiled in through a case of mistaken identity but it made an impression on us to be sure).
Since then we've had numerous run-ins with people "out there" who wanted us to take down some customer website for the sole virtue that they weren't fans of what that website did or said, or because the domains represented a new business model that threatened entrenched interests.
The problem is this: most registrars, when they receive a "Takedown Notice" (which is what these requests are called), simply shrug their shoulders and go along with it. In other words, it's trivially easy to knock almost any website in the world completely offline by simply telling their domain registrar that a domain is "doing something wrong" and they had best comply with a takedown request and pull the website offline. Sometimes with catastrophic effects.
Web services company jotform.com was taken offline in 2012 after a faxed takedown request was received from the US Secret Service, rendering over 2 million web forms across 700,000 user accounts inoperable. It caused a big stink and people wondered if it would prompt their registrar (GoDaddy) to incorporate some modicum of "due process" into their takedown process. They didn't. The takedowns continue: most recently, the prominent Mexican political dissent website 1dmx.org was taken offline by GoDaddy after the US Embassy asked them to.
We had our turn to prove our point when the City of London UK police sent out takedown notices to multiple registrars late last year. The London Police's newly formed Intellectual Property Crime Unit had deemed numerous domains (without any court proceedings, it should be emphasized) to be "profiting from illegal acts", and requested that the registrars not only take down the domains, but redirect their traffic to an IP address controlled by them, which featured what can only be called "advertisements" for competing industry players (all based within the UK).
Everyone complied, except for us, and when word got out about this some of the websites affected understandably tried to move to us but were blocked by their registrar from doing so. We pursued the matter through the highest levels of the ICANN Inter-Registrar Transfer Policy and were finally vindicated with a ruling in January from the National Arbitration Forum. The ruling found that even if a registrar wants to obey a takedown order that has no legal basis, if they do not have a court order in a competent jurisdiction then they cannot prevent that domain from moving to a more clueful registrar. It's an important ruling and I mention it for a reason.
No sooner had this ruling come down than some non-governmental group (although they have been accused of improperly using their government influence to have policy enacted) called the National Association of Boards of Pharmacy (NABP) sent a letter to all ICANN registrars that said, in effect:
  • You have to take down any domain we tell you to
  • Registrars are responsible for enforcing the NABP's IP interests in every jurisdiction in the world
  • Registrars cannot allow a domain that has been taken down to transfer away, and
  • There is no real appeals process
All of which was in direct contravention of the aforementioned ruling we had just obtained, and all of which is clearly blustering because the NABP has no legal authority of any kind. They're just an industry trade group out to protect their stakeholders, who are basically big pharmaceutical companies (and, incidentally, also the brains behind the new .pharmacy top-level-domain initiative. Wouldn't it be nice if you could make all your competitors "go away" under a thinly disguised ruse of "public safety"?)
But it didn't matter. We had a customer running a perfectly legal business selling peptides (chemicals used in laboratory research) over the internet, based here in Toronto, selling goods that anybody in Canada can walk in off the street and purchase, whose primary business website was taken offline (again, by GoDaddy) after an "internet investigator" in London, UK sent them an email telling them to. I've read the entire transcript between that "internet investigator", the GoDaddy Abuse desk and our client and it is nothing short of Kafka-esque and chilling.
The website was down for months. We went to GoDaddy, new ruling in hand, and battled our way up the chain to find somebody high enough in the organization to finally admit that while it was their prerogative to play ball with any kind of nonsensical legal demand that comes through the door, they couldn't prevent any domains from transferring away after they took them down. Our client was out of there the next day.
The point of all this is: you need to be aware of all these "gotchas" with respect to domain names. In some cases US legislators will even bypass your registrar and go straight to the registry operator to seize your domain there (usually happens under a sealed warrant, blessing it with a veneer of Soviet-era legality).
If you are doing anything that could be deemed "controversial", including but not limited to telling the truth, objecting to government policies (like wars, mass surveillance, assassinations, torture, or fraud), or getting mixed up in threatening technologies or disruptive business models like bitcoin, cryptography or p2p, or if you are some kind of lunatic fringe advocate for privacy, peace, economic sanity or the Constitution, then you are highly cautioned to take all of this into account.
If your activities rely heavily on your web presence, you need to plan for catastrophic failures like takedowns and the like. I don't want this to come off as an easyDNS infomercial, so the following tips can be used anywhere, not just with us:
  • Know which legal jurisdiction your domain is under. If it's .com, .net, .org, or .biz it's ultimately operated by a US registry operator, even if your registrar is in another country.
  • Know your registrar: do they have an official takedown policy? Or do they just make it up as they go along? What are their views on due process? Will they simply capitulate to any request or do they have even a modicum of backbone?
  • What is buried in the Terms of Service? Usually the provider reserves the right to screw you in every way imaginable. (We recently re-released ours in Plain English and are the only registrar in the world that incorporates the Non-Aggression Principle into ours.)
  • Have a backup domain name or two under different top-level-domains. Preferably non-US ones. Switzerland is a great jurisdiction for this because anybody can register .CH domains and they are fairly laissez-faire when it comes to takedown orders. Also, if you set up a business entity in Switzerland, the entire legal system is geared toward due process and heading off frivolous lawsuits.
  • Have your data backed up offsite. If your entire operation is going to be taken offline you want to be able to relocate and relaunch. Ideally these backups are encrypted (especially if they contain your customer data).
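The jurisdiction, registrar and backup-domain tips above can be checked mechanically across a portfolio of names. The sketch below is an added example, not code from the article or from easyDNS: it assumes you have already fetched RDAP (RFC 9083) records for your domains, and it runs on constructed sample records with placeholder registrar names.

```python
import json

# TLDs the article names as ultimately run by a US registry operator.
US_OPERATED_TLDS = {"com", "net", "org", "biz"}
# RDAP status values that mean the name is withheld from the DNS.
HOLD_STATUSES = {"client hold", "server hold"}

# Constructed sample records, trimmed to the fields used here.
SAMPLE = json.loads("""[
 {"ldhName": "EXAMPLE.COM", "status": ["server hold"],
  "entities": [{"roles": ["registrar"], "vcardArray":
    ["vcard", [["fn", {}, "text", "Registrar A (constructed)"]]]}]},
 {"ldhName": "example.net", "status": ["active"],
  "entities": [{"roles": ["registrar"], "vcardArray":
    ["vcard", [["fn", {}, "text", "Registrar B (constructed)"]]]}]}
]""")

def registrar_name(rdap):
    """Return the vCard 'fn' of the entity holding the registrar role."""
    for entity in rdap.get("entities", []):
        if "registrar" in entity.get("roles", []):
            for prop in entity.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None

def audit(records):
    """Per domain: registrar, US-registry exposure, and any hold status."""
    report = []
    for rdap in records:
        name = rdap["ldhName"].lower()
        statuses = {s.lower() for s in rdap.get("status", [])}
        report.append({"domain": name, "registrar": registrar_name(rdap),
                       "us_registry": name.rsplit(".", 1)[-1] in US_OPERATED_TLDS,
                       "on_hold": sorted(statuses & HOLD_STATUSES)})
    return report

def findings(report):
    """Portfolio-level gaps measured against the tips in the article."""
    out = [f"{r['domain']}: withheld from DNS ({', '.join(r['on_hold'])})"
           for r in report if r["on_hold"]]
    out += [f"{r['domain']}: registrar not identified"
            for r in report if r["registrar"] is None]
    if all(r["us_registry"] for r in report):
        out.append("no backup domain outside com/net/org/biz")
    return out

if __name__ == "__main__":
    print("\n".join(findings(audit(SAMPLE))))
```

A hold status appearing on a name you did not put on hold yourself is the registry-side or registrar-side signature of the takedowns described earlier, so it is worth alerting on rather than checking by hand.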
Going forward, it is just a matter of time before the same technological-market forces that brought us Bitcoin will obviate a lot of this by eliminating a centralized DNS root (something I personally thought to be impossible until Bitcoin, and its blockchain ledger model, came along).
Namecoin and even Ethereum are in the early stages yet, but it is happening. Until these emergent forces become ready for prime-time, all the action will happen within the legacy naming systems and you'll have to keep your wits about you and partner with a clueful naming entity (registrars, DNS providers) to be able to navigate it.

"Mark Jeftovic is the CEO of easyDNS Technologies Inc. the Toronto-based domain registrar and DNS provider who lives by the credo "Power & Freedom™". In his copious spare time he blogs about anarcho-capitalism, bitcoin and tectonic shifts at Wealth.net and is the guitarist/singer for indie-rock sensations The Parkdale Hookers."
