[AfrICANN-discuss] The US DOJ Rogue Internet Pharmacy Settlement: Implications for Registrars

[Anne-Rachel Inné]

 The US DOJ Rogue Internet Pharmacy Settlement: Implications for
Registrars<http://www.circleid.com/posts/20110919_us_doj_rogue_internet_pharmacy_settlement_implications_registrars/>
By
*John Horton* <http://www.circleid.com/members/4747/>
http://www.circleid.com/posts/20110919_us_doj_rogue_internet_pharmacy_settlement_implications_registrars/

In the wake of Google's
settlement<http://www.justice.gov/usao/ri/news/2011/august2011/google.html>with
the Department of Justice for permitting advertising by illegal online
pharmacies, what are the legal implications for Domain Name Registrars and
ISPs in the US and elsewhere?

In short, if you're a Registrar or ISP, it's a new ballgame. Here's why it's
critical for you to steer clear of criminal and civil liability by making
sure your registration services aren't used by rogue online pharmacy
criminals. (And, here's how to do it.)

*Defining Internet Drug Dealers*

First, what is a "rogue Internet pharmacy"? The vast majority of websites
that facilitate the sale of prescription drugs are illegal: the National
Association of Boards of Pharmacy (NABP) has consistently found, as has
LegitScript <http://www.legitscript.com/>, that about 96% of all Internet
pharmacies<http://www.nabp.net/news/nabp-issues-rogue-online-pharmacy-public-health-alert/>don't
require a prescription, aren't appropriately licensed, and sell
unregulated drugs — that is, drugs that are not part of the "closed supply
chain" required by most countries' laws, thus raising the risk that the
drugs are counterfeit or adulterated.

In other words, these are Internet drug dealers. And, their websites are
dangerous.

A drug is classified as "prescription-only" for the simple reason that it
requires medical supervision to be used safely. Similarly, unregulated drugs
may be genuine or fake. LegitScript has received numerous reports of
individuals who have been hospitalized or sickened — or even died — as a
result of fake or counterfeit drugs shipped from rogue online pharmacies.

In contrast to other forms of cybercrime like phishing and identity theft,
online pharmaceutical crime is in a category of its own for a very simple
reason: victims can die.

*Welcome to the New Ballgame*
The Google-DOJ settlement signals changing expectations by law enforcement
as to how Internet platforms (ISPs, Registrars, payment service providers,
etc.) should respond when put on notice about rogue online pharmacies.

So what do Registrars need to know — and do?

Registrars that knowingly permit their registration services to be used by
rogue Internet pharmacies, including accepting registration or
re-registration fees for domain names that they have been put on notice are
being used in facilitation of illegal conduct, may be subject to criminal or
civil liability for facilitating and/or profiting from criminal activity.
For Registrars, reducing your liability and disallowing the use of your
services by these illegal websites means suspending and locking rogue online
pharmacy domain names once you are put on notice.

If you're an ICANN-accredited Registrar, you have the sanctioned ability,
and arguably responsibility, to do this. The Uniform Dispute Resolution
Policy <http://www.icann.org/en/udrp/udrp-policy-24oct99.htm> (UDRP), by
which all ICANN-accredited Registrars are bound, requires Registrars to
prohibit the use of their domain names in furtherance of unlawful activity
(see Paragraph 2). That's important because it gives Registrars the explicit
authority to suspend online pharmacies operating illegally. Indeed, as a
contractual matter, there's a solid argument that you're bound to act — not
ignore the notification.

But how far do you have to go? DOJ's recent actions signal an expectation
that online platforms will take "reasonable steps" to avoid facilitating
criminal activity — but that doesn't mean you have to be clairvoyant. After
all, no Registrar can know what every customer or website is doing. But if a
Registrar is put on notice by a credible source as to rogue online pharmacy
domain names using its registration services, a continued pattern of
non-responsiveness may be viewed as the turning of a blind eye to, or even
willfully profiting from, criminal behavior.

*A Letter to Registrars on Behalf of Regulators*

So what's a credible source of information, and how can you know if an
Internet pharmacy is legal or not? The NABP, which represents the government
agencies that license and regulate pharmacies in the US and elsewhere, has
issued a letter to
Registrars<http://www.legitscript.com/download/DNR-letter_10Feb2011.pdf>endorsing
LegitScript's listing of rogue online pharmacies as accurate and
reliable, and requesting that Registrars suspend and lock rogue online
pharmacy domain names LegitScript notifies Registrars about. LegitScript
currently offers this notification as a complimentary service, and regularly
submits information to several registrars including GoDaddy, eNom, Dynadot,
DomainContext, Directi and others.

*Liability may be Criminal...or Civil*

The risk of liability isn't just criminal — it's potentially civil as well.
One of these days, an enterprising civil attorney is going to ask if a
Registrar (who failed to act) was notified prior to her client's overdose or
wrongful death from drugs ordered online. In multiple cases, the answer
would be Yes. And it's not clear that the US Communications Decency Act
would protect a Registrar from a multi-million dollar wrongful-death claim.

*Locking, Not Transferring*

Most Registrars we work with on this issue typically suspend and lock the
domain names, effectively shutting down the website and killing the illegal
business. However, we've seen a few situations where a Registrar suspends
the domain name, then lets it transfer to another Registrar and continue
selling drugs. Could a Registrar who does this be criminally or civilly
liable?

Our answer is Yes, for several reasons. First, permitting the transfer to
another Registrar, when you are on notice of the website's illegal activity,
is an affirmative step that helps the criminal continue their behavior.
Second, Registrars can't claim that ICANN requires them to permit the
transfer: after all, most Registrars do NOT permit the transfer. And third,
of course, the legitimacy of an online pharmacy doesn't depend on where the
Registrar is; rather, the key question is what the website is doing. (Would
you permit a child pornography site's domain name to transfer?) A rogue
online pharmacy doesn't magically become safe by being transferred to an
"offshore" Registrar.

In an effort to get the Registrar to permit the transfer, we've seen it all
— bad-actor Registrants who promise to remove the content; provide a
(genuine) pharmacy license; or argue that they are in fact operating legally
where they are physically located, and don't need to adhere to the laws in
the jurisdictions where they are shipping the prescription drugs.

But remember, rogue online pharmacies are a multi-billion dollar business:
some affiliate pharmacy marketers pull
in<http://krebsonsecurity.com/2011/02/russian-cops-crash-pill-pusher-party/>five-
or even low-six-figures (USD) a month. They are highly motivated to
continue their illegal business: if they are willing to sell prescription
drugs without requiring a prescription, it should come as no surprise that
they'll be willing to lie about it. Moreover, a pharmacy license alone is
not proof of legitimacy: the drugs that these websites sell have to come
from somewhere, and an extra-jurisdictional (but real) pharmacy is often the
source — or pass through point. Put another way, "fake" online pharmacies
and "rogue" online pharmacies are different problems. The former just takes
your money and doesn't send you anything. The latter sends unregulated
medicines with or without a prescription, putting the customer's health at
risk.

*Wrapping It Up*

While it's true that Registrars and ISPs can't be expected to be the
"Internet police," the US Justice Department's recent actions indicate that
when it comes to illegal online pharmacies, Internet companies can't turn a
blind eye to criminals using their services. It doesn't mean that Registrars
need to monitor every single domain name, or be telepathic about what their
customers are doing. It does mean that they need to have clear policies and
procedures prohibiting illegal activity, and more than that, enforce those
policies.

If a Registrar or ISP is put on notice about such illegal websites, it
should take reasonable steps to enforce its Terms and Conditions and act in
accordance with ICANN's UDRP. In the online pharmacy sphere, where roughly
95% of websites are accurately described as criminal entities, this means
suspending and locking the domain name, not turning a blind eye to the
activity or facilitating the transfer of the domain name to another
Registrar.

*By John Horton <http://www.circleid.com/members/4747/>, President of
LegitScript. Visit the blog maintained by John Horton
here<http://www.legitscriptblog.com/>
.*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.afrinic.net/pipermail/africann/attachments/20110920/09126bed/attachment.htm