Note: This blog was originally posted on CircleID.com, a popular blog and forum dealing with Internet infrastructure.
In the wake of Google's settlement with the Department of Justice for permitting advertising by illegal online pharmacies, what are the legal implications for Domain Name Registrars and ISPs in the US and elsewhere?
In short, if you're a Registrar or ISP, it's a new ballgame. Here's why it's critical for you to steer clear of criminal and civil liability by making sure your registration services aren't used by rogue online pharmacy criminals. (And, here's how to do it.)
Defining Internet Drug Dealers
First, what is a "rogue Internet pharmacy"? The vast majority of websites that facilitate the sale of prescription drugs are illegal: the National Association of Boards of Pharmacy (NABP) has consistently found, as has LegitScript, that about 96% of all Internet pharmacies don't require a prescription, aren't appropriately licensed, and sell unregulated drugs — that is, drugs that are not part of the "closed supply chain" required by most countries' laws, thus raising the risk that the drugs are counterfeit or adulterated.
In other words, these are Internet drug dealers. And, their websites are dangerous.
A drug is classified as "prescription-only" for the simple reason that it requires medical supervision to be used safely. Similarly, unregulated drugs may be genuine or fake. LegitScript has received numerous reports of individuals who have been hospitalized or sickened — or even died — as a result of fake or counterfeit drugs shipped from rogue online pharmacies.
In contrast to other forms of cybercrime like phishing and identity theft, online pharmaceutical crime is in a category of its own for a very simple reason: victims can die.
Welcome to the New Ballgame
The Google-DOJ settlement signals changing expectations by law enforcement as to how Internet platforms (ISPs, Registrars, payment service providers, etc.) should respond when put on notice about rogue online pharmacies.
So what do Registrars need to know — and do?
Registrars that knowingly permit their registration services to be used by rogue Internet pharmacies, including accepting registration or re-registration fees for domain names that they have been put on notice are being used in facilitation of illegal conduct, may be subject to criminal or civil liability for facilitating and/or profiting from criminal activity. For Registrars, reducing your liability and disallowing the use of your services by these illegal websites means suspending and locking rogue online pharmacy domain names once you are put on notice.
If you're an ICANN-accredited Registrar, you have the sanctioned ability, and arguably responsibility, to do this. The Uniform Dispute Resolution Policy (UDRP), by which all ICANN-accredited Registrars are bound, requires Registrars to prohibit the use of their domain names in furtherance of unlawful activity (see Paragraph 2). That's important because it gives Registrars the explicit authority to suspend online pharmacies operating illegally. Indeed, as a contractual matter, there's a solid argument that you're bound to act — not ignore the notification.
But how far do you have to go? DOJ's recent actions signal an expectation that online platforms will take "reasonable steps" to avoid facilitating criminal activity — but that doesn't mean you have to be clairvoyant. After all, no Registrar can know what every customer or website is doing. But if a Registrar is put on notice by a credible source as to rogue online pharmacy domain names using its registration services, a continued pattern of non-responsiveness may be viewed as the turning of a blind eye to, or even willfully profiting from, criminal behavior.
A Letter to Registrars on Behalf of Regulators
So what's a credible source of information, and how can you know if an Internet pharmacy is legal or not? The NABP, which represents the government agencies that license and regulate pharmacies in the US and elsewhere, has issued a letter to Registrars endorsing LegitScript's listing of rogue online pharmacies as accurate and reliable, and requesting that Registrars suspend and lock rogue online pharmacy domain names LegitScript notifies Registrars about. LegitScript currently offers this notification as a complimentary service, and regularly submits information to several registrars including GoDaddy, eNom, Dynadot, DomainContext, Directi and others.
Liability may be Criminal...or Civil
The risk of liability isn't just criminal — it's potentially civil as well. One of these days, an enterprising civil attorney is going to ask if a Registrar (who failed to act) was notified prior to her client's overdose or wrongful death from drugs ordered online. In multiple cases, the answer would be Yes. And it's not clear that the US Communications Decency Act would protect a Registrar from a multi-million dollar wrongful-death claim.
Locking, Not Transferring
Most Registrars we work with on this issue typically suspend and lock the domain names, effectively shutting down the website and killing the illegal business. However, we've seen a few situations where a Registrar suspends the domain name, then lets it transfer to another Registrar and continue selling drugs. Could a Registrar who does this be criminally or civilly liable?
Our answer is Yes, for several reasons. First, permitting the transfer to another Registrar, when you are on notice of the website's illegal activity, is an affirmative step that helps the criminal continue their behavior. Second, Registrars can't claim that ICANN requires them to permit the transfer: after all, most Registrars do NOT permit the transfer. And third, of course, the legitimacy of an online pharmacy doesn't depend on where the Registrar is; rather, the key question is what the website is doing. (Would you permit a child pornography site's domain name to transfer?) A rogue online pharmacy doesn't magically become safe by being transferred to an "offshore" Registrar.
In an effort to get the Registrar to permit the transfer, we've seen it all — bad-actor Registrants who promise to remove the content; provide a (genuine) pharmacy license; or argue that they are in fact operating legally where they are physically located, and don't need to adhere to the laws in the jurisdictions where they are shipping the prescription drugs.
But remember, rogue online pharmacies are a multi-billion dollar business: some affiliate pharmacy marketers pull in five- or even low-six-figures (USD) a month. They are highly motivated to continue their illegal business: if they are willing to sell prescription drugs without requiring a prescription, it should come as no surprise that they'll be willing to lie about it. Moreover, a pharmacy license alone is not proof of legitimacy: the drugs that these websites sell have to come from somewhere, and an extra-jurisdictional (but real) pharmacy is often the source — or pass through point. Put another way, "fake" online pharmacies and "rogue" online pharmacies are different problems. The former just takes your money and doesn't send you anything. The latter sends unregulated medicines with or without a prescription, putting the customer's health at risk.
Wrapping It Up
While it's true that Registrars and ISPs can't be expected to be the "Internet police," the US Justice Department's recent actions indicate that when it comes to illegal online pharmacies, Internet companies can't turn a blind eye to criminals using their services. It doesn't mean that Registrars need to monitor every single domain name, or be telepathic about what their customers are doing. It does mean that they need to have clear policies and procedures prohibiting illegal activity, and more than that, enforce those policies.
If a Registrar or ISP is put on notice about such illegal websites, it should take reasonable steps to enforce its Terms and Conditions and act in accordance with ICANN's UDRP. In the online pharmacy sphere, where roughly 95% of websites are accurately described as criminal entities, this means suspending and locking the domain name, not turning a blind eye to the activity or facilitating the transfer of the domain name to another Registrar.