Monday, March 03, 2003

Police powers move into your browser

Police powers move into your browser
By Declan McCullagh
CNET News.com
March 3, 2003, 5:24 AM PT
URL: http://zdnet.com.com/2100-1107-990728.html

COMMENTARY--The U.S. Justice Department is experimenting with an Internet crime-fighting technique that raises novel legal, technical and privacy concerns.

The tactic: domain name forfeiture. In two separate cases last week, the Justice Department seized domains for Web sites that it claimed were engaging in illegal activity.

The first set of domains were allegedly used to sell drug paraphernalia such as bongs and marijuana cigarette holders. Now visitors to PipesForYou.com, 420now.com, OmniLounge.com and ColorChangingGlass.com are greeted by this hair-raising alert: "By application of the United States Drug Enforcement Administration, the Web site you are attempting to visit has been restrained by the United States District Court for the Western District of Pennsylvania."

The second case involved David Rocci's iSoNews.com, which he handed to the Feds as part of a plea bargain in which he admitted to selling illegal "mod" chips for Xbox and PlayStation game consoles. Rocci will be sentenced under the Digital Millennium Copyright Act (DMCA ) on March 7 before a federal judge in Alexandria, Va.

iSoNews.com now says: "The domain and Web site were surrendered to U.S. law enforcement pursuant to a federal prosecution and felony plea agreement for conspiracy to violate criminal copyright laws."

Because domain names can't be squeezed into traditional legal categories, a novel problem arises: They're not ordinary property like cars or boats, which can be seized and resold without worries. It's true that domains can be an instrumentality of a crime, but Web sites and mailing lists are also spots where people meet, chat and search for information--without expecting that ownership may switch hands silently and abruptly.

The Justice Department's privacy policy allows it to hand over information it collects from people visiting seized Web sites to "appropriate law enforcement officials" for criminal prosecution.
That's why we should think twice before applauding this trend in police power. One reason is that the Justice Department's privacy policy allows it to hand over information it collects from people visiting seized Web sites to "appropriate law enforcement officials" for criminal prosecution.

It's possible to imagine a scenario where an innocent Web visitor becomes unfairly targeted by the Feds. It's legal to browse the Web for information about illegal drugs and even legal to read about bypassing copy-protection technology (though under the DMCA, researchers writing such papers may have cause for concern). But in a newly security-conscious climate, the Justice Department may not be terribly sensitive to Americans' First Amendment rights and may assume the worst about visitors to its collection of seized domains.

What's more, the Justice Department is able to review the search terms that people type in before connecting to the seized site from search engines such as Google or AltaVista. That's because Web protocols pass the search terms to the destination site in the Referer: header.

A third problem with the Justice Department's tactic is that criminal defendants are innocent until proven guilty. While Rocci pleaded guilty to DMCA crimes, the people raided last week for selling "drug paraphernalia" online did not. But even if they're eventually acquitted by a jury, what value will their domain name have if it's been tarred by Justice Department ownership for the past few years?

A better solution: Simply yank the domain name. Do what frequently happens in civil lawsuits, which is to take the Web site offline temporarily and place the domain name in the custody of the court system.

This domain-forfeiture technique is not unique to the Justice Department. In December, according to a report by Nathan Cochrane in Australia's The Age newspaper, the Australian government seized a Web site that was selling bogus "purple plates" that purported to strengthen the human immune system.

Purple-Plates.com, the domain name in question, now sports a note saying: "This notice has been placed pursuant to an order of the Federal Court of Australia as a result of action taken by the Australian Competition and Consumer Commission pursuant to s.52 of the Trade Practices Act."

A federal sting operation?
What appears to be the first case of this sort arose in 1996, when the Cult Awareness Network--which warned of the dangers of unconventional religions--was sued into oblivion by the Church of Scientology. A bankruptcy court judge placed the group's assets including cultawarenessnetwork.org up for auction--and the winning bidder was--you guessed it--Scientology.

The disturbing thing is that it would be legal for the Justice Department to seize control of a purportedly illegal site and set up a sting operation tomorrow.
Mark Rasch, a former federal prosecutor who's a vice president at Solutionary in McLean, Va., represented Cult Awareness Network during its demise. After Scientology gained control of cultawarenessnetwork.org and promptly began reading e-mail sent to the old addresses, Rasch told me on Friday, "people thought they were communicating confidentially with an anti-cult group when they were talking with their enemies."

Now, let me be clear. That's not what the Justice Department is doing today. There are clear notices on the sites that the government seized last week. (Although e-mail sent to the postmasters and Webmasters is now read by the Justice Department.)

The disturbing thing is that it would be legal for the Justice Department to seize control of a purportedly illegal site and set up a sting operation tomorrow. In a landmark 1992 Supreme Court case, Jacobson v. U.S., the justices ruled that police may set traps for people who are already "independently predisposed to commit the crime." (A dissent went even further, saying the government could initiate contact with people who had no predisposition to break laws--a rule that would permit the FBI to spam Americans with enticements to commit crimes.)

"That would not be entrapment any more than a woman who's an undercover cop standing on 14th and W streets dressed as a hooker would constitute entrapment," said Rasch, talking about the kind of sting Web site that would be legal today. "You still have to go over to her and negotiate prices and services...(The Justice Department) could take over an Islamic foundation, keep the content the same, transfer the domain name to itself and keep on communicating with people without telling them they're talking with the government. It would be able to monitor communications on the site because it now owns it."

If the Justice Department's actions augur a law enforcement trend, an unintended consequence might be to drive possible targets to shift operations overseas. A Web site selling bongs and chillums may be unlawful in the United States, but a domain registrar in the relatively permissive Netherlands may not be eager to hand it to the Justice Department. (And there are always alternative root servers, which supplement existing top-level domains with a slew of extra ones such as .food, .xxx, and .kids.)

At least for now, though, there's good news for habitual readers of the seized iSoNews.com. In the last few days, after losing its domain name to the Justice Department, the Web site popped up again in a new spot: The aptly named StoleMy.com.

biography
Declan McCullagh is the Washington correspondent for CNET News.com, chronicling the ever-busier intersection between technology and politics. Before that, he worked for several years as Washington bureau chief for Wired News. He has also worked as a reporter for The Netly News, Time magazine and HotWired.