August 31, 2016

avatar

Spamhaus Tests U.S. Control Over Internet

In a move sure to rekindle debate over national control of the Internet, a US court may soon issue an order stripping London-based spamhaus.org of its Internet name.

Here’s the backstory. Spamhaus, an anti-spam organization headquartered in London, publishes ROKSO, the “Register of Known Spam Operations”. Many sites block email from ROKSO-listed sites, as an anti-spam tactic. A US company called e360 sued Spamhaus, claiming that Spamhaus had repeatedly and wrongly put e360 on the ROKSO, and asking the court to award monetary damages and issue an injunction ordering e360’s removal from ROKSO.

Spamhaus lost the case, apparently due to bad legal maneuvering. Faced with a U.S. lawsuit, Spamhaus had two choices: it could challenge the court’s jurisdiction over it, or it could accept jurisdiction and defend the case on the merits. It started to defend on the merits, but then switched strategies, declaring the court had no jurisdiction and refusing to participate in the proceedings. The court said that Spamhaus had accepted its jurisdiction, and it proceeded to issue a default judgment against Spamhaus, ordering it to pay $11.7M in damages (which it apparently can’t pay), and issuing an injunction ordering Spamhaus to (a) take e360 off ROKSO and keep it off, and (b) post a notice saying that previous listings of e360 had been erroneous.

Spamhaus has ignored the injunction. As I understand it, courts have broad authority to enforce their injunctions against noncompliant parties. In this case, the court is considering (but hasn’t yet issued) an order that would revoke Spamhaus’s use of the spamhaus.org name; the order would require ICANN and the Tucows domain name registry to shut off service for the spamhaus.org name, so that anybody trying to go to spamhaus.org would get a domain-not-found error. (ICANN says it’s up to Tucows to comply with any such order.)

There are several interesting questions here. (1) Is it appropriate under U.S. law for the judge to do this? (2) If the spamhaus.org is revoked, how will spamhaus and its users respond? (3) If U.S. judges can revoke domain name registrations, what are the international implications?

I’ll leave Question 1 for the lawyers to argue.

The other two questions are actually interrelated. Question 3 is about how much extra power (if any) the US has by virtue of history and of having ICANN, the central naming authority, within its borders. The relevance of any US power depends on whether affected parties could work around any assertion of US power, which gets us back to Question 2.

Suppose that spamhaus.org gets shut down. Spamhaus could respond by registering spamhaus.uk. Would the .uk registry, which is run or chartered by the UK government, comply with a US court order to remove Spamhaus’s registration? My guess would be no. But even if the .uk registry complied and removed spamhaus.uk, that decision would not depend on any special US relationship to ICANN.

The really sticky case would be a dispute over a valuable name in .com. Suppose a US court ordered ICANN to yank a prominent .com name belonging to a non-US company. ICANN could fight but being based in the US it would probably have to comply in the end. Such a decision, if seen as unfair outside the US, could trigger a sort of constitutional crisis for the Net. The result wouldn’t be pretty. As I’ve written before, ICANN is far from perfect but the alternatives could be a lot worse.

(via Slashdot)

Comments

  1. [The story is arguably a bit less significant the one might get from reading media reports – the following is a public mailing list message]

    Begin forwarded message:

    From: Jonathan Zittrain
    Date: October 8, 2006 5:05:04 PM EDT
    To:
    Subject: more on ICANN NOT ordered by Illinois court to suspend
    spamhaus.org

    Dave and IP,

    I don’t see cause for panic on the Spamhaus lawsuit.

    1/ The subject line of this thread is puzzling, since the document at

    is merely a proposed order, no doubt put forward by the plaintiff.
    The plaintiff is welcome to file proposed paperwork with the judge,
    but that doesn’t make it an order until the judge signs it.

    2/ An alert judge would not sign this document. There are specific
    state practices (and often statutes) about how default judgments are
    handled, and about how any sort of judgment translates into anything
    that binds a party outside of the case. For example, banks can
    sometimes be ministerially ordered to attach wages or seize accounts
    of people who owe money in lawsuits, or land can be auctioned. But
    something like a domain name is a far cry from a bank account or a
    house, and the registrar would have plenty to say about what to do
    with what is more a contractual relationship than a sum of money or a
    piece of real property.

    3/ If the judge isn’t alert and just signs, the registrar would have
    plenty of interventions to make if it chose — and indeed it may not
    even be under the jurisdiction of the court.

    There’s some chance this could turn out to be more than mildly
    interesting, but I don’t see any reason to think it’s some grave
    event for cyberspace. …JZ

  2. ;; QUESTION SECTION:
    ;spamhaus.org.uk. IN NS

    ;; ANSWER SECTION:
    spamhaus.org.uk. 172763 IN NS udns1.ultradns.net.
    spamhaus.org.uk. 172763 IN NS udns2.ultradns.net.
    spamhaus.org.uk. 172763 IN NS ns8.spamhaus.org.uk.
    spamhaus.org.uk. 172763 IN NS hq-ns.oarc.isc.org.

    ;; ADDITIONAL SECTION:
    ns8.spamhaus.org.uk. 172763 IN A 216.168.28.44
    hq-ns.oarc.isc.org. 3261 IN A 204.152.184.186
    udns1.ultradns.net. 172792 IN A 204.69.234.1
    udns2.ultradns.net. 172792 IN A 204.74.101.1

  3. avatar Ned Ulbricht says:

    Suppose a US court ordered ICANN to yank a prominent .com name belonging to a non-US company. ICANN could fight but being based in the US it would probably have to comply in the end. Such a decision, if seen as unfair outside the US, could trigger a sort of constitutional crisis for the Net.

    Comply with what? And how?

    Would the directors be permitted to resign first?

    ICANN’s “power”, such as it is, is the power of consent and pursuasion, flavored with massive inertia. The danger is that some judge might not recognize that.

    On the international scene, a US judge would gain more allies for the United States—and advance national interests further—by ordering the UN Security Council to make Kim Jong Il stop playing with his nuclear toys.

    In the arena of internet governance, there are, of course, nations diplomatically recognized by the United States, who might prefer more coercive control structures. We will listen to their views at the end of this month, in Athens.

  4. Ed, I’m afraid you’ve been misled here. The “power” of a court or government that is relevant here is not a power over ICANN, because ICANN lacks (and disclaims) the authority to order a registry to delete a particular name.

    But every registry is somewhere. And the courts/government of that country have the ordinary authority they have in any case (whatever it may be) to order the registry (directly) do things. The .org registry is based in the US, so it can be subject to (some) court orders…although as a non-party to this case it would be odd and unusual to order it do something without first bringing it into the case.

    The draft order is mostly wishful thinking on the part of the plaintiffs. At present, little more.

    This isn’t an ICANN issue. Fortunately.

  5. I think I would just start a second list of companies that had been legally declared to not be spammers, and publish in very much the same way that the spam list is published (in parallel). Surely, if the original list is machine-readable, shouldn’t the retraction also be machine-readable?

    This would comply with the letter and spirit of the law, and it is hardly spamhaus’s fault if their customers chose to treat these two legally very different lists as both containing spammers.

    I know this sounds over-cute, but if the list of “domains who have gone to the trouble of themselves legally declared not spam” is machine-readable, I cannot see how the owners of those domains can prevent people (writing programs for) reading that list from drawing their own conclusions, no matter what the label says.

  6. Dr2Chase, that is poetic justice. Even so, the fact that you have a poetic remedy to injustice does not absolve the judge of the grievous error that gives rise to it.

    So, who’s registering legallynotspamhaus.org ?

  7. Michael,

    If ICANN really lacks the ability and authority to remove a .org name — and you would know better than I whether it does — then you’re right that this is not an ICANN issue. But an order requiring the .org people to remove a name would have the a similar political effect.

    That the people running .org, and more importantly .com, are located in the U.S. is not a coincidence but follows from the history of U.S. control of the Net. If U.S. courts start ordering these registries around, international netizens will be unhappy and will agitate for some kind of change. If ICANN is unable to shelter .com names from the U.S. courts, this will be seen as an argument against ICANN.

  8. If I were running Spamhaus, I’d transfer the domain registration to another registrar in a jurisdiction less likely to comply with orders from US courts. However, ultimately the court could issue an order to the registry operator, Verisign, forcing them to drop the domain record.

    To my way of thinking, this case demonstrates the high risk of using an international registry that is subject to the legal jurisdiction of another country in which it will be very difficult and expensive to defend from lawsuits. I’m in the US, so I don’t mind using the international TLDs, but if I lived in another country I’d think twice about it.

    I think dr2chase’s suggestion is an excellent way of dealing with it. Note that Spamhaus would have to be very careful to never recommend to their customers to treat the proposed list as a blacklist, so that a court wouldn’t have any justification for ordering that an entry be deleted from that list as well.

  9. Ed – The change to deal with the problem, if problem it be, that .com-&-.org-are-in-the-US is simple and obvious: (1) either register in a ccTLD located in a nation’s whose laws you like better and/or (2) agitate for more gTLDs with geographic dispersion of the registries selected as one of the criteria. That will give consumers a chance to practice regulatory arbitrage by choosing which registry (legal system) they feel most comfortable with.

    More generally I want to push back on the claim that this is actually much of a problem at all. First, this situation exists at all because Spamhaus screwed up its own legal case by the numbers in a textbook fashion. So it’s not especially generalizable. Second, everyone, including registries, should be subject to some legal control somewhere. I support RBL lists as a concept, and I hope they find a home somewhere. Indeed, I think tha the US is a good home for them if they bother to turn up to court occasionally. But they’re subject to the same rules as the rest of us. I can live with that.

    [Incidentally, what’s wrong with arguments against ICANN? Did they suddenly start doing something good or useful while I wasn’t looking? I know they cost a lot more and now have over 70 staffers doing what Postell and Reynolds did in their spare time, but besides that…]

  10. Given, as ICANN has stated, that the registrar is the only party that can be compelled to revoke the domain name, and given that the location of Tucows is the following, the Illinois court does not have the necessary jurisdiction to shutdown Spamhaus.

    Tucows Inc.
    96 Mowat Avenue
    Toronto, ON
    Canada M6K 3M1
    Phone: +1 (416) 535-0123
    Fax: +1 (416) 531-5584

  11. I am from India and am shocked by this order. Which guy would want his terms on a “neutral” land to be dictated by a foreign power? Another case for moving doman management to UN/ITU. We can suffer the bureaucracy, but obeying laws of another country would be totally unacceptable.

  12. I think the statement that “it would be odd and unusual to order [the .org registry] do something [as a non-party to this case] without first bringing it into the case” could be confusing. Injunctions in federal court are issued under Federal Rule of Civil Procedure 65. FRCP 65(d) injunctions bind not only parties but “those persons in active concert or participation with them who receive actual notice of the order.” A domain name registrar falls within the scope of an injunction under FRCP 65. I’ve got a fuller writeup (with, you know, actual cites and links) here:
    http://eplaw.us/news/2006/10/13#spamhaus

    FWIW, I totally agree with the comments that Spamhaus’s particular case not being the “constitutional crisis” its been billed to be, and the various operators of the DNS system being subject to legal regulation somewhere. I’d go further and argue that the US isn’t a bad place to register a domain name (provided one respects trademarks and takes our legal system seriously): the US provides strong First Amendment protections and recognizes property rights in domain names.

  13. In response to Ned Ulbricht: As Taiwanese officials currently participate in ITU activities w.r.t mobile telecommunications, radio frequency allocation and the like, it seems unlikely that Taiwan would lose their domain name if the ITU held the non-national TLDs.

  14. avatar Ned Ulbricht says:

    [U]nless I misunderstand you, we do not disagree that ICANN really could go in and alter the root zone file (even though, again, the consequences might be very severe).

    ICANN has control over the IANA root zone file. But as a technical matter, the IANA root zone could easily cease to be the root zone for most of the world. ICANN does not have control over most named.conf files and other means of specifying root hints.

  15. avatar Wes Felter says:

    19 comments and no one has mentioned PIR. They are located in Reston, VA and could easily remove spamhaus.org with a minimum of collateral damage if ordered.

  16. What is PIR?

  17. avatar T de Hoogh says:

    Spamhaus may have screwed up their case in court but that doesn’t dismiss a judge from considering cause and consequence or proportionality

    It would be interesting to see Spamhaus come to a standstill and the Internet overwhelmed with UCE. In no time others like SORBS or Spamcop would be challenged in court by other Spammers. Normal Internet-trade would halt and the US economy could go bankrupt.

  18. In regards to the blog article I think the bigger question is who should have the authority to manage internet wrong doings. Currently it seems like a US court has authority over US registries and Canada courts has authority over their registries, and so on and so forth. Correct me if I am wrong, but that seems to be the case. Well, ICANN is not a domain registry but rather the one who keeps the domain names in order and they serve the global community, they should not have to delete any domain names -it isn’t their job.

    In which case still begs the question of who’s job or authority should it belong to? There should be some sort of global internet code/governance kind of like the WTO where matters like E360 and Spamhaus can take their issues to. I know that we are from it and probably never reach that day but it is a rising concern when there are more than one country involved on internet issues and more than one country’s law or authorities to follow.

  19. avatar Ned Ulbricht says:

    ICANN Announcement (19 Oct 2006):

    Spamhaus Litigation Update – Court Declines to Issue Order Against ICANN or Tucows

    On 19 October 2006, United States District Court Judge Charles P. Kocoras, presiding over the e360Insight v. The Spamhaus Project matter in the Northern District of Illinois, issued an order denying e360Insight’s (“e360”) motion asking the Court to, among other things, suspend http://www.spamhaus.org. […]

    From Judge Kocoras’ order
    denying, without prejudice, plaintiff’s motion for a rule to show cause:

    The proposed order is limited to only the first remedy, suspension of the domain name by The Internet Corporation for Assigned Names and Numbers (“ICANN”), the entity responsible for coordinating unique identifiers used for Internet communication, or Tucows, Inc., the registrar through which Spamhaus obtained its domain name. Neither of these outfits are parties to this case. Though more circumscribed than the preceding request, this relief is still too broad to be warranted in this case. […] While we will not condone or tolerate noncompliance with a valid order of this court, neither will we impose a sanction that does not correspond to the gravity of the offending conduct.

    (Hat tip / MerciDomain Name / Nom de domaine !)

  20. avatar graham, seattle says:

    I think spamhaus should be shut down. I have had personal email bounced by being on one of their bullshit lists. Would we allow a bunch of self appointed vigilantes to tamper with our physical mail? spamhaus is a bunch of arrogant arseholes that should be sued into oblivion.

  21. fuck spam haus, they are the reason home users get their e-mail blocked on all dynamic ip’s

    Then you get to pay 120 bucks for 1 static ip from comcast on their business account for 356k-512k upload max in our area…..PORTLAND OR

    FUCK YOU SPAMHAUS and the bullcrap isps who use this bull shit filter.

    Stupid fucking a holes

    think how many e-mails you DONT get from home users who get pissed off and dont copy/paste the e-mail to their web interface and resend to you

    MILLIONS of product inquiry e-mails are blocked by these guys and people without tech experience or some with like me who just get pissed off DONT resend our e-mail to your stupid business and you lose money

    FUCK YOU AGAIN SPAM HAUS AND YOU IDIOTS WHO SUPPORT THEM AND USE THEIR FREE SERVICE

  22. Pay a fucking system admin to block this shit

    you cut corners with these stupid companies, fire your IT guys then lose even more money because NO HOME USERS SEND YOU E-MAILS AND THEN THEY DRIVE TO WALLMART YOU GOD DAMN IDIOTS

    GUESS WHO BUYS YOUR STUFF OVER THE INTERNET

    HOME USERS

  23. Yep I was going to buy from 2 local memory foam dealers and when my e-mails were bounced by spam haus, I got upset, I didnt resent my e-mails through the web interface because I was pissed and bought from AMAZON and Overstock. I was very happy with amazon and pretty happy with overstock, watch out for auctions on both sites, you will get ripped.

    I sure would have liked to purchase from local dealers but my dyanamic ip was auto blocked by spam hause in the middle of a 3 year contract with qwest.

    Before outlook sent/received fine. My host Go daddy doesnt allow the settings to bypass their filter from home.
    No host does.

  24. Your home business is fucked if you allow this to continue and get confused and misled by their BS logic like they block 90% of spam but for some reason have to block ALL dynamic ips to do so……..WOW get FUCKED

  25. Thier grandson set up the internet and they cant fix it, help spamhaus blocked me so I cant shop for sheets online!

    Sounds like a stupid argument but think how much internet business you lose from these guys.

  26. Someone please make a law suit over the complete dynamic ip blocking of home users who dont have tech experience to get around the filters or hosts which allow them to change the correct settings.

    In the name of millions of home e-mails being blocked that are costing a lot of money for business, plus adding to the loss of IT jobs, plus monopoly with isps to force insane business account prices for home users.

    There is plenty of evidence and its simple to explain, all the defense about home users upgrading or changing settings simply proves spamhaus is doing something wrong.

    The bullshit cases need to be done out with and the main problem needs to be addressed.

    Let them block spammers with a list thats fine, STOP THEM from blocking all home dynamic isps in conjunction with our isps with monopolistic type business practices.

    SOMEONE please read this and file an ACTUAL law suit that has a chance in hell of working and clears all the other bull crap law suits up.

    • Here is my e-mail if anyone with actual power to confront spamhaus reads this, unlikely on the internet but who knows.

  27. oh sorry I cant reply my e-mail is blocked by spamhaus

  28. Also this is regarding their PBL block list not their BLACK list SBL which is fine.

  29. Direct from spamhaus website

    YOU NEED TO TURN ON ‘SMTP AUTHENTICATION

    GO DADDY DOES NOT ALLOW THIS FOR HOME USERS GOOD LUCK FINDING ONE WHO DOES ALLOW SMTP ON AT HOME

    YOUR OUTLOOK IS NOW FUCKED HOME USERS WITH DYNAMIC ISPS ON QWEST

    YOU HAVE TO PAY 100 + US per MONTH FROM YOUR ISP FIRST THEN MORE FROM YOUR HOST

  30. I’m dropping QWEST AND GO DADDY Hosting

  31. avatar Anonymous says:

    The very last person that does this for free is gmail.

    They let you have all features you need for free to set up outlook, unlike yahoo mail and many others.

    Once g-mail changes their allowed settings on free accounts, im screwed.