tldr:
- PIPCU (Police Intellectual Property Crime Unit (PIPCU) is a department of the City of London Police) is enabled by Nominet to suspend domains which are criminal.
- Nominet relies on PIPCU having a sound legal basis on which suspensions are actioned.
- PIPCU was asked to provide some transparency in their suspensions and the policy it uses to ensure everything is sound.
- PIPCU confirmed and provided a link to its formal domain suspension policy.
- PIPCU believes it not in the public interest to know what domains it has suspended and for what reason.
request:
Dear City of London Police,
Regarding the actions (herein defined as redirection-suspension) outlined:
https://www.nominet.uk/nominet-and-pipcu…
https://www.nominet.uk/law-enforcement-a…
Please provide any/all documentation held in any format in relation to:
1) The process undertaken to assess and classify websites and their content as breaking a law and under which laws PIPCU will seek to have a domain name redirection-suspension.
2) The process undertaken to assess and classify domain names and their DNS records as breaking a law and under which laws PIPCU will seek to have a domain name subject to redirection-suspension.
3) The process undertaken to ensure that a domain name whose partial content is assessed as breaking the law does not through redirection-suspension result in other legal content as becoming unavailable (for example criminality on a specific sub-domain and legality on a different sub-domain, under the same domain).
4) The process through which PIPCU communicates with Nominet to redirect a domain name, what contracts exists for the purpose, and what if any protections have been put in place to protect Nominet.
5) What judicial oversight, transparency and right to redress is built into in the above processes (if not defined within the process documentation themselves).
6) What information is collected or provided to PIPCU in relation to visits to / activity surrounding the domain names prior to redirection-suspension.
7) What information is collected or provided to PIPCU in relation to visits to / activity surrounding the domain names post the redirection-suspension.
8) Data Protection Impact Assessment in relation to the transfer of information relating to redirected domain visitor data being transferred between PIPCU <> Nominet and Cloudflare US <> Nominet <> PIPCU.
9) Specific list of domain names redirected thus far and for each of these the requesting commercial entity, the reason for redirection-suspension, the statistics gathered from the redirection-suspension and if any redirection-suspension decisions have been reversed.
Yours faithfully,
response:
REQUEST FOR INFORMATION REF: FOI2020/01321
I write in connection with your request for information dated 9th December in which you seek access to the information stated:
1) The process undertaken to assess and classify websites and their content as breaking a law and under which laws PIPCU will seek to have a domain name redirection-suspension.
2) The process undertaken to assess and classify domain names and their DNS records as breaking a law and under which laws PIPCU will seek to have a domain name subject to redirection-suspension.
3) The process undertaken to ensure that a domain name whose partial content is assessed as breaking the law does not through redirection-suspension result in other legal content as becoming unavailable (for example criminality on a specific sub-domain and legality on a different sub-domain, under the same domain).
4) The process through which PIPCU communicates with Nominet to redirect a domain name, what contracts exists for the purpose, and what if any protections have been put in place to protect Nominet.
5) What judicial oversight, transparency and right to redress is built into in the above processes (if not defined within the process documentation themselves).
6) What information is collected or provided to PIPCU in relation to visits to / activity surrounding the domain names prior to redirection-suspension.
7) What information is collected or provided to PIPCU in relation to visits to / activity surrounding the domain names post the redirection-suspension.
8) Data Protection Impact Assessment in relation to the transfer of information relating to redirected domain visitor data being transferred between PIPCU <> Nominet and Cloudflare US <> Nominet <> PIPCU.
9) Specific list of domain names redirected thus far and for each of these the requesting commercial entity, the reason for redirection-suspension, the statistics gathered from the redirection-suspension and if any redirection-suspension decisions have been reversed.
Please accept this letter as an acknowledgement of receipt of your request, which has been considered under the Freedom of Information Act 2000 (the Act). (FOIA)DECISION
I have today decided to disclose the located information to you.
1. PIPCU uses two key elements to assist the suspension of domains used in a crime.Criminal Activity: PIPCU undertakes responsibility for the prevention, investigation, detection, and prosecution of criminal offences, including the safeguarding against any threat to public security. Should any domain be found committing unlawful activity contrary to United Kingdom legislation, the PIPCU will certify suspension.
Compromised domains and websites used for criminal purposes:
The PIPCU will also take action to suspend domains where we have reason to believe a domain has been compromised without the original owner’s knowledge. The suspension is solely carried out to protect the original domain owners and members of the public from detrimental reputational and financial harm both to themselves and/or their business. In such cases, the PIPCU will look to carry out remedial action with the original domain owner so any compromise can be rectified, such as the removal of unauthorised Unique Resource Locators (URL’s).2. Evidence – Obtaining evidential statements in writing from brand representatives confirming infringements.Intelligence – Gathering data relating to linked entities and organised crime groups, by means of network analysis, patterns, behaviours and platforms being used. .
False Registry – Domains registered using details stolen from other persons, by means of crime.In the policy.
https://www.cityoflondon.police.uk/SysSiteAssets/media/images/city-of-london/about-us/pipcu/pipcu—website-domain-suspension-policy–counterfeit-goods-.uk.pdfThe redirection/suspension is a process carried out by Nominet now incorporated in their terms and conditions. There is no law used by PIPCU to demand any redirection.
3. This has only been discovered where there has been a compromise on a website and there has been an injection of a HTML page somewhere on the site, or the seller is using an online platform, where sub-domains are used at the beginning of the site to uniquely identify the shop.In these cases, if identified, action will not be taken to suspend the site, unless we believe that there is a serious risk of harm to the site owners themselves.
In these instances, a suspension notice will be sent to them informing of the infringement, with a request to contact PIPCU.
No sites have been redirected in these instances.
4. Communication is by email along with personal contact where required. We comply with Nominet terms and conditions. No contract exists between Nominet and CoLP. 5. Defined in the process documentation (there is no specific judicial oversight of this process) 6. None 7. None 8. No personal information, exchange of visitor data, or monitoring of such data is monitored PIPCU at this time. 9. Specific list of domain names redirected: I would argue that this should not be released on the basis that the sites were created for criminal purposes and are suspended for a time-limited period. Releasing the list could result in OCG’s becoming aware of sites whose suspensions are about to come to an end, enabling them to be re-registered and used again for criminal purposes. This has been the subject of much discussion over a long period of time and in essence we believe that the list and the relevant information belongs to Nominet – it is therefore their decision.Decisions reversed: None.
Requesting commercial entity: I would argue that we should not disclose this information under FOI as it would involve releasing the details of organisations who have had their intellectual property compromised and have reported this to the police. This would be akin to releasing the details of people/organisations who have been the victims of crime.
Statistics gathered: PIPCU does collate any statistics from the redirection/suspension (i.e. visitor numbers) at this time.
Reasoning: Section 2 of the Fraud Act 2006 – Fraud by false representation
Section 92(1) of the Trade Marks Act 1994In keeping with the Freedom of Information Act, we assume that all information can be released to the public unless it is exempt. In line with normal practice we are therefore releasing the information which you requested, via the City of London Police website.
I hope that this information meets your requirements. I would like to assure you that we have provided you with all relevant information that the City of London Police holds.
The City of London Police is responsible for an extremely small part of London, comprising of the financial square mile in the centre of the City. The resident population is also extremely small, comprising of fewer than 9,000 individuals.
If you are dissatisfied with the handling of your request, or the decision which has been reached, you have the right to ask for an internal review. Internal review requests must be submitted within two months of the date of this response and should be addressed to:
Freedom of Information
Information Management Services
Bishopsgate Police Station
182 Bishopsgate
EC2M 4NP
E-mail: [email protected]Please mark your complaint clearly and remember to quote the reference number in all correspondence. You have the right to ask the Information Commissioner (ICO) to investigate any aspect of your complaint. However, please note that the ICO is likely to expect internal complaints procedures to have been exhausted before beginning his investigation.
Thank you for your interest in the City of London Police.