Last week, The Wall Street Journal detailed the challenges that drug safety authorities like the FDA face when tackling the illegal and unsafe distribution of prescription medicines via the Internet. The WSJ analysis discussed role of the Internet Corporation for Assigned Names and Numbers (ICANN) as accreditor of domain name registrars, and noted ICANN's response, or lack thereof, to registrars who permit the use of their services by rogue Internet pharmacies.
The article was implicitly critical of what was portrayed as ICANN's anemic response to registrars. One example in the WSJ article was China-based BizCN, which reportedly failed to act on complaints about websites used to illegally sell prescription drugs. The article's implied conclusion was that ICANN should do more.
In response, a number of blog posts or comments on the article have decried "Internet censorship," accused the WSJ of having an anti-ICANN bias, or applauded registrars (such as BizCN) for pushing back by insisting on a court order prior to shutting down illegal online pharmacies. Do those criticisms have merit?
Rogue Internet Pharmacies and Domain Name Registrars
Online prescription drug sales are big business: my company, LegitScript, estimates that there are roughly 35,000 online pharmacies at any one time, and IMS Health estimates prescription drug sales overall total nearly one trillion USD worldwide. Nobody knows the size of the online drug market, but estimates range from $10 billion to $100 billion. Either way, it's a lot.
Unfortunately, the most salient feature of the global Internet pharmacy market is its dirtiness. Both LegitScript and the National Association of Boards of Pharmacy reckon that over 95% of Internet pharmacies operate illegally, by 1) selling substandard prescription drugs 2) without a valid prescription or 3) without a valid pharmacy license. The consequences can be serious: the WSJ cited as an example airmailchemist.com, which was shut down following a customer's death and the FDA's subsequent notification to the registrar.
So who is supposed to "do something" about this problem? The FDA? ICANN? Or someone else?
It's not quite right to say that ICANN "governs" the Internet: after all, it doesn't turn websites on and off. Think of it this way: in order to get a website name (like "legitscript.com" or "huffingtonpost.com") you have to go to a domain name registrar, and for most types of website names, like those that end in .COM, the registrar has to be accredited by ICANN.
The most recent accreditation agreement requires a registrar to investigate, and take reasonable action, if a website is allegedly used for illegal purposes. This loose contractual structure is designed to give someone (registrars) the ability to "do something" about child pornography, fake prescription drug sales, and other dangerous and illegal activity. And if registrars don't investigate and respond appropriately to the complaint, ICANN is supposed to "do something" about those registrars.
In that way, it's less accurate to think of ICANN as the Internet police, and more accurate to think of it as the body that is supposed to keep domain name registrars honest, if necessary, by holding the registrar in breach or terminating the accreditation.
With that as background, let's take a look at BizCN, the domain name registrar that was referenced in the WSJ story.
Thinking Like a Criminal: Choose Your Registrar Wisely, Part I
Rogue Internet pharmacy operators are, if nothing else, rational economic actors: knowing that most registrars voluntarily suspend domain names used for illegal prescription drug sales, a rogue Internet pharmacy operator will often choose a registrar who will protect his or her domain name, especially in the face of complaints from anti-abuse advocates or law enforcement.
The WSJ noted that China-based BizCN has been one of a handful of registrars that has consistently ignored complaints from law enforcement and anti-abuse organizations. In fact, since 2010, LegitScript has emailed BizCN over 30 times about rogue Internet pharmacies on its platform, with nearly all of our abuse complaints ignored. According to the WSJ, when the FDA went to BizCN to notify them about rogue Internet pharmacies it was sponsoring, BizCN demanded a court order -- a fact that one blog, TechDirt, lauded as an appropriate response.
But did TechDirt have all of the facts? As we explained in more detail in an investigative blog, the head of BizCN's abuse department (responsible for responding to complaints about illegal online pharmacies) had been running a separate website that marketed BizCN in "black hat" forums as a safe place for illicit Internet pharmacies, all the while claiming that he couldn't do anything about those very rogue Internet pharmacies he was recruiting.
Thinking Like a Criminal: Choose Your Registrar Wisely, Part II
But, as TechDirt argues, why couldn't the FDA just get a court order to close the websites registered at BizCN anyway? (TechDirt's Mike Masnick bylines his blog on the WSJ article the "what's-wrong-with-a-court-order dept.") Let's answer that question in detail, first noting that ICANN disagrees with TechDirt on this.
If you are using a website to illegally sell drugs into one country, it is important to choose a registrar in another country where you aren't shipping the drugs. Why? Simple: so that the courts in the registrar's country never have a basis to issue an order and close your website. After all, a registrar in one country doesn't have to follow a court order issued by a judge in another country. In this way, the rogue Internet pharmacies that were registered with China-based BizCN weren't selling drugs in China; rather, they were targeting the US, EU and other locations. As a result, it's not that the online pharmacies were legal in China; rather, Chinese laws simply aren't relevant to the analysis.
And that's why the endless braying about "get a court order" is intellectually lazy: tweet-sized solutions to complex problems usually aren't really a solution at all. Last we checked, the Internet is multi-jurisdictional (or, perhaps, "jurisdiction-less"), and the easiest thing in the world for a rogue Internet pharmacy operator to do is to select a registrar in a jurisdiction where they aren't shipping drugs to, making a court order from that jurisdiction impossible for anyone to get.
Where ICANN Comes In
The point of the WSJ story, as I read it, was to show how ICANN's compliance process is, or isn't, holding rogue registrars accountable. In some cases, the process works: LegitScript submitted over 2,500 rogue Internet pharmacies to TodayNIC, another China-based registrar; the registrar failed to act; ICANN issued a finding of a breach; and most of the websites are now offline. That's a recent success story, and I think it's to ICANN's credit.
In other cases, however, registrars have been allowed by ICANN to leave the rogue Internet pharmacies operating, including in one case where the registrar told us that it would not take action against the illegal websites because "from the business wise, it could be millions of dollar losses (sic)." These were websites selling prescription drugs, including controlled substances and drugs unapproved for sale, without a prescription or valid pharmacy license.
Ultimately, an important reason for ICANN's existence is to to support the Internet's stability and security by giving the World Wide Web some sort of contractual structure. One of the ongoing challenges related to cybercrime is the emergence of "safe haven" domain name registrars -- the clustering of illegal or fraudulent websites at a small number of registrars who the bad actors know will tolerate, shield and happily profit from such activity. Any response to this problem has to recognize that the notion that court orders can have any effectiveness in a jurisdiction-less Internet is so...well, so 1990's.
And that, I think, was the point of the WSJ's story: if ICANN doesn't keep its accredited registrars honest, then who will?