Be Careful in Choosing Internet Providers -- Will They Defend Your Privacy? (Consumer Law & Policy Blog)

by Paul Alan Levy

Public Citizen jumped into a case where a federal judge in San Francisco tried, albeit without success, to shut down the entire Wikileaks web site, based on a claim by a Swiss bank that among the leaked documents posted on Wikileaks were some highly sensitive documents revealing private customer information. (Wikileaks "invites people to post leaked materials with the goal of discouraging 'unethical behavior' by corporations and governments." A New York Times editorial denouncing the order is here). The case raises very serious issues about the First Amendment and prior restraint, which deeply affects consumers. It also affects groups like Public Citizen, which depends on access to leaked documents to better advocate for consumer safety and other rights. A discussion of how leaked information can be used to protect consumers appears in the first few pages of our motion to intervene in the case. Access to the affidavits described in the brief is here.

In our brief, though, we focused instead on the lack of “complete diversity” because there are subjects of foreign states on both sides of the case -- the Swiss bank on one side, and on the other side a Swiss former employee who took the documents when he left the company and Wikileaks, many of whose members are abroad. In addition, we point out that the main cause of action on which the bank relied, section 17200 of the California Business and Professions Code, applies only to unfair or unlawful "business practices" and hence does not apply to completely non-commercial web sites like Wikileaks. Others, including the ACLU and EFF, and a coalition of media organizations, have filed briefs addressing the First Amendment issues.

There is another serious consumer issue here that has received too little attention. The judge entered two separate orders. Although we have no way of knowing what the judge would have done without a stipulation, the broadest of the orders in the case was entered as a permanent injunction, without any findings of wrongdoing or basis for the order, that was submitted to the judge by the plaintiffs with the agreement of Dynadot, the domain name registrar. So far as I can tell, Dynadot simply rolled over, apparently to avoid having to defend against the relief that the bank was seeking. And that, to my mind, poses a significant consumer issue concerning the extent to which Internet providers protect their customers’ rights, and the considerations for consumers in choosing their Internet providers.

What Dynadot Agreed

One of the orders simply enjoined Wikileaks from posting the bank's documents on the Internet. A second order, however, compelled Dynadot, through which Wikileaks had registered the domain name wikileaks.org, to freeze the domain name wikileaks.org (so that it could not be moved to a different registrar) and disabled the name so that it could not refer to anything more than a blank page. This permanent injunction, which was submitted with the consent of the domain name registrar, would if successful have prevented public access to ANY of the documents or comments on documents that appear on wikileaks.org. (In fact, the order was unsuccessful because the foreign Wikileaks sites, which carry the same information, were unaffected).

Dynadot gave the judge a stipulation that got it dismissed from the case, saving it from further legal fees. Attached to that stipulation was an order that Dynadot “disable” the domain name and prevent it from referring to anything more than a blank page. Any judge receiving this stipulation and order would assume that Dynadot was agreeing to this order.

Should Dynadot Have Rolled Over So Easily?

This need not have been an expensive issue to fight. Under two different lines of federal court cases, each well accepted in the Ninth Circuit, Dynadot was immune from liability for what its customers do with the domain names that they register, and it was up to Dynadot to raise that immunity. (Although when I talked to Dynadot’s lawyer it was not clear that he was aware of the relevant cases). It could also have pointed out, as we did in the brief that we filed yesterday, that the Court had no jurisdiction of the case. We learn about the requirement of “complete diversity” in the first year of law school.

Wired recently carried a story quoting a press release from Dynadot in which it tries to avoid the calumny that it deserves from the Internet community. Specifically, Dynadot claims that it never agreed to the part of the injunction that makes wikileaks.org refer to a blank page.

I called Dynadot’s lawyer in surprise; he articulated a tricky reading of the language of the stipulation showing that Dynadot did not agree to some parts of the order that was being attached for the judge to sign; in fact, he told me, Dynadot specifically told the judge orally that it was not agreeing to the order itself, and especially to the provision taking down the web site. He said that this would appear in a transcript of the meeting with the judge. But there is no transcript on the court’s PACER site open to the public. Perhaps Dynadot can furnish one.

One may well feel sorry for a small domain name seller that got caught up in a huge case. But one reason that Internet users go to companies like Dynadot is to preserve their privacy, and when that privacy gets challenged it would seem to be at least implicit in the mutual expectations of the parties to that relationship that the registrar will not simply roll over. I want to be clear -- I assume that Dynadot's terms of service leave it free to do whatever it wants, so that, I rather expect, Wikileaks cannot sue them for rolling over (assuming that the Wikileaks community is itself coherent enough as an entity to sue anybody, itself a dubious proposition). But the fact that Dynadot would not be liable doesn't mean that it should roll over.

Dynadot cannot unring the bell. But one thing it could do is appear in court at the hearing on Friday morning and tell the judge what it wants to tell the world in its press release -- that it thinks the order against it was wrong, and that it wants that order revoked.

Consumers Beware in Choosing Internet Providers

When choosing an Internet Service Provider, a web site host, or a domain name registrar that promises privacy, Internet users should pay attention not just to the big print promises, and not just to the fine print in the Terms of Service, although that can be significant. Consumers should try to get a line also on how fiercely a given provider fights for its customers’ rights.

For example, Greg Beck and I have been critical of Domains by Proxy and Go Daddy which are often, in our view, too quick to give up their customers’ privacy, or too quick to take down web sites in response to challenge. See here, here, and here for example. Their record sometimes improves in response to public criticism, and sometimes they backslide.

Right now, Dynadot deserves criticism, and consumers should consider whether to use it in the future.

Comments

I agree that domain registrars should be aggressive in protecting customer privacy agreements, but always obey court orders to divulge the owner's identity when necessary to pursue a civil or criminal matter.

I think the much bigger issue here is the basis for requesting the identity of the domain owner. I think the Swiss bank was absolutely right in being defensive of sensitive, confidential data that might harm its customers if made public. The problem with Wikileaks service is that it is possibly inciting at least a portion of its customer base (i.e., "contributors") to break the law (hack, invade privacy) to obtain "content" for upload.

An opposing argument is that the fair use doctrine would defend Wikileaks position, as long as there was lack of sufficient eveidence by the claimant (the Swiss bank) that the percentage of information illegally pilfered as a direct result of the opportunity to post to Wikileaks was higher than a de minimus level.

The bottom line is that if the Swiss Bank cannot at least obtain access to Wikileaks customer base and find out who uploaded what, it has no opportunity of finding out whether or not the fair use doctrine applies. It is on this basis (reasonable cause) that I support the position of the Swiss bank. This point notwithstanding, the domain registrar should refuse to divulge the domain owner's bona fides until a court order is delivered.

Posted by: Stewart Engelman DNI Services | Tuesday, November 03, 2009 at 01:38 AM