Why IIS is not the internet police

I don’t think a week has gone by that I don’t have to explain at least once why IIS is unable to act against websites that are suspected of dishonest or illegal activity. This happens in all our contacts with individual consumers, businesses and authorities.

But since The Swedish Trade’s (Svensk Handel) head of security recently argued on Twitter that IIS should do more than we do, I thought I would clear this up by talking about addressing and content a little more thoroughly.

We start with the first little bump that we need to go over, which goes something like:

  1. “–I don’t get it, domain name and website, it’s the same thing!”

No, it’s not. Domain names are only signposts (aliases) that help visitors find web content / sites / pages. In reality, our computers reach each other through IP addresses that tell where they are, but since people, as a rule, remember words better than number combinations, DNS, the Domain Name System, was created to translate domain names to IP addresses.

For example, iis.se is only an alias or signpost to the IP address 91.226.37.214, which is the IPv4 address for this website, and even if the address iis.se should disappear, the website would still be there. To make it even more complicated, there is no limit to how many “aliases” a website can have; for example, visit nic.se, nic-se.se or why not iis.nu. Anyone can link their domain name to someone else’s website without their knowledge. One example is hjalpa.nu.

For those who want to learn more about domain names or how DNS (the Domain Name System) works, we have two very good guides: Domännamn and DNS – internets vägvisare.

  2. IIS and the law

IIS is the domain name registry for all registered domain names that end with .se or .nu (which are so-called country top-level domains for Sweden and the tiny island nation of Niue). The Conditions of Registration differ a bit between the two, but for .se, IIS is subject to a special Swedish law called “The Top-Level Domain Act” (SFS 2006:24) which it must follow. PTS, the Swedish National Post and Telecom Agency, is responsible for making sure that we follow the law.

In addition, IIS must take the Personal Data Act into account, which means that IIS is unable to display the personal data of holders who are either individuals or sole proprietorships via the contact information on iis.se.

IIS in turn works through retail channels, or registrars, as our accredited partners are called. Often this is a web hotel that also provides other services such as web space and email. But a partner can also be a simple domain name registry service, or a law firm that protects its clients’ brands, for example. These registrars are located around the world, and as of this writing there are 147 .se registrars in 13 countries and 88 .nu registrars in 13 countries.

It is through these registrars that customers register their domain names and become holders (also called registrants) of the domain name. It is here that conditions are accepted and agreements concluded between the registrar (partner) and the registrant (holder). At the same time as the registrar registers the domain name, the data is sent to IIS, which records it in the database of holders. This makes IIS the register holder for .se domains in the same way that the Swedish Companies Registration Office (Bolagsverket) is the register of company names and the Swedish Transport Agency (Transportstyrelsen) is the register of vehicle registration numbers.

  3. “–But, the name of the holder is on the fraudulent webpage!”

So, we have a holder of a domain name. The holder has the freedom to use their registered domain name in the manner they find appropriate, but it is also their responsibility, because Swedish law applies on the internet just as it does outside it (where it is applicable). But does this mean that the holder of the domain name needs to be the same as the owner of the webpage content? No, not at all. A holder can rent out a domain name, or can be registered as a private person while the content is operated by a corporation or another person, or vice versa.

In my role as abuse manager at IIS, I get cases that involve the sale of counterfeit drugs or clothing, sale of narcotics, image and text theft, defamation and slander, weapon sales and hate crimes, stolen goods and spam, trojan and virus spreading, phishing and smishing, identity theft, fraud and much, much more, of varying severity.

But there are things that can and should be mentioned. Say, for example, that anytrademarkoutlet.se leads to a page that has many complaints for taking orders and payments for attractive tech gadgets without delivering them. Then it is not the address that is fraudulent, but the webpage content.

As I showed earlier, content doesn’t disappear when you take down an address sign; it’s just quickly replaced by anytrademark-outlet.se, any-trademarkoutlet.se or why not anytrademarkoutlet2.se.
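The point above, modelled as an added example that is not part of the original post: removing one name from a set of records leaves the content reachable under its other names, and an abuse desk can cluster such re-registrations by normalising the label. The addresses (RFC 5737 documentation range), `unrelated-shop.se` and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: the post's hypothetical names mapped to
# documentation-range addresses (RFC 5737). These are not real DNS answers.
RECORDS = {
    "anytrademarkoutlet.se": "192.0.2.10",
    "anytrademark-outlet.se": "192.0.2.10",
    "any-trademarkoutlet.se": "192.0.2.10",
    "anytrademarkoutlet2.se": "192.0.2.10",
    "unrelated-shop.se": "192.0.2.77",
}

def names_by_address(records):
    """Group domain names by the address they point to."""
    groups = defaultdict(set)
    for name, addr in records.items():
        groups[addr].add(name)
    return dict(groups)

def deregister(records, name):
    """Return a copy of the records with one name removed (the 'signpost')."""
    return {n: a for n, a in records.items() if n != name}

def variant_key(name):
    """Normalise a name so hyphen and trailing-digit variants compare equal."""
    label, _, tld = name.lower().rpartition(".")
    label = re.sub(r"\d+$", "", label.replace("-", ""))
    return f"{label}.{tld}"

def lookalikes(reported, candidates):
    """Names among the candidates that are variants of a reported name."""
    key = variant_key(reported)
    return sorted(n for n in candidates
                  if n != reported and variant_key(n) == key)

if __name__ == "__main__":
    after = deregister(RECORDS, "anytrademarkoutlet.se")
    # The address still answers under three other names.
    print(sorted(names_by_address(after)["192.0.2.10"]))
    # Variants of the reported name that an abuse desk would want to review.
    print(lookalikes("anytrademarkoutlet.se", RECORDS))
```
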

  4. “–But you must be able to shut them down?”

Illegal or fraudulent online content is often reported to the police, but even then there may be complicating circumstances. In some cases, the web content can be taken down because the web hotel’s contract prohibits “special web content”, which gives the web hotel the right to take down content from the net. But it may well be that the web content is located on a server in another country where Swedish law and the Swedish police have no mandate to act.

In these cases, it may seem natural to turn to IIS, but it is absolutely not obvious that IIS should act. Right now, the responsibilities that IIS can have in its role as a top-level domain administrator are being tested.

It’s actually quite simple: IIS is not the internet police and cannot separate “legal” from “illegal” web content, but must rely, just like everyone else, on the Swedish legal system. This means that those who feel they have been victims of a crime should report it to the police. The Swedish police are the police both on and off the Swedish internet and apply Swedish law where possible.

After a final decision in a court of law that a domain name should be deregistered, IIS can act according to 6.4 in the IIS Conditions of Registration.

To sum up, no matter what is written on Twitter, my assessment is that IIS and I are doing what we can in the form of advice, education and cooperation against, among other things, false invoices.

Photo: STOP by planetlight (CC BY 2.0)

About the blogger

Peter Forsman, Abuse Manager. Oversees abuse cases for the entire .se zone and has solid knowledge about bullying on the Internet. Peter has been active in the IT sector since the middle of the 1990s and has experience from several different positions within the domain and web hosting services industry.

Comments

  • Jimmy Wirsborg 5 November 2015, 15.40

    Great post and simple enough that most should be able to understand it. I know you are working hard to inform and educate and I follow IIS closely and appreciate you a lot. However, the problem with fraudulent and other “bad” content does exist out there; what can/should we as a society do to combat it? Censorship of IP addresses? Start an IT-military section focused on bringing the content down? Add it on the ISPs to keep their users safe from this kind of content? Does IIS have any advice to give the lawmakers of Sweden and/or the world?

    • Peter Forsman 5 November 2015, 17.14

      Thank you Jimmy!

      I do not have all the answers, none of us have.
      But I do not believe that more or stricter laws are the solution to these growing problems – cooperation and consensus are.

      As a step in that direction, IIS intends to formalize an Abuse Reference Group (ARG).
      The intention is that this group will deal with abuse issues related to the Internet.
      IIS intends to invite registrars, authorities, specialists and others to the group.

      The group will meet in Stockholm (IIS) 2 times per year.
      IIS will create mailing list(s) for communication between the physical meetings.

      In this way, IIS hopes to create opportunities for discussion, problem solving, networking and perhaps even prevention – regardless of the type of abuse.

      Regards
      Peter
