Update – Aug 22, 2014 – Second FDA Takedown Request Declined
Two days ago the FDA sent us a list of 29 more domain names they would like us to take down. The list included 8 domains owned by a Canadian business we know to be operating lawfully that we brought up for discussion purposes with the FDA in the course of our talks.
We were somewhat taken aback to see the inclusion of this business' domains in their list considering that it is not an online pharmacy, does not deal in materials which are controlled substances anywhere in the world and has no associated exigent circumstances which impelled the original takedown (translation: nobody has died).
After communicating our surprise and asking for clarification (did they really want us to take this business offline?) they responded:
Consistent with your new policy, yes, please.
As for [redacted] – it is not operating legally in the United States and the problem is solved if they do not ship their product to consumers in the United States until they come into compliance with U.S. law. As a start, ask them to register as a drug manufacturer with FDA.
We have since informed the FDA that we will not be taking this business down without a valid court order. We will also not move forward on any other extra-judicial takedowns until we have completed a review with our legal team.
Where this is probably headed
After being implored to "do the right thing", because "exigent circumstances", "people are dying", etc to then be sandbagged like this with a completely over-the-top takedown request absent any similar conditions (this was supposed to be all about taking down rogue pharmacies, not renegotiating NAFTA on-the-fly) it has become clear to us that from now on, no matter who you are, no matter what you want and no matter what terrible calamities you think will befall humanity if we don't take some domain offline right now:
We tried doing it the other way and we got suckerpunched.
What About Online Pharmacies?
We are sticking with our revised policy that you have to be PharmacyChecker or LegitScript approved. We basically don't want unlicensed pharmacies selling "controlleds" without a license. As a trusted friend who is in the industry put it:
" I personally have no issue with self-policing to make sure that the sale of controlleds online does not happen, because the impartial evidence that kids and addicts buy this stuff online and then OD is substantial. I suspect that you feel the same way. I'm not averse to selling controlleds online if, say, the patient can produce a real Rx, but presumably that would be full of holes as well as addicts will say and do anything to get a fix.People who are giving you a hard time about taking a controlled substance pharmacy offline need to understand that selling controlleds online amounts to knowing that people will almost certainly OD and deciding to do it anyway. If somebody else thinks that's ok, let them provide DNS services to them. "
Update – Aug 18, 2014
I will post a follow up on why soon. This has been quite a situation.
Yesterday morning we summarily tookdown a pharmacy website at the request of the FDA.
We found out (rather belatedly) that the FDA had named us in a complaint with ICANN after a US citizen ordered a controlled substance over the internet (via a website whose domain was on our registrar tag and using our nameservers), and subsequently died of an overdose of that substance.
We only became aware of the situation after a reporter contacted us asking questions about it. We initiated a conference call with ICANN compliance and on that call it came out that the FDA had indeed named us specifically in their complaint. Because we have not yet signed the 2013 RAA, ICANN did not notify us. The FDA also emailed our abuse queue, but we missed it (long story).
So after a long talk with ICANN compliance, and a long talk with the special agent from the FDA, a long talk with our lawyers, we took down the domain in question and are adding a new provision to our Terms of Service effective immediately:
Any website / domain shipping drugs over the internet must be able to produce a valid pharmacy license on demand for any country they are shipping to or face summary suspension / termination of services. (Update: OR they are approved by PharmacyChecker.com)
Our customer has pointed out to us that this is inconsistent with our currently stated Takedown Policy. Yes it is. It begs the question:
Where do you draw the line?
Well, coincidentally, as all this was happening we received another notice from our pals at the London Police Intellectual Property Crime Unit:
Dear Sir or Madam,
Notice of Criminality
[domain name redacted]
EASYDNS TECHNOLOGIES, INC.
Receipt of this email serves as notice that the aforementioned domain, managed by EASYDNS TECHNOLOGIES, INC. 28/03/2014 is being used to facilitate criminal activity, including offences under:
Fraud Act 2006
Copyright, Designs and Patents Act 1988
Serious Crime Act 2007
We respectfully request that EASYDNS TECHNOLOGIES, INC. give consideration to your ongoing business relationship with the owners/purchasers of the domain to avoid any future accusations of knowingly facilitating the movement of criminal funds.
Should you require any clarification please do not hesitate to make contact.
PIPCU Anti-Piracy | Operations | Police Intellectual Property Crime Unit | PIPCUantipiracy@cityoflondon.police.uk<PIPCUantipiracy@cityoflondon.police.uk > | Address: City of London Police Economic Crime Directorate, 21 New Street, London, EC2M 4TP | ü www.cityoflondon.police.uk<http://www.cityoflondon.police.uk/>
I'm not sure what they're asking us to do. It doesn't matter because there is nothing to do. We have once again informed the PIPCU that we eagerly await the outcome of a legal process and will certainly comply with any valid court order or warrant that results from said process.
So in one case we have people allegedly pirating Honey Boo Boo reruns and on the other we have people dying. We don't know where exactly, but the line goes somewhere in between there.
We have always done summary takedowns on net abuse issues, spam, botnets, malware etc. It seems reasonable that a threat to public health or safety that has been credibly vetted fits in the same bucket.
As a private company we feel within our rights to set limits and boundaries on what kinds of business risk we are willing to take on and under what circumstances. Would we tell the US State Department to go to hell if they wanted us to take down ZeroHedge? Absolutely. Do we want to risk criminally indicted by the FDA because of unregulated drug imports? Not so much.
Keep in mind that Fedex was just indicted for shipping drugs for online pharmacies, it's just a matter of time before some registrar or DNS provider meets with the same fate. We have no desire to be that registrar.
Free Webinar: The 7 Deadly Risks You Are Exposed To Through Your Domain Names
Reserve your spot today for Mark's upcoming O'Reilly Webcast where he deconstructs the 7 distinct types of risk that any organization is potentially vulnerable to by simple fact of having a domain name. Click here.