back to article Registrars turn blind eye to sites selling illegal steroids

Next time you see websites brazenly pushing anabolic steroids, thank GoDaddy, Dynadot and a half-dozen other US-based registrars, which allow them to operate even though they're illegal, claims a new report. Released Monday, the report catalogs 156 websites offering steroids without a prescription or verifying that the would- …


This topic is closed for new posts.
  1. RW
    Thumb Down

    "Domain registrar"

    The name says it all: they register domain names.

    Don't expect them to enforce other laws & rules.

    For that matter, there are any number of domains that sell cheap Rx pharmaceuticals out of India. Absolutely legal per Indian law. What then?

    This article implicitly endorses the idea of a totalitarian, unitary state where all organs of the state (including corporations) are expected to act as police. Can we say "fascism"?

  2. Anonymous Coward
    Anonymous Coward

    Evidence, Judgement and Order

    I disagree that's it's the place of the registrar and ISP/web host to make such judgements. The appropriate (i.e. in their jurisdiction) law enforcement agency should apply to a court for a take-down notice, which, if approved based on the evidence presented, should be issued to the resgistrar and ISP/web host (if applicable) for immediate action. The offender should also have the right of appeal.

    Is it just me, or is there a paucity of people these days who believe in due process, natural justice and the rule of law?

  3. Anonymous Coward
    Anonymous Coward


    Since when was it down to domain name registrars to police the internet ?

    They sell domain names, you take the names away and use them. If the public thought that they would lose the names due to the registrar then the registrar would be out of business quite soon. Anyway, it's not like there is an ownership dispute over the names themselves.

  4. Ben winnipeg
    Thumb Down

    Are these guys serious?

    they want to blame a company that converts a name to an IP address? they say that the companies that host spammers websites are the ones that sell cheep domain names? Whats thier solution raise the cost of domain names? If they want to blame the people that sold me my domain names, then get the politicians to change the laws. and while your at it, what about drug dealers that wear hoodies?

  5. Nick Stallman

    Erm what?

    Shouldnt they be complaining about the web hosts, not the domain registrar?

  6. Shannon Jacobs

    Registrars and spammers both divide by zero

    I'd say the fundamental problem here is that both of them think they can divide by zero and generate infinite RoI. In the case of the spammers, they think email is free, so the marginal cost of tossing off another 10 million spams is ignorable if they find a few more suckers to give them credit card numbers for herbal viagra dietary supplements.

    The registrars' version is that they imagine they are creating 'valuable Internet real estate' out of nothing. It doesn't cost anything to string some letters together and say this is a new place on the Web. All they are concerned with is spewing out as many domains as possible. What if they actually had some costs of enforcing policies? Heaven forbid! That could destroy their zero.

    By the way, here's my latest suggestion for what Gmail could do to reduce the spam:

  7. Kanhef

    Possible solution

    If the registrars are violating ICANN's rules, ICANN should be able to impose sanctions. Such as removing every domain registered with that company from the root servers until they comply with the rules. Similar to the Usenet Death Penalty, it shouldn't take long to have an effect. When you tell thousands of customers that their domains are unreachable because their registrar doesn't enforce its own TOS, they're likely to switch registrars unless the situation is resolved quickly.

  8. Erik Aamot

    sure .. make companies law enforcement

    I don't see where a registrar is responcible for policing the use of domain names at all, for registrars to do so would invite lawsuits and such policing would drive the costs of domains up

    When I pay $7.05 including ICAAN fee for a domain name at GoDaddy, they aren't making enough to act as policemen of the internet, and laws vary state to state in the US, and vary country to country

    If you go down this road at the registrar, do you expect them to say, pull down a .org site owned by a Chinese resident that protests China's human rights abuses because that is illegal in China ?

    One might say that a webhost is slightly more responcible for content on thier servers, however they should not be made into law enforcers either

    If there is illegal activity, first get a legal shutdown order to the webhost and go arrest the owner ..

    Of course in many cases, the person doing the illegal activity can set-up or find another webhost .. then I suppose you could make a legal order for a registrar to turn off the domain, however ...

    that too would be futile, as a criminal or criminal organisation would have no problem buying new domain names

    Again, asking registrars or webhosting firms to act as law enforcement is not effective nor wise .. if a person is acting illegally, it's the job of the law enforcement, the courts and procecutors to arrest, convict and sentence these people.


    No liability to Registrars

    It has always been agreed since the first ICANN conference in the 1980s - and indeed in the pre-ICANN conferences - that the Registrars do not have a liability to police the use of domain names. The meetings have frequently endorsed the "good registrar practice" that certain activities such as kiddie-porn etc may be subject to notification from LOCAL law enforcement authorities to the Registrar and that the Registrar will voluntarily suspend domain names concerned; however for 15 years it has been recognised that it is impossible for Registrars to police domain use. (Although your records related to domain names will be readily provided to law enforcement).

    The issue is the administrative cost of administering the take-down notices etc. Godfrey v Demon and the line of domain cases have repeatedly confirmed non-liability of domain registrars as web-pages change daily. Take the position where a Zimbabwe Police notification of illegality occurs to a US domain registrar - who decides whether the notification is really from the Zimbabwe Police, whether the notification is legal, constitutional etc.

    If you want $500-$2000 domain names etc- make the registrars police the internet. As far as net-pharmaceuticals are concerned, if police officers were better trained in internet crime, they would be able to carry out test purchases and commence local prosecution (even though the registrant is not present). The commencement of the prosecution would be sufficient for most registrars to suspend domain names (subject to appeal rights).

    Leave the Registrars alone!

  10. Anonymous Coward
    Anonymous Coward

    ICANN World police?

    So ICANN dictates the rules to the registrars who will enforce the rules by civil contract regardless of legal jurisdiction.....

    IMHO all the more reason why the rest of the world should split ICANN up and cooperate via agreement rather than this phoney 'multi' national organisation.

    Already they're requiring everyone keep their domain details up to date, so effectively removing anonymous blogging.

  11. frymaster

    GoDaddy tried this before and got slated...

    "We believe web site content is the responsibility of the site owner (registrant) and (if that fails) hosting or bandwidth provider. If the whois contact data is valid, registrars shouldn't be involved without a court order. " (From the nmap webpage)

    And I agree, if the owner of a website won't deal with the issue, you contact the host, not the domain registrar. If you much about with the domain registration, all you're doing is potentially making it harder to track the owner of the site*

    *Yes, I know most of them will be fake details registered with stolen cards, but still :P (Ironically, fake details registered with stolen cards _is_ a legitimate reason for a registrar to get involved)

  12. Edmund Slackbladder

    Re: Khanef

    Two points:

    1. Individual domains aren't put on the root servers. Only registries are pointed to by the root servers.

    So every customer of that registrar gets punished, regardless of their guilt? And if the provider is a big one, like say, Network Solutions, that means lots of big names lost their ability to do business - like Amazon and Ebay (both with the prior mentioned registrar).

    Come one here - I know, some sort of action needs to be taken, but with proportionate response. What you propose is like Gigatonne nuclear weaponry for parking violations.

    (oh, btw, I'm a developer for a domain registry)

  13. Mark

    erm registrars?

    How would a registrar know at registration that the domain will be used for an illegal site? Surely what is actually needed is some central site for reporting abused domain names, if the use of the domain name breaks ICANN (or regional) rules then it is removed without a refund and blocked from use for a given period.

  14. Anonymous Coward

    or by comparison

    in the UK one registers a physical company at "companies house". One is forced to conform to local laws by the local police force, the national fraud office, the various legal, tax and accreditation departments and all is empowered by the local law courts. Companies House just says "thanks for registering, now off you go".

  15. Anonymous Coward
    Thumb Up


    Why don't we simply make each and every browser have a button that allows the user to report "offensive" domains to the ministry of truth. That way as soon as anyone tries to publish a site which offends, you could enjoy the knowledge that you are cooperating in the justice process. This way if the evil content provider changes registrars, domains, or hosting companies it would make no difference, as soon as they put up a site with wobly content, it wouldn't be long till the plods were breaking down their door. An added bonus here is that the general public would get to choose what is acceptable and what is not, in true democratic fashion(!).

    Come on lads, 1984 was over 20 years ago - lets get a move on already! I personally welcome the day when we have absolutely no personal control over anything we say, think, do or see. "It is touching to see how they love Big Brother..."

  16. Tim J


    There's nothing wrong with steroids anyway.

    Are you looking at me? Are you looking at me funny eh? Yes, I did used to be a women, but what's it to you, eh? You'd better start running...

  17. Anonymous Coward
    Anonymous Coward

    Protecting liberty

    It's not often you look at the activities of big business and say, yes, their behaviour here is a good thing. This is one of those times. You can't have arbitrary companies policing each other. You can say the registrars should do policing, but why not the electricity company, or the post office, or their window cleaner? Having each and every company checking up on each and every customer in this way is an obvious non-stater.

    Leaving aside the difficulties of jurisdiction there are freedom of speech and civil liberty issues. If I wish to register it is not for the registrar to decline it based on the fact it may be illegal in one particular jurisdiction, just as I don't want to explain my business model and prove its legitimacy to the company that supplies my paper clips. That is the role of law enforcement whose job is to know what they are doing. A domain registrar is not in the business of law enforcement and has no expertise to judge sites even if they had the right to do so.

    More importantly from the straightforward impedance to commerce that this idea represents, it would also invariably become a method of arbitrary censorship. What to register Tough, you can't since it might be slanderous and so whatever complaints you had about El Reg go unnoticed no matter how serious and how legitimate they may have been.

  18. Anonymous Coward
    Anonymous Coward

    Been a long day

    But for some reason I read the headline as "Registrars turn blind eye to sites selling illegal asteroids", and I thought it was or clamping down on bogus sites :o)

    Mines the one with the title deeds to Uranus in the pocket.

  19. Bill Mercer

    Poor reading comprehension makes me sad

    The point isn't that registrars should enforce laws. The point is that registrars should enforce their OWN POLICIES.

    The "Turning a blind eye" thing doesn't mean that the registrars should be actively investigating every single domain name registered with them. It means that when they receive reports that their customers are violating their policies, they should investigate and take appropriate action.

    If you're a registrar and you don't want people reporting violations, don't have such a policy in the first place. It's stupid to make a policy and then ignore it.

  20. Franklin

    Interesting dilemma...

    On the one hand, the comments here do have a point; a registrar can't and shouldn't be held accountable for policing the Web. That way madness lies; should a registrar suspend a domain that details human rights abuses in China? How about a Web site that hosts porn that's legal in some jurisdictions but not others?

    On the other hand, though, there are some cases that are clearly not borderline. And even a handful of registrars that appear to have set up a lucrative business specifically aimed at the criminal underworld. I'm looking especially at EST Domains here, the registrar of choice for VXers. Every domain I've seen whose purposes is to distribute computer viruses, most often the W32/Zlob virus--is registered by EST Domains. (I'm not even talking about sites that talk about virus writing, or that distribute sample code or toolkits to other VXers; I'm talking about sites that pretend to be porn sites, which try to trick useers into downloading Zlob masquerading as "movie player software").

    Seems to me that in that kind of case, the registrar is acting in bad faith by knowingly and intentionally selling services to criminals which they know will be used in the furtherance of illegal activity. Which puts them, in my opinion, in a different place.

    Registrars that engage in these sorts of activity don't even enforce their own terms of service, which is particularly telling.

  21. Anonymous Coward
    Anonymous Coward

    re: Interesting dilema...

    Dear Franklin,

    Do you know for a fact that the practice you call VXers is illegal? Is it illegal in every country of the world? Are you in law enforcement?

    The point is: you do not know nor have you done any research about it. Why should a registrar take your word for it?



  22. Erik Aamot

    upon careful reading ...

    ... there is nothing in several registrars terms of service, including GoDaddy, that prohibits a person's or business' use of a domain name for illegal purposes .. it's all about restrictions of use of the registrar's SOFTWARE and SERVICES, that usually includes webhosting, email and such, however, it does not include your activities in the use of a domain name .. in fact ...

    The ToS INDEMNIFIES the registrar should you be found to be using a WEBSITE for illegal activity with a domain name purchaced there

    and think about it .. how can a domain name itself be illegal except for terms on specific TLDs such as:



    If You are registering a .CN domain name You also agree to:

    Limitations on Registration

    You may not register or use a domain name that is deemed by China Internet Network Information Center (“CNNIC”) to:

    Be against the basic principles prescribed in the Constitution of the Peoples Republic of China (“PRC”);

    Jeopardize national security, leak state secrets, intend to overturn the government, or disrupt the state of integrity of the PRC;

    Harm national honor and national interests of the PRC;

    Instigate hostility or discrimination between different nationalities, or disrupt the national solidarity of the PRC;

    Violate the PRC’s religion policies or propagate cult and feudal superstition;

    Spread rumors, disturb public order or disrupt social stability of the PRC;

    Spread pornography, obscenity, gambling, violence, homicide, terror or instigate crimes in the PRC;

    Insult, libel against others and infringe other people’s legal rights and interests in the PRC; or

    Take any other action prohibited in laws, rules and administrative regulations of the PRC.


    however, again, it's not up to the registrar to determine the *illegality* of a .cn domain, it's up to CNNIC to notify the registrar to delete the domain name from the root registry. That's a contractural obligation between the registrar and the PRC

    if a registrar has a provable pattern of selling domains for illegal activity, then a legal case should be made with ICAAN to shut down the registry

    good luck there ..

  23. bob

    Not sure everyone understands

    FD: I am part KnujOn. This report and other work by KnujOn is to make the registrars follow Their own policies and ICANN's policies as a way of slowing down spam and crime in general. I am a strong privacy advocate and do not like the idea of being the internet police, however, we are talking about businesses, not individuals. Businesses are already required to have public information about themselves (eg the SEC for public companies, business IDs for the IRS, state registration of the business name and bank accounts). Pharmacies are licensed business and the fake pharmacies do not have licenses. Be sure that Law Enforcement will be visiting them. The registrars who cater to illegal businesses will also be visited. The average registrar is supposed to verify the whois data, so in fact they should refuse to give a domain name to someone who has not provided accurate information. The criminals rarely provide accurate data and mostly honest businesses do. This is not about censoring anyone or being politically correct.

  24. John
    Thumb Up

    A note from LegitScript

    This is a pretty natural follow-on to Bob's email, above. I also consider myself to be a strong privacy advocate (hence our insistence that online pharmacies have strong privacy protections, for example) and this isn't about forming an Internet police or ministry of truth. This is about the registrars following their own policies, which allow for termination of websites that are engaged in illegal activity. (The language in each User Agreement varies, of course, but they basically all allow termination, and many require it, for illegal activity.)

    The report we released actually addresses all of the points raised above. To take one point (about steroids being legal without a prescription in some countries), remember that these sites are specifically marketing to the US, and the default shipping option in many cases is to the US. None of these sites are marketing primarily (or in most cases at all) to their home country. Reaching a conclusion that there's nothing illegal or harmful going on here requires some convoluted logistical acrobatics. Anyway, I encourage anybody with questions about the logic behind our argument to read the report (which I just don't want to retype here in this little comment box).

    Also, some background about LegitScript might be helpful here. We don't charge the pharmacy websites to be verified. If they are legit, then they're legit. They shouldn't have to pay extra money to prove it. It's essentially a project to create a "whitelist" of the legitimate actors, which helps consumers and businesses. As far as why LegitScript should do it (regarding and earlier post asking, who gives these companies the right to say who is legit?) our standards are actually recognized by the National Association of Boards of Pharmacy. (The Boards of Pharmacy police the pharmacies and pharmacists, so in fact, we have the ability to say who is legitimate or not, at least related to pharmacy websites.)

    More info available to those who want it, but the bottom line is, I don't think that anybody really wants true anarchy on the Internet without serious attempts to keep the spammers, phishers, and other bad actors (including rogue Internet pharmacies) at bay. And, it sounds nice and politically correct to say that "registrars aren't supposed to police the Internet" but actually, their User Agreements sort of give them the ability to take action against the bad actors. And as Bob said, registrars are supposed to verify WhoIs data and shouldn't give a domain name to somebody who hasn't provided accurate information.

  25. Alan Brown
    Paris Hilton

    Fake registrars

    It's worth noting that Knujon recorded 67 _registrars_ have having no contact details at the beginning of this month.

    Following an ICANN crackdown, 20 of the registrars are now listed at one location and at least one of the registrars (Parava) involved in the story above has FAKE registration details.

    ICANN has played fast and loose with accountability, they have a consistent history of not following up to registrars on complaints about fake domain registration details (ICANN only created a procedure to handle this after sustained complaints of registrar inaction) and now they clearly aren't even bothering to verify if a registrar actually exists.

    Given what i know about the people within ICANN, I'm not particularly surprised, Style over substance every step of the way...

    Paris, because she's fake too.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020