LegitScript Comments on IRTP-D Recommendations

[John Horton <john.horton@xxxxxxxxxxxxxxx>]

LegitScript <http://www.legitscript.com/> appreciates the opportunity to
submit comments on the *Inter-Registrar Transfer Policy (IRTP) Part D
Policy Development Process (PDP) Recommendations for ICANN Board
Consideration. *

*About LegitScript. *LegitScript works globally with Internet platforms and
governments <http://www.legitscript.com/about/> to make the Internet
pharmacy and healthcare product sector safer and more transparent for
individuals and businesses. LegitScript is utilized by, endorsed by or
authorized to represent government drug and pharmacy regulators in multiple
jurisdictions.

One of the most important ways that LegitScript fights online healthcare
fraud and criminality is by partnering with registrars to provide
information about rogue Internet pharmacies abusing the registrar's
services. Without exception, these domain names are used to sell
prescription or other drugs (e.g., controlled substances that may not
lawfully be prescribed) in a way that violates applicable laws and puts
patient safety at risk. Typically, a rogue Internet pharmacy is engaged in
the following specific practices:

   - Unlawfully selling prescription or other controlled drugs without a
   valid prescription.
   - Unlawfully selling unapproved, falsified or substandard drugs.
   - Unlawfully engaging in the practice of pharmacy without legally
   required pharmacy licenses.

It is important to note that the activity described above is not lawful in
any jurisdiction: rogue Internet pharmacies, by definition, engage in
activity that is unlawful in every jurisdiction. There are numerous
instances of documented patient harms resulting from rogue Internet
pharmacies.

*Response by registrars*. Upon receiving notification letters from
LegitScript, most registrars will suspend and lock the domain names used as
rogue Internet pharmacies, due to a violation of the registrar's terms of
service (typically a provision prohibiting the use of the registrar's
services in furtherance of criminal activity). For registrars accredited
under the 2013 RAA, this is consistent with obligations under Sections 3.18
and 1.13 of the RAA. Predictably, however, rogue Internet pharmacy
operators will, after the domain name is suspended, seek the ability to
transfer the domain name to a "safe" domain name registrar and thereby
continue the illegal prescription drug sales, which can be highly
profitable. In the fight against rogue Internet pharmacies, it is critical
that registrars be granted the discretion to lock the domain name until and
unless a valid pharmacy license is provided and other legal concerns are
addressed: otherwise, the process devolves into a perpetual game of global
"whack-a-mole" from one registrar to another where rogue Internet pharmacy
operators are allowed to operate unimpeded.

Here, it is important to pre-empt possible questions about why law
enforcement cannot obtain court orders in some cases. The answer is simply
the jurisdiction-less nature of the Internet. Consider a case where the
rogue Internet pharmacy selling counterfeit drugs is solely targeting
Japan, but the registrar is in the United States, the content is hosted in
Germany, the website operator is in Russia, and the drugs are shipped from
China. Only Japanese drug safety laws are implicated. However, none of the
entities in other jurisdictions are subject to Japanese jurisdiction, so no
binding court order based on drug safety violations can be issued. It is
not that the Internet pharmacy operates legally in the jurisdictions
outside of Japan; rather, because the Internet pharmacy is not shipping
drugs there, those other countries' laws are usually simply not implicated
one way or another. Thus, taking and keeping the dangerous, illegal domain
name offline relies largely on the goodwill of registrars and their ability
to suspend and prevent transfer of the violative domain names.

*IRTP Comments*. If a registrar has made a good-faith finding that a domain
name is being used for unlawful purposes, particularly when their finding
is consistent with Sections 3.18 and 1.13 of the 2013 RAA, no policy should
require the registrar to thereafter facilitate the transfer of the domain
name, because this would put the registrar in the position of having to
assist the rogue Internet pharmacy in getting back online and resuming its
business. Indeed, depending upon the scenario, requiring a registrar to
permit the transfer of a domain name that the registrar knows to be engaged
in criminal activity could lead to a registrar also being subject to
criminal liability (for aiding and abetting the registrant) or civil
liability (e.g., if a patient were to subsequently be harmed).

Additionally, as drafted, it is unclear whether the IRTP's reference to the
UDRP refers to the UDRP Rules
<https://www.icann.org/resources/pages/rules-be-2012-02-25-en> or UDRP
Policy. If the IRTP refers to the UDRP Policy
<https://www.icann.org/resources/pages/policy-2012-02-25-en>, which
includes paragraph 2 whereby registrants represent and warrant that "...(c)
you are not registering the domain name for an unlawful purpose, and (d)
you will not knowingly use the domain name in violation of applicable laws
or regulations," registrars may refuse a transfer due to use of the domain
for illegal pharmaceutical sales. The application of the UDRP for purposes
of the IRTP is thus important because it provides a basis on which
registrars may deny transfer of rogue Internet pharmacy domains.

For clarity, and as consistent with the UDRP Policy and the 2013
RAA, LegitScript therefore recommends the IRTP be clarified that registrars
may deny transfer under IRTP Section 3 if they have suspended the domain
name consistent with the registrar's obligations under Section 3.18 and
1.13 of the 2013 RAA. Specific to the PDP, we ask that GNSO Recommendation
#6 be amended to allow denial of transfer based on evidence of violations
of applicable law. We propose the following edits to Recommendation #6
(proposed addition underlined):

*Recommendation #6 – If a request for enforcement is initiated under the
TDRP the relevant domain should be 'locked' against further transfers while
such request for enforcement is pending. Accordingly, 'TDRP action,' 'URS
action' and 'other action consistent with the registrar's obligations under
Section 3.18 of the 2013 RAA, such as suspending services based on illegal
activity as defined in Section 1.13 of the 2013 RAA' are to be added to the
second bullet point of the list of denial reasons in the IRTP (Section 3);
the IRTP and TDRP should be amended accordingly.*


The locking and suspension of rogue Internet pharmacy domains is good for
the Community, improves patient safety, and is consistent with the Affirmation
of Commitments
<https://www.icann.org/resources/pages/affirmation-of-commitments-2009-09-30-en>.
As such, ICANN policy, including the IRTP and TDRP, should facilitate this
type of voluntary action. By making this change, the IRTP and TRRP will
clarify that registrars have discretion to deny transfer of domain names
used by rogue Internet pharmacies that put patient safety at risk.

John Horton
President, LegitScript