Home / Blogs

EFF’s Emerging Alignment With Offshore Internet Pharmacies

The last few years have been challenging ones for members of the Canadian International Pharmacy Association.

First, in 2010, they lost their ability to advertise in the US search space after the US Department of Justice noted that many seemingly “Canadian” pharmacy websites “sell drugs obtained from countries other than Canada” when shipping medicines into the US, and major search advertising programs tightened their policies, effectively excluding CIPA’s members from advertising in the US.

Then, one of the organization’s founding Canadian pharmacists was convicted of selling counterfeit drugs to US residents that weren’t really from a pharmacy in Canada.

Then, they began losing their ability to process credit card payments, after we and others helped reveal that the drugs sold by CIPA’s so-called “international Canadian internet pharmacies” often aren’t really from Canadian pharmacies.

Then, one of their flagship members, CanadaDrugs.com, got indicted for selling counterfeit cancer medicines to US clinics through the pharmacy’s wholesale chain.

Then, a director of an internet pharmacy certifier widely used by CIPA members, PharmacyChecker, got indicted for hiding counterfeit drugs supplied by CanadaDrugs in his garage. (The charges were dismissed, reportedly after the guy cut a deal with DOJ.)

There’s more, but you get the point: it’s been a bad few years for internet pharmacies that, even if able to produce a Canadian pharmacy license, don’t necessarily send US residents drugs from real Canadian pharmacies.

These developments have been a threat to the commercial interests of CIPA’s members. In response, CIPA appears to have aligned with the Electronic Freedom Frontier (EFF) to attack the Healthy Domains Initiative (HDI), a collaboration designed to identify best practices for registrars related to child pornography, rogue online pharmacies, copyright violations and online abuse. A key rationale for the HDI is to stave off intrusive government regulation: if private companies can develop and implement reasonable anti-abuse policies, it removes the incentive for governments to come in and regulate the internet.

The EFF calls these initiatives “shadow regulation.” (Cue up the spooky music and Guy Fawkes masks.) Unfortunately, the EFF supports its argument by misrepresenting numerous facts that seem to be taken straight from CIPA’s playbook.

So what’s really going on here—what’s EFF’s ax to grind?

Well, let’s look at the facts, at the EFF’s arguments, and then who stands to lose money from the HDI initiative.

First of all, EFF’s Jeremy Malcolm, the EFF’s point person on this issue, discloses in his blog that he was visiting the Canadian International Pharmacy Association the day of his article, and he advocates for the CIPA and PharmacyChecker certification programs as credible. (Lest you think I consider these companies our competitors: I don’t, because we don’t certify online pharmacies that operate illegally, and they do.) After all, CIPA’s members market themselves as “Canadian” but source many of their drugs from cheaper, offshore (non-Canadian) locations in order to improve their profit margins. PharmacyChecker, meanwhile, has over the years certified multiple online pharmacies selling prescription drugs without a valid prescription, not to mention some engaged in counterfeit drug sales. In any case, EFF out of one side of its metaphorical mouth (inaccurately) attacks the HDI as promoting the commercial interests of “Big Pharma,” but from the other side of its mouth in essence advocates for the commercial interests of “faux-Canadian” internet pharmacies.

Second, the EFF apparently doesn’t know how registrars actually deal with rogue online pharmacies. In nearly all cases I’m aware of where a domain name has been suspended (as in, somewhere between 99.99% and 100%), registrars voluntarily take action against rogue online pharmacy domain names because they used to sell prescription drugs, often controlled substances like Vicodin or steroids, without a prescription. Does the EFF argue that registrars should modify their terms and conditions to permit this? Do they argue that registrars, when they find out that they are (inadvertently) providing services to customers whose activities can kill someone, are supposed to just let it continue and assume the liability—criminal, civil or moral—that could potentially result from that?

Third, the statements made by EFF’s Mr. Malcolm’s are inaccurate. He characterizes LegitScript as a “big pharma trade group” and refers to our “rogue” online pharmacy list, which is widely used throughout the internet and payment industry to identify illegal online pharmacies, as a Big Pharma creation. That’s flat-out false. These false accusations are what the “Canadian” Internet pharmacy industry falls back on whenever anyone has the temerity to criticize them for bad activity. LegitScript isn’t “funded” by anyone (and never has been), the vast majority of our revenue comes from dozens of companies like Google, Bing, Visa, and various payment providers for whom we perform monitoring services, and the only people who create our “rogue” list are LegitScript analysts. No external entity, whether pharmaceutical company or otherwise, has any influence or control over it.

Fourth, EFF in essence appears to argue that if an online pharmacy is offshore, it can’t be illegal because no laws apply to it. This argument fails to understand basic legal principles, and is easily refuted by hundreds of indictments and convictions in this sector. If that were true, how could CanadaDrugs be under indictment for selling fake cancer drugs from offshore locations (many of their drugs have historically been sourced through a warehouse in Barbados, by the way), and how could multiple other offshore pharmacy operators have been convicted at all?

Fifth, whether willingly or unwittingly, the EFF should understand that it is being used by an industry with commercial motives. They are a pawn in a larger game. The offshore internet pharmacy industry is trying to claw its way back into internet companies’ good graces in order to boost sales. But while their marketing campaigns have featured smiling senior citizens and shiny maple leafs, these internet pharmacies have laughed all the way to the bank as they’ve sent cheap, sometimes substandard or fake drugs from warehouses in Turkey, India, Mauritius, Barbados, and other locations. Does EFF believe that these for-profit offshore internet pharmacies merely have the health and safety of patients at heart?

In all of this, it’s important to keep in mind what EFF is really asking of the internet community: to assume the risk of doing business with criminal enterprises and forego reasonable steps designed to avoid more intrusive government regulation. This isn’t to internet users (or registrars’) benefit, but is to the financial benefit of dodgy online pharmacies who want to be back in the game and make more money. Of course, offshore online pharmacies don’t like the HDI’s initiative, but they can’t exactly say, “We don’t like it because we will lose money.” Instead, they need to wrap their arguments in empathy for patients, concerns about internet freedom, and accusations that anyone who doesn’t agree with them is part of a nefarious “Big Pharma” plot. And the EFF is helping them do that.

I’ll stop there. The point is, the HDI is a serious, well-intentioned effort, and it’s not just about internet safety, but is also about creating an internet that in the long term is free from government regulation. The EFF doesn’t help by making inaccurate statements and letting itself be used by online pharmacy trade groups that promote or certify illegal activity. Whatever else they may think, the EFF’s criticism of HDI plays right into the hands of a multi-billion dollar industry seeking to establish its own credibility at the expense of internet users’ health and safety and a healthy, balanced internet.

Editor’s note, 22 March: Some parts of this post revised by author.

By John Horton, President of LegitScript

Filed Under


Big Pharma alliance Gabriel Levitt  –  Mar 22, 2017 1:29 AM

Hi, I’m Gabriel Levitt from PharmacyChecker, the company maligned by Mr. Horton. There’s time enough for us to defend ourselves down the road but here’s what I wrote on CircleID, http://www.circleid.com/posts/20160912_protecting_online_access…. I think you’ll see that Electronic Frontier Foundation is aligning itself with online access to safe and affordable medication and that that’s pretty cool!

I’ll just note that LegitScript is allied with the pharmaceutical and U.S. pharmacy industries and their agenda on the issue of online pharmacies. This is not my opinion but fact. LegitScript, Eli Lilly and the National Association of Chain Drugstores stared Alliance for Safe Online Pharmacies in 2009; a group that supported the Stop Online Piracy Act.

Simply put, 45 million Americans did not fill a prescription in 2016 because of cost. A few million Americans buy real medication from international online pharmacies each year. The drug companies don’t want them to. I believe a full airing of this issue is finally coming to light, which is great and long overdue.

Three questions for John Horton Jeremy Malcolm  –  Mar 23, 2017 9:00 PM

I don’t have time for a full rebuttal of this post just now, but here are three simple questions for John Horton.

1. Isn’t it true that no matter how demonstrably safe an overseas online pharmacy is and despite its compliance with all laws that are legally enforceable against it, it can’t even theoretically satisfy LegitScript’s Internet pharmacy verification standards if it ships into the USA?

2. Who has the responsibility to shut down an online pharmacy (to use your terminology)—is it:

(a) the regulators of the country where the pharmacy operates from, it has has infringed its laws;
(b) the regulators of a country into which it ships product, if it has infringed its laws; or
(c) private companies that it has dealings with, for violating LegitScript’s private verification standards?

3. Isn’t it true that LegitScript verified pharmacy Walgreens was also charged with illegal sales of medicines and agreed to pay a record $80 million to settle the charges? Isn’t Walgreens also a “criminal enterprise”, under your definition?

Three Answers for Jeremy Malcolm (and Three Questions) John Horton  –  Mar 24, 2017 9:45 PM

Hi Jeremy, Thanks for your questions! See below. 1. I think you may be misunderstanding what’s legally enforceable when it comes to the practice of pharmacy or the dispensing of drugs. The subtext of your question (as I read it, at least) is: if an entity shipping drugs into Country A is physically domiciled outside of Country A, the laws of Country A aren’t legally enforceable. That’s incorrect, both legally and in practice. Under the laws of every country I’m aware of, any person or business dispensing pharmaceuticals within or into that country – irrespective of the dispensing entity’s physical location – is subject to the laws and regulations of the country into which they are shipping drugs. In the US, that includes the US Food, Drug and Cosmetic Act (e.g., 21 USC 353(b), et seq.), all 50 state regulatory schemes requiring pharmacy licensure, and several others. For a summary of laws and regulations in about 20 countries most commonly targeted by internet pharmacies, if of interest, feel free to review the laws and regulations summarized in our co-authored guide for banks and payment providers at https://usa.visa.com/dam/VCOM/global/support-legal/documents/online-pharmacy-guide-for-acquirers-vbs-18-apr-2016.pdf. Being physically domiciled outside of those jurisdictions doesn’t mean you don’t have to comply with those laws – unless, of course, you don’t ship to the country in question, in which case, of course you don’t need to worry about that country's laws. To illustrate this: if US laws were not enforceable against CanadaDrugs and Andrew Strempler, which are and who was outside of the US, how would they have been indicted and convicted (respectively)? As to our standards, we require compliance with applicable laws and regulations. Consistent with what I’ve explained above, “applicable” means not only the jurisdiction where the entity is located, but any jurisdiction into which the entity dispenses drugs. At present, prescription drug importation into the US directly to individuals is illegal (as is the case in just about every country). That’s a fact, by the way -- not mere opinion. It’s also illegal, everywhere, to sell prescription drugs without requiring a valid prescription. And so on. As to our program, think about it this way: a credible verification program should, among other things, help verify whether the entity in question is complying with applicable laws and regulations; suggesting that a verification service is supposed to ignore applicable laws and regulations is not, in my view, a credible suggestion for how a verification program is supposed to operate. So hey, want to get LegitScript certified? Not hard. Operate legally. 2. The three options you’ve presented don’t quite capture how this all works. In the payments industry, online ads industry, private carrier industry, hosting industry, domain name registration industry, etc., there are terms and conditions between the customer and the service provider. These are enforceable contracts. Those Terms and Conditions (nearly) always prohibit use of the companies’ services in furtherance of illegal activity. When a customer uses the services in furtherance of criminal activity, they are in breach of those agreements, and the remedy is typically termination of services. In the domain name industry and the payments industry, there are additional layers of contractual requirements put on the registrar or registry, and on the bank or payment provider, by ICANN and the card brands, respectively. (In the interests of brevity, I won’t go into all of those here.) The short version: for a registrar or payment provider not to take certain actions against customers engaged in illegal conduct can be a breach of their accreditation or acquiring license agreements. As to the options you’ve presented, regulators certainly may play a role in some cases. However, there’s no law (anywhere) that says a company can’t enforce their own terms and conditions unless they have a court order or a note from a regulator. Companies, as a matter of routine, are able to use common sense and expert resources to determine whether there has been a violation of their terms and conditions. As to your third option, I think that you are missing the point. It’s not that the rogue online pharmacies fail to meet our standards (although that’s true). It’s that they violate companies’ terms and conditions – in the case of rogue online pharmacies, by virtue of failing to comply with applicable drug safety laws. Which sometimes has dire consequences. 3. What I find most disturbing about this question is that it supports my point about your alignment with PharmacyChecker and CIPA. I think I’ve read this one a few times from Gabe@PC, but I’m not sure I’ve ever seen anyone else ask it. In general, your blogs and arguments make it appear as if CIPA and PharmacyChecker are feeding you talking points – hence my blog about your alignment with them. But anyway – putting that aside, to answer your question, it’s a straightforward difference: Walgreens’ business strategy isn’t predicated on operating illegally. Rogue internet pharmacies’ (and CIPA members’) business strategies are predicated on operating illegally – their entire business plan centers around continuous illegal conduct. To be sure, Walgreens’ behavior shouldn’t be overlooked, but it doesn’t follow that Walgreens’ fundamental business plan relies on ongoing illegality. By the same token, if any of the “Canadian” online pharmacies wanted to start operating legally, hey – I’d be thrilled, and we’ll classify them legitimate. But "legitimate" doesn't mean I hide out offshore and pretend that I can ignore drug safety laws where I do business, or plaster maple leaves all over my website then ship drugs from some non-Canadian location. Questions for you: 1) Do you think drug safety should be regulated or unregulated? 2) Does it bother you that the drugs sold by CIPA members are usually not from a Canadian pharmacy, or often from any pharmacy at all, but are transshipped through warehouses in Barbados, Turkey and other locations as part of an unregulated supply chain? 3) If a company can readily tell that a domain name is used in furtherance of dangerous, illegal activity – let’s take silkroad-pharmacy.com as an example – is it your position that registrars, banks, payment providers, etc. should continue providing services even when they know that their services are being used for criminal activity?

Crime and punishment Gabriel Levitt  –  Mar 25, 2017 12:33 AM

John - Forget about the Internet for this one question. Should it be illegal for someone who is sick to travel to another country to obtain needed medication that is unobtainable due to price where they live -- and bring that medicine back home?

Re: Three Answers for Jeremy Malcolm (and Three Questions) Jeremy Malcolm  –  Mar 24, 2017 11:25 PM

As to your answers:

1. As you know, Strempler only became subject to U.S. law because he was physically in Miami at the time he was arrested.  If you insult the King of Thailand on your blog and then you fly through Bangkok, you might get arrested too.  Do that mean that you were breaking the law when you blogged about the king in your bedroom in Portland?  For readers who want a more impartial account of the Canada Drugs case, read here: http://www.cnbc.com/2015/08/19/canada-pharmacy-charged-in-78m-drug-export-scheme.html.

2. You didn’t actually answer the question.

3. No, I wrote my first article on this topic before I’d ever spoken to Gabe or anyone from CIPA.  After it came to their attention they got in touch with me, but once again, I wrote the two follow-up articles on my own initiative, they neither requested nor reviewed them until after they were published.

Your questions:

1. I addressed this in my last post.  I said that there may be some merit to regulating cross-border sales of medication, but there is obviously a massive conflict of interest in this being undertaken by bodies with close links to U.S. Big Pharma such as ASOP, CSIP and LegitScript.

2. No, but if securing the supply chain were your real concern, look at how this works in Europe.  Or look at the innovations around supply chain certification that are going on with blockchain.  There are lots of other ways to secure the supply chains than to cut off patients’ access to affordable medication.

3. A content host is entitled to apply their own policies and terms of service, which may in turn be determined by industry or supplier requirements.  But they should not be compelled to delete any content without a court order.  See the Manila Principles on Intermediary Liability at https://www.manilaprinciples.org.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byVerisign

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix


Sponsored byDNIB.com

Domain Names

Sponsored byVerisign