In the prior issue of CircleID, I described registrations by John Zuccarini. Many of Zuccarini’s registrations are typographic variations on well-known domain names, and Zuccarini typically redirects users to sexually-explicit content and pop-up advertisements. Despite scores of UDRP claims and ACPA suits, plus a major case brought by the Federal Trade Commission, Zuccarini’s registrations remain in effect—more than 5,000 strong, in my research.

Too Little Law

That Zuccarini’s domains remain operational reflects a problem we might call “too little law”—that numerous attempts at law enforcement have failed to effectively constrain Zuccarini’s registrations. There are at least two independent reasons why the law has come up short.

First, some of Zuccarini’s registrations remain in effect because a provision written into the UDRP has allowed Zuccarini to suspend enforcement of certain rulings against him: UDRP rule 4.k lets a registrant challenge a UDRP decision by filing suit in a court of his registrar’s jurisdiction. In other contexts, this rule is both helpful and appropriate, for it properly subjects the UDRP to national law. But when Zuccarini invokes rule 4.k, he causes a considerable expense for the claimant who had brought a UDRP against him: Not only must the claimant re-prove its case before a judge, after having already done so before the UDRP panel, but it must also conduct this case in the potentially-inconvenient and costly jurisdiction of the registrant’s registrar—in Germany, for most of Zuccarini’s domains. Inevitably, some claimants will decide that, despite the merits of their claims, pursuing the cases is not worth the increased time and expense.

Second, the geographic location of a controversial registrant may stop even the most powerful of judicial systems from reaching that registrant. FTC staff decline to discuss the specific details of their case against Zuccarini, but the FTC has not succeeded in disabling his many registrations, as the court’s order demands, nor has it collected the $1.8 million payment ordered by the court. These difficulties may result from Zuccarini’s reported move to the Bahamas—for while the US does have an extradition treaty with the Bahamas, extradition can be costly in time and manpower, and the administrative complexities of this process often cause delay. Moving to the Bahamas may not stop the wheels of justice forever, but for Zuccarini this move has already been successful for nearly a year.

Too Much Law

Zuccarini’s many registrations remain operational—arguably demonstrating law’s failure to address a problem many might expect it to handle. But not all domain name questions escape the law. Indeed, other recent events suggest that the law sometimes goes too far. Of particular concern are two sets of situations in which a country’s law enforcement efforts reach far beyond its borders.

Just last month, German registrar Joker.com received a complaint from a German prosecutor as to ogrish.com, a domain name registered by a Joker customer. The ogrish site offered images of medical examinations—gruesome content arguably prohibited under German law. In response to the complaint, Joker suspended ogrish.com, temporarily disabling the site. Perhaps this is to be expected: Joker is a German company, and its customer was allegedly violating German law. But a mere complaint need not trigger a domain name’s suspension. In the German legal system, as elsewhere, sanctions typically follow a more formal process, complete with judicial oversight and a right of appeal. For Joker to give in without this procedure denies its customers the procedures guaranteed under German law.

In response to Joker’s acquiescence, Ogrish can take its business elsewhere, and indeed it has already done so. Germany has less influence on Ogrish’s new US-based registrar, and for practical purposes the domain may now be safe. But if Ogrish were alleged to violate American law, the site could not so easily escape US jurisdiction: Whatever registrar Ogrish chooses, its .COM name will still use Verisign’s registry services, and Verisign is an American company subject to American laws. There is therefore an asymmetry between the United States and other countries: No matter what registrar non-Americans choose, they cannot avoid doing business with an American registry if they register in the popular .COM, .NET, and .ORG domains. This threat is more than speculative: With US embargoes on Iraq and Libya, there is arguably no legal way for a citizen of either country to get a .COM, .NET, or .ORG name. Mere weeks ago, it might have sounded paranoid to fear the US blocking or seizing domain names. But with the Department of Justice’s recent seizure of several domain names, law enforcement through the domain name system seems an increasingly real possibility.

US law enforcement agencies have abilities that others lack thanks to large US-based registries and registrars, which indirectly result from initial American sponsorship of the development of the Internet. But such sponsorship does not require, as a matter of logic, that the US government retain special law enforcement abilities that other countries lack. Neither is it necessary that any country’s law enforcement be able to reconfigure or disable domain names without the procedural due process ordinarily associated with the criminal justice system. As law enforcement staff become more skillful at persuading registrars and registries to do their bidding, domain name service providers, policy-makers, and end users ought to reconsider service providers’ responses to informal law enforcement requests. If companies submit too quickly, without appropriate regard for their customers’ rights, serious mistakes may result and the system may come to be viewed with great distrust. A more formal dispute process would better assure correct results, and results that more people recognize as fair.