Increasingly often, I find myself writing or saying things that sound positively surreal – as if one of my college seminars on the history of the Soviet Union got mashed up with a digital dystopia. Occasionally I check the mirror to make sure I’m not wearing a tinfoil hat. Writing this article is one of those times.
I want my Bijou community to make the most informed and empowered choices possible, but I am self-conscious about sounding paranoid or extremist. For these reasons, I’ve decided to go ahead and compile my findings & recommendations into a blog post, while also substantiating my claims with “legitimate” news sources. Once the information is yours, you can decide what (if any) actions you want to take.
Due to the sensitive nature of this topic, I don’t want my position to be misconstrued, so please allow me to state very clearly – I do not support or encourage illegal activities of any kind.
let me say it again for the folks in the back:
I only support and encourage organizational and business activities which are peaceful, legal and ethical.
The topic of this blog post is how to protect your business or organization against government overreach – or more specifically, how to protect your online presence – when everything you are doing is peaceful, legal and ethical.
Although the examples I will cite are largely centered around the activities of the United States government, the topics covered here are relevant for people in many other nations.
In fact, even if your activities are completely legal in the country in which you reside and have registered your business, if you have any customers located in the United States or another surveillance state, you may very well be affected by legal practices in any country where you do business. I will cite legal precedent for this as we get further into the article.
Before citing specific cases which illustrate why the topic of this blog post is important, let me first walk you through some technical points.
When most people set up an online presence, they just think about the end result – their pretty website or their social media accounts. In reality, your web presence is the end product of a long chain of component parts. In order to protect your business, every link in the chain of your online presence must be strong. A vulnerability in any one link could allow you to lose control of your entire business.
The first link in the chain starts with ICANN – the Internet Corporation for Assigned Names and Numbers. They are a non-governmental organization whose job is to “manage the internet” – specifically, they coordinate internet protocol (IP) addresses and our global domain name system (DNS).
A typical website address might look like this:
The words after the // and between the dots are your domain name.
In this case, the “www” is the sub-domain, “example” is the second level domain, and “.com” is the top-level domain (TLD).
ICANN is responsible for deciding what words or letter sequences are allowed to be used as a TLD, and who gets to use them. Each country is assigned their own two-letter TLD (for example, .us or .uk or .fr) but there are also many abbreviations and words which are available as generic / international TLDs.
Once ICANN has decided to allow the use of a TLD, they will give permission to a company to serve as the “manager” for that domain. For example, Verisign is the company which manages the famous TLDs .com .net .edu and .gov – an important point which we will discuss below.
A private company can apply to ICANN to create and release a new TLD and then be assigned as its manager – for example, Google manages .how and .meme and Amazon manages .pay and .prime. Additionally, many private companies “speculate” on what TLDs may become popular, and exist only to earn money on licensing those domains.
For example, a company called Donuts, based in Seattle, manages the TLDs .movie and .mba and a company called MMX, based in the British Virgin Islands, manages .yoga and .surf. Want your own TLD? No problem, it will only cost you $185,000 to submit an application! (But there’s no guarantee ICANN will approve it, or assign YOU to be its manager.)
Once a company has become a manager for a TLD, it sets the price for what it wants to charge for the domain and then authorizes domain registrar companies to broker the licensing to end users. A few well-known examples of domain registrars are GoDaddy and HostGator. The domain registrar decides how much of a brokerage fee it wants to charge on top of the manager’s baseline fee, which is why the same domain can cost more to register on one site than it costs on another site.
Once you have chosen an available domain name and leased it, then you have to decide where to host your website. You can also set up customized email accounts using your own domain name, such as firstname.lastname@example.org – your website host might also offer email hosting and webmail, or another popular choice is to use G Suite (formerly Google Apps) to host your customized email on the Gmail platform.
Next, you will probably want to start building a mailing list, and sending your contacts a newsletter using a system such as MailChimp. Alternately, you may choose to reach your customers using a more sophisticated “Customer Relationship Management” (CRM) system, such as Infusionsoft, Salesforce, Hubspot or ProsperWorks.
Lastly, you’ll most likely establish a social media presence, such as a Facebook page or group.
Now that we’ve walked through the entire chain, soup to nuts, of what it takes to have an online presence – let’s go back through the list and discuss the vulnerabilities one by one, starting with your top-level domain (TLD).
As we discussed, several of the most popular TLDs such as .com and .net are managed by Verisign, a company based in Virginia, United States.
Why is Verisign’s location significant? Because if you are using a domain name ending in .com, then even if you are NOT a United States citizen, NOT residing in the United States, and your business is NOT registered in the United States, your business can still be affected by the laws and practices of the United States federal government.
Case in point: in 2012, an online sports betting website named Bodog, which was fully owned by Canadian citizens and operated in Canada – where sports betting is perfectly legal – was seized and shut down by the United States Department of Justice (DOJ). (Source: LA Times.)
Without warning and without a trial, the website suddenly went dark, displaying only a notice about the seizure along with the official seal of the DOJ & Homeland Security. In an instant, the legal business of four Canadian citizens was shut down without due process of law.
How is that possible? Because the website was using a .com address, which allowed the DOJ to petition a magistrate judge for a “seizure warrant” which they then took to Verisign, which was legally obliged to revoke Bodog’s domain registration. Without a domain, the entire chain was broken, and their website went dark.
Bodog’s story is not unique, or even uncommon. In 2008, the “Prioritizing Resources and Organization for Intellectual Property Act” (PRO-IP) was passed by the United States Congress, and signed into law by President Bush. During the administration of President Obama, PRO-IP became the legal foundation for Operation in Our Sites, which has seized thousands of domains for websites accused of copyright infringement. Notice I say “accused” not “convicted” – again, all that is necessary for the domain seizure to take place is a warrant issued by a magistrate judge.
In the words of Oregon Senator Ron Wyden, “The domain name seizure process does not appear to give targeted websites an opportunity to defend themselves before sanctions are imposed. […] I worry that domain seizures could function as a means for end-running the normal legal process in order to target websites that may prevail in full court. […] If the federal government is going to take property and risk stifling speech, it must be able to defend those actions not only behind closed doors but also in a court of law.” (Read the full letter.)
In one notable case, a popular hip-hop music blog provided links to pre-released songs which had been submitted by legitimate copyright holders for promotional purposes. The DOJ sought and received a seizure warrant, took control of the blog’s domain, and held onto it for a year before releasing it without apology or even an explanation. Court documents later revealed that the Recording Industry Association of America (RIAA) was involved with the case, and may have been responsible for “dragging out” the proceedings, causing them to last a full year. (Read more on the Electronic Frontier Foundation website.)
In another notable case, a website belonging to a Spanish company was seized by the DOJ, even after a court of law in Spain found that they did not violate international copyright law. (Source: Electronic Frontier Foundation.) One “justification” for this seizure was that the website’s discussion board contained hyperlinks to copyrighted material – obviously a very difficult circumstance for the website owner to monitor and prevent (and an awfully easy way for a website to be targeted, it’s also worth noting).
The proverbial slope, it seems, is slippery. Under the current administration, the rights guaranteed under the First Amendment have eroded even further.
Until recent times, Americans considered the act of protest to be a fundamental aspect of their culture – something not only permitted, but actually celebrated. Unfortunately, the culture has shifted considerably, making civil protestors not only socially suspect, but also legally vulnerable.
Another case in point –
A dissenting group in the United States organized a protest to take place during the current president’s inauguration in January 2017. Subsequently, the DOJ sought and received search warrants, serving both the organization’s web host as well as Facebook. Information demanded by the search warrants included:
* The IP address of every website visitor
* The contact information of website administrators
* Email content sent using the organization’s email accounts
* Photographs of thousands of people who attended the protest
* Access to the personal profiles of every person who liked this organization on Facebook
* Access to the Messenger chat history of every person who liked this organization on Facebook
This search warrant was not merely a creepy act of surveillance, it was an evidence-gathering expedition, and the information obtained from these warrants is being used in cases against more than 260 inauguration protesters, all of whom are facing more than sixty years in prison on “trumped up” charges. Although DreamHost, the California-based web hosting company served by this warrant, tried to resist, unfortunately they were compelled to hand over the information.
(Sources include Forbes, CNN, and NPR – and dozens of others if you search.)
This case began in January 2017, but facts about the case did not begin to emerge until October, thanks to a “gag order” on the court proceedings. I don’t think it is a stretch to wonder whether and how many other, similar cases are currently in process at the time of this writing, but unknown to the public by virtue of their own gag orders.
How to Take Action
So, how can someone protect their website (as well as their site visitors) from the whims of an overreaching government?
It may not be entirely possible, but I certainly intend to implement the strategy I am developing, just for good measure!
The first step of the strategy is to audit every step in my “chain” –
1-Do not select a domain whose TLD is .com, .net or any other TLD managed by a company in the United States. For that matter, you may want to select a TLD managed in a country with ironclad privacy and free speech laws.
If you are currently operating with a .com and you don’t want to confuse your customers, it’s possible to build your site on a “safe” domain and then run a domain mask or place a 301 redirect, so that your site is still “findable” to your customers or constituents.
NB: I’m making a mental note to write a post on how to maintain your search equity when using website redirects, for those who may be relying on SEO for web traffic. If you’re planning to implement a redirect before I write the blog post, please please please seek out reputable guidance, or you could botch your rankings and tank your traffic.
2-Once you have selected your domain and verified that it is available, again – choose a domain registrar in a country whose laws will protect you from domain seizure.
3-Once you have selected and registered your domain, choose your website hosting company carefully. Many companies may be based outside the United States or other surveillance states, but they may have business offices or servers located within its jurisdiction. If your data lives on a server inside the United States, then it is subject to United States search & seizure warrants.
4-Tempting as it may be to use G Suite, just don’t. Google hands over data for 94% of US law enforcement requests, which number in the thousands. (Source: Forbes.) Note that these are merely requests, not demands backed by a warrant. Again, select an email host based in a “safe” country, and make sure your email data will not be stored on a server within the United States.
5-Full disclosure, this is the point at which my strategy reaches beyond protecting against government actions with existing legal precedent (at least as far as I am aware of), and is merely seeking to protect against a logical extension of current activity. However, the email database and customer relationship history of a business or organization is its lifeblood – if this suddenly disappears, it would feel like being cut off at the knees. If you’re going to take the time to protect other links in the chain of your digital presence, why not protect this one as well, and select a newsletter management or CRM system located in a safe country?
6-Social media. Welp. There’s not a lot you can do here.
Facebook, Twitter and Instagram can and WILL shut off your account without warning and with dubious justification. You have to be aware that when you invest time and money in building a social media presence for your business or organization, you’re essentially throwing a party in someone else’s house, and you don’t make the rules. Social platforms can treat you and your guests however they want. They can kick you out whenever they want. They can allow you to build up a sizeable audience, then suddenly start charging you shocking amounts of money to continue reaching them. They can take all the data they have for not just you, but for every single person who has followed or interacted with you, and hand it right over to the government – and they might not even tell you when they’ve done it. They can and DO also sell that data to private companies. These are the rules of the social media party. You can’t afford NOT to party in their house, but you also can’t afford to be naive.
My first suggestion: tie absolutely ALL your social media efforts back to developing direct leads (email addresses and ideally mobile phone numbers as well), so that if & when your accounts go dark, you can still reach your constituents.
My second suggestion: don’t feel responsible for protecting the information of every person who interacts with you on social media. Everyone who shows up at that party is self-responsible for knowing the house rules, and choosing their behavior accordingly.
Now that I’ve mapped out the strategy, how am I going to implement it?
Firstly, I am going to choose my TLD with care. Top contenders are .is and .no – the country code TLDs for Iceland and Norway. Both countries have laws and judicial precedent coming out strongly in favor of privacy and freedom of speech. (Sources: The Guardian & Al Jazeera, as well as the Government of Norway.)
Also, neither Norway nor Iceland are members of the European Union, and therefore not subject to the “Safe Harbor” decision which deemed the United States in compliance with the EU’s Data Protection Directives. (The Safe Harbor ruling was made before recent revelations about the extent of the United States’ spying activities on European governments and citizens, but the “safe” designation has not yet been revoked.)
Lastly, although these countries do not have hostile relationships with the United States, neither are they deeply enmeshed or dependent on the United States, politically or financially, making them less vulnerable to be pressured into cooperation.
I am also considering creative options with generic TLDs managed by companies situated in similarly “strong” locations.
Once I have selected my new domain name, I am going to register it with a company based outside the United States’ sphere of influence.
I have been using New Zealand based OnlyDomains as my registrar for almost a year, since I first decided to break up with GoDaddy for reasons having nothing to do with domain seizure (and everything to do with the fact that they are just a sleazy company).
Like many divorces, this has been an expensive endeavor, and it’s taking far longer than I’d like.
Expensive why? Because when you register a domain, usually you pay $10-$20 per year (sometimes much more), and possibly you’ve registered your domain for up to five years in advance. If, like me, you’ve registered dozens of domains for multiple years, then it’s not going to be fun to lose your investment by re-registering them all again with a new company, and paying for them a second time when you make the move.
I opted to save some money but to drag out the divorce – meaning I moved my most crucial domains to OnlyDomains immediately, and then I waited for each remaining domain to come up for renewal before moving it away from GoDaddy (when I’d have to pay for them again anway).
Now that the year is nearly done and I only have three domains left to port over, it’s fairly annoying to think about moving away from OnlyDomains to another company.
New Zealand IS a “strong” choice for all the same reasons that recommend Iceland and Norway, but they appear to have a corporate office in Washington, DC as well as several North American servers. Before deciding to stick with them or to move away, I am going to do further research and verify their policies and actual business locations.
In the meantime, I have been looking for alternative companies, and I have found one located in Iceland called “OrangeWebsite” that appears to cater to an international audience looking to move their data to a “safe haven” location. One of the things I like about them is that they request minimal information from you, and don’t store any more personal data than they have to – meaning that even if an Icelandic judge decided to honor a search warrant from the United States, OrangeWebsite simply would not have much information to hand over, anyway.
Another contender for my business is RunBox, based in Norway – but unlike OrangeWebsite, they also have servers in the United States. They claim you can request to keep your data stored exclusively in Norway, but I am curious to know whether a private company would really risk its ability to continue doing business in the United States, just to take a moral stand and protect a customer’s privacy, free speech and property rights. I’d like to think the answer is yes, but I am also cynical enough to wonder if that’s a bet I’m willing to make.
It’s important to note that all three of these companies offer almost everything I need for my online presence: they offer domain registration, website hosting, AND email hosting.
Which leads me to my next dilemma: deciding which web host to use.
I have been using SiteGround, based in Bulgaria, for two years, and I absolutely adore them. SiteGround has a user-friendly website, amazing customer service, great hosting options with great prices (and no tricksy upsells), exceptionally better site load time & very little downtime (compared to hosting with GoDaddy, where my sites were slow as molasses and blinking out literally every week).
I love SiteGround, and I truly don’t want to leave them. However, they have a data center in Chicago, and even if I opt to have my data moved to their servers in Amsterdam, with no data protection policy in place there’s no way for them to guarantee me they won’t mirror my content on their US-based servers (a common practice called “redundancy” which usually protects data, but which in this case ironically could hurt it).
SiteGround’s data protection policy –
Versus OrangeWebsite’s policy –
Totally different vibe, right?
Additionally, Bulgaria is both a member of the European Union as well as a much closer partner with the United States than, say, Iceland, making me think Bulgaria may not wish to evoke the ire of the United States by refusing to comply with a search or seizure warrant.
As with hosting, I am similarly crushed beneath the weight of realizing I need to transfer my Bijou email away from G Suite and over to a protected company. (What the bleep am I going to do with my Drive folders and documents?! Weaning myself off the Googlehol will not be easy.) Of the options, RunBox appears to have the strongest email service – but again, it’s a dilemma to me whether to trust a link in my chain to a company with any kind of business presence in the United States.
Lastly, I need to make a decision about my newsletter database and CRM system. I’m so in love with the simplicity and ease of use provided by MailChimp, which is perfect for my business right now – and when I am ready to upgrade to a CRM system, I know and love Infusionsoft as well, and have always imagined they would be my next choice. Alas.
The good news is, I have found a company called SuperOffice, based in Norway, which offers an “all in one” CRM with marketing email campaign capabilities built in. I am definitely excited to sign up for a free demo and see what their system is like to use. At only $55 per month, they are significantly less expensive than Infusionsoft – so I am very curious to see how their capabilities stack up (the website looks promising).
1-Choose a domain with a safe TLD
2-Register your domain with a company based in a safe country (this protects your email as well as your website)
3-Host your website with a company based in a safe country
4-Host your email with a company based in a safe country
5-Choose an email marketing or CRM system based in a safe country
6-Social media, use at your own risk
Contender for step 5:
I hope it is abundantly obvious, but just in case it’s not, let me conclude: nothing in this blog post is intended to promise or guarantee an outcome, nor was it intended to provide legal advice. As is the case with any business practices you choose to implement, you select and use any of these strategies at your own risk.