On Twitter: @JamesFirth and @s_r_o_c (post feed)

Got a tip? tip@sroc.eu

Friday, 27 January 2012

A close examination of the US claim of jurisdiction in the O'Dwyer extradition

Last few times I raised this it caused a storm on Twitter from people telling me Richard's legal team had to focus on dual criminality.  

I am only trying to augment - not dilute - the discussion.  I know and understand there are various angles of defence.

It is very important to make clear I have not been party to any information not already in the public domain.

I am aware of sub judice implications and have carefully considered these points. I am discussing only the application of the Extradition Act 2003 and related proceedings which do not involve a jury, and this in itself could not possibly prejudice any UK trial of Richard on charges under the Copyright, Designs and Patent Act 1988.

Please also note I am not in full possession of all the facts.  My analysis is limited to the apparent claim by the United States to jurisdiction over all websites hosted on subdomains of .com and .net.  There may be other factors in the extradition I am not aware of that affect this analysis.

The claim under S.137(2) of the Extradition Act 2003

In a hearing at Westminster Magistrates Court, Judge Purdy refers to S.137(2) of the Extradition Act 2003 in sections 4 and 7 of his ruling (pdf).  The text of the act states:
137 (2) The conduct constitutes an extradition offence in relation to the category 2 territory if these conditions are satisfied—
(a) the conduct occurs in the category 2 territory;
(b) the conduct would constitute an offence under the law of the relevant part of the United Kingdom punishable with imprisonment or another form of detention for a term of 12 months or a greater punishment if it occurred in that part of the United Kingdom;
(c) the conduct is so punishable under the law of the category 2 territory (however it is described in that law). 
From (a) it is clear that this section only applies if the alleged conduct occurred in the category 2 territory, i.e. the United States.

From the ruling text is seems undisputed that Richard was physically located in the UK and his servers in Holland, but we know from the Gary McKinnon case this in itself isn't enough to prevent extradition.

However there are significant differences from McKinnon.

Victim residence fallacy 

There is no US "victim", and even if there was, this wouldn't matter in the case of copyright infringement.

It's clear from the letter of the Extradition Act that the only issue to address is where the alleged illegal conduct occurred.  Whilst I'm also sympathetic to the McKinnon case, there is no legal parallel with O'Dwyer because of the very different nature of the alleged conduct.

Whilst the MPAA or any other organisation representing American rights holders might like to claim the copyright in the works of US artists is being infringed (they usually say stolen), this is absolutely irrelevant to the proceedings.

Copyright law is territorial and the precise rules, statutory licensing regimes etc vary country by country.  Therefore, even if US organisations suffered, since Richard was based in the UK, the only possible copyright rules applicable are UK laws.  This isn't as harsh on US victims of copyright infringement as it sounds because they are free to seek redress through the perfectly adequate UK justice system.

Furthermore even if you could argue (and you can't, just to be clear) that copyright was an offence punishable in the territory of the victim, the wording of the Extradition Act makes extradition impossible.

Consider a simplified analogy using physical goods to highlight this point.  A copyrighted work was imported into the UK by a third party with no intention to infringe copyright.  The defendant then acquired the work and communicated it to the public contrary to S.107 (2A) of the Copyright, Designs and  Patents Act 1988.

In this simplified analogy, the offence in question is "communicating the work to the public", not obtaining a copyrighted work from a US-based rights holder; and clearly, referring back to S.137(2)(a) of the Extradition Act 2003, the "conduct" occurs in the United Kingdom so no extradition would be possible.

DNS misconceptions

It is unclear how criminal "conduct" is alleged to have occurred "in the category 2 territory" simply because Richard O'Dwyer hosted his website TVShack.net using .net, a US-administered Top Level Domain (TLD) and I don't see this issue examined in Judge Purdy's ruling.

Perhaps shedding some light on the rationale, an article in the Guardian quotes US Immigration and Customs Enforcement (ICE) deputy director Erik Barnett arguing all web content hosted on .com and .net domains fall under US jurisdiction.  This itself is an amazing claim with many ramifications; but, sticking to the specifics of the claim the Guardian quotes Barnett:
"As long as a website's address ends in .com or .net, if it is implicated in the spread of pirated US-made films, TV or other media it is a legitimate target to be closed down or targeted for prosecution" Barnett said. While these web addresses are traditionally seen as global, all their connections are routed through Verisign, an internet infrastructure company based in Virginia, which the agency believes is sufficient to seek a US prosecution. 
Firstly there's a factual error in the above quote.  Use of a US-based registry does not cause "connections" to be "routed" through US territory.  The wording Barnett used opens up the notion that copyrighted content hosted on .com and .net TLDs is actually flowing through Virginia.

"Routed" implies copyright-infringing material hosted on .com and .net domains is forces to pass through US territory. It does not. Categorically and absolutely the choice of Top Level Domain does not itself cause content hosted on any website to be "routed" through US territory.

DNS, Domain Name System, is a linking system, linking domain names to IP addresses.

Once the IP address has been established, content flows via the quickest route possible between the web browser and the web server.  The exact route is non-deterministic and can vary from request to request based on load etc.

Secondly, because the Domain Name System is both hierarchical and geographically distributed, there's no guarantee that visitors to a .net or .com website will have any contact with servers based on US territory.

In fact it's highly unlikely that any UK-based visitor to a .com or .net website hosted in Europe will have any direct contact with US-based servers, by far the vast majority will use a local DNS proxy.

Additionally, even the small minority of visitors to an EU-hosted .com or .net website not using a DNS Proxy are highly unlikely to come into contact with a US-based server, although this likelihood alters depending on the specific DNS Server Provider chosen by the site owner.

Even Verisign, noted by Barnett, uses geographically distributed servers.

To put this another way, if every web server on United States territory could be isolated or switched off, .net and .com websites hosted in Europe would be unaffected indefinitely. (So long as they hadn't chosen to use a US-based  DNS Server Provider with no overseas mirror - most providers have geographically distributed mirrors.)

How DNS actually works

DNS is hierarchical and distributed. 

Hierarchical because it is divided at each level into sub domains, with no theoretical limit on this subdivision.  

DNS consists of records and servers.  Organisations using DNS are broadly described as registrys and operators, although I only make the distinction between a registry and an operator for ease of explanation. 

A registry is a body responsible for administering the ownership of sub domains it controls.  A public registry sells sub domains.  It can delegate the sale of sub domains to other organisations known as registrars but this is not relevant.

A  DNS server can be operated by, or on behalf of, a registry or an operator. 

A server supplies a DNS record for each sub domain on demand.  If the sub domain is not the end of the chain, the requester is then forced to do the same for the next registry in the chain, and so on, until the server for the site operator is revealed.

Note: DNS records do not provide a direct link to the next server in the chain.  This is of critical importance to Richard O'Dwyer because, as a side effect of this quirk of DNS, the entire .net domain became a domain of global importance

There is no technical reason for the servers for a registry to reside in the same country the registry is located and many registrys use globally-distributed servers to speed up access times and reduce international traffic.

DNS is globally distributed. Resolving a domain name is a multi-stage process which is highly unlikely to involve contact with a US-based server for e.g. Europe-based visitor to a website hosted in Europe, irrespective of the choice of Top Level Domain.

.net is a special case, making it truly global.  

The historical global importance of .net and why .net is demonstrably and provably a truly global domain today

Erik Barnett's assertion (quoted in full above) "while these web addresses are traditionally seen as global..." belies the technical reality that .net is a truly global domain.  Barnett is wrong.

Missing from the preceding section is a description of the first link in the DNS tree, the starting point to the hierarchy.  

This is called the root zone and is of global importance, as it subdivides the internet into regionally administered "country codes" falling under the jurisdiction of each country, e.g. .uk for UK, .fr for France, etc.

No sovereign nation wants to be at the mercy of another sovereign nation for the provision of internet services in that country, and as a consequence 13 independently-operated root name servers deal with the basic subdivision into Top Level Domains (TLDs).

Each Top Level Domain then operates independently of any one sovereign nation, reliant only on the jointly-owned root zone.  

Note that each of the 13 root name servers is not a single computer, but instead is formed of a cluster of computers.  A map of the global distribution of the root zone is available at root-servers.org and is reproduced below to show the global distribution:
DNS root name server locations, courtesy of root-servers.org and Google Maps
As I mentioned above, when traversing the hierarchy, each DNS server in the chain provides a record with only an indirect link to the next in the chain, ie. it doesn't provide an actual IP address for the next link.

Instead it provides a domain name, (or, usually, a list of domain names).  These are exactly identical to the domain names used to access a website, e.g. slightlyrightofcentre.com, only the domain name is used not [just] to host a web site but to find the next DNS server in the chain. 

Now herein lies a catch.  With the exception of the root zone, to resolve a domain name requires DNS. Traversing a hierarchical domain name within DNS requires DNS.  DNS is dependent on itself!

To manage this self-dependence it was decided - by historical design or by accident - to put all the really important servers, such as root zone servers, on the .net domain.

As a consequence .net took on global significance, and because of this significance it was decided .net should be administered from the same servers serving the root zone.  

Whilst not all critical infrastructure is hosted on .net today, the fact remains that .net is still administered from the root zone.  It is today a truly global domain and the above map of the DNS servers running the domain proves this.  

Because it is a global domain, completely isolating the internet infrastructure of any one country, or even a large group of countries, will not prevent the domain itself operating, and any service hosted in a country unaffected by the isolation will continue to be available, even for a prolonged isolation.

The above can be observed/verified on unix machines using the command: whois net

The same is not true from a TLD operated by a country, e.g. whois uk a shows the .uk domain is administered by Nominet, a UK organisation.

So there is actually more ground for the UK to claim jurisdiction over websites operating on a sub domain of .uk than there is for the US to claim jurisdiction of .net.

Incidentally .com is also served from the DNS root name servers because of the global significance the domain acquired in the early days of the internet.  

Implications on jurisdiction

If it can be argued Richard was outside US territory, S137(2) of the Extradition Act no longer applies by virtue of a failure of the condition S137(2)(a).

Instead, S.137(3) could apply, if:
137 (3) The conduct also constitutes an extradition offence in relation to the category 2 territory if these conditions are satisfied—
(a) the conduct occurs outside the category 2 territory;
(b) the conduct is punishable under the law of the category 2 territory with imprisonment or another form of detention for a term of 12 months or a greater punishment (however it is described in that law);
(c) in corresponding circumstances equivalent conduct would constitute an extra-territorial offence under the law of the relevant part of the United Kingdom punishable with imprisonment or another form of detention for a term of 12 months or a greater punishment. 
You will note a slight difference in the wording of the criteria that the conduct would constitute a UK-based offence. S.137(3)(c) requires the conduct to "constitute an extra-territorial offence". 

This I believe is significant, as to the best of my knowledge S.107(2A) of the Copyright, Designs and Patents act is not an extra-territorial offence.  Legislation states clearly where this is the case, e.g. S59 of the Terrorism Act 2000 which I know to be an extra-territorial. If you have access to a legal library I'm told Archbold 2-36a-2-83 contains a full list of extra-territorial offences.

If the jurisdictional claim over .net could be challenged and there are no other circumstances I'm not aware of affecting jurisdiction plus there's no obscure case law defining "conduct" in copyright it appears as though Richard cannot be extradited as I found no other section of law allowing it. Disclaimer: I am not a lawyer!


  1. Charles Oppenheim28 January 2012 at 11:36

    I cannot comment on the DNS question because of my lack of technical knowledge. Where I think the criminal liability lies is in Section 107(1)(d) of the CDPA, in that the defendant allegedly in the course of business exposed for sale or hire an article which he knew, or had reason to know, was infringing. We know he did this in the UK. The key question is whether he was running a business in the USA. I don't think so! To sum up: I have no sympathy for someone who does as O'Dwyer is said to have done. But I think he should be prosecuted in the UK under 107(1)(d) and NOT extradited to the USA on dubious grounds.

  2. Thanks Charles. As I've said in email to some people:

    "In my blog I'm not arguing whether Richard is innocent or guilty under the eyes of UK law and I'm not arguing any moral case about copyright. I'm simply saying the law does not and should not support extradition in such cases."

  3. @James Firth: indeed, but the extradition treaty between the US and the UK is highly asymmetrical, making it difficult for UK judges to refuse US requests event though US judges are under almost no obligation to extradite US citizens. So one defence must necessarily be that no actions took place on US territory.

    The US government must be made to understand that the .net and .com domains are not "territory" even in the most specious reaches of the imagination, and there is no necessity for such domains to have any connection with the US.

    Recent history shows that the US is increasingly unwilling to subject its citizens and its elected and unelected officials to international law. This will probably only end after trials in the Hague, since US behavior becomes more warlike and criminal. Being past peak oil is unlikely to improve US behavior, and it's only a matter of time before the Strait of Hormuz becomes "America's back yard".

    So we have to explain to them that the Internet doesn't work the way they think. Sadly even exculpatory evidence in the UK can, and sometimes must, be ignored in making extradition decisions.

  4. Thanks Steve. Whilst what you say about asymmetry in the Extradition Act is right, I believe UK courts still have a role to play in examining the territorial position as clearly described in the Act, so I hope in this case the asymmetry won't affect the UK court's ability to act independently.


Comments will be accepted so long as they're on-topic, do not include gratuitous language and do not include personal attacks or libellous assertions.

Comments are the views of the commentator and not necessarily the view of the blog owner.

Comments on newer posts are not normally pre-moderated and the blog owner cannot be held responsible for comments made by 3rd parties.

Requests for comment removal will be considered via the Contact section (above) or email to editorial@slightlyrightofcentre.com.