RIPE is the FIFA of the Internet and it Enables Europe’s Internet Crime

This is a guest post  (translated from German) by Volker Rieck.  Mr. Rieck has spent considerable time investigating Private Layer a web hosting company that seems to be favored by many copyright infringing sites. Unfortunately Rieck’s investigation has been stonewalled by the quasi governmental organization RIPE.   

According to Wikipedia: “RIPE or The Réseaux IP Européens Network Coordination Centre (RIPE NCC) is the Regional Internet Registry (RIR) for Europe, the Middle East, and parts of Central Asia. It is headquartered in Amsterdam.”

Ostensibly RIPE gets its authority from ICANN which in turn used to get its authority from The US Department of Commerce via NTIA. That changed at the end of the Obama administration.  ICANN is more less independent now but is supposed to consult closely with government.  Since ICANN has (swank) offices in Los Angeles, we would hope that “closely consulting with government” would include US government.  Including the US Trade Representative. 

Alas, like so many poorly governed international organizations ICANN/RIPE is quickly showing signs of  arrogance and unaccountability.  After reading Rieck’s report I would argue that RIPE is corrupt. They are clearly  transmitting fraudulent information to the public. When the error was pointed out they did not correct it. Thus they are complicit. So it is fair to ask, is RIPE the FIFA of the Internet?  Who knows. We will never know unless someone with authority looks into it. There is no way that rights holders can force RIPE to properly follow their own rules.

However the United States Trade Representative could surely ask the US Department of Commerce/NTIA to look into it.  Aren’t they across the hall? If that doesn’t work why not The Justice Department? Certainly the following questions need to be asked by federal authorities: What part of the RIPE charter allows you to keep in good standing members that provide false public information?  What kind of public interest organization thinks it’s their “duty to provide the public with fake registration data?  What part of your charter mandates you protect members clearly involved in mass copyright infringement? You guys are either total idiots or criminal enabling scumbags: which is it? 

Tweet this at staff of US Trade representatives and Department of Commerce and/or NTIA. Rights holders should exercise their 1st amendment rights and loudly protest this blatant failure of governance. You are the victim. Don’t let them get away with it. 

-David Lowery

++++++++++++++++++++++++++++++++++++++++++

Internet self-government á la RIPE: A paradise for criminals

By Volker Rieck

Every year in January, the office of the United States Trade Representive (USTR) publishes a list of the worst offenders on the Internet for the past year. This concerns both haptic goods, i. e. counterfeits, replicas, etc. and infringements of intellectual property rights in the form of the non-regulated distribution of films, books, music, software, apps, etc.

The list includes names like the Chinese e-commerce giants Alibaba and Taobao, but also websites like Movie4k, Libgen, The Pirate Bay or Openload.

Contributors to the list include associations such as the Motion Picture Association of America (MPAA) on behalf of the US film industry or the Recording Industry Association of America (RIAA) on behalf of the US music industry.

The role of the RIPE NCC Internet self-administration system will be highlighted here.

Groundhog day

The name of one particular host provider has appeared on the USTR list year after year: Private Layer from Panama or Switzerland. In this respect, the report is not all that clear.

This company provides server space and bandwidth to other “companies”.

According to the USTR report, Private Layer’s “customers” in 2017 included sites such as 1337x. to or primewire.ag. Other sites using the services of Private Layer include youwatch.org, firedrive.com or sockshare.com. All of these are sites that violate the rights of third parties.

The USTR report contains a note about Private Layer to the effect that the operators act more or less anonymously and do not react to information about rights infringements, and that Private Layer’s customers act in the same way.

A closer look at the company therefore appears worthwhile.

Private Layer is a member of RIPE NCC (Réseaux IP Européens), one of five organisations worldwide that are primarily responsible for the allocation of IP addresses and so-called Autonomous System Numbers (ASN). Without such autonomous systems and IP addresses, accessing the Internet and individual websites would be impossible.

The area in which RIPE NCC effectively acts as an arm of the Internet self-government ICANN includes Europe and parts of Asia.

It does not include Central and South America, which fall under the aegis of its sister organization, LACNIC.

Nevertheless, a company such as Private Layer from Panama can become a member of RIPE NCC, receive an Autonomous System Number (ASN) and assign IP number ranges that it has previously received from RIPE NCC.

A question to RIPE NCC as to why a Central American company can do business in Europe so easily with the help of RIPE NCC was answered after several e-mails: if a company has activities in Europe, it can also become a member of RIPE NCC.

So far, so logical. But to think that the Panamanian company is running a data center in Switzerland would be to set oneself up for a disappointment: while the address in the RIPE NCC database indicates a location in Zurich, this is merely the address of a letter distribution center. In German law, a PO box cannot be the registered office of a company. And by any understanding, a post box is most certainly not a data center.

Photo: Company location of Private Layer regarding the RIPE NCC Database
© Christian Buetighofer

A visit to Panama

If the company has no registered office in Switzerland, then the company should be located at the Panama address RIPE has recorded.

But even here it cannot be found. A personal visit to Panama in 2015 at the address given by RIPE NCC led to an office building, but no Private Layer Inc. company could be located there. There was no Private Layer office on the 17th floor, no mailbox and no Private Layer bell button.


Screenshot: Official company information of Private Layer at RIPE NCC in 2015

The way to Zurich

RIPE NCC does not operate a so-called GEO IP database. But other services like Maxmind from the USA do. Such a database can be used to determine where the data center assigned to a specific IP is located.

In the case of Private Layer, this is actually Zurich, but not the PO box mentioned above, but one of the Zurich branch offices of the US company Equinix Inc. where Private Layer has either rented servers or space for its own hardware in Equinix’s data center.

So Private Layer uses the infrastructure of Equinix.

The role of Equinix will not be discussed further in this context.

Everything has a price

Let’s have a look at the price list of Private Layer. The smallest server there costs 89 US dollars per month. The servers on offer are not exactly up to date from a technical point of view. They have a processor that Intel introduced to the market in 2010, and it is therefore difficult to compare the server rental price with those of competitors: finding vendors with such outdated hardware is not easy.

Screenshot: Website of Private Layer with server offers in February 2018

In Germany servers with about 4–6 times the performance (better processors, more memory etc.) can be rented for less than half the price. So it is not the ruinously expensive price point that explains why Private Layer has been able to remain operating in the market for so long.

Private Layer’s selling point is, rather, explained by the USTR report: Private Layer offers a so-called hidden feature. The company’s own operators are anonymous, and Private Layer guarantees the same anonymity and uncontactability to its “customers”.

Private Layer’s customers shy away from the public eye. Nearly all of the WhoIs entries (showing who runs the domain) of the sites hosted at Private Layer have been obscured by special WhoIs services. Attempts to reach the site operators in cases of rights infringements only ever lead to a contact form, never to the operator or even to any company at all.

But the route via the renter of the servers, Private Layer, is also a dead end. As described above, the company’s registered office is either a PO box in Switzerland or a non-existent address in Panama. Documents cannot be served with return confirmation of receipt, and nobody can be reached.

So Private Layer is an attractive proposition for those willing to pay far above the market rate for a weak server in exchange for being able to carry out their business undisturbed and without having to worry about unpleasant investigations.

All fake – we don’t give a damn

How can a non-existent company with a PO box in Zurich become a member of an organization (RIPE NCC) that is responsible for the smooth operation of the Internet?

A company whose business purpose is to provide infrastructure and protection for those who violate rights?

This is exactly the question we put to RIPE NCC. The answer we received is astonishing.

Of course RIPE NCC attaches great importance to accurate data. However, a distinction is made between the member data (i. e. internal and highly private data) and the contact data shown externally.

Accordingly, the internal data is checked by comparison with official company documents.

For external data, the RIPE NCC member only has to observe one thing: an address and an e-mail address must be given. Neither are verified, and RIPE NCC emphasizes that it is not possible to ensure that members also respond.

Screenshot: Fake data of Private Layer at RIPE NCC at the 7th of February 2018
Telephone calls useless – no response, e-mails were ignored, the postal address is a joke

In cases of obviously false data, RIPE “can” contact a member for clarification – with the emphasis on “can”.

Only if a member does not reply or if data proves to be incorrect “can” RIPE NCC exclude it according to its statutes – again with the emphasis on “can”. According to its own statements, RIPE does not see itself in a punitive role: it only wants to provide data. It doesn’t really matter what the quality of the data is. On request, it was emphasized that a person reporting abuse has no entitlement to be informed about the further progress of the case.

Nor do law enforcement agencies fare much better in their quest for information. In a separate section on the website, RIPE NCC explains that only public information is shared in response to enquiries from LEA (Law Enforcement Agencies), because the privacy of members is important. As is clear from the example of Private Layer, this information is fake and therefore worthless, quite apart from the fact that these fakes can be viewed in the RIPE NCC database at any time.

Further information would not be released without a court order or another official order. According to Dutch law, of course. As stated on the RIPE NCC website:

“In such cases, the RIPE NCC strives to protect the interests of its members and will not provide any confidential or private information to LEAs without a court order or other legally enforceable order or request under Dutch law.”

In the case of EWEKA, a court in Northern Holland has ruled that RIPE NCC would also be obliged under Dutch law to surrender the owner’s information in the event of copyright infringements without a court order.

It is plain that the diffusion of responsibility prevails at every level from top to bottom.

The victims are the rights holders whose rights are infringed on a daily basis and who have little chance of defending themselves against this, because deception and trickery are rife at every level.

Conclusion

The time has come to look more critically at the role of Internet self-government and at self-regulation through ICANN/RIPE NCC. The way in which this is managed creates almost lawless spaces that are a dream for every criminal. The example of Private Layer proves this conclusively and is unfortunately not an isolated example.
(In 2016, RIPE received 374 Abuse Reports in total (p. 19 RIPE NCC Annual Report). These have apparently had no consequences; most of them are still under investigation.)

Instead of doctoring the symptoms of undesirable developments on the Internet, their root causes should be analyzed and clearly regulated. Just as in the analogue world, where even a small market stall at a weekly market needs to have a clearly identifiable proprietor.

Imagine a situation involving the sale of contaminated food in which the market owner refused to release the data of the seller citing his own rules and the privacy of the seller.

On February the 13th 2018,7 days after the announcement at RIPE NCC, completely wrong data about Private Layer will continue to be published there.

The legislature should ask itself why it allows the most basic rules of the Internet to be determined by a network of non-democratically legitimized institutions that go so far as to cooperate actively in facilitating violations of the law.

Volker Rieck is Managing Director of the content protection service provider FDS File Defense Service. His expertise in the area of Internet piracy is widely recognized. FDS regularly works on studies relating to issues around piracy. It also supports law enforcement authorities with its data.

About Dr. David C Lowery

Platinum selling singer songwriter for the bands Cracker and Camper Van Beethoven; platinum selling producer; founder of pitch-a-tent records; founder Sound of Music Studios; platinum selling music publisher; angel investor; digital skeptic; college lecturer and founder of the University of Georgia Terry College Artists' Rights Symposium.