[ELECTRON] hosting WikiLeaks mirrors - don't try this at home

[Simon Yuill]

Hi,

Got this rather topical email from my hosting provider today which casts
some light on the practical-legal-political life of web servers. It's a
bit long so if you just want the 'interesting' bits scroll down to the
"Risks to your domain name" section near the bottom.

best wishes
Si



*** START ***

Hi,

I've had a few people ask about hosting WikiLeaks mirrors at BitFolk
and whether it is allowed.

These are my thoughts on the subject at the moment. Depending on how
things go they may have to change.

- TLDR version

This is very risky; we recommend you do not do it. Also if you did
do it, UK is not a very good place to do it from. If you feel you
must do it, please read the rest of this email.

- Risk of DDoS

Hosting contentious material such as a WikiLeaks mirror can (and
has) drawn denial of service attacks. If you are the subject of a
denial of service attack then our policy is described here:

http://bitfolk.com/policy/netabuse.html

Should such a mirror hosted at BitFolk become subject of a large
denial of service we would need to ask our upstream to ask their
upstreams to blackhole the IP address of the mirror. This would not
be instant and the traffic received in the meantime would be
chargeable. We would also require you not to put your mirror back up
after the attack stops.

This could result in a bill of thousands of pounds to you.

- Risk of UK government intervention

This is not legal advice, but it is my experience that should UK
government find an interest in knowing who you are and/or stopping
you from doing it then all they have to do is get a court order or
section 22 notice under the Regulation of Investigatory Powers Act.
As a UK company we are legally obliged to act on these and may not
be able to tell you that one has been received.

- Risk of libel action

This is not legal advice, but it is well known that UK has an
extremely harsh libel system that makes it very difficult to publish
information about people that those people do not like. Should you
publish something (say, in a WikiLeaks mirror) that says something
about an individual or company that they do not appreciate being
published, then they may decide to sue you.

If that were to happen, we would ask you to remove the information.
Even if you believe that the information is true, we would ask you
to provide a large (tens of thousands of £) deposit to cover our
possible legal costs should you decide you want to prove the truth
of the statements in court.

Does this mean that anyone with enough money can stop you
publishing, via a cheap UK hosting account, things they don't like?
Yes unfortunately it does, but that is how UK libel laws work, and
there is no UK hosting company that will let you continue to publish
such things once they have received a notice of action for libel,
unless you indemnify them.

- Risks to your domain name

Top level domains in com/net/org are operated by Verisign, a US
corporation. As such they are required to obey US law. As a
consequence of the PATRIOT Act it is possible for the US government
to hand Verisign a sealed, secret court order requiring them to
suspend services. This has been done before for sites that are
alleged to assist in the sale of counterfeit goods and illegal
distribution of copyright material.

The effect of the above happening would be that your domain name
stops resolving and you can't work out why, and neither can your
registrar.

They may not even need to go that far as Verisign may choose to
react on a mere *request* from their government, and if they don't
then your registrar may decide to act upon a *request* also.

- In summary

Given all of the above, I believe that hosting a WikiLeaks mirror on
a BitFolk VPS is one of the more risky things you could do. I
personally would not do it and would not recommend doing it. I also
think that any UK host is a poor choice for such a mirror and the
resources would be better sent elsewhere. If despite all of the
above you still want to do it, so be it.

Should the risks get worse, for example if the encrypted file that
WikiLeaks have been distributing as insurance has its key released
and mirrors start getting overloaded or attacked, we might need to
change our policy on this to "absolutely do not do this".

Cheers,
Andy

*** END ***