The Background Dope on DHS Recent Seizure of Domains

As has been reported, it looks like ICE, which is the principal investigative arm of DHS, has begun seizing domains under the pretext of IP infringement. But it’s actually not ICE who is executing the mechanics of the seizures. It’s a private company, immixGroup IT Solutions. Here is what is going down.

In May of this year, immixGroup IT Solutions is awarded a one year IT Services contract with DHS. The particulars of this contract:

Under this new contract, immixGroup will provide information technology operational services and support, implementation, and maintenance of DHS ICE C3’s software applications, network and CyberSecurity systems, as well as the maintenance and enhancement of applications that support law enforcement activities.

The contract includes one base year, one 12-month option period, and two six-month option periods; covers all four divisions of C3 (Child Exploitation, Cyber Crimes, Computer Forensics, and Cyber Training); and is critical to C3’s pursuit of criminal activity. immixGroup’s services in this effort include network maintenance, application development and support, forensic lab assistance, data storage maintenance, and information assurance.

On November 24th, immixGroup IT Solutions registered the domain SEIZEDSERVERS.COM, and primary and secondary nameservers, NS1.SEIZEDSERVERS.COM, NS2.SEIZEDSERVERS.COM, with Network Solutions, which is the registrar for this domain. Since the DHS contract is provisionally for one year only, the domain was only registered for one year(expires in one year).

immixGroup IT Solutions is using CaroNet to host their domain, including the authoritative name servers(NS1.SEIZEDSERVERS.COM, NS2.SEIZEDSERVERS.COM) for this domain. They have setup a simple web page, or which is the same “Notification of Seizure” page you will get if you type in one of the seized domains in browser address bar(if you’re paranoid: yes, they are tracking using both Google analytics and piwik).

ICE is not actually “seizing” any servers or forcing hosting companies to remove web content from their servers; what they are doing is using immixGroup IT Solutions to switch the authoritative name servers for these “seized domains.” But they are not doing it at the Registrar level(by contacting the registrar for the domain and forcing them to update the authoritative name server info to point to NS1.SEIZEDSERVERS.COM, NS2.SEIZEDSERVERS.COM), but rather through the agency who controls the top level domain. In this case, all the “seized domains” appear to be .com and the agency/company who has the ICANN contract for this TLD is VeriSign(which also controls .net TLD). The changes are being made at the top-level authoritative name servers for the .com TLD, which would be the [a-m] These are controlled by VeriSign(note: these top-level name servers are also authoritative for .net and .edu TLDs).

So, VeriSign, the owner of the .com TLD, is working in cooperation with DHS, and it appears immixGroup IT Solutions has what we might call an “IT Support Ticket system” setup with VeriSign.

That web servers are not being seized and web content not being deleted can easily be verified by clicking this link,, which is the original IP Address of a seized domain, It’s still up, and it appears it has registered a new domain,, that resolves to the original IP address. This site is being hosted by SoftLayer Technologies in Dallas, TX. So, it is certainly within US jurisdiction to be shut down if there was “a case to be made.”

Now the .info TLD is not controlled by VeriSign; it’s controlled by Afilias. So, an interesting little experiment would be to see if the domain remains up. As of now, we can only conclude that there is back deal between DHS and VeriSign that makes any .com or .net domain subject to seizure by the actions of immixGroup IT Solutions.

Lastly, there has been some speculation that this recent business of “domain seizure” portends the same tactics being used to seize the “” domain. From a technical standpoint, understand that the .org TLD is not controlled by VeriSign; it is controlled by the Public Interest Registry. An interesting thing however: PIR has contracted out the technical operations to Afilias. So, if we were to see similarly seized, then this would mean that Afilias is also in cahoots with DHS, which could imply the .org TLD could be subject to the same type of “domain seizures.” As of now, there is no evidence of that. And, it should be clear, these type of domain seizures are completely different than the 2008 attempted shutdown of by the US government. In that case, a U.S. District Court issued an injunction ordering Dynadot, which was the registrar for the domain, to remove all traces of Wikileaks from its records. That didn’t hold up.

26 thoughts on “The Background Dope on DHS Recent Seizure of Domains

  1. That site seems to be up.

    It will be very interesting to see if a warrant is served on PIR for this domain, or if they deliver it to Afilias. I’m not surprised that VeriSign didn’t fight it, but I would be very surprised if PIR didn’t put up at least token resistance. I’ve no idea what Afilias would do, probably punt it to the PIR Board.

    1. Yes, the test is to see if this type of tactic extends beyond TLDs controlled by VeriSign. I would suggest that it will not because these seizures aren’t legal…this is what COICA is for, to establish the “legality” of this. ICANN is stipulated to obey US Law, so you can easily see how “evil” COICA is, because it is the death of the domain name system subjected to arbitrary public-choice political corruption. ICANN, to adhere to it’s supposed “democratic mandate” would have to de-incorporate from the US and incorporate elsewhere. But where? there’s nowhere to go…

      In the meantime, VeriSign, which controls the .com/.net TLD, is cooperating with DHS. And you can see the future. Private-contracted flunkie companies trolling the internet imbued with the “legal” power to effectively steal your domain. Welcome to the 21st century political economy…

  2. Can’t people outside of the reach of the United Snakes rulers set up their own name servers, any one of which can be placed at the top of a user’s list of name server IP’s, whose sole function would be to provide the real, original IP numbers of domains that have been hijacked by the U.S. government? If I understand correctly, if the first name server on a list doesn’t return a positive response, the user’s computer will just try the next name server in its list.

    1. Different animal. That looks to be an instance where ICE shows up at the Datacenter with warrants to seize the server/content and/or directly goes to the registrar to seize the domain. Under existing copyright law, the US government, on a case by case basis, can do this for any domain or registrar for that operating within US jurisdiction. The TLD is irrelevant.

      This is totally different than the US government, or those under private contract with it, manipulating the domain name system.

  3. Two points.

    1. Isn’t it illegal for VeriSign to take your domain away
    just because someone asks it to? Is someone going to sue
    VeriSign for this?

    2. Some easily avoidable vagueness entered the article when it said
    “IP infringement”. Presuming “IP” means “intellectual property” and
    not “Internet Protocol”, that term refers to a dozen or so unrelated
    laws. Practically speaking, they have nothing in common, so the term
    is gratuitous vagueness.

    I think that is accused (perhaps falsely) of
    copyright infringement and only that — so the clear thing to say is
    “copyright infringement”.

    If, that is, the accusation is even relevant. If the DHS can take
    your domain without due process, it could do so because it doesn’t
    like the background color of the home page.

    1. Thanks for commenting.

      (1) I’m not a lawyer, but ordinarily this type of conduct would violate the “Registry Code of Conduct” Appendix to the Agreement VeriSign has with ICANN. However, ICANN is subject to the “laws” of the United States. There has been new information that has come to light since my original post.
      (i) This was part of an ongoing “Operation In Our Sites” crackdown.
      (ii) Even without COICA, there is apparently “legal authority” to do this. There is a LA Times article that I found last night that sheds some further light on the matter.

      Here we find verification that it was executed through VeriSign. Although immixGroup IT Solutions is not mentioned, it is obvious, from my analysis in the above post, that they executed the mechanics of the domain seizures. Where I was a bit wrong in my speculations is that while ICE admitted it doesn’t have the manpower resources to “track down” these sites, it’s not actually immixGroup that is trolling for “violators.” It’s the MPAA and RIAA who are doing that. So we have:

      MPAA,RIAA trolls for “violators” and submits these to ICE. ICE gets a court order and then uses immixGroup to carry out the mechanics of the domain seizures by changing the name server data for these domains in the .com TLD Zone Files to point instead to NS1.SEIZEDSERVERS.COM, NS2.SEIZEDSERVERS.COM, whose local zone records then resolve the applicable host names + the second-level domain to a single IP Address of a web host that configures it’s host header configuration to serve up the same web page.

      (II) I’m actually quite aware of your writings/opinions regarding the proper distinctions between Intellectual Property, Copyrights, and Trademarks. However, in my post, I linked to the specific ICE Page:

      which is entitled:

      “National Intellectual Property Rights (IPR) Coordination Center.” This is the division of ICE/DHS who is enforcing this stuff. So I wrote:

      “under the pretext of IP infringement.”

      The purpose of my post was not to editorialize on the proper distinctions of Intellectual Property. And I assume readers can differentiate contextually between IP meaning Intellectual Property and not Internet Protocol. I think your nitpicking in this regard.

      Lastly, concerning “background colors.” Pantone colors could fall under Intellectual Property, which could mean you would have to a “license” to use them in a web page. The same applies for fonts. And a background images could be using copyrighted images. So yes, if Pantone, Adobe, or Getty lobby enough, protecting pantone colors, embedded fonts, and unauthorized images could become a matter of National Security.

      1. What about the seizure of the domain? Does Verisign also control cc, or is there more going on than just Verisign cooperating with the government?

  4. Houston, we have a problem.

    The scenario where our government, the USA, can seize, search and detain without any reason whatsoever is here. The laws are now administrative, arbitrary and far reaching with no review by the taxpayer citizen. These administrative laws and its accompanying enforcement is similar to the IRS, there is no recourse, no justice, no due process and the jurisdiction is boundless.

    These administrative law are secretive and pervasive and render our so called democracy, founded on due process and the rule of law and equal rights, an utter joke in name only.

    WikiLeaks are a correction factor. Extreme but necessary.

    My daily rant.

    1. don’t use .com,.net TLDs for domains that host any web content, including links or references to content, that could the the target of the MPAA or RIAA…

  5. .org is run by Afilias which is headquartered in Dublin Ireland, unlike Verisign. So would it act like the US’s bitch?

  6. I didn’t know how this whole procedure works. Since they can’t seize the .info domain then what’s the use of seizing .com or .org domains. There is no meaning of doing so because there will always be .info domain again.

  7. FYI, American Infotech Solutions out of Reston, VA has replaced Immix as the prime contractor at DHS-ICE C3 Immix is still working there as a sub.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s