Hidden Content
When a domain appears on the ‘Infringing Website List’, it means that UK police have concluded its activities are most likely criminal. Advertisers and other intermediaries are advised that knowingly supporting crime, is a crime in itself. The IWL is not open to scrutiny but we have learned that for the last four months, a GitHub subdomain has been labeled "massively infringing."

The ‘Infringing Website List’ (IWL) is operated by the Police Intellectual Property Crime Unit (PIPCU) in the UK under the banner ‘Operation Creative’.

Launched in 2014, its purpose is to disrupt pirate sites’ ability to make money when takedown notices and other efforts by the “private sector have had limited success.”

The IWL is considered a proportionate response to rampant online piracy, and given the nature of most domains currently on the list, it would be foolish to argue otherwise. That said, the IWL is a completely closed system and as such there is close to zero public transparency.

Pirate site domains are nominated for inclusion by rightsholder/anti-piracy groups such as the MPA, BPI, IFPI, Publishers Association, and FACT. Once the police have conducted their own investigations, any domain added to the IWL finds itself blacklisted by the advertising industry and then shared as part of the full list with other stakeholders, rightsholders, and anti-piracy groups.

As the UK government noted in its 2020-2021 IP Crime Report, “such sites are accepted for disruption,” meaning that for owners of domains on the list, which is integrated into numerous other databases for automated processing, nothing good lies ahead.

The not-for-profit Internet Advertising Bureau, the industry body for digital advertising in the UK, advises its members that the IWL contains confirmed illegal domains. It is the responsibility of IAB UK members to ensure that no one does any business with any domain on the list – or else.

“The IWL works as an inappropriate schedule and allows you to exclude known illegal sites from your ad buying, selling or trading,” IAB UK says. Similar advice is provided by the Gambling Commission, the official regulator for most types of gambling activities across Great Britain.

“You must ensure that you do not place digital advertisements on websites providing unauthorized access to copyrighted content and must take all reasonable steps to ensure that third parties with whom you contract do similar,” the regulator warns.

The suggestion here is that advertising entities not only have to ensure that their own conduct is impeccable but must also shoulder some responsibility for the conduct of others. This chaining of responsibility is not uncommon in business but the climate around the Infringing Website List is more loaded than others.

Linking >>> Linking >>> Linking >>>
The messaging is clear: if a domain appears on the IWL it is confirmed as illegal and most likely engaged in criminality. By extension, the operator of the domain is a suspected criminal. The police make this clear when they write to the owners of listed domains, warning of offenses under the Fraud Act 2006, Copyright Designs and Patents Act 1988, and even the Serious Crimes Act 2007.

At this point we’d like to make it absolutely clear that, as far as we can determine, most of the domains on the list do seem linked to infringing activity. And, in most cases, the listed domains appear to have no real purpose than to infringe copyright. That’s exactly the type of domain the IWL was intended to accomodate.

That raises the question of why the Microsoft-owned domain Github.io was added to the Infringing Website List on June 28, 2022, and has remained there ever since. Importantly the culprit is not Microsoft or GitHub, but a user of the latter. It appears the Github user created a repository on Github pages containing information on how to gain access to The Pirate Bay and that was determined to be a crime.

The page, published in the usual username.github.io format, doesn’t contain any infringing content and doesn’t link to any infringing content. It does link to other domains that in turn provide proxy access to the front page of The Pirate Bay, but that doesn’t carry links to any infringing content either.

Elsewhere on The Pirate Bay, embedded magnet links do link to IP addresses offering infringing content, but users still have to fire up a torrent client to find out.

But the IWL Entry Also Adds a Github.io Subdomain?
The individual who discovered Github.io on the “never do business” list is responsible for implementing the list in their line of work. They think that the IWL is a good idea and had previously blacklisted all main domains plus their extensions and subdomains for the sake of simplicity.

That approach was prompted by a) some domains on the list having multiple infringing subdomains and b) sites operating a mobile version on a subdomain but not having their main domain listed on the IWL, despite carrying exactly the same content. Some decisions are easier than others but blacklisting the entire Github.io domain was an entirely different proposal.

Perceived Threats to Business and Livelihoods
The underlying problem is a genuine concern that under-blocking could lead to severe consequences for people in the advertising chain. A report published in 2021 by French anti-piracy agency Hadopi reveals why some in the industry are apprehensive.

“A PIPCU contractor (Pathmatics) monitors [sites on the IWL], using dedicated software (AdRoutes) to trace the chain of advertisers that place ads on the site. It informs any non-partner advertisers that they may be regarded as accomplices in the infringement of intellectual property law,” Hadopi’s report reads.

“PIPCU has contacted the authority responsible for issuing gambling and betting licences (the Gambling Commission). The latter has informed licensees that their licence could be revoked if they advertise on illegal websites.”

The IWL is Considered Secret, Police Refuse to Comment
Over the years, reporters and other interested parties have filed Freedom of Information Act requests to learn more about the IWL, but with few results.

“All sites on IWL are identified and evidenced as infringing by rights holders and then verified by PIPCU. We are not making the IWL public. The List will be ever changing as new sites appear and older sites comply,” one response reads.

Another, which asked PIPCU to supply evidence to back up claims that the IWL is “successful”, received the response: “No information held.”

Criteria For Blacklisting Are ‘Confidential’
It would be useful to know what prompted police to add Github.io’s subdomain and domain to the IWL when it’s obvious that less aggressive options exist. We’ll never know because as Hadopi’s report notes, “the criteria used by the police are confidential.”

We could speculate that since several domains with ‘proxybay’ in their URLs are already blocked by UK ISPs due to a court order concerning The Pirate Bay, proxybay.github.io may have been considered a legitimate target.

Other domains with ‘proxybay’ in their URLs – proxy-bay.dev, proxy-bay.co and proxybay.center – are also listed on the IWL but a) none of them currently link to pirate sites and b) proxybay.github.io is not blocked in the UK.

Given that high standards need to be met for a domain to be blocked in the UK, there is zero chance that the High Court would knowingly authorize a GitHub domain to be blocked by ISPs, unless other options had been exhausted first. The IWL blacklist seems more straightforward but according to Hadopi’s report, it shouldn’t be.

To be included on the IWL, domains reported by rightsholders must be “massively infringing” to the extent that 50% of their content must be illegal. That doesn’t apply to Github. And here’s more ‘fun’ for the “massively infringing” dev platform:

“When a website is added to the list, a letter is also sent to the relevant registrar or to the organization that manages the extension under which the domain name is registered, requesting that the domain name be suspended,” the report notes.

Perhaps for obvious legal reasons, that hasn’t happened in GitHub’s case, but voluntary agreements that go beyond normal legal requirements can make things harder to predict.

The Uncertainty of ‘Soft Law’
Other matters involving proxybay.github.io include this Australian court order sent to Google. It does not order Google to do anything, it simply prompts Google to remove GitHub’s subdomain/domain from its search results based on an earlier agreement.

In 2019, Google reached a voluntary agreement with local ISPs and rightsholders to deindex domains from google.com.au if they have been blocked under Australian law. Similar voluntary arrangements exist in Europe too. Their existence had to be discovered, they were not publicly announced.

Voluntary Agreements Gain Momentum
In GitHub’s case, the company complies with actual legal requests under U.S. law, in this case the DMCA. As far as we can determine, from the full list of complaints that Github always makes public, the platform was not even sent a basic DMCA notice before a domain it owns was placed on the blacklist.

GitHub probably won’t be too alarmed about advertising issues on GitHub.io but being branded potentially criminal, over a page they didn’t create, that links to other sites, which in turn link to another site, which is freely available in the U.S., probably isn’t ideal. Not knowing that your domain is even on the list brings a whole new set of problems.

Whether The Pirate Bay or facilitating proxies should actually be available in the U.S. is another matter but, should that ever be contested in court, trust-building transparency will feature in all legal proceedings, meaning that at a bare minimum, people will know where they stand.

Infringing Website Lists are gaining momentum all around the world and they are a black hole as far as public information is concerned. Countries including the UK, Italy, Germany, Spain, Indonesia, Malaysia, Hong Kong, Vietnam, and Taiwan, either have them already or are currently building them.

We’d certainly be interested in hearing more about their operations moving forward because copyright holders view these as the future. They may have good intentions but more often than not, the public simply isn’t allowed in.

Additional note:The IWL also includes subdomains/domains of other companies and organizations that are known to respond to straightforward takedown requests, if their users breach copyright law.