Establishing baseline criteria for the mitigation of the illegitimate sale of health-related products using the DNS

Pages 257-276 | Received 29 Mar 2023, Accepted 08 Jan 2024, Published online: 05 Feb 2024

ABSTRACT

There is no unified framework or accepted set of recommendations concerning the sale of health-related products online, which negatively impacts the most vulnerable populations. We propose the DNS as an avenue for advancing solutions via the broader DNS community, outside ICANN’s remit. The existing mechanisms available to curb malicious action are inconsistent due to a combination of jurisdictional conflicts and a lack of guidelines, and the establishment of baseline criteria would lay the groundwork for regulation and the creation of relevant Trusted Notifiers. The current status quo hinders legitimate online pharmacies while facilitating illegitimate operations. Our scope is limited to legal medicines, focusing on medicines requiring a medical prescription. Making use of the DNS in this manner may be a blunt tool, but it is effective if used in a measured manner to stop threats to human safety. We conclude by proposing that there are recommendations that can be transposed to the online world to help assess actor legitimacy, with the following initial criteria: requirement of a valid prescription; requirement of a licensed pharmacist on staff; clear indication of the country in which the pharmacy is based; and limited dispensing of controlled substances.

Introduction

Overview

There is no unified framework or widely accepted set of recommendations concerning the sale of health-related products online, including medicines requiring prescription. Despite health normally being a stringently-regulated subject at the national level, the introduction of the Internet into the equation has created grey areas in which legitimate and illegitimate (rogue) actors coexist equally. This most negatively impacts the poorest and the elderly, who may seek access to health-related products at lower prices, becoming exposed to illegitimate online pharmacies. We propose that the DNS can be an avenue for the mitigation of malicious action in this space, based on the collective action of its specialised community. This would help establish a robust and patient-centric environment for legitimate online pharmacies.

Online pharmacies have existed for almost as long as the commercial Internet has been available (Gallagher and Colaizzi 2000), but their services were at first associated with the sale of medicines for sexual performance enhancement (Eysenbach 1999). That scenario has been changing, with interest in the sector steadily increasing, and major global companies such as Amazon joining the space and even selling prescription medicines online in some territories (Business Insider 2020). This is a market valued at over US$63 billion overall (Transparency Market Research 2022), and with a criminal side valued at over US$4 billion (OECD 2020). Products sold by illegitimate online pharmacies may work as intended, but may just as well be ineffective, misleading or outright lethal (OECD 2020).

The abuse of medicines legally sold in pharmacies has been increasing since at least the 2000s, and therefore should not be considered a recent phenomenon (Compton and Volkow 2006; Lessenger and Feinberg 2008). With that said, the intensity with which the problem is escalating becomes more significant as time passes, and the need for action increases. So much so that the health practitioners’ community has been calling for the collaboration of all stakeholders in order to achieve progress in this fight (Bolshakova, Bluthenthal, and Sussman 2019).

The upsurge in the online sale of medicines requiring prescriptions over the past decade encompasses several products, but there has been a particular increase in the sale of controlled medicines with analgesic effects – aimed at reducing physical pain – out of which the powerful opioids are both some of the most effective and addictive available; fentanyl and oxycodone stand out in terms of demand (Martin et al. 2018). We propose that the misuse of prescription medicines poses danger to human safety and the well-being of families, sometimes commensurate with that of the use of illegal drugs.

The regulation of this market consists of a patchwork of regimes and laws developed and enforced around the world by organisms that do not act in coordination by default. This is partially due to there being a strong national sovereignty component attached to questions involving health, but also due to there not being clear directives for these multiple parties to follow at a global level. An extensive review of the sale of online medicines in all jurisdictions of Latin America and the Caribbean has also demonstrated that some countries are devoid of any law to address the online sale of medicines to begin with (Datysgeld, Tavares, and da Silva 2023).

Usually, the organisms tasked with the regulation of the health sector are the national regulatory agencies (NRAs), which carry out the supervision of pharmaceutical products, vaccines and biological substances within a given jurisdiction.[note 1] A significant part of their work is overseeing the manufacturing, storage and distribution of medicines, attempting to ensure their quality, safety and effectiveness (Etienne and Califf 2016; Twesigye, Hafner, and Guzman 2021).

Determining the quality of medicines is a complex and specialised task, which is why governments entrust NRAs with that responsibility. However, numerous countries lack the capability to efficaciously oversee these products, generating an imbalance in the standards of each jurisdiction and consequently posing a challenge to global health policymaking (World Health Organization 2014). Only an estimated 30% of NRAs in the world have the capability to effectively regulate health-related products in their countries (Twesigye, Hafner, and Guzman 2021), and quite distinct levels of maturity and harmonisation are observed among the different NRAs (O’Brien, Lumsden, and Macdonald 2021).

The regulation of pharmacies is either rolled into the obligations of NRAs, assigned to self-regulated pharmacy regulatory authorities (PRAs), or at times handled by a government ministry. The lack of clarity in how coordinated regulatory action is supposed to take place within this fragmented landscape has raised concerns over the need for better communication and transparency to generate greater trustworthiness for the public (Morrison, Boyle, and Mahaffey 2022).

The UN-affiliated World Health Organization (WHO) promotes the International Conference of Drug Regulatory Authorities (ICDRA) every two years, serving the purpose of updating NRAs on trends, but not engaging in action coordination (World Health Organization 2021). Possibly the only international institution capable of coordinating NRAs towards joint action is the voluntary International Coalition of Medicines Regulatory Authorities (ICMRA), but it counts only 24 members as of late 2023. Out of those, only 6 are LMICs[note 2], which are the jurisdictions in which problems are most likely to arise.

This policy gap that exists at the edges of the authority and capabilities of different NRAs is what enables the illegitimate sale of health-related products online, as these activities often go unchallenged. Technical barriers are also a relevant question, seeing as, roughly speaking, both the medical and the Internet communities lack technical expertise in each other’s field, which is expected but also undesirable given the emerging challenges presented.

Background

When looking into how this problem has manifested in the existing literature, significant attention has been paid to the USA’s market,[note 3] particularly concerning the importation of medicines from Canada as a tool to counterbalance the country’s elevated health-related costs (Scheckel and Vincent Rajkumar 2021), as well as assessing the influence that online pharmacies might have on the USA’s ongoing opioid crisis (Mackey 2018). Another important insight is that illegitimate online pharmacies often target the elderly of the developed world, who are pursued in part due to their lower average digital literacy (Lovett and Mackey 2013).

The targeting of older populations is a relevant variable because, while a portion of illegitimate medicine sales take place in darknets or other complex online environments, the existence of valuable targets without enough digital literacy to be part of those networks means the web remains a key channel for criminal action. In fact, almost half of accesses to illegitimate online pharmacies start from links posted to social media platforms (Zhao, Muthupandi, and Kumara 2020), in such a way that the DNS ends up being the conduit for these interactions.

This is not only an issue in the developed world, however. Studies are starting to show that the question of illegitimate online pharmacies also increasingly impacts the developing world (Alwhaibi et al. 2021; Lobuteva et al. 2022). This is particularly relevant when it is considered that out-of-pocket expenditure for the purchase of medicines is disproportionately concentrated in low- and middle-income countries[note 4] (World Bank 2020). In such cases, the direct financial transactions between patients and medicine suppliers often result in a reduced oversight of these purchases.

It has proven difficult to estimate the overall prevalence of illegitimate online pharmacies, but evidence suggests that they take up a significant portion of the ecosystem (Monteith and Glenn 2018). A recent systematic review signals that ‘almost half of the online pharmacies were not adequately regulated and fraudulent issues were uncovered’, with varying degrees of seriousness. A recurring problem is that of the improper labelling and packaging of generic medicines, which deviates from the rigid international standards that are in place to protect patients, particularly in relation to the indispensable accurate signalling of dosages (Long et al. 2022).

To illustrate the scale of the problem, we can look towards Interpol, the leading international institution combating illegitimate online pharmacies under its large-scale Operation Pangea. Since 2008, this operation has removed from global circulation over 100 million potentially problematic health-related products, while also generating over 3,000 arrests. Interpol estimates that 10% of all health-related products sold online are problematic in some way, based on the samples apprehended during its raids (Interpol 2019).

That manner of law enforcement action has proven to be an effective aspect of curbing the activities of criminals involved in health-related abuse, but evidence suggests that malicious actors constantly shift and reorganise themselves to continue profiting from this market (Décary-Hétu and Giommoni 2017; Krebs 2014). This is in part enabled by the fact that they operate under an affiliate model, in which the producers and heads of operations are not involved in the sale of products to patients, relying instead on smaller storefronts operated by diverse owners (McCoy et al. 2012).

Given this context, we reason that: (a) the prevalence of illegitimate online pharmacies and the impact of their actions are significant; (b) their numbers are likely to remain high or even increase in the absence of greater countermeasures; and (c) incentives need to be lowered to reduce the viability of these operations, which requires the mobilisation of relevant actors to effectively interfere in the operations of illegitimate online pharmacies.

DNS ecosystem

A sequence of conversations within the community of the Internet Corporation for Assigned Names and Numbers (ICANN) eventually led to the establishment of the GNSO[note 5] Council’s DNS Abuse Small Team, which carried out an extensive consultation to compile and discuss what the most pressing issues relating to technical abuse were. In late 2022, the group issued a report which included potential changes to base contracts between operators and ICANN. Previously, operators only had the obligation to acknowledge technical abuse, but it was proposed that they adopt instead an obligation to combat it (DNS Abuse Small Team 2022).

Subsequently, operators entered into a negotiation with the ICANN organisation to make contractual changes that reflected the spirit of the community’s recommendations. The aim was to consistently combat, at the DNS level, instances of malware, botnets, phishing, pharming and spam as a vector of these harms (ICANN CPH 2023). The consensus that these issues are matters that need to be addressed by operators demonstrates an opportunity for the names industry to play a more active role in preventing the exploitation of the Internet by malicious actors.

The connection of these evolving debates with the issue of illegitimate online pharmacies was directly established in the DNS Abuse Framework, an ongoing voluntary set of norms drafted in 2019 by operators from the domain names industry, which has since been signed by several of the major players within that space. It promotes the takedown of websites with the following content: ‘(1) child sexual abuse materials (“CSAM”); (2) illegal distribution of opioids online; (3) human trafficking; and (4) specific and credible incitements to violence’ (DNS Abuse Framework 2020).

In a parallel but related effort, the US Food and Drug Administration (FDA) ran a pilot in 2021 with the registries Verisign, Public Interest Registry (PIR) and Registry Services with the goal of curbing the ‘illegal sale of opioids online’, in a series of actions that proved effective in taking down illegitimate online pharmacies offering opioids indiscriminately. According to the agency, ‘domain name registries are a critical part of the solution to the illegal sale of opioids online since they play a role in the registration of domain names’ (US Food and Drug Administration 2021).

The FDA has also issued several warning letters since 2011 notifying pharmacies of irregularities and demanding compliance with US laws from those that ship to the country (US Food and Drug Administration 2023). Analysis of the effects of over one thousand letters submitted by the agency to online pharmacies also showed a strong focus on the combat of opioid sales. The study found that there appeared to be a correlation between the receipt of warning letters and online pharmacies toughening rules relating to opioids (Limbu and Huhmann 2023). The scope of that intervention is restricted to the FDA’s jurisdiction, however, only indirectly benefitting others.

Addressing the illegal distribution of opioids is undoubtedly important, as previously noted. However, opioids are just one aspect of the broader issue of health-related abuse. To effectively combat these criminal activities, it is crucial to establish a comprehensive set of norms to inform the DNS community of the rationale and methods needed for the effective oversight of malice. Acting in concert, the DNS community could significantly disrupt the operation of illegitimate online pharmacies. To support this vision, a proposal for baseline criteria for the mitigation of the illegitimate sale of health-related products using the DNS is offered in the ‘Proposed criteria’ section.

Another step that complements the previous one is the establishment of guidelines for the formation of health-related Trusted Notifiers (TN). TNs have been in existence for several years, but only recently has there been a formalisation of the role of these entities under the CPH[note 6] Trusted Notifier Framework (RySG 2021). A TN aggregates data and suggests actions against malicious actors within a niche, such as is the case with existing reporters on matters such as terrorist action, for example.

A TN establishes one-on-one relationships with registries and registrars to point out cases of interest that they feel need to be evaluated or outright taken down. Such relations assist in the handling of questions that are beyond the scope of what would normally be expected from the knowledge of the operators. In the case of a specialised field such as that of health, this would be a valuable mechanism.

Using the DNS to combat illegitimate online pharmacies is promising, but it is not a solution that stands on its own. This article is aimed at bringing this issue to the attention of the DNS community and proposing avenues for practical action within the limitations of our means. The question presented here is not how the DNS community can solve this problem, but rather what role it can play in improving the situation.

Methodology

Methods

The materials used in this research consist largely of peer-reviewed academic sources. A literature review was undertaken, and our search strategy focused on the PubMed database, making use of the keywords ‘online pharmac*’, ‘Internet pharmac*’, and ‘online health*’, as well as employing the MeSH ‘Pharmaceutical Services, Online’. The author’s own prior published research from 2021 and 2023 on access to medicines online served as a basis for the bibliographic references and argumentation of this article.

Due to the technical nature of some of the discussions involving both the Internet and health, select non-academic publications from trusted organisations in these fields have been incorporated, in particular (but not limited to) those released by ICANN and its suborganisations and the WHO and its suborganisations. The governmental agency of the US Food and Drug Administration was also a relevant source of information.

Our understanding of policies relating to the DNS follows that of the ICANN organisation, taking into consideration the bylaws that define the remit of its action (ICANN 2022). Documents and processes from within and around the ICANN ecosystem were analysed under the author’s lens as a participant in the policymaking process of the institution, thus resulting in an ‘insider’ positionality (Chavez 2008), which is better discussed in the ‘Biases and limitations’ subsection.

The term ‘health-related’ is used here to encapsulate the typology outlined in our large-scale study on the sale of medicines online in Latin America and the Caribbean (Datysgeld, Tavares, and da Silva 2021): (a) hygiene, beauty, cosmetics and food supplements (‘non-drugs’); (b) medicines without the need for a medical prescription (over-the-counter); (c) medicines requiring medical prescription; and (d) psychotropic drugs. Added to those are non-medicine products that Interpol found to have been counterfeited internationally, such as COVID-19 test kits, syringes and surgical equipment (Interpol 2021).

When considering medicines, our scope is limited to legal ones, not including those commonly classed as illegal (MDMA, PCP etc.), which require a different set of considerations that are not contemplated here. We understand that two dimensions coexist (and may overlap) when it comes to the sale of legal medicines online: issues related to the quality of the medicines being sold, and issues concerning the irresponsible sale of medicines that require a valid prescription.

In relation to the quality dimension, the consensus of the existing literature accounts for three categories of problematic legal medicines: substandard, falsified and unregistered.[note 7] While other terminologies exist, these are the ones widely adopted by the global health policies community (Rojas-Cortés 2020; World Health Organization 2020). Taking this dimension into account was considered to be beyond scope due to how difficult asserting quality is to most actors, being a task best left to NRAs and large research teams.

As such, our study is more concerned with the irresponsible sale of medicines requiring a valid prescription, although we emphasise that both dimensions put patients at risk. Within the subset of legal medicines, two groups presented themselves as more relevant to the theme of online pharmacies in the literature: (a) ‘lifestyle drugs’ (or ‘image and performance-enhancing drugs’), which broadly include medicines that enhance sexual performance or promote some manner of aesthetic change (Koenraadt and van de Ven 2018); and (b) the wide variety of medicines that serve legitimate purposes in combating illnesses but also come with a high potential for addiction, or that can be abused for recreational purposes, or both (Sarker, DeRoos, and Perrone 2020).

As far as the drafting of the list of baseline criteria for the mitigation of the illegitimate sale of health-related products using the DNS is concerned, we emphasise that it was informed not only by the literature presented in the references section, but also by extensive consultations organised and carried out between 2019 and 2023 in international workshops on the subject of online pharmacies, notably at the UN’s Internet Governance Forum (IGF) and at RightsCon.

In terms of the adoption of the proposed criteria, we look away from ICANN’s policy development processes, with the understanding that the subject of health is classified as content in ICANN’s current understanding, and any subject that diverges from technical harms is not considered to be within their remit.

Nevertheless, participants in the DNS ecosystem can (and do) act at the DNS level without depending on ICANN’s policies. We propose that action should take place within two spaces: (1) the emerging Trusted Notifier (TN) environment, which enables qualified actors to recommend malicious content for takedown; and (2) on a voluntary basis within the broad group of actors that composes the DNS ecosystem, here termed the ‘DNS community’.

As far as TNs are concerned, we look towards the CPH Trusted Notifier Framework (2021), which is the first document to establish in clear terms what the expectations of the operators around this theme are. The requirements outlined in the document are: proven experience in a given theme; consistent adherence to high diligence standards; confidence in their reports; confidence in a low rate of false positives; and clear process when recommendations are challenged by the accused party.

The term ‘DNS community’ is not formally established, although it exists as a phenomenon. We propose this encompasses both parties contracted and non-contracted with ICANN, who can take decisions that actively combat malicious actors. This includes, but is not limited to: domain name registries and registrars; RIRs; hosting companies; blocklist maintainers; cloud providers; non-contracted business and civil society actors; and governments.

The most significant precedent for the management of rules by the DNS community itself comes from 2019’s Framework to Address Abuse, independently signed by several operators, which promotes the voluntary takedown of websites whose content is considered to be ‘so egregious that a registry or registrar should act when provided with specific and credible notice’ within the previously cited four categories of: CSAM, opioids, human trafficking and credible incitements to violence (DNS Abuse Framework 2020).

In summary, the objective of this research is the furthering of the combat at the DNS level of illegitimate online pharmacies that sell health-related products without safeguarding patients with minimal standards of safety, thus posing a credible threat to the well-being of patients around the world.

Biases and limitations

One of the significant limitations of researching the subject of online pharmacies is that there is a great concentration of literature and governmental action around the late 2000s and early 2010s, followed by a subsequent drop in interest, and a re-emergence in the 2020s. This leaves a chasm that is difficult to reconcile in terms of what was taking place in the interim period. This study focuses on resolving an observable policy gap, but further research and process-tracing efforts are needed to better understand the evolution of this field as a whole.

Also of great importance is the disproportional emphasis that the literature puts on North America. This distorts debates around the issue, which we attempt to mitigate by focusing on higher-level concerns rather than specific topics. As a clear example, issues with opioid abuse are a growing concern globally, but the crisis is more acute or better noticed in the USA, which leads to a significant amount of research and actions around illegitimate online pharmacies being focused on opioids.

There is also a lack of data concerning online pharmacies themselves. Having engaged with some representatives of this cohort, it is our perception that there is uneasiness in the sharing of their data and practices. Even though this might be born out of legitimate concern over the preservation of their business model, this still adversely impacts research being carried out on this subject.

Finally, as mentioned in the methodology section, the author comes from an ‘insider’ positionality, due to currently being an elected member of ICANN’s GNSO Council. This comes with advantages and disadvantages. Internet technical standards bodies demand a significant amount of specific knowledge to be productively engaged with, and it can be difficult for an outsider to glean the minutiae that often delimit what aspects of their policies and mechanisms can be acted upon and under what circumstances.

This may be considered to provide an advantage in terms of the accuracy of the research presented by an insider, as well as increasing the subsequent possibility of acting upon it. However, as a niche community that gravitates around a few hundred main players, it is essential for researchers to distance themselves from prevailing intragroup narratives and attempt to look past what is taken for granted by the community. Significant effort has been put into mitigating this bias, particularly thanks to insights provided by this journal’s referees and editors. Any insufficiency is the author’s own responsibility.

Analysis

The reliable technical management of the Internet is a fundamental element of its success and continued operation. The separation of technical and content abuse as enshrined in ICANN’s bylaws and contracts ensures that the capture of a single institution does not lead to the global subtraction of personal and collective rights. Objectively speaking, ICANN itself is not the venue for the discussion of content-related policies.

Based on that premise, the DNS community has historically adopted the stance of not acting independently in relation to matters that may be understood as content, relying instead mostly on orders from law enforcement agencies (LEAs) to orient their decisions (Bridy 2017). This is supported, we posit, on a homogenous definition of ‘content’, which is that content is anything that is not objectively a technical matter.

Within that understanding, both an instance of credit card fraud and a case of credible threat to human safety fall within the same category of problem from the operator’s perspective – and this mostly also applies to other key actors, such as maintainers of reputation blocklists. This is not ideal because it bundles general harms in with harms that are of a critical nature. In the case of some limited, specific harms, the operator should be able to act against the domain name first (while collecting evidence of the malice) and notify LEAs afterwards.

The DNS Abuse Framework formally acknowledged the necessity of intervention in borderline cases which are unacceptable, including websites that facilitate the ‘illegal distribution of opioids online’. This in itself represents a partial victory in the fight against illegitimate online pharmacies, considering that the framework has major industry players as its signatories. It also flags to the community that the question of illegitimate online pharmacies is a serious one that cannot be bundled together with broader issues under a general definition of content.

To review the available options for interfering in the operation of a dangerous website, we shall consider that it is possible to execute such interventions at several levels (or layers), although for the purpose of doing so at a global scale, we find it more reasonable[note 8] to consider the following alternatives: web hosting, IP addresses and the DNS.

In principle, it would seem that removing content from the web host itself would be an ideal solution, and this is indeed something that is often suggested and pursued as a first line of action (Buiten, de Streel, and Peitz 2019). However, hosting providers have varied incentives, are largely self-regulated, and there is no harmonised culture or shared set of norms that they need to adhere to other than that of their own jurisdictions.

While there are cases in which the hosting provider is also the registrar of the website, this cannot be counted on. Given this environment, malicious content is often purposefully housed inside so-called ‘bulletproof hosts’, who do not answer requests for intervention, since they might either operate in jurisdictions that have lenient laws[note 9] or be making use of compromised servers outright (Goncharov 2015).

IP addresses have been used to combat malicious actors to varying degrees of success, but have their own set of limitations. This is particularly true in environments where there is shared hosting, a situation in which the same IP address may be used for multiple websites. In that case, blocking an IP address can result in the unintentional blocking of access to unrelated websites (Lacnic 2023).

Regardless of that, malicious actors can make use of a technique (widely employed by botnets) called Fast Flux Service Networks (FFSNs), which periodically swaps the underlying IP address of a domain name to minimise the usefulness of blacklisting attempts. This alone makes it so that IP blocking against a moderately sophisticated adversary becomes unattractive (Al-Duwairi, Jarrah, and Shatnawi 2021).
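
The two IP-level limitations described above, collateral blocking under shared hosting and address rotation under fast flux, can both be measured from passive DNS observations. The following Python code is an added example, not part of the original article; the domain names, the documentation-range IP addresses, the observation data and the thresholds in looks_fast_flux are constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple


class Obs(NamedTuple):
    ts: int       # seconds since the start of the observation window
    domain: str
    ip: str       # one A-record answer
    ttl: int      # TTL returned with the answer, in seconds


def _answers(ts, domain, ttl, *ips):
    return [Obs(ts, domain, ip, ttl) for ip in ips]


ROGUE = "rogue-pharmacy.example"     # hypothetical fast-flux domain
SHARED = "shared-pharmacy.example"   # hypothetical domain on a shared host

# Constructed passive-DNS observations; all IPs are RFC 5737 documentation addresses.
OBSERVATIONS = (
    _answers(0, ROGUE, 300, "203.0.113.5", "192.0.2.17")
    + _answers(300, ROGUE, 300, "203.0.113.77", "198.51.100.200")
    + _answers(600, ROGUE, 300, "192.0.2.90", "203.0.113.5")
    + _answers(900, ROGUE, 300, "198.51.100.31", "192.0.2.144")
    + _answers(1200, ROGUE, 300, "203.0.113.201", "192.0.2.17")
    + _answers(0, SHARED, 3600, "198.51.100.10")
    + _answers(600, SHARED, 3600, "198.51.100.10")
    + _answers(1200, SHARED, 3600, "198.51.100.10")
    + _answers(0, "bakery.example", 3600, "198.51.100.10")
    + _answers(600, "school.example", 3600, "198.51.100.10")
)


def snapshots(observations, domain):
    """Group one domain's answers into (ts, ip_set, ttl) tuples ordered by time."""
    ips_at = defaultdict(set)
    ttl_at = {}
    for o in observations:
        if o.domain == domain:
            ips_at[o.ts].add(o.ip)
            ttl_at[o.ts] = o.ttl
    return [(ts, frozenset(ips_at[ts]), ttl_at[ts]) for ts in sorted(ips_at)]


def flux_profile(observations, domain):
    """Summarise how much a domain's answer set moves during the window."""
    snaps = snapshots(observations, domain)
    if not snaps:
        raise ValueError(f"no observations for {domain}")
    all_ips = set().union(*(ips for _, ips, _ in snaps))
    changes = sum(1 for a, b in zip(snaps, snaps[1:]) if a[1] != b[1])
    return {
        "snapshots": len(snaps),
        "distinct_ips": len(all_ips),
        "answer_set_changes": changes,
        "max_ttl": max(ttl for _, _, ttl in snaps),
    }


def looks_fast_flux(profile, min_ips=5, max_ttl=600):
    """Heuristic with illustrative thresholds: many addresses behind short TTLs."""
    return profile["distinct_ips"] >= min_ips and profile["max_ttl"] <= max_ttl


def blocklist_coverage(observations, domain, listed_at):
    """Fraction of later answers stopped by a blocklist built from the IPs
    seen up to listed_at. Returns None if nothing was observed afterwards."""
    blocked = {o.ip for o in observations
               if o.domain == domain and o.ts <= listed_at}
    later = [o for o in observations if o.domain == domain and o.ts > listed_at]
    if not later:
        return None
    return sum(o.ip in blocked for o in later) / len(later)


def collateral(observations, ip, target):
    """Other domains seen on the same IP: what an IP block would also cut off."""
    return sorted({o.domain for o in observations
                   if o.ip == ip and o.domain != target})


if __name__ == "__main__":
    for name in (ROGUE, SHARED):
        prof = flux_profile(OBSERVATIONS, name)
        print(name, prof, "fast flux:", looks_fast_flux(prof),
              "IP blocklist coverage:", blocklist_coverage(OBSERVATIONS, name, 0))
    print("collateral of blocking 198.51.100.10:",
          collateral(OBSERVATIONS, "198.51.100.10", SHARED))
```

On this data the IP blocklist built at the first observation stops only a quarter of the fluxing domain's later answers, while the same approach fully covers the static domain at the cost of two unrelated sites on the shared address.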

Exactly due to its dynamic nature, the DNS is usually responsible for the longer-term operation of services on the Internet. As noted above, underlying hosting providers and IP addresses can be changed in ways that are mostly seamless from the perspective of users and search engines, but a change in domain name carries significant implications for the availability of a website. In that sense, the domain name is the most significant part of a website’s identity on the Internet.

An illegitimate online pharmacy that can no longer make use of its domain name(s) is expected to be forced to reinvest in its spam and search engine optimisation campaigns, as well as relaying address changes to existing partners and customers. By systematically forcing the malicious actor to move domain names and reporting them to LEAs along the way, the viability of their continued operation is lessened. In other words, they would have progressively fewer places to go to as operators become accustomed to pursuing them.

The takedown of domain names from the DNS has been frequently described as a ‘blunt and disproportionate tool’ (DNS Abuse Framework 2020), which it is. The call for caution when actioning a website using the DNS is justifiable. Conversely, it is also important to state how effective it is in mitigating threats. When employed in a measured and accountable way, much malicious action can be stopped faster than it would otherwise.

Action at the DNS level does not only entail deleting a domain name, and in fact that is potentially the least desirable option. There are five actions that are available to registrars: (1) hold the domain name so it does not resolve on the public Internet; (2) lock the domain name so it cannot be transferred, deleted or have its details modified; (3) redirect name services for sink-holing to identify victims for the purposes of remediation; (4) transfer of the domain name to a different registrar; and (5) delete the domain name (Internet and Jurisdiction Policy Network 2021).

Let us adopt as an example a domain name belonging to an illegitimate online pharmacy that gets reported to a registrar because it does not meet one of the criteria outlined in the second part of this article, such as not demanding a prescription for medicines that clearly require one. A reasonable immediate action would be to hold and lock the domain name while forwarding the report to relevant LEAs. This would almost certainly stop a malicious actor while at the same time allowing for swift reversion in the case of an honest misinterpretation.
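The following added example, which is not part of the original article, expresses the hold-and-lock response described above in terms of the EPP domain status codes of RFC 5731, recording only the statuses the action itself adds so that a reversion restores the prior state exactly. The criterion keys, the findings structure, the domain `pharmacy.example` and the rule that any single unmet criterion triggers action are assumptions made for illustration.

```python
from dataclasses import dataclass

# EPP domain status codes (RFC 5731) that a registrar can set on a domain.
HOLD = ("clientHold",)  # delegation is not published, so the name stops resolving
LOCK = ("clientTransferProhibited", "clientDeleteProhibited", "clientUpdateProhibited")

# Hypothetical keys standing for the article's four criteria (an assumption).
CRITERIA = ("prescription_required", "licensed_pharmacist",
            "jurisdiction_verifiable", "controlled_substances_limited")


@dataclass(frozen=True)
class Plan:
    domain: str
    failed: tuple        # criteria the report found unmet
    unassessed: tuple    # criteria the report did not cover (left for manual review)
    add_statuses: tuple  # statuses this action adds, and the only ones to undo later
    forward_to_lea: bool


def triage(domain, findings, current_statuses):
    """findings maps criterion -> True (met), False (unmet), None or absent (not assessed)."""
    unknown = set(findings) - set(CRITERIA)
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    failed = tuple(c for c in CRITERIA if findings.get(c) is False)
    unassessed = tuple(c for c in CRITERIA if findings.get(c) is None)
    add = ()
    if failed:
        # Skip statuses already on the domain (a default transfer lock, for
        # instance) so that reverting this action does not strip them.
        add = tuple(s for s in HOLD + LOCK if s not in current_statuses)
    return Plan(domain, failed, unassessed, add, bool(failed))


def apply_plan(current_statuses, plan):
    """Statuses on the domain once the hold and lock are in place."""
    return tuple(current_statuses) + plan.add_statuses


def revert_plan(current_statuses, plan):
    """Undo the action after an honest misinterpretation, restoring the prior state."""
    return tuple(s for s in current_statuses if s not in plan.add_statuses)


if __name__ == "__main__":
    # Constructed report: prescription medicines sold without a prescription,
    # pharmacist availability not assessed by the notifier.
    before = ("clientTransferProhibited",)
    plan = triage("pharmacy.example",
                  {"prescription_required": False, "licensed_pharmacist": None,
                   "jurisdiction_verifiable": True,
                   "controlled_substances_limited": True},
                  before)
    held = apply_plan(before, plan)
    print(plan)
    print("after action:", held)
    print("after revert:", revert_plan(held, plan))
```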

The question of substantiality – meaning how much of a website is dedicated to a given purpose and if that is enough to warrant action – is a concern that comes up when mitigating problematic websites using the DNS, but it is not as much of a concern in the case of illegitimate online pharmacies. Unless the suspicious health-related product is being sold within the structure of a larger platform (such as eBay), it is unlikely for the pharmacy business not to be the primary focus of the website, since the involvement of a licensed pharmacist and the structure for processing prescriptions are both rather specific requirements of a legitimate operation.

Another concern might be that even if adopted by a large number of generic TLD operators, these norms to combat illegitimate online pharmacies would still leave out the country code TLDs (ccTLDs), which generally only answer to the sovereign laws of their own territories. While that is true, the generics space is of greater importance in this case, considering that an online pharmacy within a ccTLD is both easier to correlate with a jurisdiction (or the impersonation of one) and easier for patients to identify as potentially dangerous if they are from a country that is not their own or trusted by them. On top of that, the concept of involving the DNS community makes it so that ccTLDs are actually welcome to join in the effort if they so desire.

As previously discussed, we believe that the best venue to concentrate these actions is a Trusted Notifier (TN), who can not only discover and report malicious websites, but also assist the community in tracking these illegitimate operations in the longer term, by identifying activity patterns and trends, and disseminating knowledge about their tactics. By studying incidents, TNs would become ideally positioned to recommend how best to carry out actions at the DNS level.

A credible TN should be able to gather, organise and deliver to partner operators a continuous stream of reports denouncing illegitimate online pharmacies with a low margin of error, generating confidence and repeatability, and consequently enabling the operator to act promptly. Considering that malicious actors evolve their methods in reaction to industry developments, it would be necessary to employ progressively more granular measures to evaluate legitimacy, but for the time being, the criteria presented in this article would accomplish that goal.

There is no large-scale health-related TN in existence at present[10], and further steps need to be taken to make such a structure viable. The global health policies and DNS communities need to advance their understanding of the variables involved in this illegitimate market to be able to foster an environment that is appropriate to combat it. We reiterate that the distance between these communities is one of the deciding factors that enable malicious actors of this kind to thrive.

An initial step that can be taken immediately and would carry little cost or added liability would be the acknowledgement and tracking of illegitimate online pharmacies as their own category of threat within the databases of reputation blocklists, as well as within the systems of ICANN contracted operators. Currently, it is necessary to make inferences and educated guesses to track these criminal operations, and the availability of databases detailing their activities would already advance the goal of enhancing patient safety significantly by generating higher quality research based on diverse data sources.

A more involved, but still manageable, step would be for operators to experimentally implement the criteria listed in this article in their abuse-reporting processes, which would not only potentially help the ecosystem head in a better direction, it would also test these premises in a real-world setting and demonstrate their limitations, helping to strengthen future research and recommendations.

In the following section, we propose the aforementioned criteria.

Proposed criteria

This is a non-exhaustive set of criteria based on empirical research and the mapping of industry experience, which we believe can help assess the legitimacy of an online pharmacy or equivalent online salespoint of medicines. The intended audience for these criteria is the DNS community. Each criterion is discussed from the perspective of exploring what validates its inclusion as a recommendation, justifying its utilisation for the evaluation of online pharmacies.

These criteria need to be further studied and validated, and are largely based on accepted international pharmaceutical standards that were found to be transposable to the online world. These ideas should be built upon in order to continue with the creation of a set of norms that brings expectations around online pharmacies closer to those of traditional ones, enabling legitimate actors to consolidate a stronger market that increases access to medicines worldwide.

The flowchart below (Figure 1) serves as a summary of the criteria, for quick reference and easier understanding.

Figure 1. Flowchart of the baseline criteria for the mitigation of the illegitimate sale of health-related products using the DNS.

Criterion 1: requirement of a valid prescription from a licensed physician for the purchase of medicines which are not over-the-counter

Rational medicine usage is promoted by ensuring that patients only receive medications when necessary and in appropriate doses, which means that prescription systems help ensure appropriate treatment plans by requiring patients to engage with a chain of health professionals (which may involve nurses, doctors, pharmacists and others) before accessing medications. This not only enhances the overall quality of healthcare provision but also reduces the risk of potential complications arising from misdiagnosis (Laing, Hogerzeil, and Ross-Degnan 2001). It has also been observed that adherence to long-term therapies is facilitated by the proper implementation of prescription systems (World Health Organization 2003).

The inappropriate use of medicines can lead to adverse drug events (ADEs), which are a significant source of medical complications worldwide, particularly in relation to elderly populations (Garcia-Caballos et al. 2010). The prevention of ADEs not only reduces patient risk, it also generates significant savings for healthcare systems, avoiding costs associated with additional treatments, hospitalisations or extended care (Bates et al. 1997; Najafzadeh et al. 2016).

Finally, the implementation of robust prescription systems plays a critical role in mitigating the risks of addiction and abuse related to certain categories of medicines, such as opioids. By regulating access to these potentially harmful substances, there is a reduction in drug-related health risks and associated societal burdens. An age-adjusted opioid overdose death rates survey in the USA, considering data between 1999 and 2014, demonstrated that states from that country with more robust prescription-drug-monitoring programmes had fewer prescription opioid overdose deaths than those with weaker ones (Pardo 2017).

Criterion 2: requirement of a licensed pharmacist(s) responsible for medicine dispensing, available for consultation upon request

The need for pharmacists to review medical prescriptions when dispensing is crucial for safeguarding patient safety and ensuring proper medication use. Pharmacists play a role in detecting medication errors, discerning the potential for abuse, helping with adherence strategies[11] and preventing ADEs (Garcia-Caballos et al. 2010).

Pharmacists are responsible for identifying and addressing potential medication errors, such as incorrect dosages, medicine choices and administration routes. By reviewing prescriptions, they can detect these issues and prevent potential harm, improving overall patient safety. This is often best accomplished by communicating with the patient directly (Ilardo and Speciale 2020), reinforcing the need for such a channel to be available in online purchases.

Pharmacists must adhere to stringent regulatory requirements when dispensing controlled substances, narcotics and other medications with a high potential for abuse. This is particularly relevant to combat cases of ‘doctor shopping’, which ‘typically refers to patients that seek controlled substance prescriptions from multiple providers with the presumed intent to obtain these medications for non-medical use and/or diversion’ (Delcher et al. 2022). In such cases, the implementation by governments of digital control systems can be a valuable tool.

A large-scale survey carried out in the USA evaluated respondents who misused prescription pain relievers (such as opioids), identifying where their medications were obtained from. Only around 5% of respondents indicated illegal drug dealers as a source, pointing instead towards legitimate obtention, and particularly the sharing of such medications between friends and relatives (Lipari and Hughes 2017). This further corroborates the need for pharmacist monitoring of potentially dangerous behaviours when dispensing medicines, in person or online, including the reporting of suspicious activities to relevant authorities.

Criterion 3: clear and verifiable indication of the country in which the pharmacy is based and the jurisdiction it operates under

Knowing the country in which an online pharmacy is based and being able to verify that claim is important for assessing the safety of the purchase of medicines online. By considering the country of origin (and consequently its jurisdiction), a better evaluation can be made of which actors to trust, as well as enabling patients to inform themselves or be advised in relation to regulatory standards, enforcement capabilities and potential risks associated with online pharmacies from specific jurisdictions.

Monitoring the country of origin of an online pharmacy allows for the evaluation of existing data on the standards required for their operation, and comparisons between said standards and how they are enforced by the pharmacy. It is notable that it has been advanced by existing research that ‘online pharmacies asking for a prescription were significantly more likely to declare their geographical location than were online pharmacies that did not’ (Orizio et al. 2011), tying together this question with that of prescription requirement.

Online pharmacies operating in different territories are subject to varying levels of regulatory oversight and enforcement capabilities. This is not a static datapoint, as an increase in efforts has been noted in some countries from the African and Asian continents over time (Lee et al. 2017). Seeing as one of the main factors influencing the inability to take down illegitimate operations is them being in jurisdictions that do not have the capability to enforce adequate regulations (Krebs 2014), the possession of this knowledge allows for better risk assessment by TNs and operators.

Criterion 4: limited dispensing of controlled substances, including but not limited to opioids and anabolic steroids

Being vigilant in limiting the dispensing of controlled substances is perhaps the most important aspect in the protection of public health that can be performed by actors external to the pharmaceutical process.

Due to great diversity in the permissiveness of the sale of medicines in different jurisdictions, calling for a global ban on certain products is a difficult proposition. Thus, observing pre-existing jurisdictional limitations and pairing that with the aforementioned need for legitimate prescriptions is a more attainable criterion. While opioids represent a significant category with substantial existing research, there are other notable categories, such as the increasingly popular anabolic steroids (Bond, Smit, and de Ronde 2022).

Abusive behaviour can involve even simpler over-the-counter (OTC)[12] medicines, but is most concerning when related to tightly controlled medications, given their proven higher risk of causing addiction. Long-term treatments with opioids, for example, have been associated with the development of addiction or abuse in many patients, leading to morbidity and mortality (Compton and Volkow 2006). Many patients who misuse opioids start taking them for genuine medical purposes, but develop addictive behaviour with time and then seek ways to have continued access to them (Bolshakova, Bluthenthal, and Sussman 2019).

As mentioned in this article’s introduction, the USA’s NRA, the US Food and Drug Administration (FDA), has officially collaborated with the registries Verisign, Public Interest Registry and Registry Services, with the goal of curbing the ‘illegal sale of opioids online’, in a series of actions that proved effective in taking down illegitimate pharmacies offering these medicines indiscriminately (US Food and Drug Administration 2021). Efforts such as these need to be systematised and scaled up to achieve greater impact, involving more operators and thus increasing our understanding of the phenomenon.

Conclusion

There has been significant growth in the online pharmacy market, both in terms of legitimate businesses and illegitimate activities. The regulation of this market is fragmented and lacks coordination among different jurisdictions, which brings progressively greater challenges to the oversight of the online sale of health-related products, particularly prescription medicines. Malicious actors purposefully target the most vulnerable, creating situations that present risk to human safety, including the indiscriminate sale of opioids and other highly addictive medicines.

While intervention can be accomplished via web hosting and IP addresses, the DNS is the space where we can find the most leverage against these criminal actors, by making use of the collective strengths of the DNS community. By disrupting the domain names of illegitimate online pharmacies and reporting them to law enforcement agencies, the viability of their operations can be undermined in significant ways. The enforcement of baseline standards on the DNS would help safeguard good actors while mitigating against malicious ones, ultimately benefiting patients.

Our longer-term suggested approach involves both empowering the DNS community and leveraging the trusted notifier space to recommend the takedowns of malicious content. Our proposed criteria should be seen as a minimal point of reference, to continue to be developed based on experience and further research. In its initial iteration, we recommend:

  • Requirement of a valid prescription from a licensed physician for the purchase of medicines which are not over-the-counter.

  • Requirement of a licensed pharmacist(s) responsible for medicine dispensing, available for consultation upon request.

  • Clear and verifiable indication of the country in which the pharmacy is based and the jurisdiction it operates under.

  • Limited dispensing of controlled substances, including but not limited to opioids and anabolic steroids.

An immediate, low-cost and low-liability action would be to recognise and monitor illegitimate online pharmacies as a distinct threat category in the databases of reputation blocklists and in the systems operated by entities under contract with ICANN. This would facilitate future research and increase our understanding of relevant patterns.

We advocate for a more prominent role for the DNS community in addressing threats that, until now, have been peripheral in policy discussions. Enhanced collaboration and a focused approach are essential to effectively challenge these malicious actors. The extent of their potential harm has been underestimated, allowing them to operate with relative ease. It is crucial to shift this perspective, recognising the significant impact the DNS community can have in safeguarding patients.

Acknowledgements

This research would not have been possible without the support of the DNS Research Federation, which graciously provided partial funding for this effort. I thank my mentor Ron Andruff for helping me understand the urgency of tackling public health challenges and motivating me to develop solutions. I thank Christiane T. da Silva for being my invaluable co-researcher in several of the papers that led to this study. Finally, I thank the efforts of the GNSO Council’s DNS Abuse Small Team, who worked tirelessly with the community to propose ways to make the Internet a safer place for end users.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Correction Statement

This article has been corrected with minor changes. These changes do not impact the academic content of the article.

Additional information

Funding

This work was supported by DNS Research Federation.

Notes

1 Their main functions are: the registration and licensing of products; inspection and licensing for manufacturers and distributors; post-marketing surveillance; the regulation of statements for commercial promotion of products; and the authorisation of clinical trials (Pan American Health Organization 2020).

2 Brazil, China, Mexico, South Africa, India and Nigeria.

3 The USA has its own complex set of regulations for the sale of medicines online centring around its National Association of Boards of Pharmacy (NABP) and the Verified Internet Pharmacy Practice Sites (VIPPS) programme. The NABP is also the operator of the ‘.pharmacy’ generic Top-Level Domain (gTLD). While some of the literature assumes these elements to be a key part of the debate, this research opts to focus instead on a more global perspective.

4 As a complement to that, it has also been estimated that 96% of the world’s preventable deaths (‘amenable mortality’) occur in LMICs (Alkire et al. 2018). The causes of these losses are often correlated with diseases that are preventable and treatable – such as diseases affecting the circulatory and respiratory systems (OECD 2022).

5 Generic Names Supporting Organization.

6 Contracted Party House: those who have direct contractual relationships with the ICANN organisation.

7 Substandard: which fail to meet quality standards, specifications or both; falsified: that deliberately or fraudulently misrepresent their identity, composition or source; unregistered: which are not approved by the national or regional regulatory authority of the market in which they are being sold (Rojas-Cortés 2020).

8 For example, DNS filtering is a different technique that can be employed at the ISP or organisational level, but that is not particularly effective in stopping actors on a global scale.

9 Goncharov (2015) offers the following countries as examples of territories where bulletproof hosts are concentrated: Bolivia, China, Iran, Panama, Lebanon, Luxembourg, Netherlands, Russia, Switzerland and Ukraine.

10 The author is aware of at least one smaller-scale health-related TN in operation as of 2023.

11 Nonadherence is particularly high among the elderly, with practices such as the improper rationing of doses, unfortunately, being commonplace (Briesacher, Gurwitz, and Soumerai 2007; Kleinsinger 2018).

12 OTC substance abuse has been overlooked in spite of it also representing a serious threat to the lives of patients, with medicines such as aspirin, cough syrups, sleep aids, laxatives and antihistamines leading to hospitalisations with alarming frequency (Lessenger and Feinberg 2008; Sansgiry et al. 2016).

Bibliography