I totally agree. Namecheap probably had to tell Facebook, "get a warrant". If they DIDN'T do this, they would then be responsible for policing EVERY site they provide WhoisGuard for, and that would be ridiculous.
Facebook is trying to use this as a way to show they are concerned about privacy and security, but they're coming across as bullies that didn't get what they wanted and now they have to use the necessary legal methods to do so.
Yeah, Facebook's trying to strong-arm registrars, but the fundamental premise comes off to me as entitled. It's like they're asserting they're too important and they don't want to go after these domain holders one-by-one, so the registrars should do their bidding.
Standard Oil was concerned about Oil. Resource companies generally are concerned about the resource they exploit, and especially about keeping all access to it for themselves and none for others.
Doing something once does not, contrary to popular (on the internet) theory, create an obligation to do so perpetually and in all situations. That’s the whole point of Section 230 of the DMCA, for example.
Judging by this thread, this faulty logic has been embraced wholeheartedly, and it leads to the strange position that it is actually immoral, apparently, to make any judgement calls in the course of your everyday life or business. When you are asked to work for a scammer, you are supposed to throw up your hands, say “who am I to judge”, and take their money.
Courts are, apparently, the only unfailing entities that can tell right from wrong. Even when something is universally agreed to be wrong, you are supposed to ignore it lest you feel tempted or required to then make decisions in more nuanced cases.
It’s a rather convoluted scheme to abdicate all moral responsibility.
Who are they advertising to though? They might look like bullies to people in the industry but that's probably not who they're trying to market themselves as privacy/security concerned towards. Combined with how dire the state of mainstream tech 'news' is, I'd be surprised if this actually backfired regardless of which way the lawsuit goes.
Sort of related: one time a scammer conned my grandma out of thousands of dollars by calling her and pretending to be me in distress. She wired the money to my name (I think it was Western Union or something), in a foreign country, and somebody "showed ID" as me.
We reported it to the police, of course, but I don't think it was ever really pursued. I wanted to dig in myself but whoever the company was said they wouldn't give up the records without a subpoena. Very frustrating as I am the person who was being impersonated.
It seems like there are times where you should have standing as an individual to get a subpoena for information directly related to you.
Thanks for reminding me about this. One thing I've established with my siblings was that none of us should transfer any money via a service like PayPal, Venmo, etc. to each other without an explicit casual phone call first. It can't just be a text or a phone call asking for money, you have to have a casual conversation first. How is work? How's blah blah, what are you getting for dinner tonight, etc. For the case of elderly parents, I'm lucky that they would immediately hand that off as busy-work to siblings. Like they would never go to Western Union, they would call a child and say "hey, your sibling requested such and such, can you go do that", which would then raise all of the alarms.
If they impersonated you, aren't you technically requesting information about yourself?
Under European law, "you can request access to the personal data a company or organisation has about you, and you have the right to get a copy of your data, free of charge, in an accessible format." [1]
I'm sorry, that sucks, but we should not give up rights because some customers are easily fooled. This is a slippery slope you do not want to start on, because where does it end?
But that's more an issue of identity confirmation.
I believe there has to be a reasonably high bar that a person has to clear before a company should be even allowed to assume they are who they're claiming to be, but once that bar is cleared no information regarding or directly linked to the person in question should be withheld from them.
But then, hasn't the company already shown that it's bad at identity confirmation? Why would you expect them to be better at it in the other direction?
Isn't this problem solvable by looking at it differently? To me, the problem is that it's easy for scammers to impersonate someone. What if there was a way to reasonably check a person's identity in a standard way accessible to everyone without going through hoops?
That ideal won’t come true for a very long while. I appreciate your idealism, but for better or worse, we need a reasonable and attainable solution in the interim.
That's frightening. When we drew up our household information for babysitters, we put in codewords to identify ourselves and for the babysitter to identify him/herself to us in case of an emergency.
We felt more than a little paranoid (and the babysitters probably thought we were nuts) but anecdotes like yours reinforce the need to be careful when relying on easily-spoofed caller ID for identity protection.
This is a great reason for why modern data laws like GDPR and CCPA enshrine right of access so highly, I believe. I think it would be interesting to pursue civil cases against fraudsters whose data you manage to collect out of PayPal audit logs or whatever, but you'd probably be contending with international courts and it would be an expensive and time-consuming affair.
> If they can't make sure that their clients are legit, they shouldn't be in the business at all.
Banks are required to have Know Your Customer systems. Domain registrars, hardware stores, and grocery stores are not. Do you really want to extend this additional expense to all the businesses from which you buy?
I personally would want to see it extended in areas where fraud is common. I don't think grocery store fraud is very common, misleading domain names however are exceedingly common and a huge problem so I don't really see what the issue is with extending those expenses.
Mind you someone always has to pay these expenses when fraud occurs, they don't vanish and I would like to see it allocated in such a way that it gives an incentive to prevent fraud, not protecting it.
KYC laws in banking, to the extent that they even do anything anymore, were always for investigations of organized crime. They only work for large, high value targets. They discover that the mortgage on a mob restaurant is getting paid by some "Tony Johnson" so they freeze the account and see if "Tony Johnson" shows up to complain. If there is no such person or it's a stolen identity, you lose all the money in your account because there is nobody to show up and claim it. If there is such a person, now they're building a racketeering case and have somebody they can try to flip. It was never really useful for fraud.
The same thing in most other contexts is useless. There is no equivalent to "money in the account" to worry about losing so people will just use made up names or stolen identities with impunity, and the legal process for proving it's a stolen identity wouldn't reasonably be any easier than the existing legal process for having the domain seized whether or not you know who registered it.
Also, arbitrary foreign nationals can have domains. What do you even expect to do with the information that the domain was registered by Sergei from ScrewYouistan which has no extradition treaty?
Most registries have requirements that domain registrars must know their customers' identity.
Such requirements are not always enforced, especially by ICANN, and the punishment for failure is pretty rare. That could however change at any moment, and the consequences (beyond possible legal ones) would be that the registrar would lose accreditation.
By design, contact information is registered along with domains. One function of this is to allow people to report abuse of that domain to a webmaster, and ultimately to pursue action against the registrant if abuse continues. By allowing people to frustrate this resolution process Namecheap are serialising the abuse process through themselves, as they are now the only party with that formerly public information. So yes, I do think it would be appropriate in this case to extend the expense of policing domain abuse to Namecheap and other registrars who provide WHOIS privacy.
Companies aren't anonymous in the US. Corporations must have registered agents in each state in which the corporation is registered, the name and address of whom is public in order to facilitate service of process. LLCs in most states must include at least one member, manager, organizer, or authorized individual in the public filing, and even in states that don't require this, a bank will want it in the public paperwork before opening an account in the LLC's name.
Ownership of land, legal entities, and domain names should be public information because that would be better for society.
EDIT (HN won't let me reply or post any more):
> Maybe they're exposing corruption or sharing information that powerful people don't want to have exposed.
Sure there are edge-cases where anonymity would be desirable, but they pale in comparison to the real harm done every day to regular people through anonymously registered domain names.
I can think of many legitimate reasons that a site owner might want to be anonymous. Maybe they're exposing corruption or sharing information that powerful people don't want to have exposed.
Maybe they have weird sex fetishes or are flat earthers etc. One has the right to be weird in certain contexts (swing clubs, flat earth rallies) and still have a public persona that’s professionally, politically etc valuable.
I totally agree that in some cases anonymity is good, useful, etc.
But creating phishing sites for Facebook is not that. There is no good reason to register the domain "facebo0k-login.com".
I get that it's difficult to work out if the domain is going to be used for a legit purpose, but surely that's easier to do at the point of registration than it is to police afterwards?
It takes a human about 2s to work out that "fuck-facebook.com" is a legit protest domain, while "facebo0k-support.com" is a phishing domain. It's not even about trademarks or ownership of the word "facebook", it's about the intent of the domain.
I think insisting on ownership information for a domain that looks like it could be used for phishing, while allowing "furries-r-us.com" to be anonymous would be a better system than we have now.
> I get that it's difficult to work out if the domain is going to be used for a legit purpose, but surely that's easier to do at the point of registration than it is to police afterwards?
How could it be easier? I could always start legitimate[1] and then switch later. Now, if you think about the context of "faceb00k.com is probably not legitimate" you get in all sorts of discussions about what is okay, what is not okay, what is an edge case.
All these proposals bring us further into a domain where private persons/companies are deputized to rule what is okay under the law, because court processes take so long and are so complicated. It ignores that there is a reason they are long and complicated. We've learned the hard way what happens if they are not.
[1] For the sake of this post let's assume legitimate means 'okay under the law' and split away the question of morality
Yes, this is complex. I agree; so far we've been pretending it's not complicated, and that's not really working any more.
The law is based on moral decisions, so I think "splitting that away" is probably circular - eventually a law will be made to deal with an immoral situation. We might as well consider the morality now and save some time.
I think we should get into all sorts of discussions about what's OK, what's not OK, and what is an edge case. People should be held responsible for what happens on their domain. There should be a discussion about whether the potential registration of "faceb00k.com" is legitimate or not.
What if there was a jury of 12 random people who had to approve every domain registration, and also decide whether that domain registrant should be anonymous or not? Would that lead to better results than we have now?
And to be honest, the actual cause of the harm to these people done every day, is not in fact the result of the lack of transparency in domain registration, but in fact the unwillingness of police in their local jurisdictions to go after criminals. A good example of this would be Jim Browning, who has offered information to police departments operating within India relating to scammers and... he has never got a response.
With all due respect, that's not an answer, that's just reiteration of the same statement with a "because it would be better". The answer to "why" is a rationale and yours so far is "bad people doing bad things so better somehow force business to make sure their clients are legit and make things transparent", which is a perfectly fine opinion, but devoid of any actual analysis. That's my interpretation, though, and my apologies if it's incorrect and not what you've meant - I don't intend to introduce a strawman here.
I would recommend actually analyzing the pros and cons. What are the benefits for the society, why they're real (not a snake oil/security theatre, where bad actors would be easily able to work around), and why they overweigh the harm from the negatives (e.g. the obvious privacy concerns).
This idea conflicts heavily with GDPR first of all. Secondly, why should that information be public? Does car ownership need to be publicly disclosed even though tons of car crashes happen every day? No, because the driver is liable, not the manufacturer, and the driver carries insurance to reduce cost of liability.
The real issue is enforcement. Namecheap should not be there as an arm of the law. Instead, the people BUYING the domains should be held accountable for their fraud.
This gets messy quick. How does Namecheap verify the validity of an individual? What constitutes a valid individual? What evidence is required to prove this to a registrar? How does Namecheap verify the legitimacy of intent for that domain? How does Namecheap keep up with every possible brand that may be subject to abuse? At what point does a brand become protected in a way that restricts the selling of similar domains?
For KYC in the financial world, answers exist to ALL of these questions. There is some inherent level of identity tied to your personal finances. These systems are built around a real identity that can be validated, so it's easy to apply. The same is not true for any internet service.
> For KYC in the financial world, answers exist to ALL of these questions
This might offend us IT types, but I'm not sure there's always just one answer.
Anecdote #1: I can walk into the local branch of my bank - where all the staff know me - and withdraw money from my account without showing any form of ID, telling them my account number, or even stating my name. They know me, I just have to sign the form.
Is that in the KYC regulations, or even the bank's SOPs?
> Anecdote #1: I can walk into the local branch of my bank - where all the staff know me - and withdraw money from my account without showing any form of ID, telling them my account number, or even stating my name. They know me, I just have to sign the form.
They shouldn't do that. I am not saying they don't but they shouldn't. And in this scenario, you've already established your real identity over time in order to open the account and regularly withdraw or deposit funds.
You didn't build this relationship in a day without any evidence of who you are. And then you are physically showing up, which is proof that you are the person they have been dealing with over the course of the relationship. You could have lied initially and established a lie over time, but that stuff happens in the KYC process as well. KYC isn't a perfect system and it's completely possible to 'lie'.
> Is that in the KYC regulations, or even the bank's SOPs?
I would bet that it is in the Bank SOPs to NOT do what you described. But, as a person that does a lot of compliance, it's inevitable that people will ignore SOPs or policy to some extent.
> (in the same way that land ownership isn't private)
You can make land ownership private by holding it in certain entities. I personally don't think land ownership should be public anyway. Nor do I think home ownership should be public.
Maybe in your country, where corporations make the laws.
In most of the world, the ownership of "entities" is also public data. The privilege of being an entity is bestowed by the public through the state, and any status or license granted by the collective (the state) is and ought to be public information.
> In most of the world, the ownership of "entities" is also public data. The privilege of being an entity is bestowed by the public through the state, and any status or license granted by the collective (the state) is and ought to be public information.
Under that theory, bestowing the privilege of privacy doesn't seem any different to bestowing the privilege of being an entity.
So why should we do one but not the other? What are the trade-offs?
That seems like an attempted insult on the US but your comment is dishonest. There are a lot of layers to laws (Constitution, Congress, state's rights and their laws, local laws, etc).
What country are you from? I'd be interested to read up on any country that doesn't have corporate lobbyists or special interests involved in lawmaking.
Anyway, for future reference, unless specified, most readers are going to assume you are referring to the US.