[HN Gopher] Facebook sues Namecheap for registrants of phishing ... ___________________________________________________________________ Facebook sues Namecheap for registrants of phishing domains Author : whoisjuan Score : 142 points Date : 2020-03-05 19:49 UTC (3 hours ago) (HTM) web link (about.fb.com) (TXT) w3m dump (about.fb.com) | Mistri wrote: | Is Facebook targeting Whoisguard directly? I am incredibly | thankful for Whoisguard -- back when I purchased my first domain, | I didn't know about it, and to this day, I get 5-10 spam emails | per day regarding my domain. It's so bad that I've had to change | my primary email to something else. | | There definitely should be a mechanism by which large companies | like Facebook can approach Whoisguard and ask for a site to be | taken down, though. | Thorentis wrote: | Why does Facebook want to know who these people are? That itself | seems a bit creepy. Sure, get the domains taken down, get | Whoisguard to block them from registering more domains in future. | But what does Facebook want, names and addresses? Weird. | jpeg_hero wrote: | > But what does Facebook want, names and addresses? | | Uhhhh, to help in the investigation and arrest of the ring of | people that are scamming and fishing Facebook customers? | Thorentis wrote: | Shouldn't law enforcement have that information rather than | Facebook? Or does Facebook see itself as the internet police | now? | forgotmypw16 wrote: | Seems like a good opportunity to say, I've been a Namecheap | customer for more than 10 years and I am very happy with them. :) | andy_ppp wrote: | Haha, imagine a company suing another for the way people use | their platform, as if it's _their_ responsibility to police the | people using it for harmful purposes! Ridiculous! | gruez wrote: | Tangential question: what are the chances that, if namecheap | disclosed the identities of registrants, facebook would be able | to do anything with it? You'd expect that if the domains were | registered with the intention to do Bad Things, that they would | be registered with fake information. You can use a throwaway | email addresses, fake mailing address (doubt they would validate | it), and pay with cryptocurrency. | edmundsauto wrote: | If the registration information is falsified, + trademark | dispute, FB has the inside track on getting ownership of these | domains transferred to them. After all, the registered owners | don't exist -- doesn't that make them up for grabs? | duxup wrote: | Depends on where they are located I suspect, and what | information is provided. | | It is possible knowing the information behind them is in fact | fake would facilitate taking the sites down too. | stevenjohns wrote: | For what it's worth, I reported dozens of domains used in | phishing scams to Namecheap and their support could not possibly | give less of a crap. I reported about 26 domains used in SMS | scams in Australia and Namecheap refused to action more than one | domain. As far as I'm aware, the remaining 25 or so are still | active. | | Their chat support is unable to take spam complaints and instead | directs you to their "Legal & Abuse Department" based in Eastern | Europe. And what you get is basically what you'd expect from an | underpaid, disgruntled level one IT support. | scsh wrote: | Not attempting to excuse their lack of action, but there are | cases where it's somewhat understandable why a registrar may | not take action. For instance, if the only service they're | actually providing is registration, the domain belongs to a | long time customer, and they aren't hosting the site or dns, | they're only left with one very blunt action they can take. | It's frustrating for sure, but registrars are very hesitant to | take such harsh action on long-standing customers. | | In that example the domain is likely compromised though, so you | need to be reporting to all the hosting providers involved as | well and not just the registrar. | nomel wrote: | You should report illegal activities to the authorities, not | companies. | | I wouldn't expect Namecheap, a low cost registrar with "cheap" | in its name, to have the legal resources to investigate or make | a conclusion for each accusation that comes their way for one | of their 10 million domain names. | | As with everything internet related, I think there's a vast | misunderstanding of scale, and difficulty in automation | (domains sniping!), for what they're facing. | | I also wouldn't expect them to hand out information to anyone | that asks for it, especially a large company known for misusing | any information they can get their hands on, without a | subpoena. | | I think the real solution would have to come from a third party | group(s) that could collect, monitor, and produce high quality | reports, with a high level of accuracy, that all of these | registrars could use. Who would fund these groups? Probably | whomever gains/loses less from the phishing scams being | terminated. | p0sixlang wrote: | This probably comes down to narrowing the number of people who | can take action on these requests, as per the potential abuse | that could come from taking action on invalid requests. | Nextgrid wrote: | It's ironic how Facebook uses all kinds of lies and dark patterns | to steal data from their users but gets pissed off when someone | else does it (or provides services for it as it is in this case). | magduf wrote: | 2 wrongs don't make a right. And sure, FB uses "dark patterns", | but that's a lot more subtle than registering obvious phishing | domains. There's simply no defense for that at all; it's | obviously aiding and abetting criminal activity. | AlexandrB wrote: | > it's obviously aiding and abetting criminal activity. | | Criminal activity like election interference? Has Facebook | been fined for that yet? | chopraaa wrote: | Yes, that's because phishing is an actual crime. | ep103 wrote: | so is wiretapping, but in our household we have a running | joke that if we're too lazy to google something, or say "ok | google", we can just say "ok facebook bed frame bed frame bed | frame" in the direction of our phones, and fb/instagram will | start showing us ads for bed frames in a few hours. It works | a surprisingly large amount of the time. | magduf wrote: | Wiretapping is only illegal if you don't give permission | for it. By having a device that's always recording audio, | you're implicitly giving permission for what you describe. | bcyn wrote: | I can't speak for other platforms, but if you've ever | developed apps for iPhone, you'd know this is pretty much | impossible for FB to do. | onlyrealcuzzo wrote: | Pot calling the kettle blue... | ArchReaper wrote: | One is illegal, the other is not. Apples and oranges. | | Edit: what's with the downvotes? I'm not defending the | practice, just stating facts. | wolco wrote: | Everyone worries about google. Google will become part of the | public infrastructure after some external challenge forces it | to. At what point does facebook turn hostile and start exposing | personal secrets to the public unless you pay or at least come | back and visit to change settings? You can feel it coming... | NamecheapCEO wrote: | Is it not enough that Facebook and Zuck tread all over their | customers privacy on their own platform? Now they want other | companies to do it for them with their own customers as well. | | This is just another attack on privacy and due process in order | to strong arm companies that have services like WhoisGuard which | is intended to protect millions of customer's privacy. | preommr wrote: | ^ Namecheap CEO | | Can you explain the legal details of what's happening here? | Who's responsibility is it to deal with domains that are | potentially dangerous, what exactly is facebook suing you for? | What rule are they talking about when they say you're supposed | to provide the WhoisGuard information (someone else mentioned | that's only for government requests)? | | I've also seen some complaints by other people here that there | are some namecheap domains that are sometimes scammy and | namecheap sometimes deals with them and other times they don't | (based on user comments here). Can you clarify if namecheap | does indeed take action and if so, why they haven't here? | | Also in the future, you might want to sign off at the end of | the comment since it's really easy to ignore the username as | it's grayed out. And FWIW, great job with namecheap, I've had a | really good experience with it. | a13n wrote: | I mean, FB is trying to stop phishing here, and it doesn't seem | like your company is cooperating with FB's investigation. A | lawsuit seems like what they had to do to get you to take | action here. | | Why do you want to take money from criminals, in exchange for | helping them to do criminal activity? From a risk management | perspective, you should very much not want these customers. | caffeinewriter wrote: | I feel like the title "Facebook sues Namecheap for registering | phishing domains" is somewhat misleading. | | > We found that Namecheap's proxy service, Whoisguard, registered | or used 45 domain names that impersonated Facebook and our | services, such as instagrambusinesshelp.com, facebo0k-login.com | and whatsappdownload.site. We sent notices to Whoisguard between | October 2018 and February 2020, and despite their obligation to | provide information about these infringing domain names, they | declined to cooperate. | | Specifically, they're suing Namecheap _and their proxy service_ | for not providing information about the true registrants of the | allegedly infringing domains. | EE84M3i wrote: | Well, their whois proxy services. Namecheap has other proxy | services (email for sure, I think also some configurations like | parking and redirection use an HTTP proxy), so not specifying | whois proxy is pretty confusing. | dang wrote: | We've edited the title in an attempt to thread that needle. If | someone can suggest a better--more accurate and neutral--title, | we can change it again. | bagacrap wrote: | "This week we filed a lawsuit in Arizona against Namecheap | [...] for registering domain names that aim to deceive people | by pretending to be affiliated with Facebook apps." | | The press release says "for registering domain names" so I | think the original title was accurate. | | Previous similar court case where Verizon won a judgment | against OnLineNic on the basis of trademark infringement: htt | ps://dockets.justia.com/docket/california/candce/3:2008cv... | | So it doesn't seem like this suit is just about discovering | the identities of the registrants. | CydeWeys wrote: | And to be clear, all Namecheap had to do to prevent this | lawsuit was identify the owners of or delete the obviously- | phishing and obviously-TM-infringing domain names. They didn't, | so now Facebook is taking them to court over it. | ensignavenger wrote: | According to ICANN they cannot simply delete the domains- | https://www.icann.org/resources/pages/help/dndr/udrp-en | | "Under the policy, most types of trademark-based domain-name | disputes must be resolved by agreement, court action, or | arbitration before a registrar will cancel, suspend, or | transfer a domain name." | caffeinewriter wrote: | Honestly, I'm glad they didn't. There's not much use in a | whois privacy service if they'll give up the info just | because a company says "this is infringing". | xorcist wrote: | Namecheap is responsible for administrating domain ownership. | They are not free to unilaterally change or remove ownership | at will. | | That doesn't mean it's impossible to deregister infringing | domains. It means that there is a process to follow, which is | probably what we're seeing right now. | JoshTriplett wrote: | Or, alternatively, remove the domain names, since they're | blatantly phishing domains. | | I think anonymous domain registration is an _important_ | property to preserve. Many people need such services for | their safety. However, if you 're going to serve as an | anonymity shield for another party, you're taking on some of | that party's liability, and in particular you need to take | down malicious domains. | StreamBright wrote: | This pretty much depends on the details. | throwaway3157 wrote: | I know some attorneys are on HN, so question: does | Namecheap/Whoisguard have a legal obligation to reveal that | requested info? | mmanfrin wrote: | Facebook listed 3 of the 45, including one that I'd argue | does not at all violate TM or phish. In a post like this, | they'd likely pick the most egregious examples, so your | statement about how obvious this is is entirely baseless. | Furthermore, I'm absolutely okay with Namecheap not honoring | a demand for information without a subpoena. Those | whoisguards protect _me_ from spammers, scammers, and anyone | who would want my information from a whois. | notRobot wrote: | Agreed 100%. I'm a huge fan of removing all PII from whois | info. Get a subpoena if you want that data. Otherwise next | thing you know they'll be demanding registrant info for | "facebookisevil.com" because it "infringes on our | trademarks!!!" | rstupek wrote: | Actually all PII information is already removed from | whois info. I think it was a consequence of gdpr | notRobot wrote: | Nah namecheap made whoisguard free for all long before | GDPR if memory serves correctly | rstupek wrote: | They may have but regardless of them doing so, gdpr | resulted in the making of whois data not generally | available to anyone. | [deleted] | jfengel wrote: | Isn't "getting a subpoena" basically what they're doing? | tptacek wrote: | Why do I care about the other examples if the egregious | examples include obvious phishing sites? | sieabahlpark wrote: | Well what's the point of protecting the domain owner if | anyone who comes by and asks can get that info? | blackearl wrote: | It sounds like Facebook asked, not a court. Just because | you're a big company doesn't mean others need to bend to | your will. | disiplus wrote: | what value is there in whoisguard if anybody can strong arm | you in giving the data away. | AlexandrB wrote: | How is "instagrambusinesshelp.com" impersonating Facebook | services? Is the argument here that using "Instagram" in a | domain name inherently not allowed? | | Edit: Would "instagramsucks.com" or "facebooksucks.com" also be | infringing? | tinus_hn wrote: | One name implies it's related to the company, another does | not. That's why there are judges instead of robots in court. | gentleman11 wrote: | Almost every windows website in existence is liable under | this description. It is confusing, but protecting domain | names via trademark law seems undesirable to me in most | cases | swiley wrote: | The name only loosely suggests it might be related, it | doesn't (at least to me) directly imply it. | cooljacob204 wrote: | But you have to consider your everyday user who has no | real understanding of how companies use domains outside | of being a name. That domain suggests it's business | support for Instagram. | gibolt wrote: | Instagram has a business portal. When your site could easily | be mistaken as an official company channel, that should not | be allowed. | AlexandrB wrote: | But the language on Facebook's press release implies that | the names themselves are misleading. They don't mention the | content. | | I'm not disputing that the sites themselves are | scammy/phishing, but what Facebook is saying here sounds | like an overreach that amounts to "using Facebook | trademarked names in a domain name is misleading and | inherently untrustworthy". | bavell wrote: | This seems like a bad knee-jerk reaction, not a real | solution. | | My company also has a business portal. Can I take down | domains that are similar to it as well? Or is this power | just reserved for MegaCorp Inc. who can afford large legal | teams? At what point does a company become large enough to | warrant "protection" of domains similar to their own? Who | makes that decision and is there any dispute process? Etc, | etc... | | So many questions and potential pitfalls surrounding this | approach. I don't know if there's any better realistic | "solution" than to let users ultimately be responsible for | the domains they visit. Not much of a solution but I don't | see any better options that are both realistic and helpful. | Kalium wrote: | There's an ICANN process that allows you to file exactly | this sort of domain-specific takedown notice. | https://www.icann.org/resources/pages/help/dndr/udrp-en | | The big drawback of the process it that it doesn't work | well for phishing attacks, where taking down one domain | is of limited value. It's designed more for things like | nissan.com | shaneprrlt wrote: | So if you started a small consulting company helping people | advertise or build a brand on Instagram, and your website | was instagrambusinesshelp.com, Facebook has the right to | say "not allowed"? | | Do I also have the right to impose rules on other | businesses naming conventions [1], or no because I'm not a | $500B company? | | [1] In a fair use context, not blatant copyright/trademark | infringement or posing as the company in a phishing | context. | derision wrote: | There is no fair context for that under the law. The name | is trademarked so unless you have approval from Facebook | to use their trademark then using it is not legal. It's | not that complicated. | jbob2000 wrote: | My assumption is that "instagrambusinesshelp.com" was | impersonating Instagram to scam people. Instagramsucks.com | probably isn't trying to impersonate them, just complaining | about them. | rstupek wrote: | And likely wouldn't be infringing Instagram tm. | koolba wrote: | They don't even like you use "book". | ck2 wrote: | The really interesting thing about namecheap is they are not a | registrar for most TLDs, they are simply a very large enom | reseller (last I checked a year or two ago) | markdown wrote: | Uh, the utter hypocrisy makes me sick. | | Facebook takes money from people spreading fake news to influence | the elections in my country and they refuse to reveal the names | of the people funding this fake news. | onetimemanytime wrote: | so people should sue FB if someone uses FB to say bad things | about them??? | | File a UDRP, it works with proxy services as well. NameCheap | can't manually check or approve every name. | keanzu wrote: | It's 45 domain names. | | Facebook sent them a list. | | No-one said anything about manually checking every name until | you did. | onetimemanytime wrote: | they sent "notices" so unless you know something more.... One | cannot just ask for them divulge the names, that's the point | of privacy. File a suit or whatever. It's cost of doing | business | PeterisP wrote: | Filing a lawsuit is the whole point - facebook has grounds | to sue the domain owners, so either Namecheap can disclose | who they are so they can be sued, or Namecheap can be sued | (i.e. what's happening now) to be forced to disclose who | they are so they can be sued. | | One _can_ just ask for them to divulge the names (FB did | that); one can refuse to divulge the names (Namecheap did | that); and then a judge can force that privacy to be | revoked. | onetimemanytime wrote: | Yes, but you sue John Doe 1-45 under https://en.wikipedia | .org/wiki/Anticybersquatting_Consumer_Pr... . NameCheap | is then forced by the court to notify them. You shouldn't | directly sue the service provider, NameCheap in this | case. They were right to refuse to unmask the owners | without a court order. | PeterisP wrote: | It seems to me that as far as domain registration is | concerned, Namecheap's subsidiary Whoisguard is | technically the domain owner in this case. Of course, | they're doing this with the intent to be a proxy, but | technically they are the owner and so it seems that it | would be appropriate to sue them for the misuse of that | domain. | | I.e. "We found that Namecheap's proxy service, | Whoisguard, registered or used 45 domain names" - it's | not that 45 John Does have registered these domains and | we want their identities, we know who is the official | owner of these domains is - it's Whoisguard; and it's up | to Whoisguard to either accept full responsibility for | the [mis]use of these domains or provide some arguments | why someone else should be held responsible instead. | | If "internet standard process" is that they should do | something else other then sue Namecheap - well, that | works as far as that other thing works | faster/better/cheaper than suing Namecheap directly. If | it does not, then the legal process is that they _can_ | sue Namecheap if it feels more effective. | | In essence what seems to be happening here is testing in | a court whether the current practice of domain "privacy | proxies" can be done without the proxy accepting any | liability for the domains they're shielding. Such | services were implemented in the notion that they don't | intend to accept any liability, but as far as I know it | has not yet been tested in courts whether they can get | away with it. | | It's worth noting that in many other similar aspects | (e.g. copyright issues for user generated content, etc) | the default position was that proxies _can_ be held | liable as accomplices, and that changed only when | specific laws were passed saying that such proxies are | immune from liability if certain conditions are met (e.g. | common carrier, dmca, etc, etc). So, depending on how the | courts rule, it 's plausible that we might get precedent | that domain privacy proxies _do_ have to bear some | liability if they happend to protect the anonymity of | criminals, which would de facto mean that those proxies | won 't exist, that all such services would shut down. | onetimemanytime wrote: | You miss the point entirely: FB cannot do anything | without suing, even if they had their names and | addresses. These things are solved either via ICANN | procedures or through federal courts. In both cases, | NameCheap would be forced to notify owners or divulge | their info. | mmanfrin wrote: | Facebook sues Namecheap for _allowing people to to register_ | phishing domains | Volundr wrote: | Facebook sues NameCheap for allowing people to register | phishing domains, _and failing to meet their obligation to | provide information about those domains when notified_. But it | 's not near as good a headline. | mmanfrin wrote: | Namecheap has no obligation to give out customer data at | _all_ unless directed so by a court. | ceejayoz wrote: | Is it possible there's something in the ICANN registrar | policies that requires them to do so? | | If not, isn't this sort of suit _how_ you 'd get a court to | issue such an order? | Volundr wrote: | It appears there is: | | https://www.icann.org/resources/pages/approved-with- | specs-20... | | See section 3.7.7.3 | lsaferite wrote: | Which specific obligation are you referring to? | Volundr wrote: | The article doesn't reference, but I'd assume: | | https://www.icann.org/resources/pages/approved-with- | specs-20... | | 3.7.7.3 Any Registered Name Holder that intends to license | use of a domain name to a third party is nonetheless the | Registered Name Holder of record and is responsible for | providing its own full contact information and for | providing and updating accurate technical and | administrative contact information adequate to facilitate | timely resolution of any problems that arise in connection | with the Registered Name. A Registered Name Holder | licensing use of a Registered Name according to this | provision shall accept liability for harm caused by | wrongful use of the Registered Name, unless it discloses | the current contact information provided by the licensee | and the identity of the licensee within seven (7) days to a | party providing the Registered Name Holder reasonable | evidence of actionable harm. | crobertsbmw wrote: | They aren't even sueing for _allowing_. You can't expect | namecheap to know every possible domain that could be used to | impersonate Facebook. They are sueong because namecheap isn't | cooperating in their investigation.. | [deleted] | [deleted] | sdan wrote: | Thank you Namecheap. | | Been using Namecheap since 2017 and was thinking of switching | over, but this decision (although malicious, protects users | privacy). | ArchReaper wrote: | Title is misleading, from the article: | | > We sent notices to Whoisguard between October 2018 and February | 2020, and despite their obligation to provide information about | these infringing domain names, they declined to cooperate. | | Title should be closer to "Facebook sues Namecheap/Whoisguard for | not providing information on phishing domain registrants" | yuters wrote: | The phishing sites should be taken down no questions, but | what's the obligation for WhoisGuard to provide information to | an Internet company? Shouldn't they provide information only to | legal authorities? | bagacrap wrote: | opening paragraph: "This week we filed a lawsuit in Arizona | against Namecheap, a domain name registrar, as well as its | proxy service, Whoisguard, ___for registering domain names_ | __that aim to deceive people by pretending to be affiliated | with Facebook apps " | [deleted] | zadokshi wrote: | Yes, the title should be fixed. | dbg31415 wrote: | Slippery slope, and I hate Facebook more for doing this. It | shouldn't be on Namecheap to police for Facebook. Tomorrow, | Facebook could open something like cnn.facebook.com -- would | CNN.com be off limits then? It'd be impossible to predict, track, | and respond -- also it's fundamentally not Namecheap's | responsibility to protect Facebook. Facebook could, and certainly | has the money to, register anything they want -- anything that | resembles a domain in their apps. | preommr wrote: | > Our goal is to create consequences for those who seek to do | harm | | Rich coming from FB. | | On the one hand, scam sites should be stopped, on the other, I am | not sure we should let companies wantonly decide which domains | other people register are bad. | | I can't even tell what the legality of this is. What does | facebook even sue for, trademark infringement? Or is it fraud | related which I would assume they'd go to the courts for. If | namecheap is breaking the law, then the justice system should be | involved, otherwise it's namecheap rolling over anytime facebook | decides to sue them for anything they want. | driverdan wrote: | Is Namecheap obligated to respond as FB claims? Isn't this the | proper way it should happen, through the courts? I don't want | Namecheap giving my personal info out just because a business | claims a domain infringes their trademarks. | derision wrote: | I'd say it's a little different if you're running a blatant | phishing site, it's more than just trademark infringement | driverdan wrote: | Is it? Doesn't that responsibility fall to law enforcement, | not a company? | ensignavenger wrote: | As a Namecheap customer, I am glad that they aren't giving up | their customers privacy. Facebook claims they have an obligation | to do so- but they don't provide any citation for such an | obligation. | | ICANN has an established process for handling these types of | disputes, and Facebook should avail themsleves of that process. | https://www.icann.org/resources/pages/help/dndr/udrp-en | | (It isn't clear if Facebook is seeking a financial judgement or | just a court order to delete or transfer the domains to | Facebook?) | NamecheapCEO wrote: | Is it not enough that Facebook and Zuck tread all over their | customers privacy on their own platform? Now they want other | companies to do it for them with their own customers as well. | This is just another attack on privacy and due process in order | to strong arm companies that have services like WhoisGuard | which is intended to protect millions of customer's privacy. | gruez wrote: | >ICANN has an established process for handling these types of | disputes, and Facebook should avail themsleves of that process. | https://www.icann.org/resources/pages/help/dndr/udrp-en | | Facebook wants information on the registrants. A quick skim of | the link you provided suggests that the process only results in | the domain being taken down, not information revealed. | | >Under the policy, most types of trademark-based domain-name | disputes must be resolved by agreement, court action, or | arbitration before a registrar will cancel, suspend, or | transfer a domain name. | Kalium wrote: | ICANN's process for taking down domains works, if sometimes | slowly. It's not always great for preventing the next | phishing domain from popping up three minutes later from the | same attackers. | | I can see both sides of this one. Namecheap is doing the | right thing by protecting customer privacy, and Facebook | reasonably wants to stop what is probably a well-organized | and persistent phishing campaign aimed at their own | customers. | PeterisP wrote: | "Agreement, court action and arbitration" - all three of | those require knowing the identity or at least directly | communicating with the other party to start the process. | ensignavenger wrote: | Not necessarily- they explicitly mention filing an in-rem | action- which does not require knowing the identity of the | domain registrant. | ensignavenger wrote: | If that is all Facebook is seeking in their suit, then I am | fine with their lawsuit- and I am glad that Namecheap is | holding out for a final, legal court order in a court of | competent jurisdiction. Facebooks PR piece trying to paint | Namecheap in a bad light is something I am not okay with. | Namecheap is right not to give up this information without | legal due process. | mattkrause wrote: | Lawyers, | | Would the registrar normally be sued here? I would have | thought it'd be against a fictitious defendant, with a Doe | subpoena used to find out their actual identity. | codazoda wrote: | Seems like a lawsuit is the exact legal method that should be | used to uncover the names that Facebook is seeking. As a | Namecheap user who also sometimes uses whoisguard, I would | expect Namecheap NOT to turn over any information until | required to do so buy a subpoena signed by a judge. There is | probably no other way to get one than to file a suit and ask a | judge for it. | ensignavenger wrote: | I am fine with Facebook petitioning a court of competent | jurisdiction and following legal due process to stop phishing | activity. I am glad that Namecheap is not giving up this | information without a proper court order. I am not happy with | Facebook making this PR release trying to paint Namecheap in | a bad light because they are standing up for privacy. This PR | release is completely unnecessary if Facebooks intentions | were simply to stop the phishing attacks. | cosmodisk wrote: | While I'm happy that Namecheap won't reveal the names,I'm | not happy that these kind of website names can not just be | registered but also kept running for years. | gist wrote: | Effective strategy on the part of facebook. Namecheap can | either decide to spend untold sums and fight this (and let's | see the amount and how that goes) or they can turn over the | info and move on. No legitimate customer of namecheap that | isn't fishing is going to take this as anything important to | them and importantly even if they even know it's happening. | | I don't get all of this rah rah. | | My question for you (the OP) is how many domains do you have | with namecheap? And how many customers like you do you think | make up their business? | | Nobody is filing a lawsuit to uncover whois privacy info | trivially unless the reason makes sense (on the end of the | person wanting the info). | dpcan wrote: | I totally agree. Namecheap probably had to tell Facebook, "get | a warrant". If they DIDN'T do this, they would then be | responsible for policing EVERY site they provide WhoisGuard | for, and that would be ridiculous. | | Facebook is trying to use this as a way to show they are | concerned about privacy and security, but they're coming across | as bullies that didn't get what they wanted and now they have | to use the necessary legal methods to do so. | markdown wrote: | > If they DIDN'T do this, they would then be responsible for | policing EVERY site they provide WhoisGuard for, and that | would be ridiculous. | | Why would that be ridiculous? If they can't make sure that | their clients are legit, they shouldn't be in the business at | all. Domain name ownership shouldn't be private in the same | way that land ownership shouldn't be (and isn't) private. | FpUser wrote: | "If they can't make sure that their clients are legit, they | shouldn't be in the business at all" | | Really? Then why do we have courts, prosecutors, police and | a whole shebang of associated entities. It is their job and | they're being paid for it. | zymhan wrote: | Facebook cannot "get a warrant", only law enforcement | officials can do that. | teh_klev wrote: | Please don't be obtuse, I think we all know fine what this | means. | travisjungroth wrote: | "File a suit, leading to discovery and a warrant ordered by | a judge" doesn't quite roll off the tongue. | SAI_Peregrinus wrote: | Warrants are for criminal searches. Subpoenas are the | process used to compel discoveryin civil cases and for | some parts of criminal cases. | tptacek wrote: | You're glad Namecheap is protecting the registrant of | "whatsappdownload.site"? | blackearl wrote: | First they came for faceb0ok.com and I did not speak out | footweebole wrote: | underated | notRobot wrote: | They're glad that Facebook isn't being handed information | just because they're a big company. Want private registrant | info? Get a subpoena. It should be very easy if you have a | legit reason. | tedivm wrote: | That's literally what they're doing? | Phil987 wrote: | Yeah and that's why they're happy. | rndgermandude wrote: | Yes. Do you know what content was on there? Scam/malware? | Critical reporting on facebook's business processes? A parody | site making fun of whatsapp? A redirect to Signal? | | At least two of the 4 examples I gave are perfectly legal | even under trademark and/or copyright law. And 3 are non- | malicious | amerine wrote: | It's about there already being a process for this, and not | being cool with Facebook using lawyers to do it. | ipsum2 wrote: | > there already being a process for this | | It's not clear at all what the process is. Can you | elaborate? | ensignavenger wrote: | https://www.icann.org/resources/pages/help/dndr/udrp-en | [deleted] | tempestn wrote: | For what it's worth, the problem with that process is that | it creates an uneven burden. Any scammer with 10 bucks can | create a misleading domain. This happened to us when some | scammers created "autostempest.com" to mimic our car search | site, autotempest.com. They put fake listings up and | scammed many people out of tens of thousands of dollars. | Our only legal recourse was a UDRP claim (short of suing | namecheap, which would have been even more expensive), but | that would have cost about $5000 because you need to go | through a registered provider--and these are private | companies, which take advantage of this regulatory | oligopoly. | | Now, $5000 would be worth it to shut down a scammer like | that, except nothing stops them from simply ignoring the | UDRP claim and once their domain is shut down, they can | register autotempests.com or something for another 10 | bucks. (They actually did and up registering | autostempestgroup.com and several others.) | | On the other hand, if you could simply go to the registrar, | show clear evidence of the very obvious infringement, and | have them shut down the domain, perhaps it would actually | be feasible to put a dent in that kind of scam. | | I do understand the concern of having a private company | like Namecheap be the judge in these matters, but I'm not | sure it's as black and white as that. I could see a system | working where they do take unilateral action on obvious | cases (autostempest, whatsappdownload.com, faceb00k, etc.), | but require the formal process for less clear cases. | ensignavenger wrote: | I understand this complaint. But Facebook attacking | Namecheap in a public post for doing the right thing is | the wrong way to go about changing the system. They | should instead petition ICANN and/or their political | rulers to change the process. | ensignavenger wrote: | Well, part of the appropriate process may involve lawyers- | but they do not appear to be following the process | properly, and this PR stunt is absurd. | lacker wrote: | Yes. I want Namecheap to protect my privacy. When they show | they're even willing to protect the privacy of a low- | reputation actor, it proves to me that they are likely to | protect my privacy as well. | | It's the same reason I'm glad that HTTPS and SSL protect the | registrant of whatsappdownload.site. | Fnoord wrote: | Yup, more so with GDPR. It is nobodies business who's behind | a domain. Authorities can of course figure it out (with | subpoena, as it should be) should the need arise. | ensignavenger wrote: | Yes. I don't want Namecheap stepping in to judge how I use my | domains- I want a court of competent jurisdiction to make | those determinations. There is an appropriate process for | these issues. | PeterisP wrote: | It seems that the appropriate process for this issue would | be suing the registered owner of these domains | (Whoisguard), which is what they're doing now - and a court | of competent jurisdiction will be ruling on it. | ensignavenger wrote: | Facebook doesn't say exactly what they are seeking, but | that is one possibility. However, this PR piece seems to | be accusing Namecheap of doing wrong- and it appears that | Namecheap is entirely in the right. If all Facebook was | doing was seeking control of the domain name, and they | didn't make this accusatory post, I would agree that they | were following the proper process. | allenskd wrote: | Yes. I'm fine with Namecheap taking the domain down. Handing | information like that just because they ask for it? That's a | huge no. Let them proceed through the legal channels to get | that information. | jethro_tell wrote: | Yeah, we have a process for this. I realize that FB thinks | laws don't apply to them, but they do, or maybe will at | some point? | zymhan wrote: | A lawsuit is exactly that process. | Techies4Trump wrote: | Me too, I'm also a Namecheap customer and have nothing but good | thinks to say about them. This makes me like them even more. | | If only FB were as professional with their customer's data as | Namecheap... | Trias11 wrote: | "If only FB were as professional with their customer's data | as Namecheap..." | | +100 | cosmodisk wrote: | Facebook customers are companies that pay for advertising. | Billions of sheep,who signed up for the chance to see | endless streams of cat pictures, are the product. | notRobot wrote: | Isn't the obligation only to provide registrant info to | governments or when the info has been subpoenad? Or should | namecheap hand over info to any private entity that thinks their | trademark is being infringed upon or that the domain is | malicious? | | Inb4 FB wants the info of the person begins "facebookisevil.com". | dillonmckay wrote: | So, this is simply a civil issue in Facebook's eyes? | logfromblammo wrote: | This is without merit. | | Facebook is free to register as many domains as may please it, | paying the fee for each. Those registrations are for exact | strings. They do not include any strings visually or phonetically | or typographically similar to the registered string. Registering | facebook.com does not automatically confer the rights to | facebook-cdn.com, or facebook-images.com, or any other nearby | string. The remedy for potential phishing domain names is to | either register all those text-adjacent names first (unlikely), | or to install measures on the registered domains that make it | harder for phishers to fool the users, and limit the possible | damage when those ruses succeed. | | You can't break the whole DNS system to protect one company. Do | your own danged phishing defense instead of trying to turf it off | onto others as an externality. | gruez wrote: | >Facebook is free to register as many domains as may please it, | paying the fee for each. Those registrations are for exact | strings. They do not include any strings visually or | phonetically or typographically similar to the registered | string. | | You seem to be conflating domain name registrations with | trademarks. Having the "facebook" trademark does indeed give | you rights over similar names (eg. facebook-ads.com), if | they're determined by a judge to cause consumer confusion. | bt3 wrote: | As much as I despise Facebook, it's great to have this kind of | pressure put on NameCheap. When I first setup my own website many | years back, I made the mistake of listing my email in plain text | right on the main page. Fast forward years later and I think I've | been added to every spam list possible. If it wasn't for | exceptionally-aggressive email filters, I'd get 500+ spam emails | a day. | | In various times throughout the years, I'll run a WHOIS lookup on | the last 1000 emails to have (attempted) to send me spam email. | In 99% of cases, they resolve to a proxied NameCheap domain. I | have submitted somewhere in the ballpark of ~800 domains | throughout the years to NameCheap's abuse department. While they | are timely in their "investigation", only about half of them are | shuttered, and it's not clear to me if NameCheap is actually | attempting to solve the problem as I strongly suspect there's a | limited number of individuals behind the mass of nonsense domains | used to spam me and likely countless others. | onetimemanytime wrote: | OK, but FB isn't suing NameCheap because domains registered | through them spammed you. | bt3 wrote: | My point was moreso that NameCheap appears willfully ignorant | to abuses on their platform. As I am a nobody, I don't have | the leverage to get them to solve these problems. Whereas | Facebook suing them might introduce pressure on NameCheap to | address abuse of their domains. | allenskd wrote: | > We don't want people to be deceived by these web addresses, so | we've taken legal action. | | I wonder if they reported the issue first unless it's all for | show. I've reported phishing domains before and Namecheap is | usually quick on taking them down if the domain belongs to that | registrar. I think the last report within 24 hours they plugged | it out. So makes me wonder what Facebook is on about with this. | | Edit: ok, I missed the "despite their obligation to provide | information about these infringing domain names, they declined to | cooperate." seems Facebook wanted to go on a witch hunt. ___________________________________________________________________ (page generated 2020-03-05 23:00 UTC)