[HN Gopher] Facebook sues Namecheap for registrants of phishing ...
___________________________________________________________________
Facebook sues Namecheap for registrants of phishing domains
Author : whoisjuan
Score : 142 points
Date : 2020-03-05 19:49 UTC (3 hours ago)
(HTM) web link (about.fb.com)
(TXT) w3m dump (about.fb.com)
| Mistri wrote:
| Is Facebook targeting Whoisguard directly? I am incredibly
| thankful for Whoisguard -- back when I purchased my first domain,
| I didn't know about it, and to this day, I get 5-10 spam emails
| per day regarding my domain. It's so bad that I've had to change
| my primary email to something else.
|
| There definitely should be a mechanism by which large companies
| like Facebook can approach Whoisguard and ask for a site to be
| taken down, though.
| Thorentis wrote:
| Why does Facebook want to know who these people are? That itself
| seems a bit creepy. Sure, get the domains taken down, get
| Whoisguard to block them from registering more domains in future.
| But what does Facebook want, names and addresses? Weird.
| jpeg_hero wrote:
| > But what does Facebook want, names and addresses?
|
| Uhhhh, to help in the investigation and arrest of the ring of
| people that are scamming and fishing Facebook customers?
| Thorentis wrote:
| Shouldn't law enforcement have that information rather than
| Facebook? Or does Facebook see itself as the internet police
| now?
| forgotmypw16 wrote:
| Seems like a good opportunity to say, I've been a Namecheap
| customer for more than 10 years and I am very happy with them. :)
| andy_ppp wrote:
| Haha, imagine a company suing another for the way people use
| their platform, as if it's _their_ responsibility to police the
| people using it for harmful purposes! Ridiculous!
| gruez wrote:
| Tangential question: what are the chances that, if namecheap
| disclosed the identities of registrants, facebook would be able
| to do anything with it? You'd expect that if the domains were
| registered with the intention to do Bad Things, that they would
| be registered with fake information. You can use a throwaway
| email addresses, fake mailing address (doubt they would validate
| it), and pay with cryptocurrency.
| edmundsauto wrote:
| If the registration information is falsified, + trademark
| dispute, FB has the inside track on getting ownership of these
| domains transferred to them. After all, the registered owners
| don't exist -- doesn't that make them up for grabs?
| duxup wrote:
| Depends on where they are located I suspect, and what
| information is provided.
|
| It is possible knowing the information behind them is in fact
| fake would facilitate taking the sites down too.
| stevenjohns wrote:
| For what it's worth, I reported dozens of domains used in
| phishing scams to Namecheap and their support could not possibly
| give less of a crap. I reported about 26 domains used in SMS
| scams in Australia and Namecheap refused to action more than one
| domain. As far as I'm aware, the remaining 25 or so are still
| active.
|
| Their chat support is unable to take spam complaints and instead
| directs you to their "Legal & Abuse Department" based in Eastern
| Europe. And what you get is basically what you'd expect from an
| underpaid, disgruntled level one IT support.
| scsh wrote:
| Not attempting to excuse their lack of action, but there are
| cases where it's somewhat understandable why a registrar may
| not take action. For instance, if the only service they're
| actually providing is registration, the domain belongs to a
| long time customer, and they aren't hosting the site or dns,
| they're only left with one very blunt action they can take.
| It's frustrating for sure, but registrars are very hesitant to
| take such harsh action on long-standing customers.
|
| In that example the domain is likely compromised though, so you
| need to be reporting to all the hosting providers involved as
| well and not just the registrar.
| nomel wrote:
| You should report illegal activities to the authorities, not
| companies.
|
| I wouldn't expect Namecheap, a low cost registrar with "cheap"
| in its name, to have the legal resources to investigate or make
| a conclusion for each accusation that comes their way for one
| of their 10 million domain names.
|
| As with everything internet related, I think there's a vast
| misunderstanding of scale, and difficulty in automation
| (domains sniping!), for what they're facing.
|
| I also wouldn't expect them to hand out information to anyone
| that asks for it, especially a large company known for misusing
| any information they can get their hands on, without a
| subpoena.
|
| I think the real solution would have to come from a third party
| group(s) that could collect, monitor, and produce high quality
| reports, with a high level of accuracy, that all of these
| registrars could use. Who would fund these groups? Probably
| whomever gains/loses less from the phishing scams being
| terminated.
| p0sixlang wrote:
| This probably comes down to narrowing the number of people who
| can take action on these requests, as per the potential abuse
| that could come from taking action on invalid requests.
| Nextgrid wrote:
| It's ironic how Facebook uses all kinds of lies and dark patterns
| to steal data from their users but gets pissed off when someone
| else does it (or provides services for it as it is in this case).
| magduf wrote:
| 2 wrongs don't make a right. And sure, FB uses "dark patterns",
| but that's a lot more subtle than registering obvious phishing
| domains. There's simply no defense for that at all; it's
| obviously aiding and abetting criminal activity.
| AlexandrB wrote:
| > it's obviously aiding and abetting criminal activity.
|
| Criminal activity like election interference? Has Facebook
| been fined for that yet?
| chopraaa wrote:
| Yes, that's because phishing is an actual crime.
| ep103 wrote:
| so is wiretapping, but in our household we have a running
| joke that if we're too lazy to google something, or say "ok
| google", we can just say "ok facebook bed frame bed frame bed
| frame" in the direction of our phones, and fb/instagram will
| start showing us ads for bed frames in a few hours. It works
| a surprisingly large amount of the time.
| magduf wrote:
| Wiretapping is only illegal if you don't give permission
| for it. By having a device that's always recording audio,
| you're implicitly giving permission for what you describe.
| bcyn wrote:
| I can't speak for other platforms, but if you've ever
| developed apps for iPhone, you'd know this is pretty much
| impossible for FB to do.
| onlyrealcuzzo wrote:
| Pot calling the kettle blue...
| ArchReaper wrote:
| One is illegal, the other is not. Apples and oranges.
|
| Edit: what's with the downvotes? I'm not defending the
| practice, just stating facts.
| wolco wrote:
| Everyone worries about google. Google will become part of the
| public infrastructure after some external challenge forces it
| to. At what point does facebook turn hostile and start exposing
| personal secrets to the public unless you pay or at least come
| back and visit to change settings? You can feel it coming...
| NamecheapCEO wrote:
| Is it not enough that Facebook and Zuck tread all over their
| customers privacy on their own platform? Now they want other
| companies to do it for them with their own customers as well.
|
| This is just another attack on privacy and due process in order
| to strong arm companies that have services like WhoisGuard which
| is intended to protect millions of customer's privacy.
| preommr wrote:
| ^ Namecheap CEO
|
| Can you explain the legal details of what's happening here?
| Who's responsibility is it to deal with domains that are
| potentially dangerous, what exactly is facebook suing you for?
| What rule are they talking about when they say you're supposed
| to provide the WhoisGuard information (someone else mentioned
| that's only for government requests)?
|
| I've also seen some complaints by other people here that there
| are some namecheap domains that are sometimes scammy and
| namecheap sometimes deals with them and other times they don't
| (based on user comments here). Can you clarify if namecheap
| does indeed take action and if so, why they haven't here?
|
| Also in the future, you might want to sign off at the end of
| the comment since it's really easy to ignore the username as
| it's grayed out. And FWIW, great job with namecheap, I've had a
| really good experience with it.
| a13n wrote:
| I mean, FB is trying to stop phishing here, and it doesn't seem
| like your company is cooperating with FB's investigation. A
| lawsuit seems like what they had to do to get you to take
| action here.
|
| Why do you want to take money from criminals, in exchange for
| helping them to do criminal activity? From a risk management
| perspective, you should very much not want these customers.
| caffeinewriter wrote:
| I feel like the title "Facebook sues Namecheap for registering
| phishing domains" is somewhat misleading.
|
| > We found that Namecheap's proxy service, Whoisguard, registered
| or used 45 domain names that impersonated Facebook and our
| services, such as instagrambusinesshelp.com, facebo0k-login.com
| and whatsappdownload.site. We sent notices to Whoisguard between
| October 2018 and February 2020, and despite their obligation to
| provide information about these infringing domain names, they
| declined to cooperate.
|
| Specifically, they're suing Namecheap _and their proxy service_
| for not providing information about the true registrants of the
| allegedly infringing domains.
| EE84M3i wrote:
| Well, their whois proxy services. Namecheap has other proxy
| services (email for sure, I think also some configurations like
| parking and redirection use an HTTP proxy), so not specifying
| whois proxy is pretty confusing.
| dang wrote:
| We've edited the title in an attempt to thread that needle. If
| someone can suggest a better--more accurate and neutral--title,
| we can change it again.
| bagacrap wrote:
| "This week we filed a lawsuit in Arizona against Namecheap
| [...] for registering domain names that aim to deceive people
| by pretending to be affiliated with Facebook apps."
|
| The press release says "for registering domain names" so I
| think the original title was accurate.
|
| Previous similar court case where Verizon won a judgment
| against OnLineNic on the basis of trademark infringement: htt
| ps://dockets.justia.com/docket/california/candce/3:2008cv...
|
| So it doesn't seem like this suit is just about discovering
| the identities of the registrants.
| CydeWeys wrote:
| And to be clear, all Namecheap had to do to prevent this
| lawsuit was identify the owners of or delete the obviously-
| phishing and obviously-TM-infringing domain names. They didn't,
| so now Facebook is taking them to court over it.
| ensignavenger wrote:
| According to ICANN they cannot simply delete the domains-
| https://www.icann.org/resources/pages/help/dndr/udrp-en
|
| "Under the policy, most types of trademark-based domain-name
| disputes must be resolved by agreement, court action, or
| arbitration before a registrar will cancel, suspend, or
| transfer a domain name."
| caffeinewriter wrote:
| Honestly, I'm glad they didn't. There's not much use in a
| whois privacy service if they'll give up the info just
| because a company says "this is infringing".
| xorcist wrote:
| Namecheap is responsible for administrating domain ownership.
| They are not free to unilaterally change or remove ownership
| at will.
|
| That doesn't mean it's impossible to deregister infringing
| domains. It means that there is a process to follow, which is
| probably what we're seeing right now.
| JoshTriplett wrote:
| Or, alternatively, remove the domain names, since they're
| blatantly phishing domains.
|
| I think anonymous domain registration is an _important_
| property to preserve. Many people need such services for
| their safety. However, if you 're going to serve as an
| anonymity shield for another party, you're taking on some of
| that party's liability, and in particular you need to take
| down malicious domains.
| StreamBright wrote:
| This pretty much depends on the details.
| throwaway3157 wrote:
| I know some attorneys are on HN, so question: does
| Namecheap/Whoisguard have a legal obligation to reveal that
| requested info?
| mmanfrin wrote:
| Facebook listed 3 of the 45, including one that I'd argue
| does not at all violate TM or phish. In a post like this,
| they'd likely pick the most egregious examples, so your
| statement about how obvious this is is entirely baseless.
| Furthermore, I'm absolutely okay with Namecheap not honoring
| a demand for information without a subpoena. Those
| whoisguards protect _me_ from spammers, scammers, and anyone
| who would want my information from a whois.
| notRobot wrote:
| Agreed 100%. I'm a huge fan of removing all PII from whois
| info. Get a subpoena if you want that data. Otherwise next
| thing you know they'll be demanding registrant info for
| "facebookisevil.com" because it "infringes on our
| trademarks!!!"
| rstupek wrote:
| Actually all PII information is already removed from
| whois info. I think it was a consequence of gdpr
| notRobot wrote:
| Nah namecheap made whoisguard free for all long before
| GDPR if memory serves correctly
| rstupek wrote:
| They may have but regardless of them doing so, gdpr
| resulted in the making of whois data not generally
| available to anyone.
| [deleted]
| jfengel wrote:
| Isn't "getting a subpoena" basically what they're doing?
| tptacek wrote:
| Why do I care about the other examples if the egregious
| examples include obvious phishing sites?
| sieabahlpark wrote:
| Well what's the point of protecting the domain owner if
| anyone who comes by and asks can get that info?
| blackearl wrote:
| It sounds like Facebook asked, not a court. Just because
| you're a big company doesn't mean others need to bend to
| your will.
| disiplus wrote:
| what value is there in whoisguard if anybody can strong arm
| you in giving the data away.
| AlexandrB wrote:
| How is "instagrambusinesshelp.com" impersonating Facebook
| services? Is the argument here that using "Instagram" in a
| domain name inherently not allowed?
|
| Edit: Would "instagramsucks.com" or "facebooksucks.com" also be
| infringing?
| tinus_hn wrote:
| One name implies it's related to the company, another does
| not. That's why there are judges instead of robots in court.
| gentleman11 wrote:
| Almost every windows website in existence is liable under
| this description. It is confusing, but protecting domain
| names via trademark law seems undesirable to me in most
| cases
| swiley wrote:
| The name only loosely suggests it might be related, it
| doesn't (at least to me) directly imply it.
| cooljacob204 wrote:
| But you have to consider your everyday user who has no
| real understanding of how companies use domains outside
| of being a name. That domain suggests it's business
| support for Instagram.
| gibolt wrote:
| Instagram has a business portal. When your site could easily
| be mistaken as an official company channel, that should not
| be allowed.
| AlexandrB wrote:
| But the language on Facebook's press release implies that
| the names themselves are misleading. They don't mention the
| content.
|
| I'm not disputing that the sites themselves are
| scammy/phishing, but what Facebook is saying here sounds
| like an overreach that amounts to "using Facebook
| trademarked names in a domain name is misleading and
| inherently untrustworthy".
| bavell wrote:
| This seems like a bad knee-jerk reaction, not a real
| solution.
|
| My company also has a business portal. Can I take down
| domains that are similar to it as well? Or is this power
| just reserved for MegaCorp Inc. who can afford large legal
| teams? At what point does a company become large enough to
| warrant "protection" of domains similar to their own? Who
| makes that decision and is there any dispute process? Etc,
| etc...
|
| So many questions and potential pitfalls surrounding this
| approach. I don't know if there's any better realistic
| "solution" than to let users ultimately be responsible for
| the domains they visit. Not much of a solution but I don't
| see any better options that are both realistic and helpful.
| Kalium wrote:
| There's an ICANN process that allows you to file exactly
| this sort of domain-specific takedown notice.
| https://www.icann.org/resources/pages/help/dndr/udrp-en
|
| The big drawback of the process it that it doesn't work
| well for phishing attacks, where taking down one domain
| is of limited value. It's designed more for things like
| nissan.com
| shaneprrlt wrote:
| So if you started a small consulting company helping people
| advertise or build a brand on Instagram, and your website
| was instagrambusinesshelp.com, Facebook has the right to
| say "not allowed"?
|
| Do I also have the right to impose rules on other
| businesses naming conventions [1], or no because I'm not a
| $500B company?
|
| [1] In a fair use context, not blatant copyright/trademark
| infringement or posing as the company in a phishing
| context.
| derision wrote:
| There is no fair context for that under the law. The name
| is trademarked so unless you have approval from Facebook
| to use their trademark then using it is not legal. It's
| not that complicated.
| jbob2000 wrote:
| My assumption is that "instagrambusinesshelp.com" was
| impersonating Instagram to scam people. Instagramsucks.com
| probably isn't trying to impersonate them, just complaining
| about them.
| rstupek wrote:
| And likely wouldn't be infringing Instagram tm.
| koolba wrote:
| They don't even like you use "book".
| ck2 wrote:
| The really interesting thing about namecheap is they are not a
| registrar for most TLDs, they are simply a very large enom
| reseller (last I checked a year or two ago)
| markdown wrote:
| Uh, the utter hypocrisy makes me sick.
|
| Facebook takes money from people spreading fake news to influence
| the elections in my country and they refuse to reveal the names
| of the people funding this fake news.
| onetimemanytime wrote:
| so people should sue FB if someone uses FB to say bad things
| about them???
|
| File a UDRP, it works with proxy services as well. NameCheap
| can't manually check or approve every name.
| keanzu wrote:
| It's 45 domain names.
|
| Facebook sent them a list.
|
| No-one said anything about manually checking every name until
| you did.
| onetimemanytime wrote:
| they sent "notices" so unless you know something more.... One
| cannot just ask for them divulge the names, that's the point
| of privacy. File a suit or whatever. It's cost of doing
| business
| PeterisP wrote:
| Filing a lawsuit is the whole point - facebook has grounds
| to sue the domain owners, so either Namecheap can disclose
| who they are so they can be sued, or Namecheap can be sued
| (i.e. what's happening now) to be forced to disclose who
| they are so they can be sued.
|
| One _can_ just ask for them to divulge the names (FB did
| that); one can refuse to divulge the names (Namecheap did
| that); and then a judge can force that privacy to be
| revoked.
| onetimemanytime wrote:
| Yes, but you sue John Doe 1-45 under https://en.wikipedia
| .org/wiki/Anticybersquatting_Consumer_Pr... . NameCheap
| is then forced by the court to notify them. You shouldn't
| directly sue the service provider, NameCheap in this
| case. They were right to refuse to unmask the owners
| without a court order.
| PeterisP wrote:
| It seems to me that as far as domain registration is
| concerned, Namecheap's subsidiary Whoisguard is
| technically the domain owner in this case. Of course,
| they're doing this with the intent to be a proxy, but
| technically they are the owner and so it seems that it
| would be appropriate to sue them for the misuse of that
| domain.
|
| I.e. "We found that Namecheap's proxy service,
| Whoisguard, registered or used 45 domain names" - it's
| not that 45 John Does have registered these domains and
| we want their identities, we know who is the official
| owner of these domains is - it's Whoisguard; and it's up
| to Whoisguard to either accept full responsibility for
| the [mis]use of these domains or provide some arguments
| why someone else should be held responsible instead.
|
| If "internet standard process" is that they should do
| something else other then sue Namecheap - well, that
| works as far as that other thing works
| faster/better/cheaper than suing Namecheap directly. If
| it does not, then the legal process is that they _can_
| sue Namecheap if it feels more effective.
|
| In essence what seems to be happening here is testing in
| a court whether the current practice of domain "privacy
| proxies" can be done without the proxy accepting any
| liability for the domains they're shielding. Such
| services were implemented in the notion that they don't
| intend to accept any liability, but as far as I know it
| has not yet been tested in courts whether they can get
| away with it.
|
| It's worth noting that in many other similar aspects
| (e.g. copyright issues for user generated content, etc)
| the default position was that proxies _can_ be held
| liable as accomplices, and that changed only when
| specific laws were passed saying that such proxies are
| immune from liability if certain conditions are met (e.g.
| common carrier, dmca, etc, etc). So, depending on how the
| courts rule, it 's plausible that we might get precedent
| that domain privacy proxies _do_ have to bear some
| liability if they happend to protect the anonymity of
| criminals, which would de facto mean that those proxies
| won 't exist, that all such services would shut down.
| onetimemanytime wrote:
| You miss the point entirely: FB cannot do anything
| without suing, even if they had their names and
| addresses. These things are solved either via ICANN
| procedures or through federal courts. In both cases,
| NameCheap would be forced to notify owners or divulge
| their info.
| mmanfrin wrote:
| Facebook sues Namecheap for _allowing people to to register_
| phishing domains
| Volundr wrote:
| Facebook sues NameCheap for allowing people to register
| phishing domains, _and failing to meet their obligation to
| provide information about those domains when notified_. But it
| 's not near as good a headline.
| mmanfrin wrote:
| Namecheap has no obligation to give out customer data at
| _all_ unless directed so by a court.
| ceejayoz wrote:
| Is it possible there's something in the ICANN registrar
| policies that requires them to do so?
|
| If not, isn't this sort of suit _how_ you 'd get a court to
| issue such an order?
| Volundr wrote:
| It appears there is:
|
| https://www.icann.org/resources/pages/approved-with-
| specs-20...
|
| See section 3.7.7.3
| lsaferite wrote:
| Which specific obligation are you referring to?
| Volundr wrote:
| The article doesn't reference, but I'd assume:
|
| https://www.icann.org/resources/pages/approved-with-
| specs-20...
|
| 3.7.7.3 Any Registered Name Holder that intends to license
| use of a domain name to a third party is nonetheless the
| Registered Name Holder of record and is responsible for
| providing its own full contact information and for
| providing and updating accurate technical and
| administrative contact information adequate to facilitate
| timely resolution of any problems that arise in connection
| with the Registered Name. A Registered Name Holder
| licensing use of a Registered Name according to this
| provision shall accept liability for harm caused by
| wrongful use of the Registered Name, unless it discloses
| the current contact information provided by the licensee
| and the identity of the licensee within seven (7) days to a
| party providing the Registered Name Holder reasonable
| evidence of actionable harm.
| crobertsbmw wrote:
| They aren't even sueing for _allowing_. You can't expect
| namecheap to know every possible domain that could be used to
| impersonate Facebook. They are sueong because namecheap isn't
| cooperating in their investigation..
| [deleted]
| [deleted]
| sdan wrote:
| Thank you Namecheap.
|
| Been using Namecheap since 2017 and was thinking of switching
| over, but this decision (although malicious, protects users
| privacy).
| ArchReaper wrote:
| Title is misleading, from the article:
|
| > We sent notices to Whoisguard between October 2018 and February
| 2020, and despite their obligation to provide information about
| these infringing domain names, they declined to cooperate.
|
| Title should be closer to "Facebook sues Namecheap/Whoisguard for
| not providing information on phishing domain registrants"
| yuters wrote:
| The phishing sites should be taken down no questions, but
| what's the obligation for WhoisGuard to provide information to
| an Internet company? Shouldn't they provide information only to
| legal authorities?
| bagacrap wrote:
| opening paragraph: "This week we filed a lawsuit in Arizona
| against Namecheap, a domain name registrar, as well as its
| proxy service, Whoisguard, ___for registering domain names_
| __that aim to deceive people by pretending to be affiliated
| with Facebook apps "
| [deleted]
| zadokshi wrote:
| Yes, the title should be fixed.
| dbg31415 wrote:
| Slippery slope, and I hate Facebook more for doing this. It
| shouldn't be on Namecheap to police for Facebook. Tomorrow,
| Facebook could open something like cnn.facebook.com -- would
| CNN.com be off limits then? It'd be impossible to predict, track,
| and respond -- also it's fundamentally not Namecheap's
| responsibility to protect Facebook. Facebook could, and certainly
| has the money to, register anything they want -- anything that
| resembles a domain in their apps.
| preommr wrote:
| > Our goal is to create consequences for those who seek to do
| harm
|
| Rich coming from FB.
|
| On the one hand, scam sites should be stopped, on the other, I am
| not sure we should let companies wantonly decide which domains
| other people register are bad.
|
| I can't even tell what the legality of this is. What does
| facebook even sue for, trademark infringement? Or is it fraud
| related which I would assume they'd go to the courts for. If
| namecheap is breaking the law, then the justice system should be
| involved, otherwise it's namecheap rolling over anytime facebook
| decides to sue them for anything they want.
| driverdan wrote:
| Is Namecheap obligated to respond as FB claims? Isn't this the
| proper way it should happen, through the courts? I don't want
| Namecheap giving my personal info out just because a business
| claims a domain infringes their trademarks.
| derision wrote:
| I'd say it's a little different if you're running a blatant
| phishing site, it's more than just trademark infringement
| driverdan wrote:
| Is it? Doesn't that responsibility fall to law enforcement,
| not a company?
| ensignavenger wrote:
| As a Namecheap customer, I am glad that they aren't giving up
| their customers privacy. Facebook claims they have an obligation
| to do so- but they don't provide any citation for such an
| obligation.
|
| ICANN has an established process for handling these types of
| disputes, and Facebook should avail themsleves of that process.
| https://www.icann.org/resources/pages/help/dndr/udrp-en
|
| (It isn't clear if Facebook is seeking a financial judgement or
| just a court order to delete or transfer the domains to
| Facebook?)
| NamecheapCEO wrote:
| Is it not enough that Facebook and Zuck tread all over their
| customers privacy on their own platform? Now they want other
| companies to do it for them with their own customers as well.
| This is just another attack on privacy and due process in order
| to strong arm companies that have services like WhoisGuard
| which is intended to protect millions of customer's privacy.
| gruez wrote:
| >ICANN has an established process for handling these types of
| disputes, and Facebook should avail themsleves of that process.
| https://www.icann.org/resources/pages/help/dndr/udrp-en
|
| Facebook wants information on the registrants. A quick skim of
| the link you provided suggests that the process only results in
| the domain being taken down, not information revealed.
|
| >Under the policy, most types of trademark-based domain-name
| disputes must be resolved by agreement, court action, or
| arbitration before a registrar will cancel, suspend, or
| transfer a domain name.
| Kalium wrote:
| ICANN's process for taking down domains works, if sometimes
| slowly. It's not always great for preventing the next
| phishing domain from popping up three minutes later from the
| same attackers.
|
| I can see both sides of this one. Namecheap is doing the
| right thing by protecting customer privacy, and Facebook
| reasonably wants to stop what is probably a well-organized
| and persistent phishing campaign aimed at their own
| customers.
| PeterisP wrote:
| "Agreement, court action and arbitration" - all three of
| those require knowing the identity or at least directly
| communicating with the other party to start the process.
| ensignavenger wrote:
| Not necessarily- they explicitly mention filing an in-rem
| action- which does not require knowing the identity of the
| domain registrant.
| ensignavenger wrote:
| If that is all Facebook is seeking in their suit, then I am
| fine with their lawsuit- and I am glad that Namecheap is
| holding out for a final, legal court order in a court of
| competent jurisdiction. Facebooks PR piece trying to paint
| Namecheap in a bad light is something I am not okay with.
| Namecheap is right not to give up this information without
| legal due process.
| mattkrause wrote:
| Lawyers,
|
| Would the registrar normally be sued here? I would have
| thought it'd be against a fictitious defendant, with a Doe
| subpoena used to find out their actual identity.
| codazoda wrote:
| Seems like a lawsuit is the exact legal method that should be
| used to uncover the names that Facebook is seeking. As a
| Namecheap user who also sometimes uses whoisguard, I would
| expect Namecheap NOT to turn over any information until
| required to do so buy a subpoena signed by a judge. There is
| probably no other way to get one than to file a suit and ask a
| judge for it.
| ensignavenger wrote:
| I am fine with Facebook petitioning a court of competent
| jurisdiction and following legal due process to stop phishing
| activity. I am glad that Namecheap is not giving up this
| information without a proper court order. I am not happy with
| Facebook making this PR release trying to paint Namecheap in
| a bad light because they are standing up for privacy. This PR
| release is completely unnecessary if Facebooks intentions
| were simply to stop the phishing attacks.
| cosmodisk wrote:
| While I'm happy that Namecheap won't reveal the names,I'm
| not happy that these kind of website names can not just be
| registered but also kept running for years.
| gist wrote:
| Effective strategy on the part of facebook. Namecheap can
| either decide to spend untold sums and fight this (and let's
| see the amount and how that goes) or they can turn over the
| info and move on. No legitimate customer of namecheap that
| isn't fishing is going to take this as anything important to
| them and importantly even if they even know it's happening.
|
| I don't get all of this rah rah.
|
| My question for you (the OP) is how many domains do you have
| with namecheap? And how many customers like you do you think
| make up their business?
|
| Nobody is filing a lawsuit to uncover whois privacy info
| trivially unless the reason makes sense (on the end of the
| person wanting the info).
| dpcan wrote:
| I totally agree. Namecheap probably had to tell Facebook, "get
| a warrant". If they DIDN'T do this, they would then be
| responsible for policing EVERY site they provide WhoisGuard
| for, and that would be ridiculous.
|
| Facebook is trying to use this as a way to show they are
| concerned about privacy and security, but they're coming across
| as bullies that didn't get what they wanted and now they have
| to use the necessary legal methods to do so.
| markdown wrote:
| > If they DIDN'T do this, they would then be responsible for
| policing EVERY site they provide WhoisGuard for, and that
| would be ridiculous.
|
| Why would that be ridiculous? If they can't make sure that
| their clients are legit, they shouldn't be in the business at
| all. Domain name ownership shouldn't be private in the same
| way that land ownership shouldn't be (and isn't) private.
| FpUser wrote:
| "If they can't make sure that their clients are legit, they
| shouldn't be in the business at all"
|
| Really? Then why do we have courts, prosecutors, police and
| a whole shebang of associated entities. It is their job and
| they're being paid for it.
| zymhan wrote:
| Facebook cannot "get a warrant", only law enforcement
| officials can do that.
| teh_klev wrote:
| Please don't be obtuse, I think we all know fine what this
| means.
| travisjungroth wrote:
| "File a suit, leading to discovery and a warrant ordered by
| a judge" doesn't quite roll off the tongue.
| SAI_Peregrinus wrote:
| Warrants are for criminal searches. Subpoenas are the
| process used to compel discoveryin civil cases and for
| some parts of criminal cases.
| tptacek wrote:
| You're glad Namecheap is protecting the registrant of
| "whatsappdownload.site"?
| blackearl wrote:
| First they came for faceb0ok.com and I did not speak out
| footweebole wrote:
| underated
| notRobot wrote:
| They're glad that Facebook isn't being handed information
| just because they're a big company. Want private registrant
| info? Get a subpoena. It should be very easy if you have a
| legit reason.
| tedivm wrote:
| That's literally what they're doing?
| Phil987 wrote:
| Yeah and that's why they're happy.
| rndgermandude wrote:
| Yes. Do you know what content was on there? Scam/malware?
| Critical reporting on facebook's business processes? A parody
| site making fun of whatsapp? A redirect to Signal?
|
| At least two of the 4 examples I gave are perfectly legal
| even under trademark and/or copyright law. And 3 are non-
| malicious
| amerine wrote:
| It's about there already being a process for this, and not
| being cool with Facebook using lawyers to do it.
| ipsum2 wrote:
| > there already being a process for this
|
| It's not clear at all what the process is. Can you
| elaborate?
| ensignavenger wrote:
| https://www.icann.org/resources/pages/help/dndr/udrp-en
| [deleted]
| tempestn wrote:
| For what it's worth, the problem with that process is that
| it creates an uneven burden. Any scammer with 10 bucks can
| create a misleading domain. This happened to us when some
| scammers created "autostempest.com" to mimic our car search
| site, autotempest.com. They put fake listings up and
| scammed many people out of tens of thousands of dollars.
| Our only legal recourse was a UDRP claim (short of suing
| namecheap, which would have been even more expensive), but
| that would have cost about $5000 because you need to go
| through a registered provider--and these are private
| companies, which take advantage of this regulatory
| oligopoly.
|
| Now, $5000 would be worth it to shut down a scammer like
| that, except nothing stops them from simply ignoring the
| UDRP claim and once their domain is shut down, they can
| register autotempests.com or something for another 10
| bucks. (They actually did and up registering
| autostempestgroup.com and several others.)
|
| On the other hand, if you could simply go to the registrar,
| show clear evidence of the very obvious infringement, and
| have them shut down the domain, perhaps it would actually
| be feasible to put a dent in that kind of scam.
|
| I do understand the concern of having a private company
| like Namecheap be the judge in these matters, but I'm not
| sure it's as black and white as that. I could see a system
| working where they do take unilateral action on obvious
| cases (autostempest, whatsappdownload.com, faceb00k, etc.),
| but require the formal process for less clear cases.
| ensignavenger wrote:
| I understand this complaint. But Facebook attacking
| Namecheap in a public post for doing the right thing is
| the wrong way to go about changing the system. They
| should instead petition ICANN and/or their political
| rulers to change the process.
| ensignavenger wrote:
| Well, part of the appropriate process may involve lawyers-
| but they do not appear to be following the process
| properly, and this PR stunt is absurd.
| lacker wrote:
| Yes. I want Namecheap to protect my privacy. When they show
| they're even willing to protect the privacy of a low-
| reputation actor, it proves to me that they are likely to
| protect my privacy as well.
|
| It's the same reason I'm glad that HTTPS and SSL protect the
| registrant of whatsappdownload.site.
| Fnoord wrote:
| Yup, more so with GDPR. It is nobodies business who's behind
| a domain. Authorities can of course figure it out (with
| subpoena, as it should be) should the need arise.
| ensignavenger wrote:
| Yes. I don't want Namecheap stepping in to judge how I use my
| domains- I want a court of competent jurisdiction to make
| those determinations. There is an appropriate process for
| these issues.
| PeterisP wrote:
| It seems that the appropriate process for this issue would
| be suing the registered owner of these domains
| (Whoisguard), which is what they're doing now - and a court
| of competent jurisdiction will be ruling on it.
| ensignavenger wrote:
| Facebook doesn't say exactly what they are seeking, but
| that is one possibility. However, this PR piece seems to
| be accusing Namecheap of doing wrong- and it appears that
| Namecheap is entirely in the right. If all Facebook was
| doing was seeking control of the domain name, and they
| didn't make this accusatory post, I would agree that they
| were following the proper process.
| allenskd wrote:
| Yes. I'm fine with Namecheap taking the domain down. Handing
| information like that just because they ask for it? That's a
| huge no. Let them proceed through the legal channels to get
| that information.
| jethro_tell wrote:
| Yeah, we have a process for this. I realize that FB thinks
| laws don't apply to them, but they do, or maybe will at
| some point?
| zymhan wrote:
| A lawsuit is exactly that process.
| Techies4Trump wrote:
| Me too, I'm also a Namecheap customer and have nothing but good
| thinks to say about them. This makes me like them even more.
|
| If only FB were as professional with their customer's data as
| Namecheap...
| Trias11 wrote:
| "If only FB were as professional with their customer's data
| as Namecheap..."
|
| +100
| cosmodisk wrote:
| Facebook customers are companies that pay for advertising.
| Billions of sheep,who signed up for the chance to see
| endless streams of cat pictures, are the product.
| notRobot wrote:
| Isn't the obligation only to provide registrant info to
| governments or when the info has been subpoenad? Or should
| namecheap hand over info to any private entity that thinks their
| trademark is being infringed upon or that the domain is
| malicious?
|
| Inb4 FB wants the info of the person begins "facebookisevil.com".
| dillonmckay wrote:
| So, this is simply a civil issue in Facebook's eyes?
| logfromblammo wrote:
| This is without merit.
|
| Facebook is free to register as many domains as may please it,
| paying the fee for each. Those registrations are for exact
| strings. They do not include any strings visually or phonetically
| or typographically similar to the registered string. Registering
| facebook.com does not automatically confer the rights to
| facebook-cdn.com, or facebook-images.com, or any other nearby
| string. The remedy for potential phishing domain names is to
| either register all those text-adjacent names first (unlikely),
| or to install measures on the registered domains that make it
| harder for phishers to fool the users, and limit the possible
| damage when those ruses succeed.
|
| You can't break the whole DNS system to protect one company. Do
| your own danged phishing defense instead of trying to turf it off
| onto others as an externality.
| gruez wrote:
| >Facebook is free to register as many domains as may please it,
| paying the fee for each. Those registrations are for exact
| strings. They do not include any strings visually or
| phonetically or typographically similar to the registered
| string.
|
| You seem to be conflating domain name registrations with
| trademarks. Having the "facebook" trademark does indeed give
| you rights over similar names (eg. facebook-ads.com), if
| they're determined by a judge to cause consumer confusion.
| bt3 wrote:
| As much as I despise Facebook, it's great to have this kind of
| pressure put on NameCheap. When I first setup my own website many
| years back, I made the mistake of listing my email in plain text
| right on the main page. Fast forward years later and I think I've
| been added to every spam list possible. If it wasn't for
| exceptionally-aggressive email filters, I'd get 500+ spam emails
| a day.
|
| In various times throughout the years, I'll run a WHOIS lookup on
| the last 1000 emails to have (attempted) to send me spam email.
| In 99% of cases, they resolve to a proxied NameCheap domain. I
| have submitted somewhere in the ballpark of ~800 domains
| throughout the years to NameCheap's abuse department. While they
| are timely in their "investigation", only about half of them are
| shuttered, and it's not clear to me if NameCheap is actually
| attempting to solve the problem as I strongly suspect there's a
| limited number of individuals behind the mass of nonsense domains
| used to spam me and likely countless others.
| onetimemanytime wrote:
| OK, but FB isn't suing NameCheap because domains registered
| through them spammed you.
| bt3 wrote:
| My point was moreso that NameCheap appears willfully ignorant
| to abuses on their platform. As I am a nobody, I don't have
| the leverage to get them to solve these problems. Whereas
| Facebook suing them might introduce pressure on NameCheap to
| address abuse of their domains.
| allenskd wrote:
| > We don't want people to be deceived by these web addresses, so
| we've taken legal action.
|
| I wonder if they reported the issue first unless it's all for
| show. I've reported phishing domains before and Namecheap is
| usually quick on taking them down if the domain belongs to that
| registrar. I think the last report within 24 hours they plugged
| it out. So makes me wonder what Facebook is on about with this.
|
| Edit: ok, I missed the "despite their obligation to provide
| information about these infringing domain names, they declined to
| cooperate." seems Facebook wanted to go on a witch hunt.
___________________________________________________________________
(page generated 2020-03-05 23:00 UTC)