
Facebook sues Namecheap - whoisjuan
https://about.fb.com/news/2020/03/domain-name-lawsuit/
======
ensignavenger
As a Namecheap customer, I am glad that they aren't giving up their customers'
privacy. Facebook claims they have an obligation to do so, but they don't
provide any citation for such an obligation.

ICANN has an established process for handling these types of disputes, and
Facebook should avail themselves of that process.
[https://www.icann.org/resources/pages/help/dndr/udrp-en](https://www.icann.org/resources/pages/help/dndr/udrp-en)

(It isn't clear if Facebook is seeking a financial judgement or just a court
order to delete or transfer the domains to Facebook?)

~~~
tptacek
You're glad Namecheap is protecting the registrant of "whatsappdownload.site"?

~~~
amerine
It’s about there already being a process for this, and not being cool with
Facebook using lawyers to do it.

~~~
tempestn
For what it's worth, the problem with that process is that it creates an
uneven burden. Any scammer with 10 bucks can create a misleading domain. This
happened to us when some scammers created "autostempest.com" to mimic our car
search site, autotempest.com. They put fake listings up and scammed many
people out of tens of thousands of dollars. Our only legal recourse was a UDRP
claim (short of suing namecheap, which would have been even more expensive),
but that would have cost about $2000 because you need to go through a
registered provider—and these are private companies, which take advantage of
this regulatory oligopoly.

Now, $2000 would be worth it to shut down a scammer like that, except nothing
stops them from simply ignoring the UDRP claim and once their domain is shut
down, they can register autotempests.com or something for another 10 bucks.
(They actually did end up registering autostempestgroup.com and several
others.)

On the other hand, if you could simply go to the registrar, show clear
evidence of the very obvious infringement, and have them shut down the domain,
perhaps it would actually be feasible to put a dent in that kind of scam.

I do understand the concern of having a private company like Namecheap be the
judge in these matters, but I'm not sure it's as black and white as that. I
could see a system working where they do take unilateral action on obvious
cases (autostempest, whatsappdownload.com, faceb00k, etc.), but require the
formal process for less clear cases.

~~~
AnthonyMouse
So here's the trouble with "it's obvious":

[http://www.slutsofinstagram.com/](http://www.slutsofinstagram.com/)

"Slütsof In Stagram", naturally, what did you expect? See also "Whöresof In
Stagrâm" at similar URL.

Yes, someone tried to register SlutsOfInstagram.com and WhoresOfInstagram.com
and when Facebook/Instagram objected, they turned the sites into something
else entirely.

The point being that you can't really tell anything from the name.

But then you can't really tell anything from the content either, because if
there is phishing content the first thing the registrant will claim is that
they've been hacked. Which is hardly uncommon in that context. So then you
need someone to make a judgement call. Which is what courts are for.

~~~
tempestn
If there's a combination, it's very obvious. To use my personal example again,
the domain was autostempest.com, and they had copied our logo directly, and
created a car listings site. It would be trivial to see that we were using the
name and logo first.

Going to court just wasn't an option. For one thing, we couldn't even identify
the people behind these sites without first going to court against namecheap.
And after all that effort and expense, it's entirely possible they'd
registered the domain with fake info and the effort would have been wasted.
Even the UDRP option was not cost effective, because nothing would stop the
scammers from opening a new fake domain. What we eventually did that worked
was found a "CSIRT" company that would use its private connections to hosting
providers to, for a fee, get offending content taken down. So, that's the kind
of thing the status quo is incentivizing. Hardly better than if there was a
takedown process available through namecheap it seems.

That said, you'd certainly want to avoid the situation with Youtube, where the
power is swung all the way in the other direction, so creators have almost no
recourse when purported rights holders issue a claim.

~~~
logfromblammo
I used to work for a company that offered brand-protection services. The
customer would grant my old employer power of attorney to send C&D letters and
file takedown lawsuits on their behalf, and we would do all the monitoring and
brand-defense work, then send a report to the customer justifying the
exorbitant fees.

Maintaining a trademark costs time and money. You can save money by doing the
work yourself, or by using backchannels, as you mentioned. You can save time
by hiring someone to do the tedious work for you. Even a single-partner
specialist law firm should have boilerplate templates on hand for taking down
an infringing website fast, using regular channels. I imagine that most of the
cases result in no answer from the main defendant and default judgment that
orders the registrar to transfer the domain to the plaintiff, who can then
blackhole it or redirect to the genuine site.

A higher-service firm will also proactively scour the Internet for threats to
your brand--at a higher price, of course.

I would not recommend my former employer for this, as they got bought out, and
the new owner arbitrarily fired the entire development team.

------
preommr
> Our goal is to create consequences for those who seek to do harm

Rich coming from FB.

On the one hand, scam sites should be stopped, on the other, I am not sure we
should let companies wantonly decide which domains other people register are
bad.

I can't even tell what the legality of this is. What does facebook even sue
for, trademark infringement? Or is it fraud related which I would assume
they'd go to the courts for. If namecheap is breaking the law, then the
justice system should be involved, otherwise it's namecheap rolling over
anytime facebook decides to sue them for anything they want.

~~~
ngokevin
In the meantime, Facebook claims it is unable to verify political ads for truth.

~~~
afiori
That is indeed partly impossible to do; one thing they should improve is
checking that the one buying ads is actually affiliated with the
politician/party in the ad.

------
codazoda
Seems like a lawsuit is the exact legal method that should be used to uncover
the names that Facebook is seeking. As a Namecheap user who also sometimes
uses whoisguard, I would expect Namecheap NOT to turn over any information
until required to do so by a subpoena signed by a judge. There is probably no
other way to get one than to file a suit and ask a judge for it.

~~~
ensignavenger
I am fine with Facebook petitioning a court of competent jurisdiction and
following legal due process to stop phishing activity. I am glad that
Namecheap is not giving up this information without a proper court order. I am
not happy with Facebook making this PR release trying to paint Namecheap in a
bad light because they are standing up for privacy. This PR release is
completely unnecessary if Facebook's intentions were simply to stop the
phishing attacks.

~~~
cosmodisk
While I'm happy that Namecheap won't reveal the names, I'm not happy that these
kind of website names can not just be registered but also kept running for
years.

~~~
dylan604
Again, that's how it's supposed to work though. If I pay for 10 years for my
domain name, I don't want it to stop working because evilCorp makes a request
to take it over (for whatever reason). If I am ruining the internet with a
nefarious use of my domain, then it should be easy enough to prove to a valid
court, and then there should be a legit way to take over control. It shouldn't
be impossible, but it shouldn't be a cake walk either.

~~~
cortesoft
A court from what country?

~~~
Avamander
Indeed, it's a difficult question. But we should rather be asking, why isn't
there better cooperation to catch cyber-criminals across borders?

~~~
dylan604
Maybe because some governments are directly involved in the cyber crime?

~~~
notRobot
_Some?_ More like basically all.

------
stevenjohns
For what it’s worth, I reported dozens of domains used in phishing scams to
Namecheap and their support could not possibly give less of a crap. I reported
about 26 domains used in SMS scams in Australia and Namecheap refused to
action more than one domain. As far as I’m aware, the remaining 25 or so are
still active.

Their chat support is unable to take spam complaints and instead directs you
to their “Legal & Abuse Department” based in Eastern Europe. And what you get
is basically what you’d expect from an underpaid, disgruntled level one IT
support.

~~~
nomel
You should report illegal activities to the authorities, not companies.

I wouldn't expect Namecheap, a low cost registrar with "cheap" in its name, to
have the legal resources to investigate or make a conclusion for each
accusation that comes their way for one of their 10 million domain names.

As with everything internet related, I think there's a vast misunderstanding
of scale, and difficulty in automation (domains sniping!), for what they're
facing.

I also wouldn't expect them to hand out information to anyone that asks for
it, especially a large company known for misusing any information they can get
their hands on, without a subpoena.

I think the real solution would have to come from a third party group(s) that
could collect, monitor, and produce high quality reports, with a high level of
accuracy, that all of these registrars could use. Who would fund these groups?
Probably whomever gains/loses less from the phishing scams being terminated.

~~~
asdkhadsj
> I wouldn't expect Namecheap, a low cost registrar with "cheap" in its name,
> to have the legal resources to investigate or make a conclusion for each
> accusation that comes their way for one of their 10 million domain names.

Exactly. And if they _did_ I'd be just as concerned that they're now allowing
a vector to take domains down.

Balancing the two is difficult..

~~~
sbmm
Actually, if it violates their tos they should normally appreciate the report
and take action on it.

~~~
asdkhadsj
Of course, but how would they know? The vector I refer to is my ability to
create "evidence" and report you to their customer service.

E.g., I'd wager the GGP comment who reported 26 domains did so in a manner that
would be fairly easy to fake. So what is the requirement of reports? Too loose
and it's easy to fake, too strict and it becomes too difficult to report _(or
too costly to verify)_.

~~~
stevenjohns
Every domain had the same content, was styled in the same format (something
like a28d92.com, then b28d92.com...) and all were acting as redirection
platforms for phishing sites and all were registered on the same day.

It wasn't hard to verify or easy to fake, or loose. Namecheap's legal/abuse
department are just completely incompetent/don't care about their own TOS.
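
The pattern described in this comment (sequential names, identical content, same registration day) can be corroborated from evidence an abuse desk gathers itself rather than from what a reporter asserts. This is an added example, not part of the original thread or any Namecheap tooling; the record layout, function names and sample data are assumptions constructed for illustration.

```python
"""Corroborate a bulk abuse report with evidence the abuse desk collects itself."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Observation:
    domain: str    # name taken from the abuse report
    created: date  # creation date from the registrar's own records
    body: bytes    # landing-page content fetched by the abuse desk


def normalize(domain):
    """Lower-case a reported name and drop surrounding space and the root dot."""
    return domain.strip().lower().rstrip(".")


def skeletons(domain):
    """Yield the name with each character of its first label masked in turn.

    'a28d92.com' -> '?28d92.com', 'a?8d92.com', ... Two names that differ in
    exactly one position share exactly one skeleton.
    """
    label, _, rest = normalize(domain).partition(".")
    for i in range(len(label)):
        yield f"{label[:i]}?{label[i + 1:]}.{rest}"


def find_campaigns(observations, min_size=3):
    """Group names that share a skeleton, a creation date and a content hash.

    Duplicate reports of one name collapse into a set, so repeating a report
    does not inflate a cluster.
    """
    buckets = defaultdict(set)
    for obs in observations:
        digest = hashlib.sha256(obs.body).hexdigest()
        for skel in skeletons(obs.domain):
            buckets[(skel, obs.created, digest)].add(normalize(obs.domain))
    campaigns = [
        {"pattern": skel, "created": created, "sha256": digest,
         "domains": sorted(names)}
        for (skel, created, digest), names in buckets.items()
        if len(names) >= min_size
    ]
    campaigns.sort(key=lambda c: (-len(c["domains"]), c["pattern"]))
    return campaigns


def uncorroborated(observations, campaigns):
    """Reported names that no cluster supports; these need individual review."""
    clustered = {d for c in campaigns for d in c["domains"]}
    return sorted({normalize(o.domain) for o in observations} - clustered)


# Constructed sample data: names follow the shape quoted in the comment,
# dates and page bodies are invented.
STUB = b"<html>constructed redirect stub</html>"
SAMPLE = [
    Observation("a28d92.com", date(2020, 3, 2), STUB),
    Observation("b28d92.com", date(2020, 3, 2), STUB),
    Observation("c28d92.com", date(2020, 3, 2), STUB),
    Observation("d28d92.com", date(2020, 3, 2), STUB),
    Observation("B28D92.com.", date(2020, 3, 2), STUB),  # same name reported twice
    # Fits the naming pattern but has a different date and different content.
    Observation("e28d92.com", date(2019, 6, 11), b"<html>constructed unrelated page</html>"),
    Observation("shop.example", date(2020, 3, 2), b"<html>constructed storefront</html>"),
]

if __name__ == "__main__":
    found = find_campaigns(SAMPLE)
    for campaign in found:
        print(campaign["pattern"], campaign["created"], campaign["domains"])
    print("needs individual review:", uncorroborated(SAMPLE, found))
```

A name that merely looks like part of the series stays out of the cluster unless the registration date and fetched content also match, which is the part a reporter cannot fabricate.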

------
NamecheapCEO
Is it not enough that Facebook and Zuck tread all over their customers' privacy
on their own platform? Now they want other companies to do it for them with
their own customers as well.

This is just another attack on privacy and due process in order to strong arm
companies that have services like WhoisGuard which is intended to protect
millions of customers’ privacy.

~~~
preommr
^ Namecheap CEO

Can you explain the legal details of what's happening here? Whose
responsibility is it to deal with domains that are potentially dangerous, what
exactly is facebook suing you for? What rule are they talking about when they
say you're supposed to provide the WhoisGuard information (someone else
mentioned that's only for government requests)?

I've also seen some complaints by other people here that there are some
namecheap domains that are sometimes scammy and namecheap sometimes deals with
them and other times they don't (based on user comments here). Can you clarify
if namecheap does indeed take action and if so, why they haven't here?

Also in the future, you might want to sign off at the end of the comment since
it's really easy to ignore the username as it's grayed out. And FWIW, great
job with namecheap, I've had a really good experience with it.

~~~
saagarjha
FWIW, a username like "NamecheapCEO" does not inspire confidence in its
authenticity.

------
wyqydsyq
Does this mean I can sue Facebook because, despite my (unreasonable) demands
they stop showing me fake news and ads for crypto-mining mobile games that
pretend to be affiliated with legitimate news sources or the games they're
knocking off, they haven't stopped?

I think that's a pretty comparable analogy because in both cases, a party is
being unreasonably expected to police third-party content provided through
their platform/business, or else be sued for failing to do something
completely infeasible.

~~~
forgingahead
You can (almost) do whatever you want, when you have enough money for it.

~~~
antpls
Couldn't fb's users start a kind of grouped judicial procedure? A "class
action"? (I'm not a lawyer and not American)

~~~
tehbeard
There's most likely an arbitration clause to try and stop that in the EULA.
Depending on your jurisdiction that might not apply though.

Still got the billion dollar lawyer army to get through.

------
NicolasGorden
I'm so happy to be a Namecheap customer right now.

Contrast their behavior with Go Daddy who will turn over data of people who
dare complain:
[https://skepchick.org/2014/04/godaddy-released-my-personal-information-to-a-spammer-troll/](https://skepchick.org/2014/04/godaddy-released-my-personal-information-to-a-spammer-troll/)

------
eyegor
So Facebook is suing to dispute the business model of whoisguard, because they
believe they are "obligated" to work with fb? I'm scratching my head at the
implications here, I can guarantee fb doesn't want to be responsible for kyc
on their users or ad providers (both can deliver intentionally misleading
content on their platform). So what is their goal? My best guess is they think
they can scare namecheap into working with them, but this feels like a case of
chicken.

------
Nextgrid
It’s ironic how Facebook uses all kinds of lies and dark patterns to steal
data from their users but gets pissed off when someone else does it (or
provides services for it as it is in this case).

~~~
chopraaa
Yes, that's because phishing is an actual crime.

~~~
ep103
so is wiretapping, but in our household we have a running joke that if we're
too lazy to google something, or say "ok google", we can just say "ok facebook
bed frame bed frame bed frame" in the direction of our phones, and
fb/instagram will start showing us ads for bed frames in a few hours. It works
a surprisingly large amount of the time.

~~~
bcyn
I can't speak for other platforms, but if you've ever developed apps for
iPhone, you'd know this is pretty much impossible for FB to do.

~~~
saagarjha
Doing this specific thing is quite easy, using public APIs, just by
correlating data between signed in users.

~~~
bcyn
I should be more clear: I'm referring to secretly recording audio.

------
caffeinewriter
I feel like the title "Facebook sues Namecheap for registering phishing
domains" is somewhat misleading.

> We found that Namecheap’s proxy service, Whoisguard, registered or used 45
> domain names that impersonated Facebook and our services, such as
> instagrambusinesshelp.com, facebo0k-login.com and whatsappdownload.site. We
> sent notices to Whoisguard between October 2018 and February 2020, and
> despite their obligation to provide information about these infringing
> domain names, they declined to cooperate.

Specifically, they're suing Namecheap _and their proxy service_ for not
providing information about the true registrants of the allegedly infringing
domains.

~~~
CydeWeys
And to be clear, all Namecheap had to do to prevent this lawsuit was identify
the owners of or delete the obviously-phishing and obviously-TM-infringing
domain names. They didn't, so now Facebook is taking them to court over it.

~~~
mmanfrin
Facebook listed 3 of the 45, including one that I'd argue does not at all
violate TM or phish. In a post like this, they'd likely pick the most
egregious examples, so your statement about how obvious this is is entirely
baseless. Furthermore, I'm absolutely okay with Namecheap not honoring a
demand for information without a subpoena. Those whoisguards protect _me_ from
spammers, scammers, and anyone who would want my information from a whois.

~~~
notRobot
Agreed 100%. I'm a huge fan of removing all PII from whois info. Get a
subpoena if you want that data. Otherwise next thing you know they'll be
demanding registrant info for "facebookisevil.com" because it "infringes on
our trademarks!!!"

~~~
rstupek
Actually all PII information is already removed from whois info. I think it
was a consequence of gdpr

~~~
notRobot
Nah namecheap made whoisguard free for all long before GDPR if memory serves
correctly

~~~
rstupek
They may have but regardless of them doing so, gdpr resulted in the making of
whois data not generally available to anyone.

------
driverdan
Is Namecheap obligated to respond as FB claims? Isn't this the proper way it
should happen, through the courts? I don't want Namecheap giving my personal
info out just because a business claims a domain infringes their trademarks.

~~~
derision
I'd say it's a little different if you're running a blatant phishing site,
it's more than just trademark infringement

~~~
driverdan
Is it? Doesn't that responsibility fall to law enforcement, not a company?

------
ArchReaper
Title is misleading, from the article:

> We sent notices to Whoisguard between October 2018 and February 2020, and
> despite their obligation to provide information about these infringing
> domain names, they declined to cooperate.

Title should be closer to "Facebook sues Namecheap/Whoisguard for not
providing information on phishing domain registrants"

~~~
bagacrap
opening paragraph: "This week we filed a lawsuit in Arizona against Namecheap,
a domain name registrar, as well as its proxy service, Whoisguard, _for
registering domain names_ that aim to deceive people by pretending to be
affiliated with Facebook apps"

~~~
Terretta
Who is the registrant who registered the name? Who is the registration service
that recorded the registration? Who requested the name be proxied by a
registered name holder?

Which of these actors had 'intent' for the letters in the name?

------
cadence-
Facebook is very heavy handed when it comes to these things. I’m talking from
my own experience with them. I own a free dynamic dns service, and yes, scammers
sometimes use it to plant familiar sounding subdomains to cheat users. One
such subdomain was related to Facebook. So Facebook didn’t even contact me
about it. Instead, they banned my whole domain on FB. If now I try to give
people my email address with my domain on Messenger or any FB post, it will
get blocked with the message that my domain has malicious content.

That’s what you get when dealing with big companies. I guess they cannot just
block namecheap like this, since they are much bigger than my small hobby
dynamic dns server. So they are suing in this case. But I’m sure there are
plenty of cases like mine where they just block the whole domain or IP range
without even contacting the owner. Because they can, and we cannot do anything
about it.

------
moneromoney
Very proud about Namecheap!! Great company that doesn't give your infos to
anyone without your permission. and the whole story is another reason to stop
using anything facebook-related.

------
Thelma_H
Facebook's hypocrisy, as noted, is rich. But phishing impacts innocent users,
not Zuckerberg and his cabal of blood-sucking c-suite plutocrats. Namecheap
isn't an innocent. See
[https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/](https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/).
They court this demographic through a business model which is
entirely their own choice.

------
Mistri
Is Facebook targeting Whoisguard directly? I am incredibly thankful for
Whoisguard — back when I purchased my first domain, I didn't know about it,
and to this day, I get 5-10 spam emails per day regarding my domain. It's so
bad that I've had to change my primary email to something else.

There definitely should be a mechanism by which large companies like Facebook
can approach Whoisguard and ask for a site to be taken down, though.

------
apdinin
A company or individual putting “Facebook” or “Instagram” in their domain name
without Facebook’s authorization would constitute trademark infringement.

Pretty sure this lawsuit is just Facebook doing what they’re supposed to do to
“protect” their trademarks.

When you have a trademark, you’re obligated — by law — to attempt to protect
it in cases of seeming infringement. If you don’t, you lose the power of the
trademark.

~~~
leggomylibro
> A company or individual putting “Facebook” or “Instagram” in their domain
> name without Facebook’s authorization would constitute trademark infringement.

That is not true in the US.

A trademark consists of both a name _and_ the goods/services which a company
provides under that name. If you use the trademarked name in a completely
different industry or context from the entity which registered the mark, you
aren't infringing on it.

So if you had a business selling...I dunno, physical books made out of faces,
then you might be able to use "Facebook" without infringing.

In practice, Facebook could spend enough money to convince the legal system
that they are right, but merely having some letters in a domain name does not
imply infringement.

------
Thorentis
Why does Facebook want to know who these people are? That itself seems a bit
creepy. Sure, get the domains taken down, get Whoisguard to block them from
registering more domains in future. But what does Facebook want, names and
addresses? Weird.

~~~
jpeg_hero
> But what does Facebook want, names and addresses?

Uhhhh, to help in the investigation and arrest of the ring of people that are
scamming and phishing Facebook customers?

~~~
Thorentis
Shouldn't law enforcement have that information rather than Facebook? Or does
Facebook see itself as the internet police now?

------
notRobot
Isn't the obligation only to provide registrant info to governments or when
the info has been subpoenaed? Or should namecheap hand over info to any private
entity that thinks their trademark is being infringed upon or that the domain
is malicious?

Inb4 FB wants the info of the person begins "facebookisevil.com".

------
mmanfrin
Facebook sues Namecheap for _allowing people to register_ phishing domains

~~~
Volundr
Facebook sues NameCheap for allowing people to register phishing domains, _and
failing to meet their obligation to provide information about those domains
when notified_. But it's not near as good a headline.

~~~
mmanfrin
Namecheap has no obligation to give out customer data at _all_ unless directed
so by a court.

~~~
ceejayoz
Is it possible there's something in the ICANN registrar policies that requires
them to do so?

If not, isn't this sort of suit _how_ you'd get a court to issue such an
order?

~~~
Volundr
It appears there is:

[https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en#raa](https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en#raa)

See section 3.7.7.3

~~~
phendrenad2
I'll bet that clause was intended to apply to law enforcement, but as worded
(IANAL) it appears to say that literally anyone could send a registrar proof
of "reasonable evidence of harm", and they're liable unless they turn it over.
Very odd.

------
cambalache
Can I sue Facebook for all the Facebook pages impersonating other
business/doing shady stuff?

~~~
toxicFork
Yes. Let us know how that goes please.

------
danschumann
Is facebook responsible for what its users do? Is namecheap responsible for
what its users do?

Isn't this exactly the argument facebook makes when it doesn't want to be
regulated as a platform or whatever?

~~~
sleepyhead
Side note: Actually with upcoming EU regulations Facebook will be responsible
for what users do. For example by not filtering copyrighted images.

------
markdown
Uh, the hypocrisy makes me sick.

Facebook takes money from people spreading fake news to influence the
elections in my country and they refuse to reveal the names of the people
funding this fake news.

------
andy_ppp
Haha, imagine a company suing another for the way people use their platform,
as if it’s _their_ responsibility to police the people using it for harmful
purposes! Ridiculous!

~~~
shaan7
I see what you did there ;)

~~~
andy_ppp
I actually think hypocrisy should be a defence in court...

------
sdan
Thank you Namecheap.

Been using Namecheap since 2017 and was thinking of switching over, but this
decision (although malicious, protects users' privacy).

~~~
stebann
Why malicious? Facebook claims are bullshit, they deserve it and they're not
exactly the people who have the best ethics shots.

------
unexaminedlife
I kind of feel like this could be a perfect opportunity to bring to light some
of the weaknesses in the current SSL Cert infrastructure.

It sounds like what we need is for the browser to be capable of displaying a
list of "favicons" (or something like this, perhaps a favicon encrypted by the
domain's private key) from every domain in a domain's certificate chains. And
for certificate authorities to allow domain owners to insert their other
verified certs in these certificate chains that end up being used.

So, for example, let the owner of "DOMAIN1.COM" set up a certificate chain
where DOMAIN1.COM is its own certificate authority who signs certs owned by
DOMAIN1.COM. This way, when the browser sees the certificate chain it will
proceed to verify the chain.

So now end users could easily see that DOMAIN2.COM is owned and "vouched for"
by DOMAIN1.COM.

I don't think FB's claim SHOULD be valid, but given the current state of the
art I think it IS valid.

------
chuniverse
Going after the registrar is unnecessary to stop this sort of behavior,
nothing would stop a scammer from creating www.facebook.route34.com/login

People are getting accustomed to complex URL parameters they don’t understand.
I doubt most people are paying attention. In a few years we might start seeing
web browsers without the URL bar.

------
npip99
This seems like a waste of time. It's not illegal to register a domain name,
no matter how similar it is to your domain name. If you want those domain
names, then buy them. My family runs a business and we bought the domain names
that we thought were similar. We respect the fact that if someone buys our
domain but with ".io" at the end instead, then that's their right. I would be
very scared of a world where people can sue over names being "too similar to
this large company with lots of money and power". These domain name companies
serve one purpose: selling available domain names. It's not complicated. Let's
not make it complicated.

------
allenskd
> We don’t want people to be deceived by these web addresses, so we’ve taken
> legal action.

I wonder if they reported the issue first unless it's all for show. I've
reported phishing domains before and Namecheap is usually quick on taking them
down if the domain belongs to that registrar. I think the last report within
24 hours they plugged it out. So makes me wonder what Facebook is on about
with this.

Edit: ok, I missed the "despite their obligation to provide information about
these infringing domain names, they declined to cooperate." seems Facebook
wanted to go on a witch hunt.

------
ronalbarbaren
[https://techcrunch.com/2019/10/31/facebook-sues-onlinenic-for-domain-name-fraud-associated-with-malicious-activity/](https://techcrunch.com/2019/10/31/facebook-sues-onlinenic-for-domain-name-fraud-associated-with-malicious-activity/)

[https://domainnamewire.com/2011/05/09/namecheap-sued-over-whoisguard/](https://domainnamewire.com/2011/05/09/namecheap-sued-over-whoisguard/)

------
dbg31415
Slippery slope, and I hate Facebook more for doing this. It shouldn't be on
Namecheap to police for Facebook. Tomorrow, Facebook could open something like
cnn.facebook.com -- would CNN.com be off limits then? It'd be impossible to
predict, track, and respond -- also it's fundamentally not Namecheap's
responsibility to protect Facebook. Facebook could, and certainly has the
money to, register anything they want -- anything that resembles a domain in
their apps.

------
strooper
"This week we filed a lawsuit in Arizona against Namecheap, a domain name
registrar, as well as its proxy service, Whoisguard, for registering domain
names that aim to deceive people by pretending to be affiliated with Facebook
apps."

Wasn't Facebook supposed to request for information through the legal system
instead of suing the registrar itself? Isn't Facebook publicly and
unreasonably flexing muscle? So long justice...

------
gruez
Tangential question: what are the chances that, if namecheap disclosed the
identities of registrants, facebook would be able to do anything with it?
You'd expect that if the domains were registered with the intention to do Bad
Things, that they would be registered with fake information. You can use a
throwaway email address, fake mailing address (doubt they would validate
it), and pay with cryptocurrency.

~~~
edmundsauto
If the registration information is falsified, + trademark dispute, FB has the
inside track on getting ownership of these domains transferred to them. After
all, the registered owners don't exist -- doesn't that make them up for grabs?

------
romaniitedomum
First time I find myself cheering for FB. Namecheap are notorious for
criminal-friendly hosting. Just the other day I contacted Namecheap support
about a site that was spamming Usenet groups and which was hosted with
Namecheap. The site was offering to sell marijuana. Namecheap gave my contact
details to their customer and told me they would do nothing.

Namecheap are happy to profit from criminality and no-one who values their
reputation should have anything to do with them.

~~~
freehunter
This is the same argument that could be leveraged against any privacy focused
company. In fact it has been, against Apple and the various privacy focused
email companies and WhatsApp and VPN companies, the list goes on.

What did you expect Namecheap to do? Take your word for it and ban one of
their customers, just because you said so?

~~~
romaniitedomum
> What did you expect Namecheap to do? Take your word for it and ban one of
> their customers, just because you said so?

What did I expect them to do? Look at the reported site they're hosting. Is it
violating their TOS? If so, remove it.

~~~
ksec
What if selling marijuana is legal? And doesn't violate their TOS?

~~~
romaniitedomum
Legal where? It may be legal to sell it where it's hosted, but will they check
that it's legal to deliver it to the destination? And the site in question has
text on it promising to pack the goods in dog-proof bags and they also promise
to refund customers whose orders are seized, indicating they know perfectly
well they're breaking the law and are happy to help others do it too.

------
forgotmypw16
Seems like a good opportunity to say, I've been a Namecheap customer for more
than 10 years and I am very happy with them. :)

------
ethanwillis
Namecheap released my information inadvertently a while back by responding to
a subpoena for someone else. And in the process just dumped all of my
information that was not covered by the subpoena request at all.

Hopefully they go through with defending themselves from this lawsuit
otherwise I don't think I could ever use or recommend them again.

------
puggo
Finally, Facebook has found a legitimate way to get rich, classic American
style. By suing people.

This is actually an ethical step forward.

------
bilekas
> despite their obligation to provide information about these infringing
> domain names, they declined to cooperate.

Facebook just can't get their head around not sharing information.. On their
customers. Never mind just their users.

Also 45 domain names? Out of how many? Insane. This would be a parody if it
was written.

------
dustinmoris
Maybe Facebook didn’t get the memo, but Namecheap is not responsible for what
their customers do.

Namecheap is just a platform.

#irony #sarcasm

------
bt3
As much as I despise Facebook, it's great to have this kind of pressure put on
NameCheap. When I first set up my own website many years back, I made the
mistake of listing my email in plain text right on the main page. Fast forward
years later and I think I've been added to every spam list possible. If it
wasn't for exceptionally-aggressive email filters, I'd get 500+ spam emails a
day.

In various times throughout the years, I'll run a WHOIS lookup on the last
1000 emails to have (attempted) to send me spam email. In 99% of cases, they
resolve to a proxied NameCheap domain. I have submitted somewhere in the
ballpark of ~800 domains throughout the years to NameCheap's abuse department.
While they are timely in their "investigation", only about half of them are
shuttered, and it's not clear to me if NameCheap is actually attempting to
solve the problem as I strongly suspect there's a limited number of
individuals behind the mass of nonsense domains used to spam me and likely
countless others.

~~~
onetimemanytime
OK, but FB isn't suing NameCheap because domains registered through them
spammed you.

~~~
bt3
My point was more so that NameCheap appears willfully ignorant to abuses on
their platform. As I am a nobody, I don't have the leverage to get them to
solve these problems. Whereas Facebook suing them might introduce pressure on
NameCheap to address abuse of their domains.

------
torvolt
> We regularly scan for domain names and apps that infringe our trademarks to
> protect people from abuse.

Does FB "own" all the domain names that they're scanning? I don't know
trademark laws so if some domains are illegal for me to own then how do I
know?

~~~
wbkang
If a phishing website is using the Facebook logo to phish credentials, sure
the website is infringing on the trademark.

------
thefounder
> We regularly scan for domain names and apps that infringe our trademarks to
> protect people from abuse.

Yeah, and namecheap is supposed to suspend them until the owners win in court
the right to use their $9 domain name, right? Facebook really has no shame.

------
timwaagh
I'm not sure how this would work. 'facebook' is after all a generic word which
had meaning before Facebook existed and is not only used in the context of the
social network named after it. So the judge could reject it.

------
bgdkbtv
Fuck off Facebook

------
alok-g
This is a genuine problem indeed. Someone is in violation of copyrights and is
sitting hidden behind a domain name. What practical means do I have to even
reach out to the violators, as an individual?

------
Priem19
For some reason I still couldn't register
[https://www.quitfacebook.org](https://www.quitfacebook.org) on Namecheap, but
could on GoDaddy.

------
lgats
Shouldn't facebook really be pursuing the hosting company affiliated with
these domains, not the registrar itself?

There's nothing illegal or infringing about owning a domain name.

------
ck2
The really interesting thing about namecheap is they are not a registrar for
most TLDs, they are simply a very large enom reseller (last I checked a year
or two ago)

~~~
smitop
They used to be a reseller, but in early 2018 they completely moved off of
Enom and registered domains directly:
[http://domainincite.com/22467-namecheap-to-bring-millions-
of...](http://domainincite.com/22467-namecheap-to-bring-millions-of-domains-
in-house-next-week)

------
shrimpx
Would domain names like deletefacebook.com and facebookruinsyourlife.com count
as being in this class of infringements? Where do you draw the line?

------
dillonmckay
So, this is simply a civil issue in Facebook’s eyes?

------
nutmeg21
"We found that Namecheap’s proxy service, Whoisguard, registered or used 45
domain names that impersonated Facebook and our services, such as
instagrambusinesshelp.com, facebo0k-login.com and whatsappdownload.site."

Layperson 2018: "No wonder WhatsApp is bad mouthing Facebook, their
competitor!"

Layperson 2019: "I have just absolutely HAD it with Facebook. I am going to
delete Facebook and move to INSTAGRAM!"

Layperson 2020: "Oh wait! So WhatsApp and Instagram are actually owned by
Facebook?"

------
XCSme
I am using Namecheap and was afraid this is about something bad they did, but
it's them just respecting the privacy laws.

------
patzal
reminds me of the story when openbook "had to" change their name to okuna:
[https://medium.com/okuna/about-the-word-book-in-openbook-
ed3...](https://medium.com/okuna/about-the-word-book-in-openbook-ed33b1514e71)

------
hidiegomariani
thing is we lack a framework for tagging those scam sites as scam and automate
the takedown. In this particular case it is legitimate for fb to ask for removal,
although it may not be up to anyone to ask for removal of any domain without a
proper legislative framework in place

------
RancheroBeans
According to the facebook post:

> We don’t want people to be deceived by these web addresses, so we’ve taken
> legal action.

This is particularly hypocritical and infuriating given facebook's stance on
horribly misleading and deceptive political advertisements on their platform.
I hope this hypocrisy results in facebook eventually being sued.

------
sailfast
Just me, or is the domain “instagram business help” legit and shouldn’t be
something that Facebook can take down? If the entity helps people put
businesses on Instagram and the site says they are not affiliated what is the
harm?

Further, why would names of the parties be required here? I guess they’re
seeking damages?

------
znpy
I wonder why the lawsuit was filed in Arizona and not in, say, California.

~~~
hrombach
Because Namecheap Inc's legal address is in Arizona

------
adtac
Now I'm even more glad I went with Namecheap. Thanks, Facebook!

------
danfitch
I just want to post the Michael Jackson popcorn gif right now.

------
coder1001
This is going to be great PR for Namecheap! :)

------
kalium_xyz
Protecting against harm by doing harm huh?

------
acosmism
was it not namecheap where fb registered its initial domain? that's fck d

------
nubela
Dear Namecheap,

How can I donate money?

------
artur_makly
might makes right?

------
villgax
sure

------
xtat
another day another facebook swindle

------
footweebole
underrated

------
onetimemanytime
so people should sue FB if someone uses FB to say bad things about them???

File a UDRP, it works with proxy services as well. NameCheap can't manually
check or approve every name.

~~~
keanzu
It's 45 domain names.

Facebook sent them a list.

No-one said anything about manually checking every name until you did.

~~~
onetimemanytime
they sent "notices" so unless you know something more.... One cannot just ask
for them to divulge the names, that's the point of privacy. File a suit or
whatever. It's the cost of doing business

~~~
PeterisP
Filing a lawsuit is the whole point - facebook has grounds to sue the domain
owners, so either Namecheap can disclose who they are so they can be sued, or
Namecheap can be sued (i.e. what's happening now) to be forced to disclose who
they are so they can be sued.

One _can_ just ask for them to divulge the names (FB did that); one can refuse
to divulge the names (Namecheap did that); and then a judge can force that
privacy to be revoked.

~~~
onetimemanytime
Yes, but you sue John Doe 1-45 under
[https://en.wikipedia.org/wiki/Anticybersquatting_Consumer_Pr...](https://en.wikipedia.org/wiki/Anticybersquatting_Consumer_Protection_Act).
NameCheap is then forced by the court to notify them. You shouldn't directly
sue the service provider, NameCheap in this case. They were right to refuse to
unmask the owners without a court order.

~~~
PeterisP
It seems to me that as far as domain registration is concerned, Namecheap's
subsidiary Whoisguard is technically the domain owner in this case. Of course,
they're doing this with the intent to be a proxy, but technically they are the
owner and so it seems that it would be appropriate to sue them for the misuse
of that domain.

I.e. "We found that Namecheap’s proxy service, Whoisguard, registered or used
45 domain names" - it's not that 45 John Does have registered these domains
and we want their identities, we know who the official owner of these
domains is - it's Whoisguard; and it's up to Whoisguard to either accept full
responsibility for the [mis]use of these domains or provide some arguments why
someone else should be held responsible instead.

If "internet standard process" is that they should do something else other
than sue Namecheap - well, that works as far as that other thing works
faster/better/cheaper than suing Namecheap directly. If it does not, then the
legal process is that they _can_ sue Namecheap if it feels more effective.

In essence what seems to be happening here is testing in a court whether the
current practice of domain "privacy proxies" can be done without the proxy
accepting any liability for the domains they're shielding. Such services were
implemented in the notion that they don't intend to accept any liability, but
as far as I know it has not yet been tested in courts whether they can get
away with it.

It's worth noting that in many other similar aspects (e.g. copyright issues
for user generated content, etc) the default position was that proxies _can_
be held liable as accomplices, and that changed only when specific laws were
passed saying that such proxies are immune from liability if certain
conditions are met (e.g. common carrier, dmca, etc, etc). So, depending on how
the courts rule, it's plausible that we might get precedent that domain
privacy proxies _do_ have to bear some liability if they happen to protect
the anonymity of criminals, which would de facto mean that those proxies won't
exist, that all such services would shut down.

~~~
onetimemanytime
You miss the point entirely: FB cannot do anything without suing, even if they
had their names and addresses. These things are solved either via ICANN
procedures or through federal courts. In both cases, NameCheap would be forced
to notify owners or divulge their info.

------
ogn3rd
"Our goal is to create consequences for those who seek to do harm."

Isn't it ironic, don't ya think?

------
logfromblammo
This is without merit.

Facebook is free to register as many domains as may please it, paying the fee
for each. Those registrations are for exact strings. They do not include any
strings visually or phonetically or typographically similar to the registered
string. Registering facebook.com does not automatically confer the rights to
facebook-cdn.com, or facebook-images.com, or any other nearby string. The
remedy for potential phishing domain names is to either register all those
text-adjacent names first (unlikely), or to install measures on the registered
domains that make it harder for phishers to fool the users, and limit the
possible damage when those ruses succeed.

You can't break the whole DNS system to protect one company. Do your own
danged phishing defense instead of trying to turf it off onto others as an
externality.

~~~
gruez
> Facebook is free to register as many domains as may please it, paying the fee
> for each. Those registrations are for exact strings. They do not include any
> strings visually or phonetically or typographically similar to the registered
> string.

You seem to be conflating domain name registrations with trademarks. Having
the "facebook" trademark does indeed give you rights over similar names (eg.
facebook-ads.com), if they're determined by a judge to cause consumer
confusion.

~~~
logfromblammo
Trademarks are restricted to a specific type of business. Any of those sites
could operate as anything other than software or computer services, which are
the likely trademark classes for Facebook. (I didn't look up their mark.)

_If_ one of those similar names puts up a website mimicking Facebook's sites,
Facebook can then sue the operators as an unnamed party, and ask the court to
order the registrar to reveal the unnamed party's identity, by convincing the
judge that it's the only way to reasonably serve the defendants with the
complaint.

They cannot preemptively unmask the domain owner with trademark--not until
_after_ the trademark infringement occurs.

Facebook is skipping steps, and somehow requiring registrars to determine or
presume the intent for the use of a domain while registering the name. That's
not how DNS works. It associates names with numbers, so that the Internet can
be made out of words. Making the registrar the defendant is abusing the
system, and if the court allows it, we all might as well sue Facebook for
anything and everything that any of its users do to us on its platform,
arguing that they should have known what evils those people would do back when
they created their accounts.

Also, "conflating" is not the correct word for the intent I presumed for your
sentence. I am _dissociating_ DNS registration from trademarks. This is valid,
as DNS is run by ICANN, not the USPTO, or by any other international trademark
registration agency. If ICANN chose, it could create top-level domains that
correspond to international trademark categories, and automatically tie
registered trademarks to those TLDs. It has not. So for now, there is no
implicit connection between DNS and trademark. If I register something like
coke.etc, and then put up an informational website about carbon fuel, Coca-
Cola can't do anything to that domain on the basis of trademark. I have to
infringe first.

