
GoDaddy Released My Personal Information to a Spammer Troll - kmfrk
http://skepchick.org/2014/04/godaddy-released-my-personal-information-to-a-spammer-troll/
======
jxf
While GoDaddy has a point about the opt-in component being important for
deciding whether spamming took place, they certainly didn't need to release
her personal information to the spammer. That's a terrible, serious breach of
privacy.

A naive approach that might work without either party needing to divulge
emails:

GoDaddy: "We have received complaints that you've been spamming. Give us a
list of SHA-1 hashes of addresses of the people that opted in and show us how
they opted in."

Customer: "Here's the list."

GoDaddy: "At least one complaint email we received does not match the SHA-1s
on this list."

~~~
mcphilip
I read this as GoDaddy releasing her email address only. In theory, isn't an
email address only personally identifiable if the address owner has done some
action linking it to a real world identity? I assume that's the argument
GoDaddy would make.

However, it should have been made abundantly clear to someone reporting spam
that their email address may be disclosed to the accused party.

~~~
jxf
An email _is_ personally identifiable information, in and of itself. NIST
includes it right in their definitions. [0]

[0]:
[http://en.wikipedia.org/wiki/Personally_identifiable_informa...](http://en.wikipedia.org/wiki/Personally_identifiable_information#Examples)

~~~
mcphilip
Thanks for this. I am not up to date on what is considered privacy
information, apparently.

------
filmgirlcw
I'm loath to defend GoDaddy, but I don't know if they can be "blamed" in this
case, if only because what happened here was not the typical spam scenario.

If I'm understanding the situation correctly (and if I'm not, please let me
know), a crazy person with an agenda sent a mass-mailing to about hundreds of
atheists/bloggers in an attempt to push his POV. Skepchick reports him to his
email host (in this case, GoDaddy), under their spam terms.

GoDaddy does their standard process, which includes asking for opt-in proof,
and revealing the email. Crazy guy goes crazy and makes a website dedicated to
trying to defame Skepchick, using info he found about her online.

The problem is, this wasn't typical spam. Meaning, this wasn't some bot
sending out Viagra sales pitches or the "great investment leads" people that
send me 30 messages a day. This was unsolicited mail, yes, but it was with an
agenda. Basically, I'd classify it more as harassment.

I'd imagine the situation would have been handled differently if it was
flagged/seen/filed as harassing messages, rather than spam. I don't know, but
I have to assume GoDaddy has an abuse team and that their methods of handling
this sort of thing would be different.

Please understand, I'm not putting the onus on Skepchick to correctly know how
to classify the message. It stands to reason she thought this was spam. But at
the same time, I don't know if this sort of edge case is common enough to
require a more complex method such as SHA-1 hashes.

Shitty situation all the way around, but I think the biggest problem was this
was treated as a normal case of spam, when really it was a case of
abuse/crazy.

------
masklinn
So GoDaddy is utterly terrible both when you're their client and when you're
not their client. Great. Could that company be burned to the ground already?

~~~
jobu
Sadly it seems good marketing can compensate for being terrible.

~~~
TeMPOraL
It's pretty much the law of businesses these days. If you pump enough money to
market your product/company, then your sales will be orthogonal to the product
itself. You can sell any crap, as long as your marketing team is good enough.

------
josefresco
To contrast this with a real world example, if your neighbor is having a party
and you call in a noise complaint to the police, I don't think they tell the
party host "we got a noise complaint from your neighbor at 123 My Street".

~~~
j_s
Depends on the locale; I've heard stories of officers showing up at the
complainant's door 2nd.

------
tomp
TL;DR: User got spam from a website hosted by GoDaddy. User reports spam.
GoDaddy wants to be good guy and asks spammer if user opted in (by providing
spammer with the user's email). Spammer stops spamming, but harasses user by
posting her photo online, which s/he probably got using the email address
GoDaddy provided.

In retrospect, I'm sure there are better ways for GoDaddy to investigate such
complaints, but I think they didn't do something very evil - an email address
is hardly "personally identifiable information". On the other hand, if you
don't want your photo to be posted online, don't post your photo online.

~~~
samastur
So email address is not personally identifiable information even though it was
all the spammer needed to identify her? Right.

In some parts of the world (e.g. Slovenia) personal email is very much
considered personal information and any operator divulging it in such manner
would pay a steep fine.

~~~
tomp
So if I forward your email, I'm committing a crime? There's too much law about
the internet...

> In some parts of the world (e.g. Slovenia)

Slovenia is rather crazy about everything computer-related. A while ago Google
was forbidden from collecting Street View data. I really hope that has been
reversed by now...

~~~
dingaling
> Slovenia is rather crazy about everything computer-related. A while ago
> Google was forbidden from collecting Street View data

 _whispers_

That was Austria.

~~~
tomp
Slovenia as well - full article (in Slovenian): [1]. In 2010, the information
commissioner first rejected Google's request for recording [2], but it was
finally approved in 2013 [3].

[1] [http://lendavainfo.com/google-street-view-za-slovenijo-je-ko...](http://lendavainfo.com/google-street-view-za-slovenijo-je-koncno-delujoc/)

[2] [https://www.ip-rs.si/varstvo-osebnih-podatkov/iskalnik-po-od...](https://www.ip-rs.si/varstvo-osebnih-podatkov/iskalnik-po-odlocbah-in-mnenjih/odlocbe-in-mnenja-varstvo-osebnih-podatkov/?tx_jzvopdecisions_pi1%5bshowUid%5d=1943&cHash=40b3fc486d)

[3] [https://www.ip-rs.si/novice/detajl/snemanje-ulic-za-storitev...](https://www.ip-rs.si/novice/detajl/snemanje-ulic-za-storitev-google-street-view/?cHash=2113761ece703e0badf20352fa2faa35)

------
billyhoffman
Yet another reason to _not use GoDaddy!_.

I highly recommend Hover as a domain Registrar. Tried them with a few new
domains, and loved it so much I migrated everything there.

~~~
McGuffin
Sure, use whatever other registrar/host you want, but it quite evidently
doesn't exactly help people who aren't using godaddy but still have to deal
with abuse related to people who are.

~~~
billyhoffman
Indeed. I just look for opportunities to talk about how awesome hover is :-)

------
alandarev
Despite all my hate towards GoDaddy, I cannot see the happening being their
fault.

As tomp pointed out, disclosing email address is part of the process, probably
not clearly stated, but GoDaddy handled it well. They issued a fine to a
spammer, resolving the initial spamming case.

Worse would be if they have not carried out any actions at all.

Now, concerning the harassment, how come GoDaddy is responsible for trolls
being trolls? As Company pointed out, report him to law enforcement. Sue him,
or anything, victim has got the spammer's domain, thus all the private
information needed to escalate the problem further.

~~~
wattengard
It shouldn't be godaddy handing the abuser the email for verification, it
should be the abuser handing godaddy its opt-in-list for verification. This
way the reporter's identity is never in danger... Of course it's their fault.

~~~
alandarev
Imagine yourself being a highly respected business owner, where your main
product is sending personalized newsletters to privacy concerned customers
paying you much for their data to stay safe.

Will your argument still stay the same? Are you going to hand in millions of
your precious customers' email addresses each time to your domain registrant
when one of them marks your email as a spam? How are you going to explain
later to your customer why he is receiving spam on email address
100mil_worth_customer+news_from_wattengard@gmail.com? That you had to send
everyone's address lists each time a spam was reported?

~~~
garrettgrimsley
The assumption would be that the registrant acts in a professional manner and
only uses the list to verify the complainant's claims.

------
DEinspanjer
I think all this just goes to reinforce the complete brokenness of e-mail to
date.

While the proposals for requesting proof of opt-in via SHA hashes and such
seem technically feasible, I think it pretty quickly breaks down when you
think about how much cost and overhead that would put on GoDaddy (or law
enforcement) to manage.

Think about the volume of spam out there. Then imagine a very tiny fraction of
that being reported. Each one of those would require validation. While you
could automate all the SHA sum comparison stuff, I don't think you could
easily automate the validation of whether the opt-in mechanism was
appropriate. If the sender indicates there was an opt-in, the validator must
still confirm with the complainant whether that is a true claim. Without that,
the system is useless because the spammer just keeps a SHA sum for each of the
addresses they've purchased and supplies them along with a "Yes they opted
in!" claim.

Manually validating the opt-in mechanism would require lots of manpower, and
more importantly, a common and universally agreed upon set of rules for how
opt-in should work. There are all sorts of nuance in the way there. Should it
be a double confirmation? Does existing business relationship count? If so,
what are all the rules regarding what constitutes such a relationship? What
about unsubscribing afterward?

Edit: Removing the pessimistic and un-useful concluding paragraph on the hunch
that was what warranted downvotes.

------
devicenull
Forwarding a complaint onto the end user is standard practice these days. It
seems that every few months there is a story like this where someone sends an
abuse complaint then is surprised when the hosting company sends it to the end
user. For any large enough company it's unlikely a person will even read your
complaint before it gets forwarded on. Most complaints are designed to be sent
to the end user so it's no surprise companies automate this process.

~~~
masklinn
Forwarding the complaint itself is normal, forwarding the identity of the
complainer?

~~~
microcolonel
Anonymous complaints are an ethical issue. If you have no recourse then
complaints become pernicious.

Also, they forwarded some pretty basic details, an email and a name. They
weren't sent her SSN, mailing address, or anything like that, so it's no more
identity than she associates already with her email address, as far as I can
tell.

You need to be able to contact a complainant, otherwise there is no
resolution, only a complaint.

~~~
masklinn
> Anonymous complaints are an ethical issue. If you have no recourse then
> complaints become pernicious.

The complaint itself is not anonymous, there is an intercessor which knows the
identities of both parties, and who _is the recourse_.

> Also, they forwarded some pretty basic details, an email and a name. They
> weren't sent her SSN, mailing address, or anything like that, so it's no
> more identity than she associates already with her email address, as far as
> I can tell.

Oh great, they didn't send enough for a complete identity takeover so I guess
everything's… wait what?

They sent personal information to somebody who might — if the complaint was
well founded (which it clearly was) — take retributive action. That does not
strike me as an ethical or sensible move.

> You need to be able to contact a complainant, otherwise there is no
> resolution, only a complaint.

No, not necessarily and definitely not if the complaint is simply a well-
founded one where the resolution is to fix your shit. And if it turns out you
do actually genuinely need to directly contact the complainant, contact
information can be asked of the intercessor.

------
lettergram
I would report GoDaddy and the spammer to the police. If the spammer went
through all that trouble he's probably nuts.

~~~
tragomaskhalos
The religious references are a bigger red flag of the spammer's mental health
I'd say.

~~~
masklinn
Well at least he doesn't seem to be mabus-nuts:
[http://rationalwiki.org/wiki/Dennis_Markuze](http://rationalwiki.org/wiki/Dennis_Markuze)

So there's that...

------
ooobo
There is a similar, perhaps more significant problem with Twitter's abuse
reporting tool[0]. To submit the form, users are required to tick the box that
notes they accept the following:

_"I understand that Twitter may provide third parties, for example the
reported user, with details of this report, such as the reported Tweet. Your
contact information, like your email address, will not be disclosed."_

I think it highly likely that would encourage further abuse. This has
prevented me using the tool in the past, and makes me think Twitter doesn't
quite understand the issue.

[0]:
[https://support.twitter.com/forms/abusiveuser](https://support.twitter.com/forms/abusiveuser)

~~~
crashandburn4
What's wrong with this? they say "Your contact information, like your email
address, will not be disclosed". They just tell the person whose twitter
account it is something like, "By the way, it's this tweet that was reported
as abusive and they said it was abusive in this way" am I misunderstanding
this?

~~~
masklinn
That's also my reading. They warn that they may share the report itself, such
as the reported tweet and the comments (e.g. the "further description of the
problem" field) to the reported, but will not share contact/identifying
reporter information. That seems fine to me, one needs to know _what_ he's
being accused of to mount a defense.

------
MCarusi
Welcome to GoDaddy's customer service. I don't even let them have my domain
names. Use NameCheap (and no, I'm not being paid to endorse them).

~~~
vsbuffalo
Agree, I switched all my domains. Turned out to be much easier than I thought.
I'm not endorsed by them either, just a very happy customer.

------
higherpurpose
Please tell me nobody here is actually using GoDaddy anymore. How many lessons
does one need to learn before they realize GoDaddy is an awful company?

------
maccard
Well, I struggled to get through the first half of that article. Enough banner
ads?

~~~
chatman
She's making money selling her story.

~~~
kavrick
You mean just like news outlets do when they sell stories?

------
mathattack
Was their response really just "Go call the cops"?

------
bmoresbest55
I am not hating on Go Daddy but I will say that articles like these do not
come out of left field. There was the incident about two months ago with the
@N twitter name that involved them and I have heard other grumblings about
them. Then when you have other registrars that offer competitive services and
do not have those grumblings, you switch. I did. (namecheap.com) Just
sayin'...

------
chris123
Not surprising. GoDaddy does not have a good reputation among anyone I know,
and I've been involved with domain names since the mid 1990s. I recommend you
research other registrars and consider taking your business to them. I know
Namecheap has good prices, 2FA, low prices, and discount codes for people
leaving GoDaddy. Best wishes.

------
vannevar
There's no reason to expect professionalism from a company that proudly
portrays itself as a gang of leering adolescents.

------
devicenull
Released the same personal information that is widely available via WHOIS, it
seems..

------
xroche
I'm still puzzled that people are still using companies like Godaddy, Network
Solutions etc.. which collect more horror stories than any other ones. Are
customers really that stupid ?

~~~
logfromblammo
Clearly, the answer is yes. In a commodity business, where your customer does
not necessarily know much about your product, brand name recognition, price
competition, and other-people's-money buyers are your bread and butter.

GoDaddy advertises heavily. NetSol relies on the fact that they were the first
and no one ever gets fired for recommending them.

The people who are still their customers obviously do not realize they can get
better value--though not necessarily a lower price--from other companies.

And, apparently, there are also the buttmunches out there that are customers
_because_ the customer service (and self-policing in particular) is awful.

------
LazerBear
So which registrar does HN recommend?

I've used Namecheap before and they were decent, though the dashboard looks
like it was built in the 90's.

I checked out Hover but they seem to charge a lot for email.

~~~
tbomb
Namecheap recently redesigned. It looks much more modern now but it still
looks like the same template everyone else uses.

~~~
LazerBear
Their front page looks nice, but the dashboard and everything else looks the
same.

------
mirsimiki
I've lost several domains that simply got deleted from my account. Every time
I tried contacting them about the subject they refused to answer.

------
chloratine
Time to switch to proxy email id's, which do not give out the first name or
the last name.

From now on, I'll be known as wHzqbUWp at gmail.com

------
Ihmahr
They are also elephant killing [1] sopa / pipa supporters [2].

[1] [http://gawker.com/5787676/meet-godaddys-ridiculous-elephant-...](http://gawker.com/5787676/meet-godaddys-ridiculous-elephant-killing-ceo)

[2] [http://godaddyboycott.org/](http://godaddyboycott.org/)

------
D9u
The spammer appears to be a religious hypocrite, so why not spam the spammer
with religious hypocrisy right from their own playbook?

I would begin with Isaiah 45:7 "I form the light, and create darkness: I make
peace, _and create evil:_ I the LORD do all these things."

------
rajbala
"I noticed that the email address it came from as well as the link went to a
GoDaddy registered domain."

Who does a whois lookup on domains from spam emails?

~~~
maxerickson
If I think the spammer is legitimate enough that a complaint will make it
harder for them to spam, I do.

~~~
logfromblammo
If I just want to pretend to be a volunteer junior deputy for the Sheriff of
the Internet for two minutes, I'll do it.

Spammers would not have their accounts suspended as often or as quickly if no
one ever reported them to abuse@some.service.provider.com . There's always the
possibility that my iota of caring generated the lead that sparked the
investigation that allowed the actual network security guard to take down the
spammer kingpin or a portion of his botnet.

Mostly, it's when I just want to kick the spammer square in the danglies, for
annoying me when I'm bored.

------
leccine
This is the 3rd article on HN about GoDaddy being an absolute shit-show. I am
curious how long they gonna keep up.

------
microcolonel
With Skepchick involved, this seems sketchy.

I'm not going to spend today defending GoDaddy, as they've been a fair fly in
the ointment to me. However I would not suggest burning them at the stake
because somebody on this particular blog posted an inconclusive statement
about a breach which was, as far as we can tell, dealt with already.

As a customer of theirs, I'll probably be contacting them about this to make
sure I don't have any similar issues, and suggesting a remedy (probably
something like the cryptographic hash based verification method suggested
elsewhere on this page) for the future.

~~~
robotic
Seems sketchy? She has evidence to back up her claims including an email from
godaddy.

~~~
microcolonel
I don't trust the source though. /she/ included "an email" "from godaddy". But
Skepchick has been host to such golden, contributing members of society as
Rebecca Watson, so excuse me if I don't feel compelled to believe
incriminating claims from people who ruin blood cancer research donation
drives with inappropriate and divisive humour, then criticize others for being
confused or offended rather than apologizing.

From reading the article alone, sure, I wouldn't be quite as skeptical, but
I'm going to hold out until GoDaddy has a say in this case, because I don't
really trust either of them.

~~~
comrh
So this seems sketchy because it is on the same blog that also includes someone
completely unrelated that made a joke you find offensive? Whatever floats your
boat I guess...

------
chatman
Who on earth reports spam to originating server administrators? It might seem
contrary to general sentiments here, but really, why not handle your own
problem (and adjust your spam filters) instead of troubling GoDaddy?

~~~
masklinn
> It might seem contrary to general sentiments here, but really, why not
> handle your own problem

Same reason why you should report spam to SpamCop: help clean up the internet,
and clamp down on spammers so others don't have to deal with them?

Especially when the originating server specifically has a policy of not
allowing outbound spam.

~~~
chatman
Then, instead of whining around on the internet writing blogposts and making
money off those banner ads, the poster should have contacted local law
enforcement authorities.

I don't see why she should defame GoDaddy. If I had a server there, and I was
accused of sending spam, I would have the right to know which address
considered my email as spam (and determine for myself whether the user
subscribed to my services or not).

~~~
kazagistar
No. You could send them the sha1 checksums of those who had opted in, and
godaddy could confirm if it matched or not. You have no right to their
personal information, but you do have a right to be heard.

GoDaddy deserved every last ounce of negative coverage for this they can get.

~~~
devicenull
So, every time someone receives an abuse complaint, they should have to send
checksums of every email on their list? What if it's a massive mailing list by
a large company? What if it's a fraudulent abuse complaint, just designed to
get the company to waste resources?

~~~
6d0debc071
What if the company just lies that someone's not on their lists - they'll have
to turn the information over one way or the other if it's to be checked, and
it may as well be in a checksum as anything else.

~~~
devicenull
I've never heard of any provider making someone turn over their mailing lists.
Do you have any further information about when this has occurred?

Generally, when someone gets too many spam complaints, or doesn't handle them
well, they get terminated from the hosting provider.

~~~
6d0debc071
> I've never heard of any provider making someone turn over their mailing
> lists. Do you have any further information about when this has occurred?

---

I didn't mean to imply that was what happened. I said that they'd have to if
it's to be checked.

My thoughts were that you're either going to have to trust the accused spammer
- in which case you can turn over the SHA of the complaining email address,
and the provider can compare it to the SHA hashes of their own. Or... they're
going to have to turn the list (again, preferably with the entries hashed)
over to you - and then, I suppose, you'll have to trust that they're giving
you a truthful list.

But, either way, I don't see how the mere act of hashing the list is going to
significantly alter the problems of nuisance complaints or of dealing with
large lists. Hashing is a very cheap thing to do after all.
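
The hash comparison proposed by jxf at the top of the thread and revisited in this sub-thread, as an added example that is not part of any poster's comment: the sender submits SHA-1 digests of its opt-in addresses, and the provider hashes each complaint address and checks membership. Function names, verdict labels and sample addresses are constructed for illustration; a match shows only that the address is on the sender's list, which is the limit DEinspanjer raises.

```python
import hashlib
import re

# A SHA-1 digest in hex is exactly 40 lowercase hex characters.
_SHA1_HEX = re.compile(r"[0-9a-f]{40}")


def normalize(address):
    """Canonical form both sides must hash, or equal addresses will not match."""
    return address.strip().lower()


def sha1_of_address(address):
    return hashlib.sha1(normalize(address).encode("utf-8")).hexdigest()


def sender_digest_list(optin_addresses):
    """Sender side: digests of opted-in addresses; the addresses stay with the sender."""
    return sorted({sha1_of_address(a) for a in optin_addresses})


def load_digest_list(lines):
    """Provider side: keep well-formed digests, set aside anything else
    (for example a plaintext address pasted into the submission)."""
    accepted, rejected = set(), []
    for line in lines:
        candidate = line.strip().lower()
        if _SHA1_HEX.fullmatch(candidate):
            accepted.add(candidate)
        else:
            rejected.append(line)
    return accepted, rejected


def review_complaints(digest_lines, complaint_addresses):
    """Provider side: hash each complaint address (which the provider already
    holds) and test it against the sender's digests. Nothing about the
    complainant is sent to the sender."""
    accepted, rejected = load_digest_list(digest_lines)
    verdicts = {}
    for address in complaint_addresses:
        if sha1_of_address(address) in accepted:
            # On the list: membership only. Proof of how the person opted in
            # still has to be requested and checked separately.
            verdicts[normalize(address)] = "on_list_needs_optin_evidence"
        else:
            # Not on the list: the sender cannot claim this person opted in.
            verdicts[normalize(address)] = "not_on_list"
    return verdicts, rejected


def demo():
    # Constructed sample data, not taken from the thread.
    optin = ["Alice@Example.org ", "bob@example.net"]
    submission = sender_digest_list(optin) + ["bob@example.net"]  # stray plaintext line
    complaints = [" alice@example.org", "carol@example.com"]
    return review_complaints(submission, complaints)


if __name__ == "__main__":
    verdicts, rejected = demo()
    for address, verdict in verdicts.items():
        print(address, verdict)
    print("rejected submission lines:", rejected)
```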

~~~
devicenull
There's not really anything you can do about an individual spam complaint,
aside from telling the end user and having them remove the email from their
list (aside from things that are quite obviously spam).

The problem is the 'Report Spam' button is also the 'I no longer wish to
receive this email' button to non-technical users. Just because you've
received a spam complaint, doesn't mean that it wasn't an opt-in email.

Providers never attempt to verify your email list. If you generate too many
spam complaints, you get terminated. It's not feasible for a third party to
get a copy of your mailing list, then somehow evaluate how legitimate it is.

