
Takedowns run amok? The strange Secret Service/GoDaddy assault on JotForm - evo_9
http://arstechnica.com/tech-policy/news/2012/02/secret-service-asks-for-shutdown-of-legit-website-over-user-content-godaddy-complies.ars
======
cfield
"[W]e are ready to cooperate fully [and are] ready to shutdown any form they
request and provide any information we have about the user."

Does anyone else see the irony in Jotform making this statement to the Secret
Service? Isn't this exactly what GoDaddy did to Jotform that is prompting the
outrage?

Due process has its place in a commercial context, and it seems that both Go
Daddy and Jotform might be well served to think about how to handle alleged
misbehavior by their users when they receive a request from a government
official.

~~~
bittermang
I see it, but I also see one man's answer to that age-old philosophy
question, "Would you kill one child to save the majority?"

In his eyes, his entire business was marooned with little hope of recovery due
to the limited amount of information he was working with. He was fully in
bargaining mode at that point, and if they could just identify to him what the
problem was, he would resolve it -- by any means necessary -- for the sake of
the rest of his users and revenue.

I'm not saying that makes it different, or if it's wrong or right. I am saying
I understand.

------
rdl
I think any PCI or other auditor who doesn't flag "domains registered with
GoDaddy" during an audit is doing clients a disservice, given all the bad
stuff that's happened. I'm not sure how exactly you could flag it for a
client, though.

~~~
ecaron
True, but what other registrar has publicly stated that they won't do what
GoDaddy is currently doing? Because until I can find the registrar that makes
that promise (all the alternatives I've found are just customers making that
claim on behalf of the company), this seems more like a demonstration of the
problem of all .com registrars and GoDaddy is just the biggest so they get all
the spotlight.

~~~
mbreese
You could go with a foreign registrar. I used to like gandi.net because it was
based in France, so it had to observe EU privacy laws (you'd still be subject
to the US with respect to .com domains though). However, Gandi.net now also
hosts in the US, so I don't know what that would mean. Plus, hosting in a
different country could expose you to their local laws.

~~~
dangrossman
It also subjects you to Gandi's personal code of ethics, which they require
you to agree to and may take your domain if you violate. It's a little strange
and I wouldn't register a domain for an adult site there, at least.

------
chernevik
Not sure how a site-takedown, without a court order, doesn't represent breach
of contract. If you're providing services under contract, you can't stop just
because you're afraid to ask a government official for appropriate
documentation of the authority for their request.

Nor is it clear to me how such a request doesn't represent an undue taking.
How can an official take property in such a manner without professional and/or
personal consequences?

------
tlb
_We have 2 millions user generated forms. It is not possible for us to
manually review all forms_

It's certainly possible. You could get reliable Mechanical Turk reviews of
forms for $0.03 each, so $60k total. Or you could hire people to look at 500
forms/hour (phishing forms are instantly obvious) at $15/hr, also $60k
total.

Compared to the cost of a site seizure, it might be a good investment.

~~~
jrwoodruff
Why is it everyone keeps making excuses for the Secret Service and GoDaddy? It
DOESN'T MATTER whether it was possible or even financially viable for JotForm
to review each and every form. The government shut down a legitimate business
with no warning, court order or apparent process whatsoever. This is very,
very wrong. Period.

~~~
benatkin
It matters if your goal is simply to correct a statement that was stated as if
it were a hard fact. That's all tlb seems to be doing in my reading of the
comment.

If your goal is only to figure out who's in the right I agree it doesn't
matter.

------
motoford
I'd be interested in seeing some of those graphs like we saw in December to
see if there is any spike in domains transferred away from GoDaddy.

How many times are we gonna have to hear these horror stories before we all
get moved away from GoDaddy?

~~~
drivebyacct2
Apparently a tremendous number of times... even though HN both likes to upvote
"GoDaddy ate my dog" posts and downvote "Yeah, and you're still surprised? How
many times do you have to hear it" comments.

I'm always curious, are people who downvote this in denial? Somehow downvoting
me will keep the bad things from coming true to your domains? Funny, most of
these stories also start out "I'd always heard bad things about GoDaddy,
_but_..."

------
codezero
65,000 phishing accounts shut down in the past year, and they have a total of
700,000 accounts.

Nearly 10% (and that just assumes that all the accounts were made in the last
year) of their users were using the site for phishing. That seems like a lot,
and even if they were shut down, I wonder if they weren't doing enough to
tackle misuse of their own site.

~~~
dhbanes
It seems much more likely that users creating accounts for phishing purposes
created multiple accounts. In that case, nearly 10% of accounts ≠ nearly 10%
of users.

~~~
codezero
Good point. The bad guys are tenacious.

------
there
_JotForm today moved its domains away from GoDaddy to registrars NameCheap and
Hover._

I'm glad JotForm is back up, but I'm curious how they transferred the domains
so quickly. I would have expected GoDaddy to lock the domains and prevent them
from being transferred away, either due to their own policies or because the
Secret Service ordered them to. In my experience, it's always taken at least a
few days to transfer registrars, even with an EPP code in hand and instantly
responding to confirmation emails. Was NameCheap able to pull some strings to
transfer the domains outside of the normal process?

~~~
dangrossman
> In my experience, it's always taken at least a few days to transfer
> registrars, even with an EPP code in hand and instantly responding to
> confirmation emails

It should take no more than an hour, usually less. If it's taking more than
that something's gone wrong or your registrar is manually processing what
everyone else does automatically.

I moved a couple dozen domains from GoDaddy in December... all were at their
new registrar less than an hour after I confirmed the transfers.

~~~
larrys
Exactly.

One thing for people to check when choosing a new registrar is whether they
have a way to "ack" a request to _transfer out_ (in case you want to leave at
some later date). Some registrars don't and that can mean either trying to get
customer service to do this or waiting the default period.

Note that there can also be a delay with the new registrar that you choose
putting the domain into whois as well.

------
shock3naw
I believe a key take-away from this is not to use GoDaddy as a registrar :)

------
a_a_r_o_n
I have to believe by now that the IP industry has offices in FBI and Secret
Service buildings, as "liaison."

------
ricky_rozay
I wouldn't have called whoever it was the guy in the article was quoted as
calling multiple times until she sounded irritated. Yeah, the government appears
to be at fault, but regardless this is not the time to be irritating in such a
way. Having a lawyer who is golf buddies with that lady's boss would probably
make a bigger impression, not that the JotForm guy would have known that at
the time, but nonetheless. Reminds me of the old maxim "keep your friends
close and your enemies closer." Anyway, this whole debacle is frustrating, but
hopefully it will illuminate some of the gov't's tactics to those of us who
were still in the dark.

------
Mordor
It's ironic that the blame will ultimately be laid at the US government, when
it's GoDaddy who caused the outage.

------
shingen
It strikes me that one fallout from the US Government becoming aggressive in
taking down legitimate sites (in one way or another), is that it's going to
massively drive up the cost of what services charge.

One way to deter phishing forms, for example, is to charge enough for your
service that it makes it very unlikely someone would use you for that. Jot
mentions having taken down 65,000 phishing forms in the past year; charge $10
or $20 (or whatever, enough to wipe out the issue) upfront for each of those
and that problem disappears instantly.

It's the difference between MegaUpload and DropBox fundamentally in how they
deter piracy (or don't); applied to every web service.

Most of the time, when the government gets involved, the cost of a service or
product skyrockets. They generate inflated costs either through monetization
(e.g. education costs), or through regulation & compliance nightmares.

The government might just force a transition from the so-called free web, to a
nearly all paid services web. It would form a 'cost wall' that keeps a lot of
the abuse users out.

~~~
loopdoend
If JotForm charged $10 to $20 no one would use them. A competitor with more
thoughtful plans for discouraging phishing would wipe them out. I imagine most
of these forms could be automatically detected.

~~~
Haplo
We are talking about phishing here. Don't you think they have access to a lot
of recently-phished credit cards they could use to buy the forms? They would
probably choose a free competitor most likely since that is easier to
automate and you don't need the hassle to try out the credit cards. I'm pretty
sure web hosting companies already get a lot of phishers paying for an account
with a phished credit card, though.

By the way, the scammers on dating sites use a lot of paid accounts (and pay
for them themselves most likely) considering they get a lot more money out of
it and a paid account seems more legitimate. Just to say that making something
paid does not necessarily remove all the abuse.

