
Facebook accused of trying to decloak domain owners' personal Whois info - DyslexicAtheist
https://www.theregister.com/2020/06/23/facebook_gdpr_workaround/
======
sfgweilr4f
From TFA, Facebook "... continues to claim that being a registered trademark
holder is sufficient to be granted full access to the Whois database, and that
all other routes are unduly burdensome."

So any fraudster just needs a registered trademark and they would, according
to Facebook's request, be granted full access to the database.

And no oversight, as "all other routes are unduly burdensome." That means they
DON'T want subpeonas or any kind of restriction in between like a judge who
could evaluate the request based on some kind of merit. No limits. Just a
giant straw they can use to get all that juicy data.

Facebook's request doesn't sound very good to me. Sounds great for criminals
though.

~~~
DisjointedHunt
This is a wonderful admission by Facebook. So any one of the millions of
companies who have had their copyrights or trademarks infringed by fraudulent
Chinese advertisers on Instagram and Facebook should now be given FULL access
to all advertisers personal details on Facebook including the complete
historic library of ads that have ever run on Facebook since, by their own
argument, “You don’t know who to sue until you’ve got the Whois information,”

~~~
hedora
No. They’re arguing anyone with a registered trademark should have full access
to everything, with no infringement required.

They’re also arguing a restriction to advertisers would be an undue burden.

------
notRobot
> Progress has been slow going, in large part because commercial entities
> desperately want access to the full registration data of domains – which
> includes people’s home addresses, telephone numbers and email addresses –
> and have been trying to find ways around the privacy protections.

Ouch. This is going to make it very hard for people to host content on the web
anonymously, forcing them to link their entire identity to their website. This
sucks.

~~~
hnarn
Are you really forced to enter correct personal information for all domains,
regardless of TLD and registrar?

~~~
gear54rus
I imagine your bank card payments may be somehow traced to your own identity
but don't quote me on that.

I guess some crypto options might help that.

~~~
hnarn
Surely Whois information does not include detailed information about past
payments?

~~~
koheripbal
No, but as long as a payment to a CC is going through, then the registrar
assumes you are "identified".

------
Aeolun
> That’s not the answer that’s going to work for us.

Well boo hoo hoo. You know what’s not going to work for me?

You having unrestricted access to whois details!

The gall of these companies is amazing.

~~~
texasbigdata
Like why do they even need it.

~~~
maltelandwehr
Assuming best intentions, Facebook could use this data to better identify
spammers, fake news networks, etc.

~~~
eli
That’s not what they’re saying. They claim it’s to fight phishing.

~~~
not2b
And as a side benefit, if they can decloak critical sites like
facebooksucks.whatever, they can harass enemies with expensive, frivolous
lawsuits more easily.

~~~
hedora
I wish “abuse of trademark” was more commonly applied. The way the law is
intended to work:

\- I register facebooksucks.com, and explain why.

\- Facebook sues me for trademark infringement, arguing there is a real risk
my (non-existent) customers will think I am Facebook, and buy my services
instead.

\- The judge rules that this is a frivolous lawsuit whose only purpose is to
silence free speech (not to avoid brand confusion).

\- The judge invalidates the “Facebook” trademark.

------
balladeer
I had deleted my Facebook a/c 5 years ago. I recently needed to look for
apartment for rent and that is, unfortunately, done best on Facebook where I
live unless you want to involve brokers who charge insane brokerage and show
places you'd hate instantly, so you'd end up just wasting your time.

I choose my name as "first name + initial of my last name" (iirc that was my
name in my previous/deleted a/c as well) and email and my date of birth and a
real photo of mine (very clear -- basically a mug shot). Sent friend requests
to 10-12 friends of mine and most of them accepted immediately.

Next day when I logged in I got a prompt that my account was disabled
(flagged?) and I can request a review (or it said I can reactivate) only after
adding a mobile number and I did that.

Few days later I try to login again:

"Your account has been disabled"

"You can't use Facebook because your account, or activity on it, didn't follow
our Community Standards. We have already reviewed this decision and it can't
be reversed. To learn more about the reasons why we disable accounts visit the
Community Standards."

Maybe I will try to open with another email but they may again force me to use
my mobile number and I can't keep getting new mobile numbers. While I do need
to look at those "on rent" posts.

This company really has too much power!

~~~
Red_Leaves_Flyy
Power without accountability or responsibility * _

~~~
ClumsyPilot
Well, the other day there was a thread on hackernews full of people declaring
how they dont trust democracy to deal with freedom of speech, and would rather
trust a corporation with policing it.

~~~
Red_Leaves_Flyy
Sometimes people of different opinions comment here. Some threads get bombed
with opinions from one side or the other to the exclusion of another. I
wouldn't read to much into it..

------
fortran77
I own a domain that's <some other word>book.com

It's registered via one of those "privacy" services. There's no website on it,
but I use the dns for some internet connected devices.

I keep getting requests, which I ignore, for information relayed by the
privacy service. Lately, they've morphed into offers to "buy" the domain. I
wonder if it's simply Facebook's attorneys who want to find some way to
contact me to send a "notice of trademark infringement" to me?

------
asveikau
> All they say is, ‘Go get a subpoena,’ or, ‘File a UDRP.’ That’s not the
> answer that’s going to work for us.”

If you can't find an answer that is going to work for you, many would take
that as a hint to stop it and not ask that question.

------
Havoc
That's pretty damn shady. The half-arsed attempt to dress it up as a security
matter "harvest people's login details" makes it even worse.

~~~
Shared404
Won't somebody think of the -c-h-i-l-d-r-e-n- Security(tm).

------
gruez
Are they seeking to get the customer details that the registrar has on file,
or just the whois data? If it's the latter, aren't you protected if you use a
whois privacy service? In that case it's just going to be a shell company in
panama or something.

~~~
searchableguy
They are not just going after phishing sites but sites criticizing and
protesting Facebook and it's other social media apps. There's a good chance
it's a normal person behind those sites.

See: [https://www.theverge.com/2020/6/15/21291666/ebay-
employees-a...](https://www.theverge.com/2020/6/15/21291666/ebay-employees-
arrested-journalist-harassment)

Why does anyone think this won't happen to normal site owners?

~~~
Qub3d
I mean, normal site owners often get this service through their registrar for
free nowadays. I run one of my project sites,
[https://dotbun.com](https://dotbun.com), through google domains, and they
just obfuscate your details as part of the purchase unless you opt out.

Take a look at my domain's whois info:
[https://www.whois.com/whois/dotbun.com](https://www.whois.com/whois/dotbun.com)

You will see that the name and org. aren't just redacted; they are in care of
a company called "Contact Privacy Inc."

There's nothing for ICANN to unmask for FB in this case. They'd have to go to
the company, and given that said company's entire business model is privacy, I
would expect it to be a much more difficult argument.

Now, let me be clear that I don't like Facebook's actions here one bit. I just
suspect it may be less of an issue that some people think.

------
afrcnc
wow....Namecheap, a company that makes a ton of money by selling services to
crooks and fraudsters, sure likes to spin a tall tale

no... facebook is not requesting that.... facebook sued namecheap last month
in an attempt to unmask domains used by both fraudsters and nso group, yet
namecheap is protecting those details cause it knows once it folds, all its
(not-so-legal) customers will move shop, so it's now inveted this bs about
facebook trying to break gdpr

~~~
slenk
Why should Namecheap give up the name of its customers?

~~~
afrcnc
if their customers are breaking the law, then WHY NOT!

you're aiding and abetting at that point

------
creativecupcak3
Why are people surprised when facebook is caught doing sketchy stuff? Like I’m
glad the media is covering it, but whatever.

~~~
annadane
I am getting very tired of "why are people surprised"

 _I_ am certainly surprised when FB does something evil because their CEO
continually preaches the importance of privacy, so shame on me I guess for
taking him at his word

------
kgwxd
Off topic, I was given the option to "allow" "premium adverts", supposedly,
non-tracking. But they come from a different site (ithinkthereforeiam.net) and
therefore, it's a 3rd-party tracker. I'm fine with self hosted ads, but this
is no different than the usual junk.

Is there something about ithinkthereforeiam.net that's keeping them off ad
blocker lists, and is there some reason The Register felt the need to ask me
before showing what they clearly could have shown without the prompt?

------
holidayacct
This has never been difficult to achieve, why is this a big deal? Privacy
never existed in the first place. People have been able to eavesdrop on homes
by targeting pretty much anything containing metal coils (including
appliances) with advanced HAM radio equipment since the early 1970s. We need
to stop pretending there is such a thing as privacy and start actually looking
at where scientific progress is at right now. If you actually get a basic
grasp of physics, radio theory and electrical engineering you're going to find
out exactly how little privacy we have.

~~~
cjslep
We can skip the formalities then!

Please state your full legal name, date of birth, current address of
residence, bank account numbers, credit card numbers, email addresses,
passwords, your favorite type of pornography, and your mother's maiden name.

Thanks in advance!

~~~
holidayacct
Just because there is no privacy does not mean we should give away our privacy
easily.

~~~
Qub3d
If you have no privacy, what is there to give away? You can't have both!

------
RNCTX
Well, well. It's harder and harder every day to argue with the legal opinion
offered by former SCOTUS justice Kennedy, which seemed hilariously corrupt at
the time, that corporations are effectively people.

A defining trait of an awful lot of people is that they accuse what they're
guilty of.

In this case, Facebook accusing other websites of trademark violations is the
very definition of hypocrisy. Facebook in particular, but Twitter as well, are
absolutely littered with t-shirt vendors selling other people's logos and
brand names, logarithmically generated with ad data.

If you fill out your movies, music, and books "likes" as they tell you to do,
within 2 days tops you'll be able to buy a Pink Floyd t-shirt from virtually
anyone on the planet... except Roger Waters or David Gilmour.

The fact that Facebook refuses all search indexes makes policing Facebook's
infringement on the copyrights of others impossible. At least with Napster any
musician could log in and see how many users were giving their content away
for free. Not so on Facebook, you can't ever know how many pirated logos of
yours that Facebook sold.

~~~
CSMastermind
> Well, well. It's harder and harder every day to argue with the legal opinion
> offered by former SCOTUS justice Kennedy, which seemed hilariously corrupt
> at the time, that corporations are effectively people.

I hate this meme. That's not what the decision said.

First "corporate personhood" means that corporations are allowed to sue and be
sued like they were individuals. Along with being taxed and regulated.

Citizens United, the decision you are referencing did not involve this
concept.

Rather it said that the rights of individuals to free speech is not diminished
if they act collectively as opposed to individually.

If I'm allowed to say, "RNCTX doesn't understand the issue" and so is my
friend, then us saying it together doesn't make it illegal because we acted in
coordination.

Likewise if I'm allowed to purchase a billboard that says it and so is my
friend then there should be no issue with us pooling our money to purchase one
together.

And that's what Citizens United said. Corporations are one such mechanism
through which we could pool our money to purchase that advertisement but
others such as unions, non-profits, and all other forms of collective groups
are covered.

It's actually a very common sense extension of the first amendment.

~~~
fennecfoxen
Corporations are "people" because their owners are people and people get to
work together and corporations are how they work together.

Corporations are allowed free speech because their owners are allowed free
speech as a group; the corporation is the tool for organizing it. Corporations
are not allowed to vote, because people are not allowed to vote as a group.

This is not new. This is not Kennedy's fault. This has been the case since the
beginning of the United States, and it has been Supreme Court precedent since
1819, when the New Hampshire Legislature said they could take over a private
university because it was a corporation, and therefore had no rights, and they
could take its property and change its rules at will, ant the court said No.
(Dartmouth College v. Woodward)

If corporations were not treated as people and not afforded civil rights, it
would be legal for the government to censor newspapers at will because they
have no First Amendment rights (News Corp, NY Times, etc are corporations). It
would be legal for the President to order a warrantless search of the DNC
headquarters, for the DNC is a corporation, and the Fourth Amendment would not
apply. It would be legal to impose a trillion dollar fine on Planned
Parenthood, a corporation, for any minor paperwork infraction, for the Eighth
Amendment prohibition on excessive fines would not apply. It would be legal
for the government to sue them for this infraction without a jury, for the
Seventh Amendment would not apply.

~~~
phone8675309
> because people are not allowed to vote as a group

I see you've never been an observer for a New York City or Chicago election.

------
cynusx
I actually agree with Facebook on this one, domain owners should have legal
personalities.

That said, it shouldn't necessarily include their email, phone and address.
Just the legal owner name (company or person) would be sufficient.

~~~
fxtentacle
If the article is correct in that Facebook is requesting this data for domains
that look alike to Facebook and/or do Phishing, then I very much believe they
should receive the data necessary to go to court.

Just because Facebook is highly unsympathetic, doesn't mean that all their
initiatives are evil.

And shady websides hiding behind third party privacy providers to avoid legal
responsibility for their illegal content is sadly something that I've had to
deal with myself in the past.

~~~
amaccuish
Then facebook can do that through the official means by submitting requests.
They want to skip that process. I'd prefer their requests to be vetted before
personal information is divulged. That way there is oversight.

We've already seen with the DMCA what happens when you give free-reign to
companies in this area.

~~~
jsnell
What process would that be? Genuine question, since the only process that the
article mentioned apparently was only meant for law enforcement and
registrars.

In particular, in the linked to lawsuit there's example sites that Facebook
requested details for from Namecheap, and Namecheap chose not to give out the
information. Many of them were 100% obvious phishing sites [0]. Clearly no
option where the registrar gets to decide when to reveal information about the
owner would work.

[0] E.g. facebo0k-login.com, facebokloginpage.site, faceboookmail.online

~~~
waon
If you're genuinely confused, you really should get yourself informed on the
concept of an independent court operating under the rule of law, and how it's
implemented in our current systems. There are well-established legal
procedures for requesting information on other parties that doesn't involve
megacorps deciding to do whatever they please.

~~~
jsnell
The phrasing that amaccuish used was "submitting requests". At least I've
never heard filing a lawsuit be called "submitting a request", so the
implication seemed to be that there was in fact some other process that was
supposed to be followed.

