EasyDNS threatened with criminal complaint if client data not disclosed (easydns.com)
273 points by StuntPope 9 months ago | 184 comments



I've been harassed by law firms in connection with photograph copyright claims.

In my case it was a law firm in France who also had a presence in the US.

It was a minor claim (they demanded $500). We took the image down immediately, but they continued to demand their cash "settlement" with multiple letters over a year (1 letter every 1-2 months, each one with increasingly aggressive wording).

I eventually got on the phone with the person sending the letters, and turns out they weren't licensed to practice law (in any jurisdiction). I pointed out that it's illegal to misrepresent yourself as an attorney. They hung up and I never received another letter after that.

Good on EasyDNS for refusing to turn over customer data. If they did, I assume their customer would be harassed in a similar manner.


I received a legal "threat" via ... LinkedIn.

I had a situation where some competing company didn't like that my employer had one page where we compared competitors' products and used their logo (and others) on a simple comparison page. The usage was well within US law.

LinkedIn was a strange route as the company has been at the same mailing address forever, there are obvious email contact addresses available to find and so forth.

The message was vague enough to sound like it was from a lawyer, and even in a roundabout way seemed to try to create the misunderstanding that I personally would be in trouble of some sort if I didn't take down the image and any mention of their company... but without actually saying that.

I suspect by directly contacting a webdev they hoped I'd take it down without thinking and just move on.

I didn't respond, just forwarded it to the folks in charge who engaged a lawyer who responded with a letter telling them to go away. Never heard back from them.

I looked up the person who contacted me later, they were some PR drone, no legal background... just vague statements that sounded like legal threats.


LinkedIn is commonly used by debt collectors and "private investigators" to track down and harass people. The default privacy settings and even the most vigilant privacy settings allow for paid accounts to track people down.


I do photography as a hobby. When I reach the point where I wish to complain about unauthorized use of copyright images I do not want "credit", or images to be removed, I want damages. For some reason people think credit is sufficient to excuse bad behaviour, and removing images after they've profited from them with no additional recourse is fine.

It rarely comes to the point of making a claim, just when people blatantly copy images and pretend to have authored them, or when companies are printing them and selling them on media, t-shirts, etc.

But generally the process is pretty smooth from a "complaining" side. Certainly by the point a first letter has been issued without any reaction the next step is to give up, or start complaining "upstream", or via other media/mediums.


That is a fair point. Do you know what the law says if the assets were supplied by a third party, or were purchased from one of those stock image sites?


It doesn't matter, the person or company publishing the work is ultimately liable for any infringement. If the company lost a lawsuit for infringement they may be able to pursue whoever they licensed the images from.


Basic company idea.

0) Purchase office in East Texas.

1) Hire a few young lawyers (having difficulty finding work),

2) scan for companies that have 1 round of series A funding,

3) scan their website for any off domain image,

4) scan their website for any SMS sending,

5) if anything is found - send scary overnight letters demanding 4-5k

The worst thing that you can do to THIS business idea is to take the letter and throw it into the trash. Make them show up in court in East Texas.


Oh this has been a thing for quite a while now

https://www.theinquirer.net/inquirer/news/3073117/man-pleads...

Though probably not to the level of detail that you've suggested


Can you elaborate on the SMS sending?


It is a TCPA violation to SMS message people without first getting their permission. Fines are approximately $1500 per text.


Company doesn't show up...good luck collecting.


6) End up on the receiving end of RICO charges.


EasyDNS's Plain English Terms of Service make them seem like a really unprofessional company:

>We are NOT a DDoS Mitigation Service. [...] If you come on this system knowingly bringing a DDoS on your heels we shut down service (we may also wildcard your DNS to localhost and set the TTL on your zone out to a year. You’ve been warned).

or

>Guilt-by-Association: not only do we terminate any domains or websites which violate our policies, we ferret out every other domain you have on the system under different names, accounts, etc and we terminate those too (don’t worry, we can tell). There is no appeal.

I'm not looking for a DNS provider, because I'm perfectly happy with my current one, but sheesh.


It's unprofessional to let prospective customers know that EasyDNS is not a company that specializes in handling DDOS, so just keep looking for a company that can help you out? Seems refreshingly honest to me. And as a customer of theirs, I appreciate that they're looking to protect the infrastructure that I rely upon.

Regarding that second part; if you do any kind of online service provision like EasyDNS, you'll quickly realize that the scammers are legion. EasyDNS is giving fair warning to anyone who thinks that they can just burn domain after domain on spamming or other disreputable ventures. EasyDNS won't allow its infrastructure to participate in scams.

These guys are extraordinarily ethical and professional.


> we may also wildcard your DNS to localhost and set the TTL on your zone out to a year. You’ve been warned

No, this is simply indefensible. There's simply no way you could ever excuse this.

Suspending a customer domain is OK, this is not.


I read it as tongue in cheek (to emphasize DO NOT DROP YOUR ACTIVE DDOS ON OUR SERVERS) and not something they actually would execute. Has anyone ever seen them do anything like this?


You are much braver than me. I do not dare read a contract (or the explanation of one) as tongue in cheek.


If it's a joke, or sarcastic, why is it in a document labeled "Plain English Terms of Service?" For that matter, why follow it up with "You've been warned?"

>Has anyone ever seen them do anything like this?

No, I've never seen them do this. But at the same time, I'm not going to give them the opportunity.


A threat is only as good as your willingness to execute it. If they don't actually intend to, the threat is meaningless.


Agree - they can't roll back something like this if they get it wrong...


It sounds like they are doing society a favor.


Deciding who they do and don't want to do business with is fine. It's not their job to protect vulnerable domains. Actively sabotaging someone so they can't take their business elsewhere is not OK -- especially when their offense boils down to, "we didn't tell you that someone else was attacking us." That's not doing anyone any favors except attackers.

Bear in mind, the context here is not domains doing something awful or spamming people or mounting your own attacks. It's "somebody's attacking you, and we think that you suspected they would".


By going after DDoS victims? Care to explain further?


I think it depends on what you did. If you did something crazy like run a DDoS C&C layer off your subdomains then it would make perfect sense for them to respond like this.

As others said every service reserves the right to do things like this, they just typically phrase differently. To quote GoDaddy:

> You acknowledge and agree that GoDaddy and registry reserve the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on lock, hold or similar status, as either deems necessary, in the unlimited and sole discretion of either GoDaddy or the registry: .. snip .. (ii) to protect the integrity and stability of, and correct mistakes made by, any domain name registry or registrar,

Emphasis mine and a bit snipped out since this is already long. This says if it affects their stability they can transfer your registration as they see fit. It doesn't include any protections on when you can change the domain or what they can change it to meaning blackholing you into localhost for a year is fine.


Come on. They made this threat in a very specific context, it has nothing to do with abusive activity like running a DDoS C&C.

>As others said every service reserves the right to do things like this, they just typically phrase differently. To quote GoDaddy:

Suspending a domain is standard practice, sabotaging one by setting long EOLs is not. It is dishonest to suggest that these are similar.


>These guys are extraordinarily [...] professional.

I think part of OP's complaint is they are not coming across as professional. It is entirely reasonable to take those stances but their tact is way off and definitely portrays their company in an unprofessional manner.

They might be good at what they do, I wouldn't know personally, but they come off as edgy/abrasive/unprofessional and those two quotes alone would have me second guessing if I wanted to work with people who communicate in that manner.


The only difference between them and others is that they're plain in their language rather than obfuscating it behind lawyer speak. All providers have similar provisions hidden in their TOS, it's just buried behind layers of legalese and addendums. Personally although it might not look "professional" I wish more companies would use plain language that states what they actually mean plainly without forcing you to hire a lawyer to go through the TOS with a fine tooth comb.


There's plenty of room for technical writing between the colloquialism-riddled, informal mess that that is and legalese.


If you use that sort of rude plain language, and make a mistake, good luck.


People have such a strange idea of "professionalism". It's about your principles and what you do, not the semantics and aesthetics.


"What you do?" You mean like breaking a customer's domain name for the next year if EasyDNS thinks they brought a DoS attack "on their heels?"


I take professionalism to mean you know your craft. Like for example setting the TTL on a DNS server to a year won't cause downstream services to cache the record for a year but instead something on the order of a few hours to a few days in practice.

To quote RFC 2181: "Implementations are always free to place an upper bound on any TTL received, and treat any larger values as if they were that upper bound. The TTL specifies a maximum time to live, not a mandatory time to live."


Professionalism, at least to me, implies both competence and tact. It's nice knowing that they're capable of offering services but it's also nice knowing that if/when things go wrong whether by my own mistake or not, I will be treated respectfully. What those quotes of their ToS tell me is that they're willing to belittle clients on their perceived take on events.

The short explanation is that if shit goes wrong I don't want to deal with people who figure communication among clients should be handled that way.


There's nothing professional about the general tone of that document, and especially the threat others have mentioned.

This reads like the TOS for making an account on someone's phpBB forum, not a real service that should be handling anything important.


I'm more opposed to the term "Guilty by association" than by what they actually mean and intend to do.


Let me just further highlight this specific part:

>we may also wildcard your DNS to localhost and set the TTL on your zone out to a year. You’ve been warned

Maliciously tampering with customer DNS configs to DoS them for extended periods? Fucking incredible.


And I'd be surprised if it couldn't lead to a successful legal claim against them for damages.


Wait, you want to expose your shady spam operation so you can claim damages? Tell me how that works out for you.


Where exactly does the quoted text mention shady spam operations? It's about DDoS victims, not cybercriminals.

>We are NOT a DDoS Mitigation Service. Yes, we have a lot of DDoS mitigation in place. No, this isn’t here so that you can get cheap DDoS mitigation. You cannot use any services here if you are, have been or think you may be the direct target of a DDoS attack. Contact us instead for a referral to a real DDoS mitigation company. If you come on this system knowingly bringing a DDoS on your heels we shut down service (we may also wildcard your DNS to localhost and set the TTL on your zone out to a year. You’ve been warned).


> If you come on this system knowingly bringing a DDoS on your heels


So hosting a Minecraft server? Or a game server of any kind? An IRC server? An internet forum? An email provider?

All things notorious for attracting DDoS attacks.


What motivates a DDoS attacker? Are they all just wannabe vigilantes seeking to right some perceived wrong (such as being banned from a club, opposing political views, etc)? Is there ever a clear economic motive?


Yes, most are wannabe vigilantes.

Sometimes ransom but CloudFlare has kind of killed that line of business.


Correct me if I am wrong, but a TTL is specific to nameservers. So if you switch from easyDNS to say cloudflare your TTLs get completely reset and the caching does as well.


In theory, maybe? But if the TTL is 1 year, why would my caching resolver try to find the new nameservers?

Also, there's a long tail of totally garbage behavior in the DNS space. At my last job, as part of moving our domains off of Dyn/Oracle, we delegated the domains to our self hosting via the domain registry, and changed the NS records at Dyn to point only at our self hosting, but we were still seeing a steady trickle of traffic to Dyn after 30 days.


Firstly, in practice this would be very unlikely to affect a domain for an extended period of time, none of the big providers really treat TTLs like that. It's the mere spirit of the thing that counts.

However, I don't see why changing your nameservers would help if your resolver was always hitting a cache entry with a 1yr TTL.


It would change the Authoritative server's TTL but it wouldn't necessarily propagate to caching DNS servers.
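The point raised in this sub-thread and in the RFC 2181 quote further up, as an added example that is not part of the original discussion: a small Python model of a caching resolver that clamps received TTLs, showing how long a cached `127.0.0.1` answer with a one-year TTL survives after the zone moves to another provider. The class names, the hostname and the addresses are constructed; the model assumes the resolver reaches the new provider as soon as its cached answer expires and ignores cached NS/delegation records and client-side caches.

```python
"""Constructed simulation (not real DNS traffic): a caching resolver that
clamps received TTLs, fed a 127.0.0.1 answer published with a one-year TTL."""

YEAR = 365 * 24 * 3600
RFC2181_MAX_TTL = 2**31 - 1   # RFC 2181 section 8: TTL is a 31-bit value
UNBOUND_DEFAULT_CAP = 86400   # Unbound cache-max-ttl default (1 day)
BIND_DEFAULT_CAP = 604800     # BIND max-cache-ttl default (1 week)


class Authoritative:
    """Hypothetical stand-in for the provider currently serving the zone."""

    def __init__(self, value, ttl):
        self.value, self.ttl = value, ttl

    def query(self, name):
        return self.value, self.ttl


class CachingResolver:
    """Minimal cache keyed by name; max_cache_ttl is the operator's cap."""

    def __init__(self, max_cache_ttl):
        self.max_cache_ttl = max_cache_ttl
        self.cache = {}            # name -> (value, expires_at)
        self.upstream_queries = 0

    def effective_ttl(self, ttl):
        # RFC 2181 section 8: a TTL with the most significant bit set
        # is treated as zero, so the answer is not cached at all.
        if ttl < 0 or ttl > RFC2181_MAX_TTL:
            return 0
        # The received TTL is a maximum; the resolver may apply a lower bound.
        return min(ttl, self.max_cache_ttl)

    def resolve(self, name, authoritative, now):
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            return entry[0]        # cache hit: upstream is never consulted
        value, ttl = authoritative.query(name)
        self.upstream_queries += 1
        ttl = self.effective_ttl(ttl)
        if ttl > 0:
            self.cache[name] = (value, now + ttl)
        else:
            self.cache.pop(name, None)
        return value


def seconds_until_recovery(max_cache_ttl, poll_every=3600):
    """Seconds until a client of this resolver first sees the new answer.

    At t=0 the resolver caches the old provider's record; immediately
    afterwards the zone is served by the new provider with a sane TTL.
    """
    name = "www.example.test"                     # constructed name
    old = Authoritative("127.0.0.1", YEAR)        # the long-TTL localhost answer
    new = Authoritative("192.0.2.10", 300)        # constructed replacement
    resolver = CachingResolver(max_cache_ttl)
    resolver.resolve(name, old, now=0)            # poisoned entry enters cache
    now = 0
    while True:
        now += poll_every
        if resolver.resolve(name, new, now) == "192.0.2.10":
            return now


if __name__ == "__main__":
    for label, cap in [("1-day cap (Unbound default)", UNBOUND_DEFAULT_CAP),
                       ("1-week cap (BIND default)", BIND_DEFAULT_CAP),
                       ("no effective cap", YEAR)]:
        hours = seconds_until_recovery(cap) // 3600
        print(f"{label}: stale answer served for {hours} hours")
```

Operators who want to bound their own exposure to over-long TTLs can check the cap their resolver actually applies rather than relying on the published value.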


Agree it's an overkill solution -

but, devil's advocate, maybe it's just there to scare off potential spammers/scammers?

Having worked at an ISP in security/spam/abuse, these people are a huge drain on resources.


Speaking as a consumer, I'm kind of tired of companies giving themselves enormous amounts of power and then saying, "don't worry, we won't use it."

That's not a professional relationship to me. And I would hazard a guess that if I tried to contract with EasyDNS and added clauses that gave myself similar amounts of power over them, they wouldn't be as trusting of me.

The point of a legal document is to set explicit boundaries, not to set a "tone" to the relationship or scare off scammers. Setting tone is what your FAQ is for.


>but, devil's advocate, maybe it's just there to scare off potential spammers/scammers?

Why are you engaging in these bizarre mental gymnastics to defend this? The threat is made in a context strictly unrelated to spammers/scammers.


It doesn't matter because it also scares off everyone else also wanting to do business with them.


I think if every company wrote a "plain english terms of service" in the same vein of brutal honesty as this one, most of them would come off as pretty unprofessional.

> "We will terminate your account for any reason at all. We'll terminate it if it's associated with another account that's been terminated. Often, there won't be a reason; our systems just autonomously decided that your account had to go. None of that matters to us. We don't care, because this is just a side-project to us. We have no customer support. There are no humans you can call. There is no appeal process." - Google Play

Maybe Professionalism is a series of lies and obfuscations we tell one-another to hide our true intentions and actions. But, maybe, we should strive to be more open and honest; even if it's harder to hear.


Having been in that business: Web hosting companies receive a TON of abuse.

Some of them specialize in dealing with large DDoS attacks, unpopular/illegal/shady content, but most don't and want to spend their time on their product instead.

Scammers typically open tons of similar accounts, register expensive phishing domains and host phishing pages on your network, and guilt-by-association is how you clean it up.

Most of the things in their ToS are very common with any professional hosting company who is fed up with scammers, they just don't tell you about it like that.

Their ToS, while I would never use them for my own company, made me laugh because I felt the pain.


>Most of the things in their ToS are very common with any professional hosting company who is fed up with scammers, they just don't tell you about it like that.

Yeah, maybe if you primarily deal with lowendtalk hosts operated by 12yo kids. Actual professional hosting companies would never even consider this stuff.


Screening domain registrations for abuse, removing sybil accounts (i.e. "guilt by association"), cooperating with authorities, terminating the contract for DDoS attacks they can't handle and shutting down Nazi pages is something the vast majority of professional hosting companies will do.

Of course, if it's a purely B2B hosting company of the "Talk to our sales department and sign a contract" variety, it's less of an issue, but even they have to deal with spammers and fake company registrations who really want those clean IP blocks and will have clauses in their ToS that allows them to terminate the contract immediately.

In fact, the only providers who do not do this are the cheap low-end hosts who don't care about their IP and ASN reputation.


>we may also wildcard your DNS to localhost and set the TTL on your zone out to a year. You’ve been warned

Go ahead, name some "professional" hosting companies with similar practices.


With how tongue-in-cheek the whole document is, this is clearly a joke to emphasize their point (which, I agree, has no place in a legal document, no matter how plain). My point is that everything else in the document is pretty much industry standard, except that others are less...direct about it.

https://easydns.com/terms-of-service


>My point is that everything else in the document is pretty much industry standard

Is it really surprising that a hosting industry company is similar to the other companies doing exactly the same thing? I feel like this is always going to be the case.

It's specifically the weird stuff in this document that makes them stand out from the crowd.


People complain about the incomprehensible legalese in terms of service all the time. Here you are complaining about a lack of legalese. Shows you why people just stick with the unreadable nonsense.


No, they're complaining about the abrasiveness of the terms of service.


Personally I'll take a blunt 'no, we won't tolerate this' over a load of hot air. Get to the point and let's move on. This gets my approval.


You approve of maliciously tampering with customer configs to punish them?

I get suspending someone, I don't get "we may also wildcard your DNS to localhost and set the TTL on your zone out to a year"


Many platforms (e.g. Amazon, Google) will block your account without warning and any new ones you create trying to get back into their platform, and defend their behaviour with generic 'violation of T&Cs' statements to kick you off their platforms permanently. I'm not condoning this behaviour, but at least EasyDNS spell this out plainly. And since DNS is their core product, the mechanism makes sense.


How could you possibly compare that to

> we may also wildcard your DNS to localhost and set the TTL on your zone out to a year

This is going way beyond suspending a customer, this is an active attack by EasyDNS.


It does indeed go beyond a suspension, it's a ban, and that's why I equate it to Amazon and Google blocking any new accounts - they are banning you from their platform, arguably for life. At least EasyDNS offer it to be 12 months.

I'm no DNS expert, but AFAIK, you can transfer the zone to another provider (one that you don't violate the T&Cs with) and from there you could conceivably regain control over the domain.


You completely misunderstand, this is strictly different from a ban. This is like DDoSing someone after you banned them.

The TTL tells DNS resolvers to cache the "localhost" result for 1 year, it's specifically an attempt to prevent you from regaining control over the domain at another provider.


Okay, fair point. I can only assume they would only do this for persistent and malicious violation of the rules; it's a pretty good incentive not to do anything nasty with them if they can lock you globally out of your zone for a year. In fairness, so could any other provider if they so chose. As a registrar, I can guess the amount of abuse they have to deal with (spam domains, illegal content etc.) is high enough that they're pretty tired of dealing with it, so they take the Roosevelt approach:

Speak softly, and carry a big stick.

Again, I don't agree with this approach personally if it affected me, but I do understand it from a business POV. Letting the customer know in advance that they do have this power will weed out the ones who are most likely to fall into it.


> I can only assume they would only do this for persistent and malicious violation of the rules

No, they specifically state this in a context which does not leave room for such an interpretation.

>We are NOT a DDoS Mitigation Service. Yes, we have a lot of DDoS mitigation in place. No, this isn’t here so that you can get cheap DDoS mitigation. You cannot use any services here if you are, have been or think you may be the direct target of a DDoS attack. Contact us instead for a referral to a real DDoS mitigation company. If you come on this system knowingly bringing a DDoS on your heels we shut down service (we may also wildcard your DNS to localhost and set the TTL on your zone out to a year. You’ve been warned).

>it's a pretty good incentive not to do anything nasty with them if they can lock you globally out of your zone for a year.

Sure, like violence is a good incentive too. Both of these are likely to be illegal.

>In fairness, so could any other provider if they so chose.

So fucking what, the whole point is that nobody else would do this.


I'm guessing they have had to deal with DDoS attacks a lot, and as a sysadmin I can sympathise with their frustrations - it doesn't just affect the person fleeing to them, it affects their entire hosting platform, their other customers, and ultimately them getting paid for hosting those other customers. They're probably sick of it, which explains the drastic action. I can understand why they would threaten this if they've had to ride through multiple attacks, especially if it appears someone under fire is using them for 'cheap DDoS mitigation' when it's specifically a service they don't offer.


> Here you are complaining about a lack of legalese.

Sounds like the parent was complaining about a lack of professionalism, not about a lack of legalese. Punishing clients with unusual things like changing the zone and adding a 365day TTL is just plain unprofessional. Wrapping it in lawyer talk wouldn't change that.


I quite like the NearlyFreeSpeech.NET terms of service: https://www.nearlyfreespeech.net/about/terms


> seem like a really unprofessional company

Ah, "unprofessional". An adjective that can be tacked on to anything in a business setting, meaning "something I don't like but can't quite articulate why, only that's different to what I'm used to".


I feel like "unethical" better describes the practices described in the document, "unprofessional" is really selling it short.


On the one hand, I agree. On the other, it's refreshing to see the terms actually spelled out. Often you have similar things described in a very dry almost inconspicuous way.


The letter mentions the client's name as Mr. Niemela, upon some Googling you can see that he sued Google and some other companies to remove his online presence and some news about him. So it looks like it's just usual practice for him & his law firm.

(This info wasn't redacted so I assume it's safe to mention it here)


easyDNS here.

I don't think that this is the same Niemela. The material covered in this issue is just a plain vanilla image, not of a person.


Streisand effect in full force with this one.


> (This info wasn't redacted so I assume it's safe to mention it here)

By redacted, I assume you're referring to the EU right to be forgotten? Surely that's not so broad as to forbid the mention of information suppressed by it? The BBC even publishes lists of articles removed from Google via that right: https://www.bbc.com/news/technology-29658085


I meant the letter published on the article link shows the client's name, without any redaction even though some other info is redacted. That's why I assumed it's safe to mention client's name here.


Attorney here! (Not legal advice, consult a licensed attorney in your jurisdiction.)

Don't get me wrong, but easyDNS may be jumping hastily to conclusions. In many countries, soliciting business there makes you subject to its jurisdiction and laws, regardless of where your business is based.

I don't know German law, but I hope that easyDNS consulted their own attorneys on the subject before publishing this post, or they could potentially end up quite embarrassed.


So any DNS registrar that registers sites accessible in Saudi Arabia is subject to its blasphemy laws?

Without any presence in foreign countries, the most the foreign country can do is block the offending website or infrastructure provider. I guess they could also request extradition, but most countries only extradite citizens if what they did was also illegal in the home country.


"Make accessible"? That, alone, is probably insufficient. But if you advertise there or otherwise target its nationals, then it is much more likely.

Enforcement is, of course, a separate matter. The country may not be able to reach you without some sort of agreement with your home country; but if you ever visit a country with which it does have an agreement, you could find yourself taken away to answer to the law.


> So any DNS registrar that registers sites accessible in Saudi Arabia is subject to its blasphemy laws?

Well, yes, kinda. But the Saudis will not be successful in extraditing you, most likely. However they can still block your services, and Allah help you if you decide to travel there after you've been found guilty of violating their laws.

Then again, not as bad as the US is on and about... Just ask Mr Dotcom...


Ask Hew Raymond Griffiths too. Given to USA on a silver platter by Australia despite not making any profit.


Nope. The USA is extraditing Kim Dotcom from New Zealand because he (allegedly) broke US laws. Note that he did not break any NZ laws.

Assange and Wikileaks is similar - Assange is an Australian citizen in the UK, but is being extradited to the US for breaking US law via a website. He is not being charged with any offences (to do with this) in either the UK or Australia.

If your website blasphemes and can be reached from Saudi, then the relevant authorities there could push for you to be extradited to face charges in Saudi (if your country and Saudi have an extradition treaty). It doesn't happen, but that doesn't mean it couldn't happen.


Well no. There was one case where the USA couldn't reach a company in another country, so the next time an employee came on holiday to the USA, he was thrown in jail. Don't remember the details, unfortunately.



DeBeers (the diamond company), perhaps?


easyDNS here.

1) We do not advertise in Germany.

2) Our client is not German.


Do you have other clients who are in Germany?

It appears that you do act as a registrar for .DE domains. At least, entering "ascascdasdcascascascasdcasdc.de" on the search on the front page at https://easydns.com/ offers to register it for me. It's purely a guess on my part, but I'd expect that most people who purchase .DE domains are in Germany, so if you've actually sold a few .DE domains you probably have some German customers.

That might not be enough to open you up to having to worry about German law...but it is enough that I would not dismiss that possibility out of hand.

PS: your site seems partly broken. I first tried to check for .DE on this page: https://easydns.com/domains/register/

Entering "ascascdasdcascascascasdcasdc.de" on the search there does nothing for me in Firefox. I had uBlock Origin on, so turned it off. Still nothing. Then I switched to Chrome, using a profile with no relevant extensions, and still nothing.

So instead I just went to the list below that lists all the TLDs you handle, and went through to find DE. That has a "Special Requirements" link, which doesn't do anything for me in either Firefox or Chrome.

PPS: in Firefox's console, it shows these messages for that page that isn't working right:

'Loading failed for the <script> with source “https://matomo.int.easydns.net/piwik.js”." at register:1:1

'unreachable code after return statement' at signup.js:15:1


Thanks - going to have that looked at. Wrt whether we are subject to German law, we have written about this at length in the past. Our position is absent a treaty that codifies reciprocity, it is impossible for an ISP to comply with various and sundry foreign jurisdiction laws.

We comply with the laws of the country in which we are domiciled, which is Canada.


In fact, to be able to offer .de domains as registrar, you have to join DENIC, and .de domains can only be owned by a legal German person, and always have to have an actual German person as representative.

To me this looks like German law definitely applies to them.


> In fact, to be able to offer .de domains as registrar, you have to join DENIC, and .de domains can only be owned by a legal German person, and always have to have an actual German person as representative.

Most companies offering .de domains do so as resellers, they don't need to be members of DENIC. Also, .de domains can be owned by people and entities outside of Germany, but require either the domain owner or the adminc to be in Germany. Most international registrars offer a service to provide a local adminc.


A German court might still find that in order to stop a copyright infringement, since they have no means to order you directly, they might order German ISPs instead to black out EasyDNS. Tho, in practice, they'd probably just order to black out the particular domain in question.


You offer .de domains. Customers buying .de domains have to be, necessarily, German, so you’re necessarily advertising to German customers.


> Customers buying .de domains have to be, necessarily, German

According to DENIC's TOS, the domain owner doesn't have to be German (as long as they appoint a Germany-based representative for receiving official and court correspondence, but that's not easyDNS' concern).


It’s hard to argue that you don’t cater to the German market if you market a product that explicitly requires a German representative.


The product sold by EasyDNS is not targeted at the German market, it's targeted at people who (often, not always¹) want to offer their products (or information, or something else) to Germans.

¹ some just want some domain hack that ends in "de". I have a .es domain, despite having no intention of targeting the Spanish market, just because the name of the site ended in "es".


There are 16'254'421 .de domains. Only 1'225'965 are owned by non-German people or institutions. That’s about 7%.

It’s quite hard to argue they’re not catering for the German market if they sell a product with 93% German customers, specific for the German market.


You might like to update your blog post with that info.

I came here with the same thought, assuming that your client was German. But it seems you are just a third party, and good luck to them.


Is there any indication that they solicited business in Germany? And how, in practice, could they enforce that if this Canadian entity has not broken any Canadian law and Canada as such has no impetus to enforce German law?


> And how, in practice, could they enforce that if this Canadian entity has not broken any Canadian law and Canada as such has no impetus to enforce German law?

Many countries have signed treaties that provide for enforcement process for judgments rendered in another signatory. It's in the spirit of reciprocity. If Canada wants to be able to reach a German national, Germany will insist on a reciprocal arrangement to reach a Canadian national. (I don't know whether they have such an agreement, but such agreements are common.)

Contrary to what a lot of HNers may believe, judicial and procedural boundaries aren't necessarily coextensive with national borders.


IANAL, however I have been led to believe that those reciprocity agreements usually include some statement along the lines that said infraction needs to be prosecutable locally. Countries usually don't extradite their citizens for things that aren't considered a crime in their jurisdiction.


There are multiple treaties at play here, at the very least, like the Berne Convention and subsequent treaties about copyrights, and the Mutual Legal Assistance Treaty between Canada and Germany: https://www.treaty-accord.gc.ca/text-texte.aspx?id=104860

There are criminal copyright infringement laws in both countries... But the lawyers here cannot actually force the German state to prosecute anyway, and it seems they did not file a criminal complaint anyway, and even if they did the prosecutors' office would most likely deny prosecution against EasyDNS since they are only a service provider and not a direct party to the alleged infringement. The prosecutors' office would probably even deny a prosecution against the actual perpetrator because it's just about a single image and thus a minor infraction. So right now it's just a civil matter.


> Is there any indication that they solicited business in Germany?

My understanding is making the website available to a country can be soliciting business.

> And how, in practice, could they enforce that if this Canadian entity has not broken any Canadian law and Canada as such has no impetus to enforce German law?

Don't they have deals for such thing? I remember reading that a British court judgement for damages could be enforced in the US.


> My understanding is making the website available to a country can be soliciting business.

Oh dear, that would make publishing any website extremely dangerous..


They could arrest their officers if they're ever in Germany (or maybe the EU).


It's a huge problem for businesses that operate on the internet. It can magically make you subject to all laws worldwide, at once. You cannot comply with them all.


The issue is to think that a single website and a single way of doing business is all you need on the web.

But in fact companies like Amazon have customised sites, T&Cs, and procedures for every country they operate in because they have to comply with many different legal systems.

But that does not mean that operating a business on the web in a single country makes you liable throughout the world. That being said, accepting a foreign customer might make you liable to the law of that customer's country.


At least in the U.S., it does not. There's actually a reasonably decent Wikipedia article discussing the case law on the subject: https://en.wikipedia.org/wiki/Personal_jurisdiction_in_Inter...


> In many countries, soliciting business there makes you subject to its jurisdiction and laws, regardless of where your business is based.

As a practical matter it seems unlikely that this particular law firm is going to go to the mat in terms of any possible enforcement action (and that assumes it can even be done or attempted by teaming up with a firm in Canada, where easydns is from what I am reading).

Very generally also I don't think it's a good idea for a company (and in particular a small company) to air publicly something like this. It leaks details on how they act and what they will do that could be used against them by another company in the future. In other words, the publicity could end up being counterproductive.


I'm sure I have something on a public httpd somewhere my company owns that is insulting to the Thai king. Better look out, I'm going to Thai prison for lese majeste!


Actually had a customer (or just angry netizen) complain about this at a hosting company. Was very satisfying to return our boilerplate about how we were in 'murica and this didn't apply.


That is why I am confused why so many websites put up warning banners about GDPR. If you don't do business in Europe it doesn't apply to you. A large chunk of the internet is USA based.


> In many countries, soliciting business there makes you subject to its jurisdiction and laws, regardless of where your business is based.

That line of reasoning always sounded tautological to me. "Law X from country A says that by doing Y you are under jurisdiction of country A", but for "law X from country A" to apply to you, don't you have to already be under jurisdiction of country A in the first place?


Law is ultimately shared consensus. We build an abstraction layer on top of that but sometimes the underlying nature can't help but shine through.


> for "law X from country A" to apply to you, don't you have to already be under jurisdiction of country A in the first place?

No.


Judging by their ToS, I wouldn't be so sure that easyDNS has attorneys.


You seem to really dislike easyDNS.


Can't say I know them well enough to "dislike" them, but based on a brief look at their ToS they're certainly not a company I'd want to do business with.


I'm guessing easyDNS doesn't have "attorneys". The article does, however, mention "lawyers": "both easyDNS and our lawyers take a dim view".

(Random terminological observation deleted.)


An attorney is a lawyer, though a lawyer isn't necessarily an attorney.

Why are we picking nits over this?


It's not my intention to pick nits. I was just pointing out that easyDNS had consulted lawyers and making a random terminological observation in a parenthesis.

Perhaps random terminological observations annoy people? I'll delete that part.


I didn't see the observation you made, but I see that easyDNS is in Canada. For clarity, it is not the norm to refer to a lawyer as an attorney in Canada (except in a few specific circumstances).


This is a pretty serious issue if they were to get away with it, although I'm not sure about how legal precedents work in Germany, but regardless holding a domain registrar liable for what the domain itself distributes seems absurd. It's like suing a city for giving land legally to someone who started a drug smuggling operation under that land as if the city knew the intent.


Germany has some surprisingly regressive (IMO) laws about the internet, copyright, etc. See: https://teleread.org/2018/03/03/project-gutenberg-blocks-ger...


Is this a limited case? In general I've heard that Berlin is a pretty happening place for privacy activists these days. Kinda makes me scratch my head to read this.


Germany is very privacy positive. The majority of the weird internet laws generally come around because of the country's privacy laws. That is why it's got a big privacy activist scene. And that case seems basic copyright, where in Germany the work is still copyrighted so the copyright owner went to court to enforce it. This seems pretty standard and expected.


Isn't this more like requiring a city to provide the name and contact info for the owner of that piece of land?

I think in most places that is public info.


I suppose so, but then holding them liable for crimes in the land is a bit silly.


I don't think that's why they mentioned "criminal complaint." I suspect (correct me if I'm mistaken) that it's a necessary step to obtaining a subpoena or other process needed to unveil the domain registrant.


Yeah it reads to me (IANAL) as some "legal blackmail", hey give us this info or we sue you for the registrant's crimes.


It's an arm twisting move to force them to give out the name. Once they comply they will move to the next link of the chain and try to twist that arm. It never ends.


Wonder what happens if the registrant has a fake name and address. I guess the domain gets removed?


I don't see the distinction.


They are saying they will hold them liable if they don't turn over the customer's contact info.


A better analogy of something that regularly happens would be demands for a mobile phone provider to hand over all info they have for a number used in drug trade.

Not sure how that works in Germany.


This is hardly analogous. A registrar files some paperwork. A phone provider operates and maintains equipment that provides the functionality of the phone.


Good point. MVNOs don't really do all of that, but I see what you mean.


This is a good reason to host your site in one country, use a registrar from another, and live in yet another.

The most trivial lawsuit will require an international lawyer creating a threshold most significant.


I'm not a lawyer, but doesn't this potentially open you up to a lawsuit from any of those countries?


Of course, so do your research before choosing countries.


> The most trivial lawsuit will require an international lawyer creating a threshold most significant.

Most people hosting websites can't afford international lawyers.


I think he refers to the person / entity suing.


Which means he doesn't understand how the legal process works.


What this means is if you host a website for someone to sue you in a court of law the process instantly requires an international lawyer.

They are not cheap. Pick your countries right and arguably you would be hard to sue.

IANAL but you should consult one when implementing this strategy.


Nope, that's not how it works. They can simply sue you in the jurisdiction in which you live, getting a court order for you to reveal the information. Details of where it is hosted don't matter.

Unless you don't mind serving indefinite jail time for contempt of court.


> They can simply sue you in the jurisdiction in which you live, getting a court order for you to reveal the information.

> Unless you don't mind serving indefinite jail time for contempt of court.

Not how it works internationally, this looks more like a US-centric view of the world. I believe in most countries courts would not do that at all. If you want an example, look how nobody can sue Snowden in Russia.


...first they have to find the jurisdiction in which you live. I think the idea here is to make the processes of finding that out harder.


...and more expensive only to find out there isn't an extradition treaty.


Well in this case they can't find out where he lives because the registrar won't give up his information.

So yes, it is how it works.


This reminds me of the PirateBay letters requesting takedowns. Lawyers bullying people across national borders. Sheer stupidity.

I have a cousin, musician, when he finds his music on various pirating websites he emails politely asking them to please help him make a living by removing the link. No empty threats, no bullying. 99% they remove the links within 24h.


Why would EasyDNS even write about this?

I was under the impression that businesses not infrequently receive threatening letters from legal firms, and that a non-trivial portion of these can’t be acted upon as they don’t follow established legal norms.

I was also under the impression that only the public prosecutor can charge someone with a criminal offence?


> I was also under the impression that only the public prosecutor can charge someone with a criminal offence?

Iirc: the way it works in Germany is that they'd file a criminal complaint, the public prosecutor tries to get the data from the companies / will get a court order to get the data, and the original lawyer will be able to view the information as a joint plaintiff. This was very popular when file sharing was a thing in Germany: the prosecutors would investigate for copyright infringement to get the customer data for a certain IP from the ISP. The lawyers would then initiate civil proceedings and claim large damages.


As a guess, so future people wanting to threaten them can see how it's likely to go.


I've used EasyDNS for many years now. They never spam me. They always provide knowledgeable responses to my inquiries. Their online tools have always been simple and worked well. I would recommend EasyDNS to anyone who is looking for no-nonsense DNS hosting.


I have been using them for my personal DNS for years - Been happy with them as well.


IANAL, but here's my assessment on this:

First and foremost, as far as I know, a registrar disclosing customer data without a warrant would violate the law in Germany as well. For `.de`-Domains the holder information used to be publicly available, to the dismay of privacy activists; in the same way the ICANN wanted the same. Then GDPR came and pretty much put a legally binding end to this.

And it comes down to this: Under GDPR such customer information enjoys strong protection. A lawyer has no more rights to that information than any other party who's not tasked with enforcing the law.

The intention of this letter is to gain information about the EasyDNS customer, so that this customer can be sent a cease and desist, which due to some lack in German C&D law can carry a hefty fee.

Inside Germany a whole range of law firms specialize in actively searching for unlawful behavior and sending out C&D en masse. A common practice among these firms is to scrape BitTorrent trackers for peer IPs + timestamps (or to actually manufacture them), bundling them all up in a criminal complaint so that ISPs must deliver to the state attorney the names of the customers these IP addresses were assigned to at the given time. However instead of pressing charges they will then drop the case, and instead send C&D letters to those people.

The lawyers who operate that way have become known as "Abmahnanwalt".

The lawyer who sent this letter is Robert Fechner. And lo and behold: Robert Fechner is known to be such an Abmahnanwalt:

https://www.google.com/search?q=abmahnanwalt+fechner


Do German courts not have a concept of standing?


Do you have an approximate translation of Abmahnanwalt? Google Translate punts on it.


Internet seems to call it "cease and desist lawyer".

(In short an 'Abmahnanwalt' is a lawyer who admonishes you for breaking certain rules and who can charge you for the service... quite close to 'Abschaum' in German dictionaries, as the basic idea may not really be that bad, but it is heavily misused by some)

Source: https://www.dpreview.com/forums/thread/4060159


@easyDNS: Is that an old ongoing case? Everywhere in the document they're using 2016.

It seems quite funny that they started that in 2016 and using a judgment from 2017 in 2019...


What is a criminal complaint? This looks distinctly like a civil matter to me.


It's a complaint that is itself criminal.


> It’s almost as if Herr Fechner doesn’t understand that Canada is a completely different country than Germany

Or that Herr Fechner knows that a nastygram like this will please his customer who can be billed for writing, translating and sending it.


Hopefully Herr Fechner loses his license to practice law in Germany. From what I see here, he is an unethical and incompetent attorney and a disgrace to the profession.

RE: Herr Fechner of Fechner Law in Germany


Probably not. He didn't do anything wrong, by the letter of the law. He is allowed to make "overestimated" damage claims, demand money and demand money for his services, cite court decisions that are not final yet, and all the other shenanigans he did, sadly. He seems clever enough to walk the line where he is damn close but not yet lying, e.g. when he talks about the criminal complaint stuff.

Essentially the only ways he could lose his license are if he knowingly lied, especially to the court, behaved grossly negligently towards his client or violated client privilege.

kd3 9 months ago [flagged]

His letter almost made me want to sieg heil.


Please don't do this here.


Is this the lawyer that made the legal threat? https://www.fechner-legal.de/en/robert-fechner/

Looks like copyright harassment cases are one of their specialities. https://www.fechner-legal.de/en/copyright-law/


The response reminds me of some of the Pirate Bay's responses: https://beebulletin.com/hilarious-pirate-bay-legal-responses... The tone is pretty much inviting a judge to impose a hefty fine for noncompliance. I'm not saying they're wrong, just that it seems like a risky stance to take.


Non-compliance with what? Some random lawyer's demand? Wouldn't they have to get the court to make that demand in the first place?


Of course it was Germany. The country where a local judge successfully put de.wikipedia.org offline for a couple of days because of a single article.

https://en.wikipedia.org/wiki/Internet_censorship_in_Germany


This is why domains are one of the biggest issues when it comes to privacy. Personally I think users should be open to a small client that resolves domains locally using IPFS or whatever else is more difficult to censor, or find a DNS provider that adds TLDs without ICANN.


Uf, the linked judgement is not absolute, which means they threatened with something that might hold up but does not need to. The judgement mostly validated the single case.

The letter/mail is just plain threatening. Copyright law in Germany is in a bad state so be aware.


> German law firm

> to transfer €1,481

Treading dangerous water there. I wonder what the transfer fees are.


> I appreciate your alleged concern for your users’ privacy.

Person who wrote this is a dick. They're assuming motives and they also didn't do any due diligence to realize the registrar isn't under the GDPR or located in the EU.

This irks me. It feels like if someone discloses a security problem in a city's bus/train ticketing system and the first response is to go to the sheriff's department and see if that person can be criminally prosecuted rather than work with the guy or gal who wants to help you fix your broken system.


The EU claims that even companies not located in the EU are still subject to the GDPR. I don't think the GDPR is applicable in this case tho. It seems likely to pertain to the EU 'right to be forgotten' law(s).


If you are not dealing with an EU entity or an entity in a country with an agreement with the EU you have no right to be forgotten.


Maybe you don't care about following EU law because you don't live there, but don't plan on breaking the GDPR and then vacationing in France or Italy ever in your life.


Because you will get a fine you can ignore?

EU law is not and will not be applicable to most of the planet.


You're reading things into it that aren't there. It's not a personal letter.

Also, why do you mention GDPR? There's no GDPR issue here and the German lawyer didn't mention it.


Most small firms who take these kinds of cases have a poor command of language and are generally very unsympathetic.


I'm not offended by many things but the solipsistic thinking that results in someone trying to enforce their country's laws on people or entities in another country is one thing that makes my blood boil.



