ICANN has an established process for handling these types of disputes, and Facebook should avail themsleves of that process. https://www.icann.org/resources/pages/help/dndr/udrp-en
(It isn't clear if Facebook is seeking a financial judgement or just a court order to delete or transfer the domains to Facebook?)
* Namecheap should say: "That's not our problem. It's up to the courts. Get a warrant."
* Facebook should say "okay."
* Namecheap should notify the domain holder, and let them fight it if they want.
* If they don't fight it, Facebook should have a short filing explaining the problem and asking for a release of information.
If it's reasonable, the judge should sign it, and Namecheap should give up the information. If it's unreasonable, the judge should not sign it.
It's how courts should work, and it's how due process should work.
If namecheap can make this case there isn't a judge in the country that would side with facebook. In my opinion judges tend to get pretty pissy when you try and cut them out of the process, I really hope this happens and it comes back to haunt facebook.
sadly at least in Australia we keep passing stupid new laws that erode the judicial oversight giving various authorities (and many more than just the "police") ability to do all sorts of things with no warrant or judge oversight and I don't like it.
Maybe typo on step four to "if choose to fight".
It would be good to have a legal overview from someone that is actually familiar with relevant law.
Facebook is trying to use this as a way to show they are concerned about privacy and security, but they're coming across as bullies that didn't get what they wanted and now they have to use the necessary legal methods to do so.
Judging by this thread, this faulty logic has been embraced wholeheartedly, and it leads to the strange position that is actually immoral, apparently, to make any judgement calls in the cause of your everyday life or business. When you are asked to work for a scammer, you are supposed to throw up your hands, say “who am I to judge”, and take their money.
Courts are, apparently, the only unfailing entities that can tell right from wrong. Even when something is universally agreed to be wrong, you are supposed to ignore it lest you feel tempted or required to then make decisions in more nuanced cases.
It’s a rather convoluted scheme to abdicate all moral responsibility.
We reported it to the police, of course, but I don't think it was ever really pursued. I wanted to dig in myself but whoever the company was said they wouldn't give up the records without a subpoena. Very frustrating as I am the person who was being impersonated.
It seems like there are times where you should have standing as an individual to get a subpoena for information directly related to you.
Under European law, "you can request access to the personal data a company or organisation has about you, and you have the right to get a copy of your data, free of charge, in an accessible format." 
I kinda get the point. If someone impersonates you, that information should not be protected because it's supposedly you.
I believe there has to be a reasonably high bar that a person has to clear before a company should be even allowed to assume they are who they're claiming to be, but once that bar is cleared no information regarding or directly linked to the person in question should be withheld from them.
I would expect my relatives to validate my identity before sending money to me via any new method.
There is, or there are. Western Union just doesn't care about it, because it costs money and their fee still gets paid if the scam works.
We felt more than a little paranoid (and the babysitters probably thought we were nuts) but anecdotes like yours reinforce the need to be careful when relying on easily-spoofed caller ID for identity protection.
Btw, in my language there is no distinction between warrant and subpoena, both are just court orders.
Why would that be ridiculous? If they can't make sure that their clients are legit, they shouldn't be in the business at all.
In fact domain name ownership shouldn't be private at all (in the same way that land ownership isn't private)
Banks are required to have Know Your Customer systems. Domain registrars, hardware stores, and grocery stores are not. Do you really want to extend this additional expense to all the businesses from which you buy?
Mind you someone always has to pay these expenses when fraud occurs, they don't vanish and I would like to see it allocated in such a way that it gives an incentive to prevent fraud, not protecting it.
The same thing in most other contexts is useless. There is no equivalent to "money in the account" to worry about losing so people will just use made up names or stolen identities with impunity, and the legal process for proving it's a stolen identity wouldn't reasonably be any easier than the existing legal process for having the domain seized whether or not you know who registered it.
Also, arbitrary foreign nationals can have domains. What do you even expect to do with the information that the domain was registered by Sergei from ScrewYouistan which has no extradition treaty?
Cool, how do you see it working on eBay?
Such requirements are not always enforced, especially by ICANN, and the punishment for failure is pretty rare. That could however change at any moment, and the consequences (beyond possible legal ones) would be that the registrar would loose accreditation.
No idea where you got hardware stores, grocery stores, and "all the business from which you buy" from. Read my comment again.
Domain name ownership should be public information, just like land ownership, and the ownership of media organisations.
EDIT (HN won't let me reply or post any more):
> Maybe they're exposing corruption or sharing information that powerful people don't want to have exposed.
Sure there are edge-cases where anonymity would be desirable, but they pale in comparison to the real harm done every day to regular people through anonymously registered domain names.
I can think of many legitimate reason that a site owner might want to be anonymous. Maybe they're exposing corruption or sharing information that powerful people don't want to have exposed.
I totally agree that in some cases anonymity is good, useful, etc.
But creating phishing sites for Facebook is not that. There is no good reason to register the domain "facebo0k-login.com"
I get that it's difficult to work out if the domain is going to be used for a legit purpose, but surely that's easier to do at the point of registration than it is to police afterwards?
It takes a human about 2s to work out that "fuck-facebook.com" is a legit protest domain, while "facebo0k-support.com" is a phishing domain. It's not even about trademarks or ownership of the word "facebook", it's about the intent of the domain.
I think insisting on ownership information for a domain that looks like it could be used for phishing, while allowing "furries-r-us.com" to be anonymous would be a better system than we have now.
How could it be easier? I could always start legitimate and then switch later. Now, if you think about the context of "faceb00k.com is probably not legitimate" you get in all sort of discussions about what is okay, what is not okay, what is an edge case.
All these proposals bring us further into a domain where private persons/companies are deputized to rule what is okay under the law, because court processes take so long and are so complicated. It ignores that there is a reason they are long and complicated. We've learned the hard way what happens if they are not.
 For the sake of this post let's assume legitimate means 'okay under the law' and split away the question of morality
The law is based on moral decisions, so I think "splitting that away" is probably circular - eventually a law will be made to deal with an immoral situation. We might as well consider the morality now and save some time.
I think we should get into all sorts of discussions about what's OK, what's not OK, and what is an edge case. People should be held responsible for what happens on their domain. There should be a discussion about whether the potential registration of "faceb00k.com" is legitimate or not.
What if there was a jury of 12 random people who had to approve every domain registration, and also decide whether that domain registrant should be anonymous or not? Would that lead to better results than we have now?
Q: What makes it "a phishing domain"?
A: It's when it's actually used for phishing, not when we glance at it and it just looks, well, "bad".
I would recommend actually analyzing the pros and cons. What are the benefits for the society, why they're real (not a snake oil/security theatre, where bad actors would be easily able to work around), and why they overweigh the harm from the negatives (e.g. the obvious privacy concerns).
The real issue is enforcement. Namecheap should not be there as an arm of the law. Instead, the people BUYING the domains should be held accountable for their fraud.
This gets messy quick. How does Namecheap verify the validity of an individual? What constitutes a valid individual? What evidence is required to prove this to a registrar? How does Namecheap verify the legitimacy of intent for that domain? How does Namecheap keep up with every possible brand that may be subject to abuse? At what point does a brand become protected in a way that restricts the selling of similar domains?
For KYC in the financial world, answers exist to ALL of these questions. There is some inherent level of identity tied to your personal finances. These systems are built around a real identity that can be validated, so it's easy to apply. The same is not true for any internet service.
This might offend us IT types, but I'm not sure there's always just one answer.
Anecdote #1: I can walk into the local branch of my bank - where all the staff know me - and withdraw money from my account without showing any form of ID, telling them my account number, or even stating my name. They know me, I just have to sign the form.
Is that in the KYC regulations, or even the bank's SOPs?
It sure is handy.
They shouldn't do that. I am not saying they don't but they shouldn't. And in this scenario, you've already established your real identity over time in order to open the account and regularly withdraw or deposit funds.
You didn't build this relationship in a day without any evidence of who you are. And then you are physically showing up, which is proof that you are the person they have been dealing with over the course of the relationship. You could have lied initially and established a lie over time, but that stuff happens in the KYC process as well. KYC isn't a perfect system and it's completely possible to 'lie'.
> Is that in the KYC regulations, or even the bank's SOPs?
I would bet that it is in the Bank SOPs to NOT do what you described. But, as a person that does a lot of compliance, it's inevitable that people will ignore SOPs or policy to some extent.
You can make land ownership private by holding it in certain entities. I personally don't think land ownership should be public anyway. Nor do I think home ownership should be public.
In most of the world, the ownership of "entities" is also public data. The privilege of being an entity is bestowed by the public through the state, and any status or license granted by the the collective (the state) is and ought to be public information.
Under that theory, bestowing the privilege of privacy doesn't seem any difference to bestowing the privilege of being an entity.
So why should we do one but not the other? What are the trade-offs?
What country are you from? I'd be interested to read up on any country that doesn't have corporate lobbyists or special interests involved in lawmaking.
Anyway for future reference, unless specified, most readers are going to assume you are referring the US.
Really? Then why do we have courts, prosecutors, police and a whole shebang of associated entities. It is their job and they're being paid for it.
Facebook wants information on the registrants. A quick skim of the link you provided suggests that the process only results in the domain being taken down, not information revealed.
>Under the policy, most types of trademark-based domain-name disputes must be resolved by agreement, court action, or arbitration before a registrar will cancel, suspend, or transfer a domain name.
Would the registrar normally be sued here? I would have thought it'd be against a fictitious defendant, with a Doe subpoena used to find out their actual identity.
I can see both sides of this one. Namecheap is doing the right thing by protecting customer privacy, and Facebook reasonably wants to stop what is probably a well-organized and persistent phishing campaign aimed at their own customers.
In the olden days one would make a 20 line Perl script w/a nasty regex that's forked off for every registration -- and bill on the value not time to code.
Is a more modern pattern to egregious? FB just send NC a filter table.
Other name sensitive watchers could be added too.
You can't bring someone to court over trademark infringement if you don't have their legal address.
You file what's colloquially known as a "John Doe lawsuit", then serve a subpoena to a third party (such as Namecheap) to obtain that information. You then have the information to amend the pleading and proceed against that party.
220.127.116.11 Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible for providing its own full contact information and for providing and updating accurate technical and administrative contact information adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it discloses the current contact information provided by the licensee and the identity of the licensee within seven (7) days to a party providing the Registered Name Holder reasonable evidence of actionable harm.
It adds absolutely nothing to this discussion. Facebook has an interest in retaining users that is indistinguishable here from an interest to retain customers.
I struggle to come up with reasons that motivate the incessant regurgitation of memes such as this in online discussions. Sure, I chuckled the first time I saw it because it was novel and somewhat contrarian. But after the hundredth time it feels more like bad ML picking up on the wrong keywords.
I dont know about FB but there are companies who will sell the data of their paying customers as well.
If only FB were as professional with their customer's data as Namecheap...
Godaddy are thieves. I'll never use them again.
Now here's a registrar that's made aware that the domains are used for a crime.
While I agree that registrars should not be tasked to proactively check and police domain content, it's a bit different to receive proof that a customer is doing criminal activities and to say you need a court order to do anything?
The handing out of personal data is a bit more sensitive, but I would assume FB is already involving the police in the process. Not to hand data to FB seems fine, not to hand data to the involved police force seems like you might be actively helping them to hide/keep the crime going (again, assuming that the scam/crime is obvious).
I am glad that Namecheap is standing their ground protecting private whois data.
I don't get all of this rah rah.
My question for you (the OP) is how many domains do you have with namecheap? And how many customers like you do you think make up their business?
Nobody is filing a lawsuit to uncover whois privacy info trivially unless the reason makes sense (on the end of the person wanting the info).
I am fine with Facebook filing a suit in a court of competent jurisdiction to get this information. However, they don't state what they are seeking in their post. Further, they attack Namecheap as if Namecheap were doing something wrong.
I don't expect Namecheap to spend a fortune fighting this- but I would like to see due process followed. If a proper court of competent jurisdiction rules that Namecheap has to reveal the identity of the domain owners, and their are no bounds for appeal, and Namecheap does, that is an acceptable legal outcome.
The problem is Facebook trying to paint Namecheap as being in the wrong here, when it appears that they are doing the right thing.
I'm saying that namecheap is unethical. You are right, I'm not their customer and never will be. If it was easy to spam block every single domain ever sold by namecheap then I would do that.
Not even Facebook claims that Namecheap sells "mostly to scammers".
There isn't even a question over which of these two firms helps scammers more or harms society more. Facebook wins all of those contests. They're, like, Vladimir Putin's favorite! If any online service should have to follow the law and actually litigate each instance of such allegations of "cyber-squatting" in court, it is certainly Facebook.
So FB can't claim they ignore this stuff. They seem to be making a good-faith effort to prevent this kind of fraud.
Namecheap has been on the good side for most part, at least comparing to GoDaddy. I find it unfortunate that they had "Cheap" in their name that sort of give a slight negative impression in terms of quality.
>>As a Namecheap customer, I'm glad that they aren't giving up their customers privacy.
This is how we at the community of HN and engineers see it, but not how average non-technical person sees it.
I'm a hacker who worked in PR and advertising; I worked on media monitoring; I drafted many press releases like this and worked on PR campaigns for P&G, LG and Unilever and other global brands.
Here is what I learned: every time I read a stupid press release like this, I ask which audience is this company targeting? And why?
To read this differently, think of the target audience. Who is Facebook targeting with this press release?
Clearly, Facebook is not targeting the community of HN, or tech, evident by the number of people saying Facebook shouldn't sue Namecheap.
Facebook is targeting the average person.
Facebook is whitewashing/managing its PR crisis of privacy invasion by establishing itself as the FIRST tech leader who is fighting for people privacy.
Like it or not, Facebook is the only one in the tech industry who is doing it and is being loud..underscore being loud.
No other tech giant is fighting to be the leader in protecting users privacy and is being loud, I'm not talking about non-profit. I'm talking about Apple, Google, Amazon, Facebook.
Just read these poetic lines from the press release:
"We don't want people to be deceived by these web addresses, so we've taken legal action. We filed a similar lawsuit in October 2019 against OnlineNIC, another domain registrar, and its proxy service. Our goal is to create consequences for those who seek to do harm and we will continue to take legal action to protect people from domain name fraud and abuse."
Facebook is taking the initiative of fighting for users privacy, and it doesn't matter whether they are truthful or deceptive. What matters is that they are the first.
We only remember the first.
"The easy way to get into a person’s mind is to be first. If you can’t be first, then you must find a way to position yourself against the product, the politician, the person who did get there first
What’s the name of the first person to fly solo across the North Atlantic? Charles Lindbergh, right? Now, what’s the name of the second person to fly solo across the North Atlantic? Not so easy to answer, is it? What’s the name of the first person to walk on the moon? Neil Armstrong, of course. What’s the name of the second? What’s the name of the highest mountain in the world? Mount Everest in the Himalayas, right? What’s the name of the second highest mountain in the world? What’s the name of the first person you ever made love with? What’s the name of the second? The first person, the first mountain, the first company to occupy the position in the mind is going to be awfully hard to dislodge. Kodak in photography, Kleenex in tissue, Xerox in plainpaper copiers, Hertz in rent-a-cars, Coca in cola, General in electric. The first thing you need to “fix your message indelibly in the mind” is not a message at all.
Ries, Al. Positioning: The Battle for Your Mind
This is Facebook's argument essentially. But who decides that it is "clearly" doing harm? Should Facebook have the power to just tear domains away from their owners at their sole discretion? Should Namecheap be deciding if they break their privacy contract (the entire WHOISGUARD product that they offer) because a domain sounds too close to another company's product? Why should Facebook (or Namecheap) have the power to soley make decisions on this manner? Why do they get to "play god"?
These types of Copyright or Trademark issues have a proper and appropriate channel for handling these disputes. Facebook should be using the APPROPRIATE channels (ie the Judicial system) to handle this. The courts could issue a subpoena to Namecheap and Namecheap can take it down or hand over the information or whatever a judge decides should be done. But a sworn judge is the one that should be making these decisions, not a private company. This is where Namecheap is right in its stance and Facebook is wrong. Facebook is big and has lots of money, but that doesn't allow them to circumvent the Justice system. We swear in Judges to handle things like this. The judge can decide if this is "clearly" a violation or not. The judge will also help decide on the gray cases as well. The Judge will look at the facts of each case individually and help to protect Facebook's copyrights and trademarks while also protecting the rights of the citizen that owns the domain in question. He is the impartial authority that is trained and authorized to make these decisions.
Namecheap is doing it right, and this makes me very happy to be registering domains through them. I am happy that they don't buckle to the pressure of a big scary corporation. Facebook is once again proving that they are not a good internet citizen. Another reason the world would be better if they disappeared. Facebook isn't above the rest of us, or our governmental processes. The fact that they think they are is reason enough to never trust them with your data.
Facebook is suing Namecheap because Namecheap is not handing over the information just because Facebook asked them to. Facebook decided that the domain should be taken down and expected Namecheap to just do what Facebook said. Namecheap refused. That is why Facebook is suing them.
What Facebook should do is file a trademark dispute against the domain owner. Then a judge will look at the case, decide if Facebook has been wronged, and if so, the judge will ask Namecheap for the domain owner's information, at which point Namecheap would then be expected to (and not wrong for doing so) hand over the information to the judge. The court system will handle the rest. That is why we have these court systems. I know Facebook is confused and thinks they are above the government, but that is why it is good for Namecheap to remind them of that.
Otherwise the liability falls to Namecheap. Presumably Facebooks motivation for actually suing is to prevent name registrar's from protecting obvious scammers for profit.
Not sure how I feel about this, site owners who act in good faith clearly should be able to stay private. On the other hand, scammers can open sites much more quickly than they can be reasonably be sued. Most businesses try to keep scammers from obtaining similar domains, having to sue each time to take a page down could make this infeasible for smaller ones.
An obviously malicious site like "whatsappdownload.site" would be taken offline very quickly, but under no circumstances could we give non-public subscriber information to a third party without a warrant.
> You're glad Namecheap is protecting the registrant of "whatsappdownload.site"?
In most cases I've seen, registrant data would either be fake, the result of identity theft, or an innocent customer's whose account got hacked.
It's the same reason I'm glad that HTTPS and SSL protect the registrant of whatsappdownload.site.
Now, $2000 would be worth it to shut down a scammer like that, except nothing stops them from simply ignoring the UDRP claim and once their domain is shut down, they can register autotempests.com or something for another 10 bucks. (They actually did end up registering autostempestgroup.com and several others.)
On the other hand, if you could simply go to the registrar, show clear evidence of the very obvious infringement, and have them shut down the domain, perhaps it would actually be feasible to put a dent in that kind of scam.
I do understand the concern of having a private company like Namecheap be the judge in these matters, but I'm not sure it's as black and white as that. I could see a system working where they do take unilateral action on obvious cases (autostempest, whatsappdownload.com, faceb00k, etc.), but require the formal process for less clear cases.
"Slütsof In Stagram", naturally, what did you expect? See also "Whöresof In Stagrâm" at similar URL.
Yes, someone tried to register SlutsOfInstagram.com and WhoresOfInstagram.com and when Facebook/Instagram objected, they turned the sites into something else entirely.
The point being that you can't really tell anything from the name.
But then you can't really tell anything from the content either, because if there is phishing content the first thing the registrant will claim is that they've been hacked. Which is hardly uncommon in that context. So then you need someone to make a judgement call. Which is what courts are for.
Going to court just wasn't an option. For one thing, we couldn't even identify the people behind these sites without first going to court against namecheap. And after all that effort and expense, it's entirely possible they'd registered the domain with fake info and the effort would have been wasted. Even the UDRP option was not cost effective, because nothing would stop the scammers from opening a new fake domain. What we eventually did that worked was found a "CSIRT" company that would use its private connections to hosting providers to, for a fee, get offending content taken down. So, that's the kind of thing the status quo is incentivizing. Hardly better than if there was a takedown process available through namecheap it seems.
That said, you'd certainly want to avoid the situation with Youtube, where the power is swung all the way in the other direction, so creators have almost no recourse when purported rights holders issue a claim.
Maintaining a trademark costs time and money. You can save money by doing the work yourself, or by using backchannels, as you mentioned. You can save time by hiring someone to do the tedious work for you. Even a single-partner specialist law firm should have boilerplate templates on hand for taking down an infringing website fast, using regular channels. I imagine that most of the cases result in no answer from the main defendant and default judgment that orders the registrar to transfer the domain to the plaintiff, who can then blackhole it or redirect to the genuine site.
A higher-service firm will also proactively scour the Internet for threats to your brand--at a higher price, of course.
I would not recommend my former employer for this, as they got bought out, and the new owner arbitrarily fired the entire development team.
So then they claim their company is called Auto Stem Pest in the business of selling automatic pest control devices, and their website had your logo on it "temporarily" because it had been compromised by third party malicious hackers.
Somebody has to decide whether that story is a load of BS. But it's a thing that could realistically have happened, and Namecheap has neither the resources nor the qualifications to stand in judgement.
> Going to court just wasn't an option. For one thing, we couldn't even identify the people behind these sites without first going to court against namecheap. And after all that effort and expense, it's entirely possible they'd registered the domain with fake info and the effort would have been wasted.
The thing is, that's what happens anyway. Most of the people doing this are in countries that just don't care. Having their names generally won't do you any good.
> Even the UDRP option was not cost effective, because nothing would stop the scammers from opening a new fake domain.
Which points to domains being a bad point of attack to go after them. It's like trying to catch cat burglars by maligning department stores that sell gloves. It's just not a useful place to apply pressure.
For fraudsters in a friendly jurisdiction, courts work, because the process is a pain in the butt but at the end of it they go to jail which is a large enough deterrent that it mostly stops them to begin with.
When they're in an antagonistic jurisdiction (which is most common), the law can't help you, because it isn't your law that applies. At that point you're down to technical and market solutions, like the one you found.
It's not clear at all what the process is. Can you elaborate?
At least two of the 4 examples I gave are perfectly legal even under trademark and/or copyright law. And 3 are non-malicious
Rich coming from FB.
On the one hand, scam sites should be stopped, on the other, I am not sure we should let companies wantonly decide which domains other people register are bad.
I can't even tell what the legality of this is. What does facebook even sue for, trademark infringement? Or is it fraud related which I would assume they'd go to the courts for. If namecheap is breaking the law, then the justice system should be involved, otherwise it's namecheap rolling over anytime facebook decides to sue them for anything they want.
i always end up finding the same item on aliexpress and then just dropping the item entirely coz it's gonna be low quality and have no customer support
For the stuff the sucks, I throw it in the trash and move on with my life. It's usually only a few dollars
Isn't this the point of the legal process that FB is doing? FB aren't the ones to decide whether a domain is bad or not, it's down to the judge.
But in some cases good enough proof of unauthorised compromise of computer systems can be collected, in those cases, why isn't there any cooperation? E.g. botnet makers.
Some companies have registered misspellings and openly hostile domain names similar to their trademark, but it's hard to consider all permutations e.g. https://bankofamericasucks.com redirects to Coin Wallet.
Misspellings should be covered. But hostile uses should not.
If I register "facebook-sucks.com" and put a disclaimer that facebook is a registered trademark of Facebook Inc etc etc then I'm not attempting to confuse customers of facebook (btw, do "users" of facebook = "customers" of facebook?).
Therefore there is no trademark infringement and no cause for me to cease and desist.
That's different to registering "faceb00k.com" and trying to pass my site off as being facebook. That's exactly what trademark rights are there to protect. It's not the registering of the domain that is the infringement, it's the attempt to pass off my site as being facebook's. In that case, a court can order me to take down my content, and if "me" is not identifiable, then they can order my hosting provider to do the same.
Facebook itself has numerous different domains registered and its not known that some of them are facebook's registrations.
That's not their goal at all (obviously).
This is at best tangentially related, but I once had a business model where I asked people to send me a friend request on Facebook. Rather than give them the FB URL directly, I registered [name]onfacebook.com and just had that on the card they received. All the domain did was redirect to my profile. No interstitial, the URL was replaced on redirect, literally just so I could say "[name] on facebook dot com" and have be easy to remember.
Less than a week later I received a nastygram from FB legal about protecting their copyright and that they expected me to shut the domain down immediately.
I expect the people who post on HN to be representative of people who buy domain names. So while it may be bad publicity for the general public, it doesn't really matter if potential customers see it as a good thing.
It feels like an unessisary and possibly harmful step for a non-victim private company to suing another non-criminal private company so they can get these criminals to justice.
The fact that the domains are used for phishing or to perpetrate criminal acts is a secondary matter that adds gravitas to Facebook's public presentation of why they are suing Namecheap.
The infringing parties are those that register the domains using Whoisguard, and Namecheap is a non-party witness to the infringement.
So, serving Namecheap a subpoena, and then suing them for compliance after they neglect to respond to the subpoena is apparently a normal method for getting information from an uncooperative non-party witness in a civil legal proceeding.
Presumably, once they are successful in their lawsuit and have the names of the individuals responsible for the domain names, they will hand the evidence over to the police for investigation of criminal acts such as wire-fraud etc.
It indeed disgusts me that as a society of laws we go after violent criminals, not because they violate real victims, but because they infringe on a trademark of a multi-billion dollar company.
They'll take a report if you want, but there are only so many detectives. And these internet crimes need so many special skills and cross jurisdictional lines so easily...
We could establish a specialist police unit with the skills and funding levels needed to go after crimes against Facebook. Facebook might even be willing to help with funding and training, and doubtless big copyright holders would also be interested. Personally I don't think that would be a step in the right direction though.
I also get the sense that there is still a lot of victim blaming when it comes to scamming. This also has to change. Victims of scams have not done anything wrong. The criminals that scam other people are of full blame for their crimes, and they need to be brought to justice for their violent behaviour.
A lot of definitions put a physical qualifier, but that is not how the term is used by English speakers, e.g. bullying or psychological tormenting, is violent even though it is only verbal.
> behavior involving physical force intended to hurt, damage, or kill someone or something.
In every definition, violence requires physical force. Nobody calls psychological abuse violence, they call it "gaslighting" or "bullying" or "emotional trauma".
I would also argue that emotional and psychological abuse should be considered a serious crime, but I am not convinced that conflating it with violence is appropriate.
I realize that my categories leave a blind spot for more subtle method of bullying, especially in intrinsically violence-free cases like cyber-bullying or "intense-gossiping" which can be seriously damaging.
Still I do not think that classifying that as violence in and of itself is an appropriate solution.
Sure different forms of violence do vary in severity, but finding a new name for a type of violence that is done remotely and causes a different kind of harm both undermines and complicates the term “violence” and gives discount to some forms of violence by not labeling them as such.
Here I don't agree.
> Sure different forms of violence do vary in severity,
Also this is not the point. Emotional violence can be definitely worse than physical violence, I am not ranking them.
I am often bad at analogies, but I will try making one anyway.
When driving you are held to a concept of strict liability; if you cause an accident it is your fault; every time you sit in a vehicle you silently agree that every damage caused by your car will be (by default, but can be proven otherwise) your responsibility.
This is not the case when walking; if you push someone down the stairs because of a sneeze it is not manslaughter, it is manslaughter if you drive over a passerby because of that same sneeze.
Quite few things are considered in the context of strict liability, in general to be responsible of a damage the burden of proof is much higher.
Similarly physical and non-physical violence are held to different contexts; if I punch you then I am at fault a priori (there can be enough context to subvert this) and the reason is that I am expected to understand that punching you will cause damage (this is why accidental deaths in a fight can incur in manslaughter charges).
threats of psychological violence should be a crime, the same as other kinds of threats.
On the other hand, with psychological violence there is not bright red line that can be as clearly crossed or not. It is much harder to argue that the abuser was conscious of the damage, or that the damage was done maliciously, or that the abuser should be held responsible for it.
It is not a matter of severity, it is just that one case of violence is significantly harder to judge fairly.
PS: > if there can be violent threats, then there can be emotional violence.
> threats of psychological violence should be a crime, the same as other kinds of threats.
should be after the last line.
It’s even worse if you use a credit card, get skimmed, have money stolen from you then your credit card company tries to deny your claim. No where in this situation are there police going to the ATM to view the video surveillance of who stole your money.
Most law enforcement seems to rely on identity fraudsters being high on drugs in cheap hotels and being caught with hardware / stolen cards etc etc.
Then again I haven't seen the court filings so maybe that's exactly what they did and Namecheap is just mentioned as an additional defendant.
Either way, I would also expect Namecheap not to reveal anything unless they are compelled to by court order or another legal obligation.
Their chat support is unable to take spam complaints and instead directs you to their “Legal & Abuse Department” based in Eastern Europe. And what you get is basically what you’d expect from an underpaid, disgruntled level one IT support.
I wouldn't expect Namecheap, a low cost registrar with "cheap" in its name, to have the legal resources to investigate or make a conclusion for each accusation that comes their way for one of their 10 million domain names.
As with everything internet related, I think there's a vast misunderstanding of scale, and difficulty in automation (domains sniping!), for what they're facing.
I also wouldn't expect them to hand out information to anyone that asks for it, especially a large company known for misusing any information they can get their hands on, without a subpoena.
I think the real solution would have to come from a third party group(s) that could collect, monitor, and produce high quality reports, with a high level of accuracy, that all of these registrars could use. Who would fund these groups? Probably whomever gains/loses less from the phishing scams being terminated.
Exactly. And if they _did_ I'd be just as concerned that they're now allowing a vector to take domains down.
Balancing the two is difficult..
Eg, i'd wager the GGP comment who reported 26 domains did so in a manner that would be fairly easy to fake. So what is the requirement of reports? Too loose and it's easy to fake, too strict and it becomes to difficult to report _(or too costly to verify)_.
It wasn't hard to verify or easy to fake, or loose. Namecheap's legal/abuse department are just completely incompetent/don't care about their own TOS.
I am sure there are other examples not in cahoots with the Russian government.
The analogy is more like writing a messaging app then being asked to revoke access to someone because they are texting while driving.
In that example the domain is likely compromised though, so you need to be reporting to all the hosting providers involved as well and not just the registrar.
This is just another attack on privacy and due process in order to strong arm companies that have services like WhoisGuard which is intended to protect millions of customer’s privacy.
(My personal perspective on this, to help you understand the tone I'm using, is that NameCheap is doing the Right Thing by not cooperating without a subpoena, and Facebook is doing the Right Thing by protecting their users from phishing attacks by shutting down the attackers, and the court will do the Right Thing by arbitrating within the context of the laws.)
Can you explain the legal details of what's happening here? Who's responsibility is it to deal with domains that are potentially dangerous, what exactly is facebook suing you for? What rule are they talking about when they say you're supposed to provide the WhoisGuard information (someone else mentioned that's only for government requests)?
I've also seen some complaints by other people here that there are some namecheap domains that are sometimes scammy and namecheap sometimes deals with them and other times they don't (based on user comments here). Can you clarify if namecheap does indeed take action and if so, why they haven't here?
Also in the future, you might want to sign off at the end of the comment since it's really easy to ignore the username as it's grayed out. And FWIW, great job with namecheap, I've had a really good experience with it.
Why do you want to take money from criminals, in exchange for helping them to do criminal activity? From a risk management perspective, you should very much not want these customers.
I think that's a pretty comparable analogy because in both cases, a party is being unreasonably expected to police third-party content provided through their platform/business, or else be sued for failing to do something completely infeasible.
Still got the billion dollar lawyer army to get through.
Contrast their behavior with Go Daddy who will turn over data of people who dare complain: https://skepchick.org/2014/04/godaddy-released-my-personal-i...
Is our memory really this short?
If you give the permission to Messenger to use the microphone, that is required to make voice calls, then I believe it's possible for it to use it anytime.
What -does- have a lot of that, is the statement that humans are particularly bad at classifying random events.
Criminal activity like election interference? Has Facebook been fined for that yet?
Edit: what's with the downvotes? I'm not defending the practice, just stating facts.
> We found that Namecheap’s proxy service, Whoisguard, registered or used 45 domain names that impersonated Facebook and our services, such as instagrambusinesshelp.com, facebo0k-login.com and whatsappdownload.site. We sent notices to Whoisguard between October 2018 and February 2020, and despite their obligation to provide information about these infringing domain names, they declined to cooperate.
Specifically, they're suing Namecheap and their proxy service for not providing information about the true registrants of the allegedly infringing domains.
The press release says "for registering domain names" so I think the original title was accurate.
Previous similar court case where Verizon won a judgment against OnLineNic on the basis of trademark infringement: https://dockets.justia.com/docket/california/candce/3:2008cv...
So it doesn't seem like this suit is just about discovering the identities of the registrants.
(Title was "Facebook sues Namecheap for registering phishing domains", then "Facebook sues Namecheap for registrants of phishing domains".)
"Under the policy, most types of trademark-based domain-name disputes must be resolved by agreement, court action, or arbitration before a registrar will cancel, suspend, or transfer a domain name."
I think anonymous domain registration is an important property to preserve. Many people need such services for their safety. However, if you're going to serve as an anonymity shield for another party, you're taking on some of that party's liability, and in particular you need to take down malicious domains.
That doesn't mean it's impossible to deregister infringing domains. It means that there is a process to follow, which is probably what we're seeing right now.
Edit: Would "instagramsucks.com" or "facebooksucks.com" also be infringing?
And in terms of trademark law the owners are unlikely to be on stronger grounds if they're not a pure phishing operation as alleged, but have merely chosen to include Facebook's trademark in their website or email marketing name without Facebook's permission to increase the likelihood Facebook's customers will purchase services from them.
You don't have to imply you definitely are the owner of a trademark to fall foul of trademark law, you just have to be trying to profit from using the trademark without permission in their line of trade in a way you can't justify as 'fair use'. I think we can rule out the idea instagrambusinesshelp.com is commentary, comparison, parody or a list of third parties worked with.
My company also has a business portal. Can I take down domains that are similar to it as well? Or is this power just reserved for MegaCorp Inc. who can afford large legal teams? At what point does a company become large enough to warrant "protection" of domains similar to their own? Who makes that decision and is there any dispute process? Etc, etc...
So many questions and potential pitfalls surrounding this approach. I don't know if there's any better realistic "solution" than to let users ultimately be responsible for the domains they visit. Not much of a solution but I don't see any better options that are both realistic and helpful.
The big drawback of the process it that it doesn't work well for phishing attacks, where taking down one domain is of limited value. It's designed more for things like nissan.com
I'm not disputing that the sites themselves are scammy/phishing, but what Facebook is saying here sounds like an overreach that amounts to "using Facebook trademarked names in a domain name is misleading and inherently untrustworthy".
Do I also have the right to impose rules on other businesses naming conventions , or no because I'm not a $500B company?
 In a fair use context, not blatant copyright/trademark infringement or posing as the company in a phishing context.