Facebook sues Namecheap (fb.com)
695 points by whoisjuan on March 5, 2020 | 397 comments

As a Namecheap customer, I am glad that they aren't giving up their customers' privacy. Facebook claims they have an obligation to do so, but they don't provide any citation for such an obligation.

ICANN has an established process for handling these types of disputes, and Facebook should avail themselves of that process. https://www.icann.org/resources/pages/help/dndr/udrp-en

(It isn't clear if Facebook is seeking a financial judgement or just a court order to delete or transfer the domains to Facebook?)

I kind of agree. This is the sort of thing which should be handled through a $500 lawsuit, not a $50 million lawsuit:

* Namecheap should say: "That's not our problem. It's up to the courts. Get a warrant."

* Facebook should say "okay."

* Namecheap should notify the domain holder, and let them fight it if they want.

* If they don't fight it, Facebook should have a short filing explaining the problem and asking for a release of information.

If it's reasonable, the judge should sign it, and Namecheap should give up the information. If it's unreasonable, the judge should not sign it.

It's how courts should work, and it's how due process should work.

This should be Namecheap's argument and it's 100% true. The only reason Facebook are doing this is to cut the courts out of the process and give that power to themselves.

If Namecheap can make this case there isn't a judge in the country that would side with Facebook. In my opinion judges tend to get pretty pissy when you try and cut them out of the process, I really hope this happens and it comes back to haunt Facebook.

Same. This is exactly the kind of process I want in our courts whether the requestor is private or governmental.

Sadly, at least in Australia we keep passing stupid new laws that erode the judicial oversight giving various authorities (and many more than just the "police") ability to do all sorts of things with no warrant or judge oversight and I don't like it.

Upvote for reasonable, pragmatic process.

Maybe typo on step four to "if choose to fight".

Facebook can't get a warrant (just like you or I can't get a warrant either), only law enforcement can get a warrant. I'm not sure if you're suggesting Facebook go to the police and file a criminal complaint under some law, and try to convince the police to get a warrant. Or maybe Facebook's lawyers could subpoena for discovery or something. I'm not sure. I'm not a lawyer.

It would be good to have a legal overview from someone that is actually familiar with relevant law.

Do you think that would make Namecheap change their ways at all? Won't it mean Facebook have to keep taking Namecheap to court; and other domain registrars?

By change their ways, do you mean Namecheap should violate their customer's privacy without any due process?

What ways are you seeking to change?

Registering domains for people who either clearly intend to use them for phishing or which are blatant trademark infringements.

I totally agree. Namecheap probably had to tell Facebook, "get a warrant". If they DIDN'T do this, they would then be responsible for policing EVERY site they provide WhoisGuard for, and that would be ridiculous.

Facebook is trying to use this as a way to show they are concerned about privacy and security, but they're coming across as bullies that didn't get what they wanted and now they have to use the necessary legal methods to do so.

Yeah, Facebook's trying to strong-arm registrars, but the fundamental premise comes off to me as entitled. It's like they're asserting they're too important and they don't want to go after these domain holders one-by-one, so the registrars should do their bidding.

I have no idea how Facebook can present themselves as "concerned about privacy" when their whole bloody business model is about exploiting it.

Standard Oil was concerned about Oil. Resource companies generally are concerned about the resource they exploit, and especially about keeping all access to it for themselves and none for others.


Doing something once does not, contrary to popular (on the internet) theory, create an obligation to do so perpetually and in all situations. That’s the whole point of Section 230 of the DMCA, for example.

Judging by this thread, this faulty logic has been embraced wholeheartedly, and it leads to the strange position that it is actually immoral, apparently, to make any judgement calls in the course of your everyday life or business. When you are asked to work for a scammer, you are supposed to throw up your hands, say “who am I to judge”, and take their money.

Courts are, apparently, the only unfailing entities that can tell right from wrong. Even when something is universally agreed to be wrong, you are supposed to ignore it lest you feel tempted or required to then make decisions in more nuanced cases.

It’s a rather convoluted scheme to abdicate all moral responsibility.

Who are they advertising to though? They might look like bullies to people in the industry but that's probably not who they're trying to market themselves as privacy/security concerned towards. Combined with how dire the state of mainstream tech 'news' is, I'd be surprised if this actually backfired regardless of which way the lawsuit goes.

Facebook cannot "get a warrant", only law enforcement officials can do that.

“File a suit, leading to discovery and a warrant ordered by a judge” doesn’t quite roll off the tongue.

Warrants are for criminal searches. Subpoenas are the process used to compel discovery in civil cases and for some parts of criminal cases.

Sort of related: one time a scammer conned my grandma out of thousands of dollars by calling her and pretending to be me in distress. She wired the money to my name (I think it was Western Union or something), in a foreign country, and somebody "showed ID" as me.

We reported it to the police, of course, but I don't think it was ever really pursued. I wanted to dig in myself but whoever the company was said they wouldn't give up the records without a subpoena. Very frustrating as I am the person who was being impersonated.

It seems like there are times where you should have standing as an individual to get a subpoena for information directly related to you.

Thanks for reminding me about this. One thing I've established with my siblings was that none of us should transfer any money via a service like Paypal, Venmo, etc to each other without an explicit casual phone call first. It can't just be a text or a phone call asking for money, you have to have a casual conversation first. How is work? How's blah blah, what are you getting for dinner tonight, etc. For the case of elderly parents, I'm lucky that they would immediately hand that off as busy-work to siblings. Like they would never go to Western Union, they would call a child and say hey your sibling requested such and such can you go do that which would then raise all of the alarms.

If they impersonated you, aren't you technically requesting information about yourself?

Under European law, "you can request access to the personal data a company or organisation has about you, and you have the right to get a copy of your data, free of charge, in an accessible format." [1]

[1] https://europa.eu/youreurope/citizens/consumers/internet-tel...

I'm sorry, that sucks, but we should not give up rights because some customers are easily fooled. This is a slippery slope you do not want to start on, because where does it end?

But if John Doe wants information on someone named John Doe who "showed ID" to claim the money, he's just asking about "himself".

I kinda get the point. If someone impersonates you, that information should not be protected because it's supposedly you.

Unless fake John asks for info on real John.

But that's more an issue of identity confirmation.

I believe there has to be a reasonably high bar that a person has to clear before a company should be even allowed to assume they are who they're claiming to be, but once that bar is cleared no information regarding or directly linked to the person in question should be withheld from them.

But then, hasn't the company already shown that it's bad at identity confirmation? Why would you expect them to be better at it in the other direction?

Isn't this problem solvable by looking at it differently? To me, the problem is that it's easy for scammers to impersonate someone. What if there was a way to reasonably check a person's identity in a standard way accessible to everyone without going through hoops?

> What if there was a way to reasonably check a person's identity [...]

I would expect my relatives to validate my identity before sending money to me via any new method.

> What if there was a way to reasonably check a person's identity in a standard way accessible to everyone without going through hoops?

There is, or there are. Western Union just doesn't care about it, because it costs money and their fee still gets paid if the scam works.

That ideal won’t come true for a very long while. I appreciate your idealism, but for better or worse, we need a reasonable and attainable solution in the interim.

That's frightening. When we drew up our household information for babysitters, we put in codewords to identify ourselves and for the babysitter to identify him/herself to us in case of an emergency.

We felt more than a little paranoid (and the babysitters probably thought we were nuts) but anecdotes like yours reinforce the need to be careful when relying on easily-spoofed caller ID for identity protection.

This is a great reason for why modern data laws like GDPR and CCPA enshrine right of access so highly, I believe. I think it would be interesting to pursue civil cases against fraudsters whose data you manage to collect out of PayPal audit logs or whatever, but you'd probably be contending with international courts and it would be an expensive and time-consuming affair.

Please don't be obtuse, I think we all know fine what this means.

There is a big difference between a subpoena and a warrant. Glossing over that may be fine to you, but it's wrong and misleading.

Then politely correct him with that he probably meant subpoena. Your previous comment did not mention the word "subpoena" anywhere.

Btw, in my language there is no distinction between warrant and subpoena, both are just court orders.

Sometimes, but not in this context.

I honestly did not. All I knew is they couldn't have a warrant.

> If they DIDN'T do this, they would then be responsible for policing EVERY site they provide WhoisGuard for, and that would be ridiculous.

Why would that be ridiculous? If they can't make sure that their clients are legit, they shouldn't be in the business at all.

In fact domain name ownership shouldn't be private at all (in the same way that land ownership isn't private)

> If they can't make sure that their clients are legit, they shouldn't be in the business at all.

Banks are required to have Know Your Customer systems. Domain registrars, hardware stores, and grocery stores are not. Do you really want to extend this additional expense to all the businesses from which you buy?

I personally would want to see it extended in areas where fraud is common. I don't think grocery store fraud is very common, misleading domain names however are exceedingly common and a huge problem so I don't really see what the issue is with extending those expenses.

Mind you someone always has to pay these expenses when fraud occurs, they don't vanish and I would like to see it allocated in such a way that it gives an incentive to prevent fraud, not protecting it.

KYC laws in banking, to the extent that they even do anything anymore, were always for investigations of organized crime. They only work for large, high value targets. They discover that the mortgage on a mob restaurant is getting paid by some "Tony Johnson" so they freeze the account and see if "Tony Johnson" shows up to complain. If there is no such person or it's a stolen identity, you lose all the money in your account because there is nobody to show up and claim it. If there is such a person, now they're building a racketeering case and have somebody they can try to flip. It was never really useful for fraud.

The same thing in most other contexts is useless. There is no equivalent to "money in the account" to worry about losing so people will just use made up names or stolen identities with impunity, and the legal process for proving it's a stolen identity wouldn't reasonably be any easier than the existing legal process for having the domain seized whether or not you know who registered it.

Also, arbitrary foreign nationals can have domains. What do you even expect to do with the information that the domain was registered by Sergei from ScrewYouistan which has no extradition treaty?

>I personally would want it see extended in areas where fraud is common

Cool, how do you see it working on eBay?

Lots and lots of frauds are committed via the mail and telephone or email. Does your argument for KYC apply there?

Most registries have requirements that domain registrars must know their customers' identity.

Such requirements are not always enforced, especially by ICANN, and the punishment for failure is pretty rare. That could however change at any moment, and the consequences (beyond possible legal ones) would be that the registrar would lose accreditation.

By design, contact information is registered along with domains. One function of this is to allow people to report abuse of that domain to a webmaster, and ultimately to pursue action against the registrant if abuse continues. By allowing people to frustrate this resolution process Namecheap are serialising the abuse process through themselves, as they are now the only party with that formerly public information. So yes, I do think it would be appropriate in this case to extend the expense of policing domain abuse to Namecheap and other registrars who provide WHOIS privacy.

> Do you really want to extend this additional expense to all the businesses from which you buy?

No idea where you got hardware stores, grocery stores, and "all the business from which you buy" from. Read my comment again.

Domain name ownership should be public information, just like land ownership, and the ownership of media organisations.

Land ownership is no different than WhoisGuard. It is possible to own land via a company or other designated agents.

In the US you can find the legal owner(s) of any land parcel in any county in any state. Companies can be legal property owners of course...

And you can have more or less anonymous companies in US.

So ...

Companies aren't anonymous in the US. Corporations must have registered agents in each state in which the corporation is registered, the name and address of whom is public in order to facilitate service of process. LLCs in most states must include at least one member, manager, organizer, or authorized individual in the public filing, and even in states that don't require this, a bank will want it in the public paperwork before opening an account in the LLC's name.

A company must have a registered agent; that registered agent may not be the beneficial owner of the company and could be someone's attorney.

Obviously you’ve never registered a company in any state in the US.

> Domain name ownership should be public information


Ownership of land, legal entities, and domain names should be public information because that would be better for society.

EDIT (HN won't let me reply or post any more):

> Maybe they're exposing corruption or sharing information that powerful people don't want to have exposed.

Sure there are edge-cases where anonymity would be desirable, but they pale in comparison to the real harm done every day to regular people through anonymously registered domain names.

> because that would be better for society.

Citation Needed.

I can think of many legitimate reasons that a site owner might want to be anonymous. Maybe they're exposing corruption or sharing information that powerful people don't want to have exposed.

Maybe they have weird sex fetishes or are flat earthers etc. One has the right to be weird in certain contexts (swing clubs, flat earth rallies) and still have a public persona that’s professionally, politically etc valuable.

Can't we ever separate these reasons?

I totally agree that in some cases anonymity is good, useful, etc.

But creating phishing sites for Facebook is not that. There is no good reason to register the domain "facebo0k-login.com"

I get that it's difficult to work out if the domain is going to be used for a legit purpose, but surely that's easier to do at the point of registration than it is to police afterwards?

It takes a human about 2s to work out that "fuck-facebook.com" is a legit protest domain, while "facebo0k-support.com" is a phishing domain. It's not even about trademarks or ownership of the word "facebook", it's about the intent of the domain.

I think insisting on ownership information for a domain that looks like it could be used for phishing, while allowing "furries-r-us.com" to be anonymous would be a better system than we have now.

> I get that it's difficult to work out if the domain is going to be used for a legit purpose, but surely that's easier to do at the point of registration than it is to police afterwards?

How could it be easier? I could always start legitimate[1] and then switch later. Now, if you think about the context of "faceb00k.com is probably not legitimate" you get in all sort of discussions about what is okay, what is not okay, what is an edge case.

All these proposals bring us further into a domain where private persons/companies are deputized to rule what is okay under the law, because court processes take so long and are so complicated. It ignores that there is a reason they are long and complicated. We've learned the hard way what happens if they are not.

[1] For the sake of this post let's assume legitimate means 'okay under the law' and split away the question of morality

Yes, this is complex. I agree; so far we've been pretending it's not complicated, and that's not really working any more.

The law is based on moral decisions, so I think "splitting that away" is probably circular - eventually a law will be made to deal with an immoral situation. We might as well consider the morality now and save some time.

I think we should get into all sorts of discussions about what's OK, what's not OK, and what is an edge case. People should be held responsible for what happens on their domain. There should be a discussion about whether the potential registration of "faceb00k.com" is legitimate or not.

What if there was a jury of 12 random people who had to approve every domain registration, and also decide whether that domain registrant should be anonymous or not? Would that lead to better results than we have now?

> while "facebo0k-support.com" is a phishing domain

Q: What makes it "a phishing domain"?

A: It's when it's actually used for phishing, not when we glance at it and it just looks, well, "bad".

And to be honest, the actual cause of the harm to these people done every day, is not in fact the result of the lack of transparency in domain registration, but in fact the unwillingness of police in their local jurisdictions to go after criminals. A good example of this would be Jim Browning, who has offered information to police departments operating within India relating to scammers and... he has never got a response.

With all due respect, that's not an answer, that's just reiteration of the same statement with a "because it would be better". The answer to "why" is a rationale and yours so far is "bad people doing bad things so better somehow force business to make sure their clients are legit and make things transparent", which is a perfectly fine opinion, but devoid of any actual analysis. That's my interpretation, though, and my apologies if it's incorrect and not what you've meant - I don't intend to introduce a strawman here.

I would recommend actually analyzing the pros and cons. What are the benefits for the society, why they're real (not a snake oil/security theatre, where bad actors would be easily able to work around), and why they outweigh the harm from the negatives (e.g. the obvious privacy concerns).

This idea conflicts heavily with GDPR first of all. Secondly, why should that information be public? Does car ownership need to be publicly disclosed even though tons of car crashes happen every day? No, because the driver is liable, not the manufacturer, and the driver carries insurance to reduce cost of liability.

The real issue is enforcement. Namecheap should not be there as an arm of the law. Instead, the people BUYING the domains should be held accountable for their fraud.

This gets messy quick. How does Namecheap verify the validity of an individual? What constitutes a valid individual? What evidence is required to prove this to a registrar? How does Namecheap verify the legitimacy of intent for that domain? How does Namecheap keep up with every possible brand that may be subject to abuse? At what point does a brand become protected in a way that restricts the selling of similar domains?

For KYC in the financial world, answers exist to ALL of these questions. There is some inherent level of identity tied to your personal finances. These systems are built around a real identity that can be validated, so it's easy to apply. The same is not true for any internet service.

> For KYC in the financial world, answers exist to ALL of these questions

This might offend us IT types, but I'm not sure there's always just one answer.

Anecdote #1: I can walk into the local branch of my bank - where all the staff know me - and withdraw money from my account without showing any form of ID, telling them my account number, or even stating my name. They know me, I just have to sign the form.

Is that in the KYC regulations, or even the bank's SOPs?

It sure is handy.

> Anecdote #1: I can walk into the local branch of my bank - where all the staff know me - and withdraw money from my account without showing any form of ID, telling them my account number, or even stating my name. They know me, I just have to sign the form.

They shouldn't do that. I am not saying they don't but they shouldn't. And in this scenario, you've already established your real identity over time in order to open the account and regularly withdraw or deposit funds.

You didn't build this relationship in a day without any evidence of who you are. And then you are physically showing up, which is proof that you are the person they have been dealing with over the course of the relationship. You could have lied initially and established a lie over time, but that stuff happens in the KYC process as well. KYC isn't a perfect system and it's completely possible to 'lie'.

> Is that in the KYC regulations, or even the bank's SOPs?

I would bet that it is in the Bank SOPs to NOT do what you described. But, as a person that does a lot of compliance, it's inevitable that people will ignore SOPs or policy to some extent.

WHOIS data cannot be handled in this way as this would be a violation of GDPR.

> (in the same way that land ownership isn't private)

You can make land ownership private by holding it in certain entities. I personally don't think land ownership should be public anyway. Nor do I think home ownership should be public.

Maybe in your country, where corporations make the laws.

In most of the world, the ownership of "entities" is also public data. The privilege of being an entity is bestowed by the public through the state, and any status or license granted by the collective (the state) is and ought to be public information.

> In most of the world, the ownership of "entities" is also public data. The privilege of being an entity is bestowed by the public through the state, and any status or license granted by the collective (the state) is and ought to be public information.

Under that theory, bestowing the privilege of privacy doesn't seem any different to bestowing the privilege of being an entity.

So why should we do one but not the other? What are the trade-offs?

That seems like an attempted insult on the US but your comment is dishonest. There are a lot of layers to laws (Constitution, Congress, state's rights and their laws, local laws, etc).

What country are you from? I'd be interested to read up on any country that doesn't have corporate lobbyists or special interests involved in lawmaking.

Anyway for future reference, unless specified, most readers are going to assume you are referring to the US.

What happens in your country if a foreign company wants to buy some land?

Depends. Some countries ban homes, some agricultural land but other forms of investment might be available.

"If they can't make sure that their clients are legit, they shouldn't be in the business at all"

Really? Then why do we have courts, prosecutors, police and a whole shebang of associated entities. It is their job and they're being paid for it.

>ICANN has an established process for handling these types of disputes, and Facebook should avail themselves of that process. https://www.icann.org/resources/pages/help/dndr/udrp-en

Facebook wants information on the registrants. A quick skim of the link you provided suggests that the process only results in the domain being taken down, not information revealed.

>Under the policy, most types of trademark-based domain-name disputes must be resolved by agreement, court action, or arbitration before a registrar will cancel, suspend, or transfer a domain name.

If that is all Facebook is seeking in their suit, then I am fine with their lawsuit, and I am glad that Namecheap is holding out for a final, legal court order in a court of competent jurisdiction. Facebook's PR piece trying to paint Namecheap in a bad light is something I am not okay with. Namecheap is right not to give up this information without legal due process.


Would the registrar normally be sued here? I would have thought it'd be against a fictitious defendant, with a Doe subpoena used to find out their actual identity.

ICANN's process for taking down domains works, if sometimes slowly. It's not always great for preventing the next phishing domain from popping up three minutes later from the same attackers.

I can see both sides of this one. Namecheap is doing the right thing by protecting customer privacy, and Facebook reasonably wants to stop what is probably a well-organized and persistent phishing campaign aimed at their own customers.

Facebook could pay NameCheap a few bucks to attach an observer pattern to some registration watch filter and get real-time notification from some narrow scope of name patterns.

In the olden days one would make a 20 line Perl script w/a nasty regex that's forked off for every registration -- and bill on the value not time to code.

Is a more modern pattern too egregious? FB just send NC a filter table.

Other name sensitive watchers could be added too.

You can apply directly to the registry to get zone file access. There are also services which already do this and provide APIs, etc. No need to set up special relationships with registrars.

> must be resolved by agreement, court action, or arbitration

You can't bring someone to court over trademark infringement if you don't have their legal address.

Yes you can.

You file what's colloquially known as a "John Doe lawsuit", then serve a subpoena to a third party (such as Namecheap) to obtain that information. You then have the information to amend the pleading and proceed against that party.

"Agreement, court action and arbitration" - all three of those require knowing the identity or at least directly communicating with the other party to start the process.

Not necessarily. They explicitly mention filing an in rem action, which does not require knowing the identity of the domain registrant.

Didn’t they file that against Namecheap, not the registrants?

https://www.icann.org/resources/pages/approved-with-specs-20...

> Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible for providing its own full contact information and for providing and updating accurate technical and administrative contact information adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it discloses the current contact information provided by the licensee and the identity of the licensee within seven (7) days to a party providing the Registered Name Holder reasonable evidence of actionable harm.

I don't think that applies here. What this is saying is if Bob registers joe.com from Namecheap, and then licenses joe.com to Joe to use, then Bob is required to provide his own contact information to Namecheap, and Joe must provide contact information to Bob. Then if Bob is informed of wrongful use of the joe.com, he must hand over Joe's contact information, or be liable for the harm done. It says nothing about Namecheap's obligations.

But maybe it does apply. Isn't the registrant listed as WhoisGuard? So, shouldn't WhoisGuard be responsible for providing the contact information? Hence Facebook sued Namecheap. I think Namecheap is doing right, and I think Facebook is technically doing right, but they are talking up the action as Namecheap is evil and Facebook is good, which is nonsense. Honestly, what corporation puts up public notice they are suing someone? Anyone worth their salt waits until the outcome to talk about a court case.

That’s exactly how tools like WhoisGuard operate. They are registering the domain name and then subleasing (licensing) it to the entity who doesn’t want their information out there. By not sharing their client’s information upon a reasonable suspicion they have accepted contractual liability.

One applicable section is the requirements for registers that provide privacy proxies, and that has no specific requirements for when a registrar must hand over contact information.


Is it not enough that Facebook and Zuck tread all over their customers' privacy on their own platform? Now they want other companies to do it for them with their own customers as well. This is just another attack on privacy and due process in order to strong-arm companies that have services like WhoisGuard which is intended to protect millions of customers’ privacy.

I agree with everything you said, just a minor comment... Facebook users are not Facebook customers, they are the product. Facebook customers are all the companies which pay Facebook for advertisement.

This tired cliché is annoying enough when people use it in situation where it arguably has some explanatory power—a complaint about FB’s customer service, say.

It adds absolutely nothing to this discussion. Facebook has an interest in retaining users that is indistinguishable here from an interest to retain customers.

I struggle to come up with reasons that motivate the incessant regurgitation of memes such as this in online discussions. Sure, I chuckled the first time I saw it because it was novel and somewhat contrarian. But after the hundredth time it feels more like bad ML picking up on the wrong keywords.

> Facebook customers are all the companies which pay Facebook for advertisement.

I don't know about FB but there are companies who will sell the data of their paying customers as well.

Are you actually your username I wonder?

Same here. Namecheap customer with a few domains. Glad they aren't just rolling over. Even if they just asked FB to get a subpoena I'd be happy.

Me too, I'm also a Namecheap customer and have nothing but good things to say about them. This makes me like them even more.

If only FB were as professional with their customer's data as Namecheap...

"If only FB were as professional with their customer's data as Namecheap..."


Facebook customers are companies that pay for advertising. Billions of sheep, who signed up for the chance to see endless streams of cat pictures, are the product.

Same here. Shifted all my domains to Namecheap from GoDaddy. It was a breath of fresh air not being upsold to all the time, and not dealing with ridiculous renewal fees.

I did the exact same. I used to be a GoDaddy customer and had a bunch of domains with them. One day I cancelled some of them, but when I did this it didn't auto-cancel the associated services, as I expected, so they continued to charge me for whois guard, and some other services for domains I no longer owned after they expired.

GoDaddy are thieves. I'll never use them again.

As much as I like Namecheap, you can't really say they don't upsell. At least not anymore. Every domain purchase comes with the chance to register premium DNS, hosting, all sorts of guff

Registrars normally have terms of service that allow them to cancel domains at their own discretion.

Now here's a registrar that's made aware that the domains are used for a crime.

While I agree that registrars should not be tasked to proactively check and police domain content, it's a bit different to receive proof that a customer is doing criminal activities and to say you need a court order to do anything?

The handing out of personal data is a bit more sensitive, but I would assume FB is already involving the police in the process. Not to hand data to FB seems fine, not to hand data to the involved police force seems like you might be actively helping them to hide/keep the crime going (again, assuming that the scam/crime is obvious).

And I am sure if the police want the site taken down Namecheap will do it. FB asking for this data is ridiculous. Go through the process like anyone else.

I am glad that Namecheap is standing their ground protecting private whois data.

Effective strategy on the part of facebook. Namecheap can either decide to spend untold sums and fight this (and let's see the amount and how that goes) or they can turn over the info and move on. No legitimate customer of namecheap that isn't phishing is going to take this as anything important to them and importantly even if they even know it's happening.

I don't get all of this rah rah.

My question for you (the OP) is how many domains do you have with namecheap? And how many customers like you do you think make up their business?

Nobody is filing a lawsuit to uncover whois privacy info trivially unless the reason makes sense (on the end of the person wanting the info).

I have several, but not as many as I have had registered either for myself or customers in the past. I will probably have more in the future.

I am fine with Facebook filing a suit in a court of competent jurisdiction to get this information. However, they don't state what they are seeking in their post. Further, they attack Namecheap as if Namecheap were doing something wrong.

I don't expect Namecheap to spend a fortune fighting this- but I would like to see due process followed. If a proper court of competent jurisdiction rules that Namecheap has to reveal the identity of the domain owners, and there are no bounds for appeal, and Namecheap does, that is an acceptable legal outcome.

The problem is Facebook trying to paint Namecheap as being in the wrong here, when it appears that they are doing the right thing.

Same here. This is a huge endorsement of Namecheap as far as I'm concerned.

They do not have any obligation. Facebook is not an authority and they can only request that information via normal means. The fact that they claim that the other company has any obligation just points out how obnoxious and entitled they have become.

In my experience, namecheap takes care of issues when you report them but they do not prevent on-going issues. They let you play a game of whack-a-mole, where scammers can buy domains faster than those domains can be taken down.

You're not their customer. You're actually trying to harm some of their customers, so it's difficult to imagine why they'd do anything to help you, absent some sort of legal obligation.

I guess ethics and good faith do not matter then. If your business is selling mostly to scammers then what does that make you?

I'm saying that namecheap is unethical. You are right, I'm not their customer and never will be. If it was easy to spam block every single domain ever sold by namecheap then I would do that.

> If your business is selling mostly to scammers then what does that make you?

Not even Facebook claims that Namecheap sells "mostly to scammers".

There isn't even a question over which of these two firms helps scammers more or harms society more. Facebook wins all of those contests. They're, like, Vladimir Putin's favorite! If any online service should have to follow the law and actually litigate each instance of such allegations of "cyber-squatting" in court, it is certainly Facebook.

I just registered a domain with namecheap a few weeks ago and it definitely came up as something they didn't want to give me. It was close to another trademark name. I had to agree to accept the risk. I looked it up, and they are in a different business (and the names are really that close to a human, just to an algorithm). So I accepted the risk.

So FB can't claim they ignore this stuff. They seem to be making a good-faith effort to prevent this kind of fraud.

>As a Namecheap customer, I am glad that they aren't giving up their customers privacy.

Namecheap has been on the good side for the most part, at least compared to GoDaddy. I find it unfortunate that they have "Cheap" in their name, which sort of gives a slight negative impression in terms of quality.

For me it's the opposite, the name tells me their prices are cheap, which they are.

Facebook's press release is a classic PR whitewash to rebrand Facebook by POSITIONING it as the FIRST brand that is fighting for users' privacy.

> As a Namecheap customer, I'm glad that they aren't giving up their customers privacy.

This is how we in the community of HN and engineers see it, but not how the average non-technical person sees it.

I'm a hacker who worked in PR and advertising; I worked on media monitoring; I drafted many press releases like this and worked on PR campaigns for P&G, LG and Unilever and other global brands.

Here is what I learned: every time I read a stupid press release like this, I ask which audience is this company targeting? And why?

To read this differently, think of the target audience. Who is Facebook targeting with this press release? Clearly, Facebook is not targeting the community of HN, or tech, evident by the number of people saying Facebook shouldn't sue Namecheap.

Facebook is targeting the average person. Facebook is whitewashing/managing its PR crisis of privacy invasion by establishing itself as the FIRST tech leader who is fighting for people's privacy.

Like it or not, Facebook is the only one in the tech industry who is doing it and is being loud... underscore being loud. No other tech giant is fighting to be the leader in protecting users' privacy and is being loud. I'm not talking about non-profits. I'm talking about Apple, Google, Amazon, Facebook.

Just read these poetic lines from the press release: "We don't want people to be deceived by these web addresses, so we've taken legal action. We filed a similar lawsuit in October 2019 against OnlineNIC, another domain registrar, and its proxy service. Our goal is to create consequences for those who seek to do harm and we will continue to take legal action to protect people from domain name fraud and abuse."

Facebook is taking the initiative of fighting for users' privacy, and it doesn't matter whether they are truthful or deceptive. What matters is that they are the first.

We only remember the first.

"The easy way to get into a person’s mind is to be first. If you can’t be first, then you must find a way to position yourself against the product, the politician, the person who did get there first. What’s the name of the first person to fly solo across the North Atlantic? Charles Lindbergh, right? Now, what’s the name of the second person to fly solo across the North Atlantic? Not so easy to answer, is it? What’s the name of the first person to walk on the moon? Neil Armstrong, of course. What’s the name of the second? What’s the name of the highest mountain in the world? Mount Everest in the Himalayas, right? What’s the name of the second highest mountain in the world? What’s the name of the first person you ever made love with? What’s the name of the second? The first person, the first mountain, the first company to occupy the position in the mind is going to be awfully hard to dislodge. Kodak in photography, Kleenex in tissue, Xerox in plain-paper copiers, Hertz in rent-a-cars, Coca in cola, General in electric. The first thing you need to “fix your message indelibly in the mind” is not a message at all."

Ries, Al. Positioning: The Battle for Your Mind

Lawsuits don't always mean monetary damages are sought. It could be an injunction (do this thing or stop doing that thing) or forced turnover of data.

You're glad Namecheap is protecting the registrant of "whatsappdownload.site"?

They're glad that Facebook isn't being handed information just because they're a big company. Want private registrant info? Get a subpoena. It should be very easy if you have a legit reason.

In cases like the example mentioned, this is clearly a malicious entity. I don't agree that "get a subpoena" is the right response, some judgement should be applied to cases where someone is clearly using your service to do harm.

I'm pretty happy with "judgement" being a thing that courts do and not a thing unqualified call center drones do.

> some judgement should be applied to cases where someone is clearly using your service to do harm

This is Facebook's argument essentially. But who decides that it is "clearly" doing harm? Should Facebook have the power to just tear domains away from their owners at their sole discretion? Should Namecheap be deciding if they break their privacy contract (the entire WHOISGUARD product that they offer) because a domain sounds too close to another company's product? Why should Facebook (or Namecheap) have the power to solely make decisions on this matter? Why do they get to "play god"?

These types of Copyright or Trademark issues have a proper and appropriate channel for handling these disputes. Facebook should be using the APPROPRIATE channels (ie the Judicial system) to handle this. The courts could issue a subpoena to Namecheap and Namecheap can take it down or hand over the information or whatever a judge decides should be done. But a sworn judge is the one that should be making these decisions, not a private company. This is where Namecheap is right in its stance and Facebook is wrong. Facebook is big and has lots of money, but that doesn't allow them to circumvent the Justice system. We swear in Judges to handle things like this. The judge can decide if this is "clearly" a violation or not. The judge will also help decide on the gray cases as well. The Judge will look at the facts of each case individually and help to protect Facebook's copyrights and trademarks while also protecting the rights of the citizen that owns the domain in question. He is the impartial authority that is trained and authorized to make these decisions.

Namecheap is doing it right, and this makes me very happy to be registering domains through them. I am happy that they don't buckle to the pressure of a big scary corporation. Facebook is once again proving that they are not a good internet citizen. Another reason the world would be better if they disappeared. Facebook isn't above the rest of us, or our governmental processes. The fact that they think they are is reason enough to never trust them with your data.

And in cases that aren't so clear? One of the three cited in the press release was instagrambusinesshelp.com - that doesn't sound remotely malicious to me.

Still a likely trademark violation. But yes, not something Namecheap should decide.

That's literally what they're doing?

Yeah and that's why they're happy.

Yes. I'm fine with Namecheap taking the domain down. Handing information like that just because they ask for it? That's a huge no. Let them proceed through the legal channels to get that information.

Yeah, we have a process for this. I realize that FB thinks laws don't apply to them, but they do, or maybe will at some point?

A lawsuit is exactly that process.

Sort of. But not this lawsuit.

Facebook is suing Namecheap because Namecheap is not handing over the information just because Facebook asked them to. Facebook decided that the domain should be taken down and expected Namecheap to just do what Facebook said. Namecheap refused. That is why Facebook is suing them.

What Facebook should do is file a trademark dispute against the domain owner. Then a judge will look at the case, decide if Facebook has been wronged, and if so, the judge will ask Namecheap for the domain owner's information, at which point Namecheap would then be expected to (and not wrong for doing so) hand over the information to the judge. The court system will handle the rest. That is why we have these court systems. I know Facebook is confused and thinks they are above the government, but that is why it is good for Namecheap to remind them of that.

Traditionally site owners are either public or can be requested in a 7 day span by showing clear harm.

Otherwise the liability falls to Namecheap. Presumably Facebook's motivation for actually suing is to prevent name registrars from protecting obvious scammers for profit.

Not sure how I feel about this, site owners who act in good faith clearly should be able to stay private. On the other hand, scammers can open sites much more quickly than they can reasonably be sued. Most businesses try to keep scammers from obtaining similar domains, having to sue each time to take a page down could make this infeasible for smaller ones.

They don't know the owner though, because Namecheap won't tell them, presumably without FB obtaining a court order in some way.

The court order is that a judge rules there has been trademark infringement and asks namecheap to take it down. If facebook would like to pursue suing for infringement then, they get another injunction with a court order, and the judge asks namecheap for the name associated with the infringement.

I worked for a European domain registrar a few years ago.

An obviously malicious site like "whatsappdownload.site" would be taken offline very quickly, but under no circumstances could we give non-public subscriber information to a third party without a warrant.

> You're glad Namecheap is protecting the registrant of "whatsappdownload.site"?

In most cases I've seen, registrant data would either be fake, the result of identity theft, or an innocent customer's whose account got hacked.

Yes. I don't want Namecheap stepping in to judge how I use my domains- I want a court of competent jurisdiction to make those determinations. There is an appropriate process for these issues.

It seems that the appropriate process for this issue would be suing the registered owner of these domains (Whoisguard), which is what they're doing now - and a court of competent jurisdiction will be ruling on it.

Facebook doesn't say exactly what they are seeking, but that is one possibility. However, this PR piece seems to be accusing Namecheap of doing wrong- and it appears that Namecheap is entirely in the right. If all Facebook was doing was seeking control of the domain name, and they didn't make this accusatory post, I would agree that they were following the proper process.

Yes. I want Namecheap to protect my privacy. When they show they're even willing to protect the privacy of a low-reputation actor, it proves to me that they are likely to protect my privacy as well.

It's the same reason I'm glad that HTTPS and SSL protect the registrant of whatsappdownload.site.

I have the same sentiment, I'm glad it's not automated.

First they came for faceb0ok.com and I did not speak out

It’s about there already being a process for this, and not being cool with Facebook using lawyers to do it.

For what it's worth, the problem with that process is that it creates an uneven burden. Any scammer with 10 bucks can create a misleading domain. This happened to us when some scammers created "autostempest.com" to mimic our car search site, autotempest.com. They put fake listings up and scammed many people out of tens of thousands of dollars. Our only legal recourse was a UDRP claim (short of suing namecheap, which would have been even more expensive), but that would have cost about $2000 because you need to go through a registered provider—and these are private companies, which take advantage of this regulatory oligopoly.

Now, $2000 would be worth it to shut down a scammer like that, except nothing stops them from simply ignoring the UDRP claim and once their domain is shut down, they can register autotempests.com or something for another 10 bucks. (They actually did end up registering autostempestgroup.com and several others.)

On the other hand, if you could simply go to the registrar, show clear evidence of the very obvious infringement, and have them shut down the domain, perhaps it would actually be feasible to put a dent in that kind of scam.

I do understand the concern of having a private company like Namecheap be the judge in these matters, but I'm not sure it's as black and white as that. I could see a system working where they do take unilateral action on obvious cases (autostempest, whatsappdownload.com, faceb00k, etc.), but require the formal process for less clear cases.

I understand this complaint. But Facebook attacking Namecheap in a public post for doing the right thing is the wrong way to go about changing the system. They should instead petition ICANN and/or their political rulers to change the process.

So here's the trouble with "it's obvious":


"Slütsof In Stagram", naturally, what did you expect? See also "Whöresof In Stagrâm" at similar URL.

Yes, someone tried to register SlutsOfInstagram.com and WhoresOfInstagram.com and when Facebook/Instagram objected, they turned the sites into something else entirely.

The point being that you can't really tell anything from the name.

But then you can't really tell anything from the content either, because if there is phishing content the first thing the registrant will claim is that they've been hacked. Which is hardly uncommon in that context. So then you need someone to make a judgement call. Which is what courts are for.

If there's a combination, it's very obvious. To use my personal example again, the domain was autostempest.com, and they had copied our logo directly, and created a car listings site. It would be trivial to see that we were using the name and logo first.

Going to court just wasn't an option. For one thing, we couldn't even identify the people behind these sites without first going to court against namecheap. And after all that effort and expense, it's entirely possible they'd registered the domain with fake info and the effort would have been wasted. Even the UDRP option was not cost effective, because nothing would stop the scammers from opening a new fake domain. What we eventually did that worked was find a "CSIRT" company that would use its private connections to hosting providers to, for a fee, get offending content taken down. So, that's the kind of thing the status quo is incentivizing. Hardly better than if there was a takedown process available through namecheap, it seems.

That said, you'd certainly want to avoid the situation with Youtube, where the power is swung all the way in the other direction, so creators have almost no recourse when purported rights holders issue a claim.

I used to work for a company that offered brand-protection services. The customer would grant my old employer power of attorney to send C&D letters and file takedown lawsuits on their behalf, and we would do all the monitoring and brand-defense work, then send a report to the customer justifying the exorbitant fees.

Maintaining a trademark costs time and money. You can save money by doing the work yourself, or by using backchannels, as you mentioned. You can save time by hiring someone to do the tedious work for you. Even a single-partner specialist law firm should have boilerplate templates on hand for taking down an infringing website fast, using regular channels. I imagine that most of the cases result in no answer from the main defendant and default judgment that orders the registrar to transfer the domain to the plaintiff, who can then blackhole it or redirect to the genuine site.

A higher-service firm will also proactively scour the Internet for threats to your brand--at a higher price, of course.

I would not recommend my former employer for this, as they got bought out, and the new owner arbitrarily fired the entire development team.

> To use my personal example again, the domain was autostempest.com

So then they claim their company is called Auto Stem Pest in the business of selling automatic pest control devices, and their website had your logo on it "temporarily" because it had been compromised by third party malicious hackers.

Somebody has to decide whether that story is a load of BS. But it's a thing that could realistically have happened, and Namecheap has neither the resources nor the qualifications to stand in judgement.

> Going to court just wasn't an option. For one thing, we couldn't even identify the people behind these sites without first going to court against namecheap. And after all that effort and expense, it's entirely possible they'd registered the domain with fake info and the effort would have been wasted.

The thing is, that's what happens anyway. Most of the people doing this are in countries that just don't care. Having their names generally won't do you any good.

> Even the UDRP option was not cost effective, because nothing would stop the scammers from opening a new fake domain.

Which points to domains being a bad point of attack to go after them. It's like trying to catch cat burglars by maligning department stores that sell gloves. It's just not a useful place to apply pressure.

For fraudsters in a friendly jurisdiction, courts work, because the process is a pain in the butt but at the end of it they go to jail which is a large enough deterrent that it mostly stops them to begin with.

When they're in an antagonistic jurisdiction (which is most common), the law can't help you, because it isn't your law that applies. At that point you're down to technical and market solutions, like the one you found.

Well, part of the appropriate process may involve lawyers- but they do not appear to be following the process properly, and this PR stunt is absurd.

> there already being a process for this

It's not clear at all what the process is. Can you elaborate?


Yup, more so with GDPR. It is nobody's business who's behind a domain. Authorities can of course figure it out (with subpoena, as it should be) should the need arise.

Yes. Do you know what content was on there? Scam/malware? Critical reporting on facebook's business processes? A parody site making fun of whatsapp? A redirect to Signal?

At least two of the 4 examples I gave are perfectly legal even under trademark and/or copyright law. And 3 are non-malicious

Look up cybersquatting laws in the US, fb can just take over the domains.

This doesn’t scale to companies that, unlike Facebook, can’t afford the ongoing associated costs.

> Our goal is to create consequences for those who seek to do harm

Rich coming from FB.

On the one hand, scam sites should be stopped, on the other, I am not sure we should let companies wantonly decide which domains other people register are bad.

I can't even tell what the legality of this is. What does facebook even sue for, trademark infringement? Or is it fraud related which I would assume they'd go to the courts for. If namecheap is breaking the law, then the justice system should be involved, otherwise it's namecheap rolling over anytime facebook decides to sue them for anything they want.

And yet they are happy to keep running ads for obvious Shopify scam sites that offer insane spec computers for $199 (where the GPU offered alone costs twice that) or an entire electric branded toolkit for $89.

People selling dropshipped items for 500 percent markup are the bane of e-commerce for me right now.

I always end up finding the same item on aliexpress and then just dropping the item entirely coz it's gonna be low quality and have no customer support.

I've made a game out of it, anytime I see an ad (and have some free time) for a "revolutionary" product or one that is obviously too good to be true I go searching for it on Amazon/Aliexpress. Often I can find a handful of versions on Amazon alone for half the price and/or terrible reviews.

Honestly I've been happy with 90% of what I get on AliExpress and it's rare to spend more than $10 on whatever it is anyway. I've saved many hundreds of dollars over buying from Amazon (often anyway from twice to ten times as expensive).

For the stuff that sucks, I throw it in the trash and move on with my life. It's usually only a few dollars.

You buy garbage? Like you literally buy stuff and just throw it away?

Got some items as examples? How do you know the item on AliExpress is the same thing as what's on Amazon?

In the meantime, Facebook claims it is unable to verify political ads for truth.

That is indeed partly impossible to do, one thing they should improve is checking that the one buying ads is actually affiliated with the politician/party in the ad.

I think that is a problem with ads in general. Most of them are generally designed to mislead.

> I am not sure we should let companies wantonly decide which domains other people register are bad

Isn't this the point of the legal process that FB is doing? FB aren't the ones to decide whether a domain is bad or not, it's down to the judge.

Seems like a lawsuit is the exact legal method that should be used to uncover the names that Facebook is seeking. As a Namecheap user who also sometimes uses whoisguard, I would expect Namecheap NOT to turn over any information until required to do so by a subpoena signed by a judge. There is probably no other way to get one than to file a suit and ask a judge for it.

I am fine with Facebook petitioning a court of competent jurisdiction and following legal due process to stop phishing activity. I am glad that Namecheap is not giving up this information without a proper court order. I am not happy with Facebook making this PR release trying to paint Namecheap in a bad light because they are standing up for privacy. This PR release is completely unnecessary if Facebook's intentions were simply to stop the phishing attacks.

While I'm happy that Namecheap won't reveal the names, I'm not happy that these kind of website names can not just be registered but also kept running for years.

Again, that's how it's supposed to work though. If I pay for 10 years for my domain name, I don't want it to stop working because evilCorp makes a request to take it over (for whatever reason). If I am ruining the internet with a nefarious use of my domain, then it should be easy enough to prove to a valid court, and then there should be a legit way to take over control. It shouldn't be impossible, but it shouldn't be a cake walk either.

A court from what country?

Whichever country the registrar associated with that domain is currently in?

Indeed, it's a difficult question. But we should rather be asking, why isn't there better cooperation to catch cyber-criminals across borders?

Maybe because some governments are directly involved in the cyber crime?

Some? More like basically all.

What's a crime in my country is not necessarily a crime in yours. And international law without extradition backing it is at best a suggestion.

Absolutely, especially in terms of copyright and liability (of open computer systems, e.g. Germany's open WiFi nonsense).

But in some cases good enough proof of unauthorised compromise of computer systems can be collected, in those cases, why isn't there any cooperation? E.g. botnet makers.

What type of heuristic can capture "these kind of website names"? There are too many possibilities.

Some companies have registered misspellings and openly hostile domain names similar to their trademark, but it's hard to consider all permutations e.g. https://bankofamericasucks.com redirects to Coin Wallet.

Trademark law, as far as I understand, is to prevent customer confusion. Customers should be able to trust their intuition on who made a given product.

Misspellings should be covered. But hostile uses should not.

Please define "hostile uses" in a way that can be interpreted by law enforcement and the courts.

If I register "facebook-sucks.com" and put a disclaimer that facebook is a registered trademark of Facebook Inc etc etc then I'm not attempting to confuse customers of facebook (btw, do "users" of facebook = "customers" of facebook?).

Therefore there is no trademark infringement and no cause for me to cease and desist.

That's different to registering "faceb00k.com" and trying to pass my site off as being facebook. That's exactly what trademark rights are there to protect. It's not the registering of the domain that is the infringement, it's the attempt to pass off my site as being facebook's. In that case, a court can order me to take down my content, and if "me" is not identifiable, then they can order my hosting provider to do the same.

Facebook itself has numerous different domains registered and it's not known that some of them are facebook's registrations.

What goes under “hostile uses”? Would people be confused if I made “facebook-sucks.com”? Because if you let something like this through, Facebook has an incentive to go after things like that…

I did a bit of research on this when I started killedbygoogle.com . It’s fine to use a trademark when it is being used for criticism, parody, or other creative work. It’s not okay to use for impersonation, fraud, or other commercial purposes that mislead consumers to believe an endorsement or association with the trademark’s owner.

Trademark law is to prevent "damage" to brands, not protect customers. If a system was in place to protect the customers, it would be the customers who were deceived that sue and receive compensation, not the company owning the trademark.

> This PR release is completely unnecessary if Facebook's intentions were simply to stop the phishing attacks.

That's not their goal at all (obviously).

This is at best tangentially related, but I once had a business model where I asked people to send me a friend request on Facebook. Rather than give them the FB URL directly, I registered [name]onfacebook.com and just had that on the card they received. All the domain did was redirect to my profile. No interstitial, the URL was replaced on redirect, literally just so I could say "[name] on facebook dot com" and have it be easy to remember.

Less than a week later I received a nastygram from FB legal about protecting their copyright and that they expected me to shut the domain down immediately.

Judging by the comments here, they are doing good publicity for Namecheap.

I expect the people who post on HN to be representative of people who buy domain names. So while it may be bad publicity for the general public, it doesn't really matter if potential customers see it as a good thing.

Question: If what the domain name holders are doing is illegal (presumably phishing for secrets; which is probably against some sort of misdirection or scam laws) why is Facebook doing the suing? Why aren’t police departments or federal investigation units the ones asking judges for subpoenas and going after the actual criminals?

It feels like an unnecessary and possibly harmful step for a non-victim private company to be suing another non-criminal private company so they can get these criminals to justice.

It sounds like the fraudulent domains are foremost a trademark infringement.

The fact that the domains are used for phishing or to perpetrate criminal acts is a secondary matter that adds gravitas to Facebook's public presentation of why they are suing Namecheap.

The infringing parties are those that register the domains using Whoisguard, and Namecheap is a non-party witness to the infringement.

So, serving Namecheap a subpoena, and then suing them for compliance after they neglect to respond to the subpoena is apparently a normal method for getting information from an uncooperative non-party witness in a civil legal proceeding.

Presumably, once they are successful in their lawsuit and have the names of the individuals responsible for the domain names, they will hand the evidence over to the police for investigation of criminal acts such as wire-fraud etc.


Quite typical that the crime being investigated is a petty trademark infringement, while there are real victims whose privacy and dignity is violated by these scammers.

It indeed disgusts me that as a society of laws we go after violent criminals, not because they violate real victims, but because they infringe on a trademark of a multi-billion dollar company.

I'm no expert, but as I understand things the cops don't give a shit. Like if you witness someone speeding, or if someone steals your bicycle.

They'll take a report if you want, but there are only so many detectives. And these internet crimes need so many special skills and cross jurisdictional lines so easily...

We could establish a specialist police unit with the skills and funding levels needed to go after crimes against Facebook. Facebook might even be willing to help with funding and training, and doubtless big copyright holders would also be interested. Personally I don't think that would be a step in the right direction though.

But violent crime is down over the last 30-years, seems to be more cops employed and less petty crime laws being enforced. Doesn’t quite make sense but I often hear this excuse.

I think we need to start thinking about scammers as violent criminals. Victims of scammers do feel extremely violated after the fact. They lose not only valuables, but also their dignity and their sense of security. Scamming is indeed a violent crime that causes significant harm to the victim.

I also get the sense that there is still a lot of victim blaming when it comes to scamming. This also has to change. Victims of scams have not done anything wrong. The criminals that scam other people are fully to blame for their crimes, and they need to be brought to justice for their violent behaviour.

Can't just change the definition of violent. Agree that the crime is much more serious than it looks on the surface. There's probably a perfect word. Predatory?

Violence is already really loosely defined (e.g. violence seems to be done up the social hierarchy; e.g. a state is not considered violent if they deport a refugee, while a protestor is considered violent if they block traffic). But even in this loose definition scammers fit perfectly as being violent criminals. They intentionally cause significant harm to their victims with their actions.

A lot of definitions put a physical qualifier, but that is not how the term is used by English speakers, e.g. bullying or psychological tormenting, is violent even though it is only verbal.

> vi·o·lence | ˈvī(ə)ləns | noun

> behavior involving physical force intended to hurt, damage, or kill someone or something.

In every definition, violence requires physical force. Nobody calls psychological abuse violence, they call it "gaslighting" or "bullying" or "emotional trauma".

I would argue that violence also includes "threats of physical force being applied," which is in many places the bar for aggression.

If there can be violent threats, then there can be emotional violence.

Sure, but that is different from physical violence or threat of physical violence. Not to mean it is inherently less serious, but I would argue that they need to be treated as part of different categories.

I would also argue that emotional and psychological abuse should be considered a serious crime, but I am not convinced that conflating it with violence is appropriate.

I realize that my categories leave a blind spot for more subtle methods of bullying, especially in intrinsically violence-free cases like cyber-bullying or "intense-gossiping" which can be seriously damaging.

Still I do not think that classifying that as violence in and of itself is an appropriate solution.

I don’t personally think it is helpful to make a distinction between physical and non-physical violence. Harm is severe in either case, and there is an obvious victim and an obvious perpetrator that needs to be brought to justice in either case.

Sure different forms of violence do vary in severity, but finding a new name for a type of violence that is done remotely and causes a different kind of harm both undermines and complicates the term “violence” and gives discount to some forms of violence by not labeling them as such.

> an obvious victim and an obvious perpetrator that needs to be brought to justice in either case.

Here I don't agree.

> Sure different forms of violence do vary in severity,

Also this is not the point. Emotional violence can be definitely worse than physical violence, I am not ranking them.

I am often bad at analogies, but I will try making one anyway.

When driving you are held to a concept of strict liability; if you cause an accident it is your fault; every time you sit in a vehicle you silently agree that every damage caused by your car will be (by default, but can be proven otherwise) your responsibility.

This is not the case when walking; if you push someone down the stairs because of a sneeze it is not manslaughter, it is manslaughter if you drive over a passerby because of that same sneeze.

Quite few things are considered in the context of strict liability, in general to be responsible of a damage the burden of proof is much higher.

Similarly physical and non-physical violence are held to different contexts; if I punch you then I am at fault a priori (there can be enough context to subvert this) and the reason is that I am expected to understand that punching you will cause damage (this is why accidental deaths in a fight can incur manslaughter charges).

Threats of psychological violence should be a crime, the same as other kinds of threats. On the other hand, with psychological violence there is no bright red line that can be as clearly crossed or not. It is much harder to argue that the abuser was conscious of the damage, or that the damage was done maliciously, or that the abuser should be held responsible for it.

It is not a matter of severity, it is just that one case of violence is significantly harder to judge fairly.

PS: > if there can be violent threats, then there can be emotional violence.

I made a small formatting mistake, the sentence

> threats of psychological violence should be a crime, the same as other kinds of threats.

should be after the last line.

Both local police and the FBI rarely care about fraud or scams. Most local fraud seems to be caught by individuals hiring private investigators that are former law enforcement. And even then, the punishment to the con-artist is often 1-2 years.

It’s even worse if you use a credit card, get skimmed, have money stolen from you then your credit card company tries to deny your claim. Nowhere in this situation are there police going to the ATM to view the video surveillance of who stole your money.

Most law enforcement seems to rely on identity fraudsters being high on drugs in cheap hotels and being caught with hardware / stolen cards etc etc.

Are more cops employed? In the UK at least police numbers were cut drastically. One of the many hilarious pledges of the newly elected Tory government of the UK is that they'd hire lots of extra police to fix problems that some might argue were caused by the er... Tory government which had cut police numbers...

They are too busy going after victimless crimes.

It should be a lawsuit against the unnamed clients, rather than the hosting provider itself. Namecheap is a third party here imo, but there is plenty of precedent and process in using a lawsuit to compel third parties to provide information via subpoena.

I would agree, but I don't understand why Facebook would file a lawsuit against Namecheap. I would have thought they'd file a lawsuit against John Does (the owners of the domains) and obtain an order from the Judge to compel Namecheap to reveal the names of the John Does.

Then again I haven't seen the court filings so maybe that's exactly what they did and Namecheap is just mentioned as an additional defendant.

Either way, I would also expect Namecheap not to reveal anything unless they are compelled to by court order or another legal obligation.

For what it’s worth, I reported dozens of domains used in phishing scams to Namecheap and their support could not possibly give less of a crap. I reported about 26 domains used in SMS scams in Australia and Namecheap refused to action more than one domain. As far as I’m aware, the remaining 25 or so are still active.

Their chat support is unable to take spam complaints and instead directs you to their “Legal & Abuse Department” based in Eastern Europe. And what you get is basically what you’d expect from an underpaid, disgruntled level one IT support.

You should report illegal activities to the authorities, not companies.

I wouldn't expect Namecheap, a low cost registrar with "cheap" in its name, to have the legal resources to investigate or make a conclusion for each accusation that comes their way for one of their 10 million domain names.

As with everything internet related, I think there's a vast misunderstanding of scale, and difficulty in automation (domains sniping!), for what they're facing.

I also wouldn't expect them to hand out information to anyone that asks for it, especially a large company known for misusing any information they can get their hands on, without a subpoena.

I think the real solution would have to come from a third party group(s) that could collect, monitor, and produce high quality reports, with a high level of accuracy, that all of these registrars could use. Who would fund these groups? Probably whoever gains/loses less from the phishing scams being terminated.

> I wouldn't expect Namecheap, a low cost registrar with "cheap" in its name, to have the legal resources to investigate or make a conclusion for each accusation that comes their way for one of their 10 million domain names.

Exactly. And if they _did_ I'd be just as concerned that they're now allowing a vector to take domains down.

Balancing the two is difficult..

Actually, if it violates their tos they should normally appreciate the report and take action on it.

Of course, but how would they know? The vector I refer to is my ability to create "evidence" and report you to their customer service.

E.g., I'd wager the GGP comment who reported 26 domains did so in a manner that would be fairly easy to fake. So what is the requirement of reports? Too loose and it's easy to fake, too strict and it becomes too difficult to report _(or too costly to verify)_.

Every domain had the same content, was styled in the same format (something like a28d92.com, then b28d92.com...) and all were acting as redirection platforms for phishing sites and all were registered on the same day.

It wasn't hard to verify or easy to fake, or loose. Namecheap's legal/abuse department are just completely incompetent/don't care about their own TOS.

Has anyone tried maintaining a blacklist of sites or some kind of fuzzy domain resolver as a paid extension for businesses?

Like this one?


I am sure there are other examples not in cahoots with the Russian government.

There's a lot more regulation and guidance around taking down a phishing site at the domain level, rather than at the provider level. (E.g. Hosting company, CloudFlare and other DNS providers, etc.) If I remember correctly, ICANN requires takedowns to be either compelled by law enforcement, or done through the UDRP[1], whereas the providers themselves are typically more able to quickly respond to abuse. In addition, phishing domains are typically short lived, as once they're flagged by Google Safe Browsing[2] and the like, they're essentially worthless to the ne'er-do-wells that purchase them, regardless of if they're actually taken down.

[1]: http://www.icann.org/en/dndr/udrp/policy.htm

[2]: https://safebrowsing.google.com/

This is not correct. It is not their job to police the internet.

The analogy is more like writing a messaging app then being asked to revoke access to someone because they are texting while driving.

Not attempting to excuse their lack of action, but there are cases where it's somewhat understandable why a registrar may not take action. For instance, if the only service they're actually providing is registration, the domain belongs to a long time customer, and they aren't hosting the site or dns, they're only left with one very blunt action they can take. It's frustrating for sure, but registrars are very hesitant to take such harsh action on long-standing customers.

In that example the domain is likely compromised though, so you need to be reporting to all the hosting providers involved as well and not just the registrar.

Why would they care at all? They are a domain registrar that's it. Not their place or responsibility to police domains.

This probably comes down to narrowing the number of people who can take action on these requests, as per the potential abuse that could come from taking action on invalid requests.

Is it not enough that Facebook and Zuck tread all over their customers' privacy on their own platform? Now they want other companies to do it for them with their own customers as well.

This is just another attack on privacy and due process in order to strong arm companies that have services like WhoisGuard which is intended to protect millions of customers’ privacy.

Can you explain how using the court system to get what they want is an attack on due process?

(My personal perspective on this, to help you understand the tone I'm using, is that NameCheap is doing the Right Thing by not cooperating without a subpoena, and Facebook is doing the Right Thing by protecting their users from phishing attacks by shutting down the attackers, and the court will do the Right Thing by arbitrating within the context of the laws.)

^ Namecheap CEO

Can you explain the legal details of what's happening here? Whose responsibility is it to deal with domains that are potentially dangerous, what exactly is facebook suing you for? What rule are they talking about when they say you're supposed to provide the WhoisGuard information (someone else mentioned that's only for government requests)?

I've also seen some complaints by other people here that there are some namecheap domains that are sometimes scammy and namecheap sometimes deals with them and other times they don't (based on user comments here). Can you clarify if namecheap does indeed take action and if so, why they haven't here?

Also in the future, you might want to sign off at the end of the comment since it's really easy to ignore the username as it's grayed out. And FWIW, great job with namecheap, I've had a really good experience with it.

FWIW, a username like "NamecheapCEO" does not inspire confidence in its authenticity.

I mean, FB is trying to stop phishing here, and it doesn't seem like your company is cooperating with FB's investigation. A lawsuit seems like what they had to do to get you to take action here.

Why do you want to take money from criminals, in exchange for helping them to do criminal activity? From a risk management perspective, you should very much not want these customers.

Does this mean I can sue Facebook because, despite my (unreasonable) demands they stop showing me fake news and ads for crypto-mining mobile games that pretend to be affiliated with legitimate news sources or the games they're knocking off, they haven't stopped?

I think that's a pretty comparable analogy because in both cases, a party is being unreasonably expected to police third-party content provided through their platform/business, or else be sued for failing to do something completely infeasible.

You can (almost) do whatever you want, when you have enough money for it.

Couldn't fb's users start a kind of grouped judicial procedure? A "class action"? (I'm not a lawyer and not American)

There's most likely an arbitration clause to try and stop that in the EULA. Depending on your jurisdiction that might not apply though.

Still got the billion dollar lawyer army to get through.

The difference is that (I assume) you don't have billions of dollars.

I'm so happy to be a Namecheap customer right now.

Contrast their behavior with Go Daddy who will turn over data of people who dare complain: https://skepchick.org/2014/04/godaddy-released-my-personal-i...

So Facebook is suing to dispute the business model of whoisguard, because they believe they are "obligated" to work with fb? I'm scratching my head at the implications here, I can guarantee fb doesn't want to be responsible for kyc on their users or ad providers (both can deliver intentionally misleading content on their platform). So what is their goal? My best guess is they think they can scare namecheap into working with them, but this feels like a case of chicken.

It’s ironic how Facebook uses all kinds of lies and dark patterns to steal data from their users but gets pissed off when someone else does it (or provides services for it as it is in this case).

Yes, that's because phishing is an actual crime.

So is wiretapping, but in our household we have a running joke that if we're too lazy to google something, or say "ok google", we can just say "ok facebook bed frame bed frame bed frame" in the direction of our phones, and fb/instagram will start showing us ads for bed frames in a few hours. It works a surprisingly large amount of the time.

I can't speak for other platforms, but if you've ever developed apps for iPhone, you'd know this is pretty much impossible for FB to do.

Doing this specific thing is quite easy, using public APIs, just by correlating data between signed in users.

I should be more clear: I'm referring to secretly recording audio.

Depends if you're sitting on a pile of exploits. Or just abusing loopholes to collect information from minors.

Is our memory really this short?


This is not actually happening, and I'm sad to see how long this misinformation persists on HackerNews... Not only not technically feasible, it'd also get out in the numerous lawsuits that Facebook is involved in, which get access to internal information like this.

It happened to me and other people I know too. How can people in the comments deny that when a lot of people have empirical evidence?

If you give the permission to Messenger to use the microphone, that is required to make voice calls, then I believe it's possible for it to use it anytime.

There is not a lot of empirical evidence for this, and even less evidence of any other kind.

What -does- have a lot of that, is the statement that humans are particularly bad at classifying random events.

You’re imagining it. It’s crazy that this kind of disinformation is still going around.

Wiretapping is only illegal if you don't give permission for it. By having a device that's always recording audio, you're implicitly giving permission for what you describe.

Everyone worries about google. Google will become part of the public infrastructure after some external challenge forces it to. At what point does facebook turn hostile and start exposing personal secrets to the public unless you pay or at least come back and visit to change settings? You can feel it coming...

2 wrongs don't make a right. And sure, FB uses "dark patterns", but that's a lot more subtle than registering obvious phishing domains. There's simply no defense for that at all; it's obviously aiding and abetting criminal activity.

> it's obviously aiding and abetting criminal activity.

Criminal activity like election interference? Has Facebook been fined for that yet?

Pot calling the kettle blue...

One is illegal, the other is not. Apples and oranges.

Edit: what's with the downvotes? I'm not defending the practice, just stating facts.

I feel like the title "Facebook sues Namecheap for registering phishing domains" is somewhat misleading.

> We found that Namecheap’s proxy service, Whoisguard, registered or used 45 domain names that impersonated Facebook and our services, such as instagrambusinesshelp.com, facebo0k-login.com and whatsappdownload.site. We sent notices to Whoisguard between October 2018 and February 2020, and despite their obligation to provide information about these infringing domain names, they declined to cooperate.

Specifically, they're suing Namecheap and their proxy service for not providing information about the true registrants of the allegedly infringing domains.

We've edited the title in an attempt to thread that needle. If someone can suggest a better—more accurate and neutral—title, we can change it again.

"This week we filed a lawsuit in Arizona against Namecheap [...] for registering domain names that aim to deceive people by pretending to be affiliated with Facebook apps."

The press release says "for registering domain names" so I think the original title was accurate.

Previous similar court case where Verizon won a judgment against OnLineNic on the basis of trademark infringement: https://dockets.justia.com/docket/california/candce/3:2008cv...

So it doesn't seem like this suit is just about discovering the identities of the registrants.

Hmm. Maybe we'll just cut it to the minimum viable title.

(Title was "Facebook sues Namecheap for registering phishing domains", then "Facebook sues Namecheap for registrants of phishing domains".)

And to be clear, all Namecheap had to do to prevent this lawsuit was identify the owners of or delete the obviously-phishing and obviously-TM-infringing domain names. They didn't, so now Facebook is taking them to court over it.

Facebook listed 3 of the 45, including one that I'd argue does not at all violate TM or phish. In a post like this, they'd likely pick the most egregious examples, so your statement about how obvious this is is entirely baseless. Furthermore, I'm absolutely okay with Namecheap not honoring a demand for information without a subpoena. Those whoisguards protect me from spammers, scammers, and anyone who would want my information from a whois.

Agreed 100%. I'm a huge fan of removing all PII from whois info. Get a subpoena if you want that data. Otherwise next thing you know they'll be demanding registrant info for "facebookisevil.com" because it "infringes on our trademarks!!!"

Isn't "getting a subpoena" basically what they're doing?

I think normally they would sue the people who registered the domain to get a subpoena, not namecheap itself.

I thought the point was that they're suing namecheap to get the names of the people who registered the domain, because namecheap was serving as an anonymity service.

Actually all PII information is already removed from whois info. I think it was a consequence of GDPR.

Nah namecheap made whoisguard free for all long before GDPR if memory serves correctly

They may have but regardless of them doing so, gdpr resulted in the making of whois data not generally available to anyone.

Why do I care about the other examples if the egregious examples include obvious phishing sites?

It sounds like Facebook asked, not a court. Just because you're a big company doesn't mean others need to bend to your will.

Well what's the point of protecting the domain owner if anyone who comes by and asks can get that info?

According to ICANN they cannot simply delete the domains- https://www.icann.org/resources/pages/help/dndr/udrp-en

"Under the policy, most types of trademark-based domain-name disputes must be resolved by agreement, court action, or arbitration before a registrar will cancel, suspend, or transfer a domain name."

Or, alternatively, remove the domain names, since they're blatantly phishing domains.

I think anonymous domain registration is an important property to preserve. Many people need such services for their safety. However, if you're going to serve as an anonymity shield for another party, you're taking on some of that party's liability, and in particular you need to take down malicious domains.

Namecheap is responsible for administrating domain ownership. They are not free to unilaterally change or remove ownership at will.

That doesn't mean it's impossible to deregister infringing domains. It means that there is a process to follow, which is probably what we're seeing right now.

I know some attorneys are on HN, so question: does Namecheap/Whoisguard have a legal obligation to reveal that requested info?

Honestly, I'm glad they didn't. There's not much use in a whois privacy service if they'll give up the info just because a company says "this is infringing".

What value is there in whoisguard if anybody can strong-arm you into giving the data away?

Then Namecheap is liable for determining what qualifies as phishing or TM infringement. This is not their responsibility.

This pretty much depends on the details.

How is "instagrambusinesshelp.com" impersonating Facebook services? Is the argument here that using "Instagram" in a domain name inherently not allowed?

Edit: Would "instagramsucks.com" or "facebooksucks.com" also be infringing?

One name implies it’s related to the company, another does not. That’s why there are judges instead of robots in court.

The name only loosely suggests it might be related, it doesn’t (at least to me) directly imply it.

I mean, it's alleged they were a phishing operation...

And in terms of trademark law the owners are unlikely to be on stronger grounds if they're not a pure phishing operation as alleged, but have merely chosen to include Facebook's trademark in their website or email marketing name without Facebook's permission to increase the likelihood Facebook's customers will purchase services from them.

You don't have to imply you definitely are the owner of a trademark to fall foul of trademark law, you just have to be trying to profit from using the trademark without permission in their line of trade in a way you can't justify as 'fair use'. I think we can rule out the idea instagrambusinesshelp.com is commentary, comparison, parody or a list of third parties worked with.

But you have to consider your everyday user who has no real understanding of how companies use domains outside of being a name. That domain suggests it's business support for Instagram.

I feel like an everyday person would see that and think “ah a 3rd party consultant to help with my influencer business” (or whatever the professional application of instagram is.)

Almost every windows website in existence is liable under this description. It is confusing, but protecting domain names via trademark law seems undesirable to me in most cases

Instagram has a business portal. When your site could easily be mistaken as an official company channel, that should not be allowed.

This seems like a bad knee-jerk reaction, not a real solution.

My company also has a business portal. Can I take down domains that are similar to it as well? Or is this power just reserved for MegaCorp Inc. who can afford large legal teams? At what point does a company become large enough to warrant "protection" of domains similar to their own? Who makes that decision and is there any dispute process? Etc, etc...

So many questions and potential pitfalls surrounding this approach. I don't know if there's any better realistic "solution" than to let users ultimately be responsible for the domains they visit. Not much of a solution but I don't see any better options that are both realistic and helpful.

There's an ICANN process that allows you to file exactly this sort of domain-specific takedown notice. https://www.icann.org/resources/pages/help/dndr/udrp-en

The big drawback of the process is that it doesn't work well for phishing attacks, where taking down one domain is of limited value. It's designed more for things like nissan.com

But the language on Facebook's press release implies that the names themselves are misleading. They don't mention the content.

I'm not disputing that the sites themselves are scammy/phishing, but what Facebook is saying here sounds like an overreach that amounts to "using Facebook trademarked names in a domain name is misleading and inherently untrustworthy".

So if you started a small consulting company helping people advertise or build a brand on Instagram, and your website was instagrambusinesshelp.com, Facebook has the right to say "not allowed"?

Do I also have the right to impose rules on other businesses naming conventions [1], or no because I'm not a $500B company?

[1] In a fair use context, not blatant copyright/trademark infringement or posing as the company in a phishing context.

There is no fair context for that under the law. The name is trademarked so unless you have approval from Facebook to use their trademark then using it is not legal. It's not that complicated.

Maybe domain names are treated differently from book titles, but I don't see why they should be. There certainly is fair use of trademarks in book titles if the use is descriptive, not likely to lead to confusion about who produced the book, and can't be effectively replaced with a more generic term. E.g. "That Popular Graphics Editor for Dummies" isn't a sensible substitute for "CorelDRAW! for Dummies".

They don’t even like you using “book”.

My assumption is that "instagrambusinesshelp.com" was impersonating Instagram to scam people. Instagramsucks.com probably isn't trying to impersonate them, just complaining about them.

And likely wouldn't be infringing Instagram tm.

Well, their whois proxy services. Namecheap has other proxy services (email for sure, I think also some configurations like parking and redirection use an HTTP proxy), so not specifying whois proxy is pretty confusing.
