Hacker News
Facebook accused of trying to decloak domain owners' personal Whois info (theregister.com)
461 points by DyslexicAtheist on June 24, 2020 | 133 comments

From TFA, Facebook "... continues to claim that being a registered trademark holder is sufficient to be granted full access to the Whois database, and that all other routes are unduly burdensome."

So any fraudster just needs a registered trademark and they would, according to Facebook's request, be granted full access to the database.

And no oversight, as "all other routes are unduly burdensome." That means they DON'T want subpoenas or any kind of restriction in between like a judge who could evaluate the request based on some kind of merit. No limits. Just a giant straw they can use to get all that juicy data.

Facebook's request doesn't sound very good to me. Sounds great for criminals though.

This is a wonderful admission by Facebook. So any one of the millions of companies who have had their copyrights or trademarks infringed by fraudulent Chinese advertisers on Instagram and Facebook should now be given FULL access to all advertisers personal details on Facebook including the complete historic library of ads that have ever run on Facebook since, by their own argument, “You don’t know who to sue until you’ve got the Whois information,”

No. They’re arguing anyone with a registered trademark should have full access to everything, with no infringement required.

They’re also arguing a restriction to advertisers would be an undue burden.

I agree. I also think getting a judge to sign off on that would be unduly burdensome.

Just holding the domain, without conducting business under that name, shouldn't be enough to be considered "infringing" in the mark. So this argument isn't valid under any means.

If someone has a business (offering goods and services in exchange for money) using an infringing trademark, then it should be possible to contact them through the same means that customers do to buy their product or service. No need for the "whois" data.

No if you are filing a lawsuit you can’t just “contact them” the same way a customer can.

You have to serve them pursuant to the law, which generally for businesses means serving their registered agent. In order to find the registered agent you will need the legal name of the business running the infringing website (you will need the state of incorporation as well).

Right. But to be a LLC, C Corporation, or S Corporation I have to have a "registered agent" listed with the State. There's no requirement that the domain owner's contact be a "registered agent." In fact, the person who owns the domain may be different from the business using it.

And while the Registered Agent is the correct legal way to serve a notice, if a business accepts and acknowledges it via another route, that's fine, too.

> There's no requirement that the domain owner's contact be a "registered agent." In fact, the person who owns the domain may be different from the business using it.

No, but if the domain itself is serving content then the domain owner is, and should be, party to any complaints related to the domain. Even if the domain owner isn't the "registered agent" of the business, they assuredly must know how to contact the registered agent and should have "skin in the game", so to speak, for being a proxy. Not knowing or being able to contact the business owner is, I would argue, grounds for fraud and misrepresentation.

I don't think CloudFlare knows who my registered agent is. But I am a paid customer of theirs and they cache my website and serve my DNS.

Do they own your domain? Or just serve it? We're talking about domain owners, not hosts.

CloudFlare responds to fraud claims and legal action.

So Facebook should be considered a proxy for frauds delivered through Facebook.

I agree.

They certainly should be...but they lobbied for laws that say they aren’t liable.

That is why there is a major effort to repeal those laws.

> There's no requirement that the domain owner's contact be a "registered agent."

That’s not what I said, or the point.

Example: If I launch fortran77.com and am infringing on your registered trademark, step 1 is for you to find the registered owner of the domain. Once you have that then you can find the business owner's RA.

You can’t skip the step of identifying the owner of the infringing website to get to the RA. Assuming you are right and the infringing business would waive service of process (they won’t of course) but if they did you still need to identify the owner of the site to get request waiver of process.

Yes, but I said holding the domain without conducting business under that name.

Not sure if I’m picking up what you’re putting down.

I’m guessing maybe you register mymark.com, I get the Whois record and it’s not your legit business info but some made up business name and fake contact info.

Well if that’s the case, either ICANN will have some rule prohibiting registrations with fake info and maybe I could get the domain transferred once they confirm your info is fake or I could still file suit against the made up business and get my default/court order and then get ICANN to turn it over on that basis. But it’s all about that step 1, uncovering the domain owner (real or fake). Possibly I could subpoena the registrar and get your real info and/or payment info. Then I’d have to amend my complaint to add you (the legit business) and still have to serve your RA.

If I pay for my identity to be masked, would I not be entitled to a refund if my identity was revealed by the same vendor?

Do you really want your $10 (or however much cloaking cost you), rather than the right to sue for damages (and that right being what keeps the service honest and on your side?)

I have a great business: pay me $100 to guarantee the gender of your not-yet conceived child. If you didn't get what you asked for, I'll refund your $100. How does that sound?

Morally maybe, but legally I'd guess they have provisions in whatever ToS you agreed to that mean not.

I agree with your position but that last sentence is a bit redundant.

Not disagreeing with you, but "criminals" is not a Boolean variable when you have power over those who determine who is and isn't a criminal.

Facebook (and other big social media) has a lot of power over those who define and enforce the laws, both within the bounds of the existing laws, and within a grey area where they'd be technically breaking the law, but nobody would want to enforce said law on them due to potential repercussions (Facebook could instantly shut down a lot of politicians' careers by just airing their dirty laundry, on which Facebook has a lot of visibility due to its omnipresence).

Those who make the laws rely on Facebook to succeed in their own personal interests (getting elected, which means money & power).

The problem here isn't just Facebook, it's the people that are supposed to be drafting & enforcing laws in the best interests of society are instead doing so to pursue their own personal interests instead. Facebook is just coming along for a free ride - can't really blame them.

I think you might have missed it, I was simply calling facebook a bunch of criminals.

Yep, I understood that, just wanted to add my (maybe unnecessary) 2 cents.

So if cyanide gets into your bloodstream we will blame Your body not the poison ?

I just wanted to clarify that this comment was meant to illustrate a thing... ONLY

nothing more. It was not worded in good taste.

> Progress has been slow going, in large part because commercial entities desperately want access to the full registration data of domains – which includes people’s home addresses, telephone numbers and email addresses – and have been trying to find ways around the privacy protections.

Ouch. This is going to make it very hard for people to host content on the web anonymously, forcing them to link their entire identity to their website. This sucks.

Some ccTLDs even make it impossible to use privacy protection the last time I read about the matter, like for example the .in ccTLD.

The next logical step will be to link whois records with your national digital ID. It will probably happen eventually, as most govts and corporations seem determined to destroy privacy while providing a thin illusion of it.

Yes, there is a concerted effort by wealthy string pullers to invade every facet of the little people's lives so that we have no recourse when we're eventually stripped of our remaining rights by the captured government. We'll have to swear fealty to neo-feudalist lords for protection. See: Cato institute politics.

Is it just the wealthy? In the age of cancel culture I also see individuals scouting every facet of other individuals’ lives, looking to doxx them or out them as failing some purity test. Deplatforming for political gain also is an anti privacy position. I feel like everyone, not just big corporations, is waging these battles.

It's just the wealthy who are bankrolling the capture and dismantling of government, yes. If you haven't noticed, wealthy people/corps have the most influence on policy. Deplatforming is something that happens in the realm of entertainment-politics, where the goal appears to be angering or appeasing mobs to keep people distracted from important policy issues and divided on the rest.

Hm? It is changing from a system where it is very hard to host content anonymously to one where it is (domains currently require full name, address, phone and email to register). Not the other way around.

Depends on the country - you do need to provide full info to the registrar... but they cannot share that if you are a private person - at least over here.

Are you really forced to enter correct personal information for all domains, regardless of TLD and registrar?

Yes. https://www.icann.org/resources/pages/contact-verification-2...

> The Whois Accuracy Program Specification of the 2013 Registrar Accreditation Agreement (RAA) requires registrars to validate and verify certain Whois data fields, which may include contacting you by phone, email or postal mail. Registrars must suspend or delete domain names that are not timely verified.

Let me re-phrase, or ask the question differently: is this enforced? And out of curiosity, is there any reason the registrar for a domain can't be a corporation -- meaning you could either hide behind a shell company, or hire a company with the explicit purpose of anonymizing your domain? Or even hire a person for that matter, who only tracks what domain paid their yearly fee?

In my experience they only check the email. Considering that domain registrars operate on razor thin margins I doubt they would bother sending snail mail to validate addresses, for instance.

This is the whois privacy model used by many registrars already. The one issue is that ICANN then views the registrar as the rightful owner of the domain, which could cause issues with e.g. a registrar bankruptcy if the creditors decide to make use of that to sell off domains.

In my experience only phone numbers and email addresses are verified, and only on initial domain registration. Post registration I get regular "ICANN verification" emails which all pretty much say to only act if there's incorrect information.

With the exception of the .nyc TLD I've been able to use a PO Box and a forwarding phone number for registrations across registrars for years. .nyc provided no way to demonstrate the required NYC nexus except for the postal address to be a physical building in New York City so I let that domain lapse.

To some extent they seem to do. For instance I had forgotten to update the WHOIS record for phone number when my number had changed and after some months I started getting reminders whenever I logged into my registrar's site that the phone number was not reachable and that I need to update it. But no emails, and certainly no paper mails regarding this. But no enforcement. Nothing happened even though I dragged my feet updating my phone number for a considerable time.

I imagine your bank card payments may be somehow traced to your own identity but don't quote me on that.

I guess some crypto options might help that.

I have accomplished anonymity in this respect (payment tracking) by purchasing visa gift cards with cash and registering a domain with said gift card.

I’m still sure I could be identified somehow.

Funny enough I was planning to do something along the lines of an ICO through this anonymous website/page and provide the ICO funds and transfer the domain itself to whoever identified me as the domain owner.

Surely Whois information does not include detailed information about past payments?

No, but as long as a payment to a CC is going through, then the registrar assumes you are "identified".

That gives me an idea. A privacy oriented NGO could create an address and agree to publicly upload all letters received and allow the users to read the mail anonymously.

Time to use a proxy. https://njal.la/

> That’s not the answer that’s going to work for us.

Well boo hoo hoo. You know what’s not going to work for me?

You having unrestricted access to whois details!

The gall of these companies is amazing.

Ultimately, these massive global corporations, with their massive political and monetary power, WILL gain control over these systems and databases.

We should be working to decentralize/anonymize these pieces of the infrastructure to rob them of the opportunity.

Personally, I don't see the value in putting my personal name and address on a domain. The owner of the domain should be whomever has the private key - period.

Like why do they even need it.

Assuming best intentions, Facebook could use this data to better identify spammers, fake news networks, etc.

That’s not what they’re saying. They claim it’s to fight phishing.

And as a side benefit, if they can decloak critical sites like facebooksucks.whatever, they can harass enemies with expensive, frivolous lawsuits more easily.

I wish “abuse of trademark” was more commonly applied. The way the law is intended to work:

- I register facebooksucks.com, and explain why.

- Facebook sues me for trademark infringement, arguing there is a real risk my (non-existent) customers will think I am Facebook, and buy my services instead.

- The judge rules that this is a frivolous lawsuit whose only purpose is to silence free speech (not to avoid brand confusion).

- The judge invalidates the “Facebook” trademark.

So could I! I even own a registered trademark (not that I am doing much with it), so I support this!

I had deleted my Facebook a/c 5 years ago. I recently needed to look for apartment for rent and that is, unfortunately, done best on Facebook where I live unless you want to involve brokers who charge insane brokerage and show places you'd hate instantly, so you'd end up just wasting your time.

I choose my name as "first name + initial of my last name" (iirc that was my name in my previous/deleted a/c as well) and email and my date of birth and a real photo of mine (very clear -- basically a mug shot). Sent friend requests to 10-12 friends of mine and most of them accepted immediately.

Next day when I logged in I got a prompt that my account was disabled (flagged?) and I can request a review (or it said I can reactivate) only after adding a mobile number and I did that.

Few days later I try to login again:

"Your account has been disabled"

"You can't use Facebook because your account, or activity on it, didn't follow our Community Standards. We have already reviewed this decision and it can't be reversed. To learn more about the reasons why we disable accounts visit the Community Standards."

Maybe I will try to open with another email but they may again force me to use my mobile number and I can't keep getting new mobile numbers. While I do need to look at those "on rent" posts.

This company really has too much power!

Power without accountability or responsibility *

Well, the other day there was a thread on hackernews full of people declaring how they don't trust democracy to deal with freedom of speech, and would rather trust a corporation with policing it.

Sometimes people of different opinions comment here. Some threads get bombed with opinions from one side or the other to the exclusion of another. I wouldn't read too much into it.

Get some cheap 30 day SIM cards from like Mint mobile that you can activate and use as burner numbers. Cheaper than a Burner (the app) number and won't be flagged as a VOIP number preventing you from using it.

On Amazon you can get a starter kit for $0.99 that has 2 SIM cards that gives you 100 texts, 100 minutes of talk and 100MB of data and you won't need the data part.

Can you activate them with fake data / without ID card?

I've had red team members in the past do so successfully

I own a domain that's <some other word>book.com

It's registered via one of those "privacy" services. There's no website on it, but I use the dns for some internet connected devices.

I keep getting requests, which I ignore, for information relayed by the privacy service. Lately, they've morphed into offers to "buy" the domain. I wonder if it's simply Facebook's attorneys who want to find some way to contact me to send a "notice of trademark infringement" to me?

> All they say is, ‘Go get a subpoena,’ or, ‘File a UDRP.’ That’s not the answer that’s going to work for us.”

If you can't find an answer that is going to work for you, many would take that as a hint to stop it and not ask that question.

That's pretty damn shady. The half-arsed attempt to dress it up as a security matter "harvest people's login details" makes it even worse.

Won't somebody think of the -c-h-i-l-d-r-e-n- Security(tm).

Are they seeking to get the customer details that the registrar has on file, or just the whois data? If it's the latter, aren't you protected if you use a whois privacy service? In that case it's just going to be a shell company in panama or something.

They are not just going after phishing sites but sites criticizing and protesting Facebook and its other social media apps. There's a good chance it's a normal person behind those sites.

See: https://www.theverge.com/2020/6/15/21291666/ebay-employees-a...

Why does anyone think this won't happen to normal site owners?

I mean, normal site owners often get this service through their registrar for free nowadays. I run one of my project sites, https://dotbun.com, through google domains, and they just obfuscate your details as part of the purchase unless you opt out.

Take a look at my domain's whois info: https://www.whois.com/whois/dotbun.com

You will see that the name and org. aren't just redacted; they are in care of a company called "Contact Privacy Inc."

There's nothing for ICANN to unmask for FB in this case. They'd have to go to the company, and given that said company's entire business model is privacy, I would expect it to be a much more difficult argument.

Now, let me be clear that I don't like Facebook's actions here one bit. I just suspect it may be less of an issue than some people think.

It says they are contacting registrars directly. While the article mentions some new privacy protections I think it'd be fair to assume they're trying to work around the old protections as well.

wow....Namecheap, a company that makes a ton of money by selling services to crooks and fraudsters, sure likes to spin a tall tale

no... facebook is not requesting that.... facebook sued namecheap last month in an attempt to unmask domains used by both fraudsters and nso group, yet namecheap is protecting those details cause it knows once it folds, all its (not-so-legal) customers will move shop, so it's now invented this bs about facebook trying to break gdpr

Why should Namecheap give up the name of its customers?

if their customers are breaking the law, then WHY NOT!

you're aiding and abetting at that point

Why are people surprised when facebook is caught doing sketchy stuff? Like I’m glad the media is covering it, but whatever.

I am getting very tired of "why are people surprised"

I am certainly surprised when FB does something evil because their CEO continually preaches the importance of privacy, so shame on me I guess for taking him at his word

Reporting new information does not mean people are surprised.

Off topic, I was given the option to "allow" "premium adverts", supposedly, non-tracking. But they come from a different site (ithinkthereforeiam.net) and therefore, it's a 3rd-party tracker. I'm fine with self hosted ads, but this is no different than the usual junk.

Is there something about ithinkthereforeiam.net that's keeping them off ad blocker lists, and is there some reason The Register felt the need to ask me before showing what they clearly could have shown without the prompt?

This has never been difficult to achieve, why is this a big deal? Privacy never existed in the first place. People have been able to eavesdrop on homes by targeting pretty much anything containing metal coils (including appliances) with advanced HAM radio equipment since the early 1970s. We need to stop pretending there is such a thing as privacy and start actually looking at where scientific progress is at right now. If you actually get a basic grasp of physics, radio theory and electrical engineering you're going to find out exactly how little privacy we have.

We can skip the formalities then!

Please state your full legal name, date of birth, current address of residence, bank account numbers, credit card numbers, email addresses, passwords, your favorite type of pornography, and your mother's maiden name.

Thanks in advance!

Just because there is no privacy does not mean we should give away our privacy easily.

If you have no privacy, what is there to give away? You can't have both!

Just because I have no cake does not mean I can't eat it.

Not really. Given a panopticon with infinite resources, yes, nothing can escape them, but there is relative privacy which is valuable in its own way and needs to be defended lest we get that panopticon much sooner than otherwise.

For example the requirement that every Joe hosting a small blog needs to provide his actual home address and phone number as per ICANN regulations is an insane and archaic holdover from the infancy of the WWW and needs to be seriously revised. An email ought to be sufficient for public access (though of course your Registrar will have the rest of the info in case you do illegal stuff on the domain)...

Stuff like this is important to discuss and revise. The loss of privacy is the case of the proverbial slow boiling of the frog. Taking an absolute view means one of two options: Opt out of modern society altogether or don't even care for the barest semblance of privacy. Most people won't find either acceptable or even sensible.

There was no privacy since the stone age! Any door can be lock-picked, warrants can be obtained under false pretences, mail can be opened, etc.?

The concept of protecting privacy is that targeting people is difficult and expensive. With custom radio equipment you can't spy on millions of people willy nilly because you'll soon be bankrupt.

why should domain names have any privately identifying information with them anyway? it's not technically required.

Well, well. It's harder and harder every day to argue with the legal opinion offered by former SCOTUS justice Kennedy, which seemed hilariously corrupt at the time, that corporations are effectively people.

A defining trait of an awful lot of people is that they accuse what they're guilty of.

In this case, Facebook accusing other websites of trademark violations is the very definition of hypocrisy. Facebook in particular, but Twitter as well, are absolutely littered with t-shirt vendors selling other people's logos and brand names, logarithmically generated with ad data.

If you fill out your movies, music, and books "likes" as they tell you to do, within 2 days tops you'll be able to buy a Pink Floyd t-shirt from virtually anyone on the planet... except Roger Waters or David Gilmour.

The fact that Facebook refuses all search indexes makes policing Facebook's infringement on the copyrights of others impossible. At least with Napster any musician could log in and see how many users were giving their content away for free. Not so on Facebook, you can't ever know how many pirated logos of yours that Facebook sold.

> Well, well. It's harder and harder every day to argue with the legal opinion offered by former SCOTUS justice Kennedy, which seemed hilariously corrupt at the time, that corporations are effectively people.

I hate this meme. That's not what the decision said.

First "corporate personhood" means that corporations are allowed to sue and be sued like they were individuals. Along with being taxed and regulated.

Citizens United, the decision you are referencing did not involve this concept.

Rather it said that the rights of individuals to free speech is not diminished if they act collectively as opposed to individually.

If I'm allowed to say, "RNCTX doesn't understand the issue" and so is my friend, then us saying it together doesn't make it illegal because we acted in coordination.

Likewise if I'm allowed to purchase a billboard that says it and so is my friend then there should be no issue with us pooling our money to purchase one together.

And that's what Citizens United said. Corporations are one such mechanism through which we could pool our money to purchase that advertisement but others such as unions, non-profits, and all other forms of collective groups are covered.

It's actually a very common sense extension of the first amendment.

Corporations are "people" because their owners are people and people get to work together and corporations are how they work together.

Corporations are allowed free speech because their owners are allowed free speech as a group; the corporation is the tool for organizing it. Corporations are not allowed to vote, because people are not allowed to vote as a group.

This is not new. This is not Kennedy's fault. This has been the case since the beginning of the United States, and it has been Supreme Court precedent since 1819, when the New Hampshire Legislature said they could take over a private university because it was a corporation, and therefore had no rights, and they could take its property and change its rules at will, and the court said No. (Dartmouth College v. Woodward)

If corporations were not treated as people and not afforded civil rights, it would be legal for the government to censor newspapers at will because they have no First Amendment rights (News Corp, NY Times, etc are corporations). It would be legal for the President to order a warrantless search of the DNC headquarters, for the DNC is a corporation, and the Fourth Amendment would not apply. It would be legal to impose a trillion dollar fine on Planned Parenthood, a corporation, for any minor paperwork infraction, for the Eighth Amendment prohibition on excessive fines would not apply. It would be legal for the government to sue them for this infraction without a jury, for the Seventh Amendment would not apply.

> because people are not allowed to vote as a group

I see you've never been an observer for a New York City or Chicago election.

> First "corporate personhood" means that corporations are allowed to sue and be sued like they were individuals. Along with being taxed and regulated.

A person doing business face to face in a store cannot hide the nature of their business from their own 'customers' for lack of a better word. How long would it take the police to show up at a business that wouldn't let anyone including the people buying things from it see inside the doors or windows? Everyone could only buy things from them in the parking lot, with payment made to anonymous intermediaries, and the product delivered later by a third party. Every customer walks out holding a fake Rolex, talking about how great a store Facebook is.

See how ridiculous Facebook is when compared to the scam 'businesses' of the 80s and 90s that it emulates?

> Citizens United, the decision you are referencing did not involve this concept.

I've read the case, thanks. It equated speech with money. Individuals (only) had that right prior to it, now money has speech. Corporations are money; they hoard it and do all of the bad things that it can do with it.

> It's actually a very common sense extension of the first amendment.

Sure, if corporations can also go to prison and/or be executed. When Facebook lies to their own customers about their ad performance for the 13th month in a row, no more fines and civil suits, the board will go to prison. When a random nutjob goes and shoots up a nightclub or a school based on his political radicalization on Facebook, we'll just send the police over to arrest those same board members and management as accomplices to murder. After all, a getaway driver can be charged with a murder in a lot of US jurisdictions if the bank robber shoots the teller, and in the relationship between terrorists and victims compared to robbers and banks, Facebook is serving basically the same role as the getaway driver in the terrorist's case.

Alternatively, if Facebook refuses to hand over a board member or senior management member for prosecution in these cases we will simply 'execute' the company. Its assets will be seized and spent by the state, just like we do to the property of individual street drug dealers, for example. There's no need to convict them, just as there's no need to convict the street drug dealer. Take the money first, and if Facebook chooses to ask for it back they can hire their own legal representation and ask the courts for the money back, with their own money not the corporation's money... because they don't have that anymore.

Oh wait... corporations don't want that. They just want the rights, not the responsibilities, of personhood. They want to keep the individual indemnity.

Which is my point, in a roundabout way the decision justifies itself by becoming a self-fulfilling prophecy. If money is speech then money is a person, and if money is a person then money has rights, and if the whole society is based on money, then money is not only a person but the best person.

Yes, and the road to hell is paved with good intentions. I don't disagree with your reasoning. Do you agree with my observation that superpacs are destroying (even more) democracy?

Something should be done about these sorts of things. I'm not saying that law needs to be removed, but something should be done. There's plenty of precedent around the world that democracy can work pretty fine without Coca Cola buying superpacs.

What you're looking for is the American Anti-Corruption Act https://anticorruptionact.org

> logarithmically generated

I think you got something mixed up here.

an exponentially growing number of tshirts perhaps ?

You got me, it's early yet ;)

“Corporations are people” was first inserted into the Supreme Court’s findings by a railroad baron that was for some reason acting as the court reporter.

I actually agree with Facebook on this one, domain owners should have legal personalities.

That said, it shouldn't necessarily include their email, phone and address. Just the legal owner name (company or person) would be sufficient.

"Legal name" policies are randomly discriminatory and thus not fair in principle. Some people have unique names, others have a name that is shared among thousands of people. Imposing a real name policy is a great burden on the former, but it does not really matter to the latter.

That's a fair point but usually that is solved by disclosing an additional datapoint like the date of birth of the person.

Despite the implications to people who understand the relevance for data matching purposes.... the majority of people in my experience don’t actually care about sharing their birthday. Even without the year it’s a powerful de-anonymising datapoint.

Yes, exactly. It's sufficiently identifying to solve the discriminatory treatment the parent pointed out.

Well, my intended conclusion was to reject "real name" policies altogether... But I agree that if you enforce the publication (not only the storage) of the birth date along the real name, then the discriminatory problem mostly disappears.

It looks to me like you've chosen to solve the problem by harming everyone equally, rather than dealing with the root of the issue.

If the article is correct in that Facebook is requesting this data for domains that look alike to Facebook and/or do Phishing, then I very much believe they should receive the data necessary to go to court.

Just because Facebook is highly unsympathetic, doesn't mean that all their initiatives are evil.

And shady websites hiding behind third party privacy providers to avoid legal responsibility for their illegal content is sadly something that I've had to deal with myself in the past.

Then facebook can do that through the official means by submitting requests. They want to skip that process. I'd prefer their requests to be vetted before personal information is divulged. That way there is oversight.

We've already seen with the DMCA what happens when you give free rein to companies in this area.

What process would that be? Genuine question, since the only process that the article mentioned apparently was only meant for law enforcement and registrars.

In particular, in the linked to lawsuit there's example sites that Facebook requested details for from Namecheap, and Namecheap chose not to give out the information. Many of them were 100% obvious phishing sites [0]. Clearly no option where the registrar gets to decide when to reveal information about the owner would work.

[0] E.g. facebo0k-login.com, facebokloginpage.site, faceboookmail.online

If you're genuinely confused, you really should get yourself informed on the concept of an independent court operating under the rule of law, and how it's implemented in our current systems. There are well-established legal procedures for requesting information on other parties that doesn't involve megacorps deciding to do whatever they please.

The phrasing that amaccuish used was "submitting requests". At least I've never heard filing a lawsuit be called "submitting a request", so the implication seemed to be that there was in fact some other process that was supposed to be followed.

The normal process is Facebook files a lawsuit against a John Doe respondent ("Facebook vs The Registrant Of Domain facebo0k-login.com"), then issues a subpoena to Namecheap.

...then a judge who is assigned the case evaluates the claim and then issues a subpoena if the request meets the standards of the law.

Facebook thinks they're above this process and should have unrestricted access to the PII behind every single domain name in existence. I'm sure we, collectively, could rustle up a few dozen instances where Facebook would immediately abuse such information, in moments.

> In particular, in the linked to lawsuit there's example sites that Facebook requested details for from Namecheap, and Namecheap chose not to give out the information.

So if I ask the phone company to give me a log of all of your phone calls, you'd be fine with that? How else could i get that log of calls?

Hopefully, we can agree that it is private information we wouldn't want a company sharing or selling to other companies. The same principle is in play here. There is no reason a registrar should be compelled to release private customer information because someone demands it without following the legal process.

The clear examples given of FB repeatedly trying to gain the personal owner details of non-shady websites, purely in order to sue them... that's ok with you?

This might be an unpopular opinion, but it’s ok with me. I don’t find restricting discovery needed to allow the filing of lawsuits to be something beneficial for society. There’s a real reason corporations need to have registered agents, mostly so they can be contacted (including to be sued) via a reliable process. I don’t see why a domain owner should be entitled to avoid official contact via privacy policies. I’m fine if there’s a reasonable policy to access it (including a possible workaround of an agent willing to accept official contacts).

That someone would use the information purely in order to sue someone is a desirable feature, not a bug.

> That someone would use the information purely in order to sue someone is a desirable feature, not a bug.

The only problem with this is that your legal system is fucked so the winner is always that big corp. Have fun being sued to hell and bankrupt after a corp decides to go after your website criticising them. Have you even looked at the list of domains they are going after?

> And then it has a whole section for “domains that use the full trademark [but] nevertheless evince an indication that the domain is or will be used to discuss grievances with the company in question.” Every one of them comes from Facebook: addictedtofacebook.org, banned-by-facebook.com, divestfacebook.com, facebooksucks.org, protestfacebook.org, saynotoinstagram.com.

And there are legal processes to sue someone as others have explained. Facebook wants to avoid them.

Also did people forget - https://www.theverge.com/2020/6/15/21291666/ebay-employees-a...

I don't see how owning a domain could possibly be anything like running a company.

Just by incorporating you take on responsibility of paying taxes, accounting, submitting regular reports, etc. Presumably you will be selling something, and people need to have an address for recourse. That 'address' could be a PO box somewhere, or be in a tax haven.

By contrast owning a domain does not obligate you to do anything in society, and doesn't affect anyone's life.

Most people register a domain to have a custom email. Why should you have the right to deanonymise that?

If you are concerned about hatemail: you can send real post anonymously, with a postage stamp, through an unattended mailbox. I can even put someone else's return address on it.

They do not avoid official contact. They avoid unofficial contact, such as that of FB directly approaching any domain owner they feel like without proving to a judge that there is reasonable grounds to file suit.

The same way you put your email address in a mildly obfuscated format instead of jim@cimpress.com. You don't want anyone or anything that comes across your bio having access to your email address without human intervention, or at least a degree of intelligence.

> but it's ok with me.

yeah I'm sure facebooksucks.org is phishing facebook accounts

They have for most registrars, although many act as a delegate and you need to contact them for personal contact information. It should be noted that the mail address you enter there will get a lot of spam. Quite a lot...

I have my main email in the whois records for my website and I haven't noticed any increase of spam before and after. Perhaps the level of spam is proportionate to the popularity/traffic of your site?

Hm, it certainly doesn't have to do with popularity. My domain has a single visitor and he looks suspiciously like me. I use it as a test server for all kinds of general software vandalism. It does get visits from bots though, perhaps my registrar has "helped" me by registering it at search services. Pretty certain that I am linked nowhere.

I noticed that too: bot traffic even though (at that time) my site was linked or mentioned nowhere on the www. I guess the search companies crawl the WHOIS records for new domain names and send their bots over, even if your site is nothing but a blank placeholder page. :-)

You are lucky. Years ago, I made a mistake of buying domain on GoDaddy and my inbox was full of spam everyday. There was lot of questionable spam and I ended up deleting the email address.

I bought a domain on GoDaddy a while back and the very next day I started getting robocalls and spam emails when I had been getting basically none before. They hold your personal info hostage; either pay extra or we expose this info to a legion of scrapers.

No, they shouldn't if you don't want the web to be censored and the tyranny of a few people.

Whois shouldn't exist publicly at all in the first place.

Do you really want big corps to send some goons at your home to harass you for putting up a bigcorpsucks.com ?

example: https://www.theverge.com/2020/6/15/21291666/ebay-employees-a...

Many ccTLDs require a legal person that is located in the country. In practice this means a lot of domain names are written in the name of a local law firm that becomes the local presence.

I find this a bit backward actually but I suppose it exists to be able to serve legal notices to those domains.

There's a lot of issues when you operate across jurisdictions that probably won't be solved until some international treaty comes along.

Why that? To ease political persecution maybe? The system is good as is.

Well, it's a two-edged sword.

If you happen to live in a part of the world where freedom of speech is actively persecuted then I agree it's better the way it is. However, if you live in a world where democracy and due process is well established and you are not intent on doing illegal things then it can only help law enforcement and private citizens/organizations to seek justice under those laws.

Law enforcement can reach out to the registrar with a warrant.

The whole idea of having personal details in domain WHOIS information is a design from a different age. It does not work in the internet of 2020.

That's exactly my thoughts, if the DNS system was designed today, it would probably be decentralized, automated & anonymous, whois information comes from another era.

> democracy and due process is well established

Democracy and due process are only well established to the extent that the values that underpin them are supported and taken to heart by the people.

These values aren't self evident on a collective level. Social-economic, political, ecological, technological, cultural climates are either favourable or make upholding them rather difficult.

> you are not intent on doing illegal things

This is the exact crux of the matter. What is legal or illegal is subject to change and hinges entirely on who's in power.

> it can only help law enforcement

You could be happily giving up your personal data to authorities in a stable, peaceful context where law enforcement policies are genuinely geared towards protecting individual civilians and upholding basic human rights.

It's far harder to retract that when the context shifts and that same data is used to actively enforce policies that pull away from those same human rights.

A functional representative democracy consists of a separation of judicial, executive and legal branches consisting of elected mandates that can and should be held accountable at all times. Justice implies that any and all citizens are treated equally and impartially within the confines of that system.

Facebook feeling that they aren't treated equally because they can't enforce their trademark? That's entirely valid. But those feelings don't justify a demand that society should compromise on fundamental principles of judicial or legal equality or impartiality in order to enable Facebook to crack down on trademark infringement at their own discretion (not to mention the blatant violation of privacy attached to that).

All in all, the main difference between Facebook and a small time forum administrator is scale. Facebook has 70 billion dollars a year in revenue whereas the latter may earn pennies on Google ads. The size of that revenue can never be an argument to compromise on basic human rights for billions or change how legal systems favour particular private actors because they pushed for relentless economic growth on their own accord.

Of course, while it's obviously hard to enforce such principles in all cases, the trouble with adding exceptions is that they gradually erode those same principles and values until they become meaningless.

There's a reason why Lady Justice wears a blindfold, after all.


> then it can only help law enforcement and private citizens/organizations to seek justice under those laws.

In what way is law enforcement prevented from seeking justice in this case?

Private citizens need to use the legal system to get that data, but that prevents all of those nefarious actors from getting your information without due process.

Like you said, due process is well established, so why would you want to do away with due process?

Well, warrants work when you have sufficient evidence, but what if you need to perform network-analysis to build sufficient evidence?

Case in point is usage of stolen identity: Criminals probably already use identity theft to buy those domains, but given that the data is obscured by default it would be hard for police organizations to track systemic use of stolen identities.

The ability to detect newly registered domains from known stolen identities would enable

1/ automatic blocking/warning in browsers

2/ Organizations like FB can gain valuable time in sending takedown requests of phishing sites

3/ establish enough evidence of use of stolen identities to get the warrants to obtain more information from the registrars/hosts like IPs used to connect...

Just something I came up with brainstorming, I am sure there's more value to it

> but what if you need to perform network-analysis to build sufficient evidence.

In that case you need to do it another way. There are a tremendous number of things we could do if law enforcement wasn't "hindered." It's along the lines of "argument from lack of imagination" to state that they HAVE to have access to that data to prevent x, y, z.

I don't doubt that it would be useful to have that data, but that doesn't override privacy concerns. You already know the IP address of the server using that domain -- follow up that chain of responsibility.
