While GoDaddy has a point about the opt-in component being important for deciding whether spamming took place, they certainly didn't need to release her personal information to the spammer. That's a terrible, serious breach of privacy.
A naive approach that might work without either party needing to divulge emails:
GoDaddy: "We have received complaints that you've been spamming. Give us a list of SHA-1 hashes of addresses of the people that opted in and show us how they opted in."
Customer: "Here's the list."
GoDaddy: "At least one complaint email we received does not match the SHA-1s on this list."
> While GoDaddy has a point about the opt-in component being important for deciding whether spamming took place
I don't think they do have a point. If someone is spamming, why the hell aren't they just going to lie to GoDaddy about who opted in?
Even if they're not outright lying, lots of businesses have a very sketchy idea of what "opting in" means. I had my email address posted on a website once as a public contact. You would be surprised how many people consider that "opting in." When I used that email address to make sales enquiries, plenty of sales departments considered that an "opt-in" too.
The spam filters we had were fine for the outright trash, but the flavor of spam that doesn't fall under the legal definition of spam was a nightmare.
I eventually had Constant Contact blacklist every single email alias I had at the organization because of how often I was "opting in" to email.
Whether someone is intentionally spamming or not, if they want to keep the registrar happy and stop getting complaints, they remove the email address of the complainant from the database if they receive a complaint. Unless there's a sufficiently large body of spam reports to automatically take action against the account of the alleged spammer - which may have happened after the OP's complaint - that's actually the best way to resolve the problem. 99.9999% of mailing list owners and blatant spammers alike are in it for the money rather than trolling complainants
I'm really struggling to see how GoDaddy could have a policy that fixes the issue of a person complaining about unwanted emails without disclosing the email of the person who doesn't want to receive the email any more.
"When I used that email address to make sales enquiries, plenty of sales departments considered that an "opt-in" too."
This seems like more of a gray area to me. Sending sales material to people who have actually sent queries to your sales department doesn't seem nearly as bad as spamming random people (as long as there's a clear, and working, way to turn the sales emails off if you don't want them).
> Sending sales material to people who have actually sent queries to your sales department doesn't seem nearly as bad as spamming random people
And it's all not nearly as bad as sending me spam for horse pron websites. You can rationalize it however you want. Still doesn't make any of it cool. Why didn't the person I'm already in an email conversation with ask if I wanted to be on the list? Because they know I'd say no (especially when the conversation turns to the fact their company can't do anything for us). That's what makes it opt-out bullshit.
It's not something that gets me hot under the collar, even at its worst it was a minor nuisance I dealt with over coffee. But after a year having a published address and 4 years of fallout afterwards, I've heard all the bad rationalizations for spam and they don't stand up. I have a polite and friendly "fuckoff" form letter for people without unsubscribe links. The second time I have to send it I CC the technical contacts in the domain's whois record. When someone gets upset or angry at me for doing so, I know damn well that they know they're lying when they try to justify their spam.
Dude, you're emailing the domain's technical contacts, who likely have no say whatsoever in company sales policy. That sounds pretty hot under the collar to me.
Eh, I never thought of it as that big of a deal, just another task at work where something needs to happen or stop happening, and I only have a handful of routes to take. If asking the sales contact to stop didn't work, it turns out that most people don't make public the contact info for the sales managers' boss.
I'm not going to play corporate politics somewhere I A) don't work B) have no ability to contact anybody with control over any policy and C) even if they were publicly accessible, don't understand why spamming isn't cool. It's easy enough just to contact the dudes running the infrastructure used to spam me. And because they're techies and not salesmen they're actually nice people and already know this kind of behavior is unacceptable emailing. They might not have control over the policy, but they have something I don't: access to the people who can fix the policy or at least get me off the list.
It was actually the nice alternative to calling my netadmin. He was a very good admin, the emails would disappear from my inbox instantaneously, but when he checked the spam filter and marked true positives, his scripts made people wind up on email blackhole lists.
I read this as GoDaddy releasing her email address only. In theory, isn't an email address only personally identifiable if the address owner has done some action linking it to a real world identity? I assume that's the argument GoDaddy would make.
However, it should have been made abundantly clear to someone reporting spam that their email address may be disclosed to the accused party.
So hypothetically speaking you'd be OK with receiving a message from a hosting provider you did business with accusing you of spamming an unspecified person at an unspecified e-mail address and threatening to terminate your account, leaving you with no way of knowing what actually happened?
The opt-in argument is useless since there is no way to verify that the user subscribed in the first place, giving them the address or not. All you do is provide value to the spammer since they have now verified that the email is indeed real and read by a person. When reporting abuse you can already forge any email out of nothing, and you cannot prove that the email was forged unless they have a trace of the email being sent by their server (logs), and if they have that trace they can easily see a pattern of mass distribution and start an investigation by contacting the other recipients on that list, or just wait for more reports to come in. Guess it's been a while since I worked at an ISP, but I have never heard of a spam abuse investigation strategy that involves forwarding the address to the suspected spammer.
If I am innocent, I will tell the ISP that firstname.lastname@example.org opted in, and I will be telling the truth. If I am a spammer, I will say the same, and I will be lying. So what difference does it make?
If GoDaddy released the email address, then all the person had to do was go Google that email address and most likely they would have found it. Or, they could find it using DomainTools whois lookup (if they didn't use whois privacy on ALL domains they own at all times), or use Gmail or Google Plus to find out who is associated with that email address.
Once the email address is given out, then it's just as if someone had all their personally identifiable details.
> they certainly didn't need to release her personal information to the spammer
At that point in the process, your premise that they are a spammer is flawed. They are an accused spammer. Even though GoDaddy's customer service process isn't a courtroom, the principle of innocent before proven guilty should apply when penalties could be applied.
A small business, individual, big company, anybody should have the right to have full information to adequately defend themselves from false claims.
You don't think there are unscrupulous small businesses out there that file false spamming claims on their competitors? That does happen.
Or you don't think that people actually do opt into email lists, forget about it, and then accuse a company of spamming a few months later? It also happens.
Small businesses making false claims are pathological and completely identifiable cases by a hosting company themselves, they don't need to give the 'accused spammer' _anything_ to verify that sort of thing.
If you even want to go with the 'courtroom' analogy, accused only get the chance to 'confront' their accuser in court, they don't get a dossier on them outside of court so they can do whatever they want. You know why? Because this type of thing would happen.
This is nothing short of harassment and defamation/libel
> GoDaddy: "We have received complaints that you've been spamming. Give us a list of SHA-1 hashes of addresses of the people that opted in and show us how they opted in."
Considering that the spammer has the email addresses already, it would be as simple as forging a letter. Even a fake handwritten sign-up form should "prove" it. No one is going to do a handwriting check to make sure it's actually correct.
In general, the search space even for email addresses is probably too large for me to crack in a few days, but in the context above, where the author's email was already available online (on her website, in SPAM databases, in leaked credential datasets, ...), there is hardly any difference. In any case, if you consider my email address "personally identifiable information", I consider its checksum such information as well.
> In any case, if you consider my email address "personally identifiable information", I consider its checksum such information as well.
I wonder what the odds are on a hash collision from another email address (including abusing + addressing) that genuinely belongs to another person (rather than just exists) and therefore the resulting hash does not uniquely identify a single person.
The 'birthday attack' article covers this pretty well, but if we take the output size of a SHA-1 hash as 160 bits, and assume its outputs are equally distributed, a brute-force approach (equivalent to a non-maliciously generated accidental collision across all addresses ever)
sqrt(2**160 * PI/2) ~= 1.5 x10**24
for there to be a 50% probability of a collision occurring.
(if I understood/got the maths right)
Assume you have 1 billion (10^9) computers, each computer can do 1 billion hashing operations per second. That is 10^18 operations per second combined.
Rounding up, one day has 1 million seconds (10^6), and one year has 1000 (10^3) days. So, we have 10^27 ~= 2^90 operations per year.
100 million years is 10^8 ~= 2^27. So, you have 2^117 operations in 100 million years. Geologically, there was an Extinction Event about every 100 million years (e.g. 66, 200 and 251 million years ago). So, having an (unintentional) hash collision in more than 128 bits (assuming a good hash function that has uniformly distributed hash) is less likely than an event happening within the next second that kills 50% of the Earth's species.
I'm not willing to answer the challenge, but I definitely believe it could be done. If someone was willing to purchase a large list of harvested e-mail addresses and sha1sum them all, it is very likely a commonly used address would show up in it. Now, if the address you used above is actually some single-purpose address similar to what I use for all my online accounts, that would not work, but I believe that very few people use dynamic partial addresses in that way. Not even the simple ones that gmail provides.
If you have the original list of addresses, and you are given a shasum, you can easily determine to which address the sum belongs. The proposals above do not indicate that GoDaddy should provide the sum to the e-mail sender though.
Umm. Just leaving this here for anyone who doesn't know - the whole point of hashing things like emails or passwords is that reversing the hash is very difficult (read: near impossible). Indeed, once it becomes feasible to do, the hash is no longer considered useful (for this purpose).
So no, given a hash you can't get the email easily. If this were the case, there would be no point in hashing passwords - might as well store them as plain text.
Password hashing algorithms make it a bit harder to guess passwords by doing thousands of iterations ("rounds") of hashing, in addition to adding a random salt to prevent creating a dictionary for common passwords.
However, e-mail addresses are generally short, human readable, and have a high probability of being at one of a handful of common domains. It would be easy to brute force your way through common e-mail address patterns at common domain names fairly quickly, if they were only protected by a single round of SHA1.
OpenSSL's benchmarking tool claims that one of my servers can do 30 million SHA1s per second given 64 bytes of input each. And we know from Bitcoin that GPUs and FPGAs can do many orders of magnitude faster than that.
How long would it take to get an arbitrary "email@example.com" given only its SHA1? The US Census reports that there are about 5,200 common first names and 89,000 common last names, for a total of around 460 million pairs or 15 seconds on my server to try all of them.
I suspect that with some heuristics to favor common e-mail address patterns, guessing at least half of a list of arbitrary e-mail addresses really wouldn't take that long.
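Added example, not code from any poster in this thread: the hashed opt-in check proposed near the top of the discussion, followed by an audit of how many digests on such a list fall to the name-pattern enumeration described in the comment above. All addresses, name lists, patterns and the case key are constructed; the keyed (HMAC-SHA-256) variant is an assumption of this example, not something proposed on the page.

```python
import hashlib
import hmac
from itertools import product

# Constructed local-part patterns: first.last, firstlast, flast
PATTERNS = ("{f}.{l}", "{f}{l}", "{f[0]}{l}")


def normalize(addr):
    # Both parties must canonicalise identically, or the same mailbox
    # hashes to different digests and a real opt-in looks like a miss.
    return addr.strip().lower()


def sha1_hex(addr):
    # The single unsalted SHA-1 round the thread proposes.
    return hashlib.sha1(normalize(addr).encode("utf-8")).hexdigest()


def keyed_hex(key):
    # Assumed variant: HMAC under a per-case key shared by sender and registrar.
    def digest(addr):
        return hmac.new(key, normalize(addr).encode("utf-8"),
                        hashlib.sha256).hexdigest()
    return digest


def sender_digest_list(opt_in_addresses, digest_fn=sha1_hex):
    # What the accused sender hands over instead of raw addresses.
    return {digest_fn(a) for a in opt_in_addresses}


def unmatched_complaints(complainants, digest_list, digest_fn=sha1_hex):
    # Registrar side: complaint addresses that are NOT on the opt-in list.
    return [c for c in complainants if digest_fn(c) not in digest_list]


def candidate_addresses(first_names, last_names, domains, patterns=PATTERNS):
    # Enumerate name-pattern addresses at common domains.
    for f, l, d, p in product(first_names, last_names, domains, patterns):
        yield p.format(f=f, l=l) + "@" + d


def guessable(digest_list, candidates, digest_fn=sha1_hex):
    # Audit: which digests on the list are recoverable by plain enumeration.
    found = {}
    for addr in candidates:
        h = digest_fn(addr)
        if h in digest_list:
            found[h] = normalize(addr)
    return found


def exhaustive_seconds(n_first, n_last, hashes_per_second, patterns=1, domains=1):
    # Time to try every first/last pair at the stated hash rate.
    return n_first * n_last * patterns * domains / hashes_per_second


if __name__ == "__main__":
    opt_in = ["Alice.Smith@example.com ", "bob.jones@example.org"]   # constructed
    complaints = ["alice.smith@EXAMPLE.com", "carol.lee@example.com"]  # constructed
    digests = sender_digest_list(opt_in)
    print("not on opt-in list:", unmatched_complaints(complaints, digests))

    cands = list(candidate_addresses(["alice", "bob", "carol"],
                                     ["smith", "jones", "lee"],
                                     ["example.com", "example.org"]))
    print("recovered from SHA-1 list:", sorted(guessable(digests, cands).values()))

    # Keyed digests resist anyone without the key (no reusable tables),
    # but whoever holds the key can still enumerate.
    keyed = keyed_hex(b"constructed-case-key")
    keyed_list = sender_digest_list(opt_in, keyed)
    print("without key:", len(guessable(keyed_list, cands)))
    print("with key:", len(guessable(keyed_list, cands, keyed)))

    # Figures quoted in the comment above: 5,200 x 89,000 names, 30M SHA-1/s
    print("seconds:", round(exhaustive_seconds(5200, 89000, 30_000_000), 1))
```

A keyed digest only narrows who can run the enumeration; it does not make the list anonymous to the party holding the key.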
I'm loath to defend GoDaddy, but I don't know if they can be "blamed" in this case, if only because what happened here was not the typical spam scenario.
If I'm understanding the situation correctly (and if I'm not, please let me know), a crazy person with an agenda sent a mass-mailing to about hundreds of atheists/bloggers in an attempt to push his POV. Skepchick reports him to his email host (in this case, GoDaddy), under their spam terms.
GoDaddy does their standard process, which includes asking for opt-in proof, and revealing the email. Crazy guy goes crazy and makes a website dedicated to trying to defame Skepchick, using info he found about her online.
The problem is, this wasn't typical spam. Meaning, this wasn't some bot sending out Viagra sales pitches or the "great investment leads" people that send me 30 messages a day. This was unsolicited mail, yes, but it was with an agenda. Basically, I'd classify it more as harassment.
I'd imagine the situation would have been handled differently if it was flagged/seen/filed as harassing messages, rather than spam. I don't know, but I have to assume GoDaddy has an abuse team and that their methods of handling this sort of thing would be different.
Please understand, I'm not putting the onus on Skepchick to correctly know how to classify the message. It stands to reason she thought this was spam. But at the same time, I don't know if this sort of edge case is common enough to require a more complex method such as SHA-1 hashes.
Shitty situation all the way around, but I think the biggest problem was this was treated as a normal case of spam, when really it was a case of abuse/crazy.
It's pretty much the law of businesses these days. If you pump enough money to market your product/company, then your sales will be orthogonal to the product itself. You can sell any crap, as long as your marketing team is good enough.
Why? GoDaddy is merely popular. They do not provide a service that is not fulfilled as competently or as featurefully by a competitor. If GoDaddy ended as a business overnight, there would be a transition cost while people figured out which competitor to go with and moved their things, but nothing would actually be lost.
The only reason they can ignore internet rage is because their market share is gigantic, and it's gigantic only because they're really good at marketing.
TL;DR: User got spam from a website hosted by GoDaddy. User reports spam. GoDaddy wants to be good guy and asks spammer if user opted in (by providing spammer with the user's email). Spammer stops spamming, but harasses user by posting her photo online, which s/he probably got using the email address GoDaddy provided.
In retrospect, I'm sure there are better ways for GoDaddy to investigate such complaints, but I think they didn't do something very evil - an email address is hardly "personally identifiable information". On the other hand, if you don't want your photo to be posted online, don't post your photo online.
You wouldn't in common cases because as an individual you are not required to care.
However if you are an owner of a database containing personal information (where database means collection, not a particular technology), then rules are different. You then are required to collect only what you need for purposes granted by their owners and have to take care of not disseminating it without approval to others.
Google wasn't allowed to collect Street View data until they could conform to our privacy laws which mostly meant not making photographed people easily identifiable. This requirement is in no way specific to Slovenia (e.g. I think Germany has the same one) and Google complied which is why you can use street view in Slovenia now.
I would not describe our computer-related laws crazy. They are lacking as laws everywhere are and certainly sometimes in uniquely our way. However it is often the enforcement (or lack of) that is the problem, not laws themselves.
Is an e-mail address really any different from a phone number? I can't imagine anyone arguing that it would be okay for an intermediary in a dispute to disclose one party's phone number to the other, regardless of the reason. It is simply not GoDaddy's place to expose such information.
And I don't think her problem was with the photo being on the internet. It was more that her photo was sandwiched between blatantly defamatory content.
To contrast this with a real world example, if your neighbor is having a party and you call in a noise complaint to the police, I don't think they tell the party host "we got a noise complaint from your neighbor at 123 My Street".
Despite all my hate towards GoDaddy, I cannot see the happening being their fault.
As tomp pointed out, disclosing email address is part of the process, probably not clearly stated, but GoDaddy handled it well. They issued a fine to a spammer, resolving the initial spamming case.
Worse would be if they have not carried out any actions at all.
Now, concerning the harassment, how come GoDaddy is responsible for trolls being trolls? As Company pointed out, report him to law enforcement. Sue him, or anything, victim has got the spammer's domain, thus all the private information needed to escalate the problem further.
It shouldn't be GoDaddy handing the abuser the email for verification, it should be the abuser handing GoDaddy its opt-in list for verification. This way the reporter's identity is never in danger... Of course it's their fault.
The sender obviously had my name on his list, they used that list to send the e-mail. The dispute is that this list isn't really opt-in, and it's hard to imagine any reasonable verification (instead of, say, detailed audit of the sender's internal processes) that could prove otherwise.
Imagine yourself being a highly respected business owner, where your main product is sending personalized newsletters to privacy concerned customers paying you much for their data to stay safe.
Will your argument still stay the same? Are you going to hand in millions of your precious customers email addresses each time to your domain registrant when one of them marks your email as a spam? How are you going to explain later to your customer why he is receiving spam on email address firstname.lastname@example.org? That you had to send everyone's address lists each time a spam was reported?
I think all this just goes to reinforce the complete brokenness of e-mail to date.
While the proposals for requesting proof of opt-in via SHA hashes and such seem technically feasible, I think it pretty quickly breaks down when you think about how much cost and overhead that would put on GoDaddy (or law enforcement) to manage.
Think about the volume of spam out there. Then imagine a very tiny fraction of that being reported. Each one of those would require validation. While you could automate all the SHA sum comparison stuff, I don't think you could easily automate the validation of whether the opt-in mechanism was appropriate. If the sender indicates there was an opt-in, the validator must still confirm with the complainant whether that is a true claim. Without that, the system is useless because the spammer just keeps a SHA sum for each of the addresses they've purchased and supplies them along with a "Yes they opted in!" claim.
Manually validating the opt-in mechanism would require lots of manpower, and more importantly, a common and universally agreed upon set of rules for how opt-in should work. There are all sorts of nuance in the way there. Should it be a double confirmation? Does existing business relationship count? If so, what are all the rules regarding what constitutes such a relationship? What about unsubscribing afterward?
Edit: Removing the pessimistic and un-useful concluding paragraph on the hunch that was what warranted downvotes.
Forwarding a complaint onto the end user is standard practice these days. It seems that every few months there is a story like this where someone sends an abuse complaint then is surprised when the hosting company sends it to the end user. For any large enough company it's unlikely a person will even read your complaint before it gets forwarded on. Most complaints are designed to be sent to the end user so it's no surprise companies automate this process.
Anonymous complaints are an ethical issue. If you have no recourse then complaints become pernicious.
Also, they forwarded some pretty basic details, an email and a name. They weren't sent her SSN, mailing address, or anything like that, so it's no more identity than she associates already with her email address, as far as I can tell.
You need to be able to contact a complainant, otherwise there is no resolution, only a complaint.
> Anonymous complaints are an ethical issue. If you have no recourse then complaints become pernicious.
The complaint itself is not anonymous, there is an intercessor which knows the identities of both parties, and who is the recourse.
> Also, they forwarded some pretty basic details, an email and a name. They weren't sent her SSN, mailing address, or anything like that, so it's no more identity than she associates already with her email address, as far as I can tell.
Oh great, they didn't send enough for a complete identity takeover so I guess everything's… wait what?
They sent personal information to somebody who might — if the complaint was well founded (which it clearly was) — take retributive action. That does not strike me as an ethical or sensible move.
> You need to be able to contact a complainant, otherwise there is no resolution, only a complaint.
No, not necessarily and definitely not if the complaint is simply a well-founded one where the resolution is to fix your shit. And if it turns out you do actually genuinely need to directly contact the complainant, contact information can be asked of the intercessor.
Yes, that's also normal. We send out a ton of abuse complaints daily, and we get responses directly from the end user in most cases. It's fairly rare that the provider acts as a middleman (and even then, it's generally just automated prodding of the user if they don't respond quickly).
There is a similar, perhaps more significant problem with Twitter's abuse reporting tool. To submit the form, users are required to tick the box that notes they accept the following:
"I understand that Twitter may provide third parties, for example the reported user, with details of this report, such as the reported Tweet. Your contact information, like your email address, will not be disclosed."
I think it highly likely that would encourage further abuse. This has prevented me using the tool in the past, and makes me think Twitter doesn't quite understand the issue.
What's wrong with this? They say "Your contact information, like your email address, will not be disclosed". They just tell the person whose Twitter account it is something like, "By the way, it's this tweet that was reported as abusive and they said it was abusive in this way". Am I misunderstanding this?
That's also my reading. They warn that they may share the report itself, such as the reported tweet and the comments (e.g. the "further description of the problem" field) to the reported, but will not share contact/identifying reporter information. That seems fine to me, one needs to know what he's being accused of to mount a defense.
I am not hating on Go Daddy but I will say that articles like these do not come out of left field. There was the incident about two months ago with the @N twitter name that involved them and I have heard other grumblings about them. Then when you have other registrars that offer competitive services and do not have those grumblings, you switch. I did. (namecheap.com) Just sayin'...
Not surprising. GoDaddy does not have a good reputation among anyone I know, and I've been involved with domain names since the mid 1990s. I recommend you research other registrars and consider taking your business to them. I know Namecheap has good prices, 2FA, low prices, and discount codes for people leaving GoDaddy. Best wishes.
I've been using Dynadot lately and have been pretty happy. My only complaint is that their 2 factor authorization is not Google Authenticator compatible and doesn't work at all if you have 2 accounts on the system (like work and personal).
Clearly, the answer is yes. In a commodity business, where your customer does not necessarily know much about your product, brand name recognition, price competition, and other-people's-money buyers are your bread and butter.
GoDaddy advertises heavily. NetSol relies on the fact that they were the first and no one ever gets fired for recommending them.
The people who are still their customers obviously do not realize they can get better value--though not necessarily a lower price--from other companies.
And, apparently, there are also the buttmunches out there that are customers because the customer service (and self-policing in particular) is awful.
If I just want to pretend to be a volunteer junior deputy for the Sheriff of the Internet for two minutes, I'll do it.
Spammers would not have their accounts suspended as often or as quickly if no one ever reported them to email@example.com . There's always the possibility that my iota of caring generated the lead that sparked the investigation that allowed the actual network security guard to take down the spammer kingpin or a portion of his botnet.
Mostly, it's when I just want to kick the spammer square in the danglies, for annoying me when I'm bored.
I'm not going to spend today defending GoDaddy, as they've been a fair fly in the ointment to me. However I would not suggest burning them at the stake because somebody on this particular blog posted an inconclusive statement about a breach which was, as far as we can tell, dealt with already.
As a customer of theirs, I'll probably be contacting them about this to make sure I don't have any similar issues, and suggesting a remedy (probably something like the cryptographic hash based verification method suggested elsewhere on this page) for the future.
I don't trust the source though. /she/ included "an email" "from godaddy". But Skepchick has been host to such golden, contributing members of society as Rebecca Watson, so excuse me if I don't feel compelled to believe incriminating claims from people who ruin blood cancer research donation drives with inappropriate and divisive humour, then criticize others for being confused or offended rather than apologizing.
From reading the article alone, sure, I wouldn't be quite as skeptical, but I'm going to hold out until GoDaddy has a say in this case, because I don't really trust either of them.
Who on earth reports spam to originating server administrators? It might seem contrary to general sentiments here, but really, why not handle your own problem (and adjust your spam filters) instead of troubling GoDaddy?
Then, instead of whining around on the internet writing blogposts and making money off those banner ads, the poster should have contacted local law enforcement authorities.
I don't see why she should defame GoDaddy. If I had a server there, and I was accused of sending spam, I would have the right to know which address considered my email as spam (and determine for myself whether the user subscribed to my services or not).
> Then, instead of whining around on the internet writing blogposts and making money off those banner ads, the poster should have contacted local law enforcement authorities.
This and that are not exclusive.
> I don't see why she should defame GoDaddy.
Because they shared personal information with a complainee? If you go to the cops and make a complaint, would you find it normal that the cops go to that person and immediately give them your name and address?
> I would have the right to know which address considered my email as spam
Now consider that from the POV that you are a spammer and acting in bad faith, you've just been handed the keys to retribution, that sounds absolutely wonderful does it not?
No. You could send them the sha1 checksums of those who had opted in, and GoDaddy could confirm if it matched or not. You have no right to their personal information, but you do have a right to be heard.
GoDaddy deserved every last ounce of negative coverage for this they can get.
So, every time someone receives an abuse complaint, they should have to send checksums of every email on their list? What if it's a massive mailing list by a large company? What if it's a fraudulent abuse complaint, just designed to get the company to waste resources?
What if the company just lies that someone's not on their lists - they'll have to turn the information over one way or the other if it's to be checked, and it may as well be in a checksum as anything else.
> I've never heard of any provider making someone turn over their mailing lists. Do you have any further information about when this has occurred?
I didn't mean to imply that was what happened. I said that they'd have to if it's to be checked.
My thoughts were that you're either going to have to trust the accused spammer - in which case you can turn over the SHA of the complaining email address, and the provider can compare it to the SHA hashes of their own. Or... they're going to have to turn the list (again, preferably with the entries hashed) over to you - and then, I suppose, you'll have to trust that they're giving you a truthful list.
But, either way, I don't see how the mere act of hashing the list is going to significantly alter the problems of nuisance complaints or of dealing with large lists. Hashing is a very cheap thing to do after all.
There's not really anything you can do about an individual spam complaint, aside from telling the end user and having them remove the email from their list (aside from things that are quite obviously spam).
The problem is the 'Report Spam' button is also the 'I no longer wish to receive this email' button to non-technical users. Just because you've received a spam complaint, doesn't mean that it wasn't an opt-in email.
Providers never attempt to verify your email list. If you generate too many spam complaints, you get terminated. It's not feasible for a third party to get a copy of your mailing list, then somehow evaluate how legitimate it is.
It seemed to be a comment drawing an analogy to the criminal legal process. And in the US, that process guarantees you the right to know what you're accused of, why you're accused of it, and to confront the people accusing you.