MySpace demanded that GoDaddy pull the plug on Seclists.org, which hosts some 250,000 pages of mailing list archives and other resources, because a list of thousands of MySpace usernames and passwords was archived on the site. GoDaddy claims its customers own about 18 million domains.
GoDaddy complied. In a move that Seclists.org owner Fyodor Vaskovich said happened with no prior notice, the company deleted his domain name--causing his site to be effectively unreachable for about seven hours on Wednesday until he found out what was happening and removed the password list.
"They didn't tell me why they removed the site," Vaskovich, creator of the popular Nmap security auditing utility, said in a phone interview. "At a very minimum, we should get warning."
Vaskovich said he spent "hours and hours" on the phone with GoDaddy on Wednesday before he finally got through to someone who was willing to listen. As a result of this experience, he said in an e-mail announcement, "I'm in the market for a new registrar. One who doesn't immediately bend over for any large corporation who asks."
For her part, GoDaddy general counsel Christine Jones defended the abrupt deletion, saying: "We tried to contact the registrant, but they were not available at the time. To protect the MySpace users from potentially having private information revealed, we removed the site."
Jones pointed out that GoDaddy's terms of service say the company "reserves the right to terminate your access to the services at any time, without notice, for any reason whatsoever."
Jones and Vaskovich, however, tell substantially different versions of exactly what happened. Jones characterized the episode as lasting only about an hour, saying her abuse department unsuccessfully "tried to contact" Vaskovich and "he actually contacted us about an hour" later after the removal occurred.
But Vaskovich provided CNET News.com with a log of correspondence from GoDaddy that corroborates his version of the story. It indicated that only 52 seconds elapsed from an initial voice mail notification to the time the domain was marked as "suspended." GoDaddy did not immediately respond to follow-up questions.
Vaskovich says MySpace did not contact him directly. MySpace declined to respond to repeated inquiries on Thursday.
Michael Froomkin, a law professor at the University of Miami who has written about domain name regulation, says this is the first time he's heard of a registrar abruptly taking a customer offline without a court order.
"Some people might feel safer with a registrar that's a little more pro-customer," Froomkin said.
Froomkin said this week's incident raises novel free speech questions--not legal ones, as long as GoDaddy's terms of service are broad enough. Rather, he said, the issue is "the quality of their review" of complaints received from firms like MySpace.
GoDaddy's Jones said that "we're not knee-jerk--we try to be responsible about verifying complaints." There's a broad spectrum of policies among domain name registrars, she acknowledged, with GoDaddy "probably the most aggressive."
But, Jones said, GoDaddy has a 24-hour abuse department that deletes domain names used for spam or child pornography on a daily basis. "We're not here to allow people to put illegal content on the Internet," she said. "We take this safety and the security of the Internet very seriously...We take our responsibility pretty seriously. We're the largest registrar in the world."
When asked if GoDaddy would remove the registration for a news site like CNET News.com, if a reader posted illegal information in a discussion forum and editors could not be immediately reached over a holiday, Jones replied: "I don't know...It's a case-by-case basis."