Survey: Are domain registrars free-speech friendly?
MySpace successfully pressured one registrar into pulling the plug on a domain after a password list appeared. Would others follow suit?
It also prompted owners of domain names to wonder about the reliability of their own registrars--and whether the domains they own are safe from suspension in the absence of a court order.
In response to requests from readers, CNET News.com conducted the following survey of 12 leading registrars: DirectNIC; Dotster; eNom; Gandi.net; Go Daddy; Melbourne IT; Moniker.com; NameKing; Network Solutions; OnlineNIC; Register.com; and Tucows.
We found that the French registrar Gandi.net and New Orleans-based DirectNIC offered the most extensive guarantees against unnecessary domain name suspension.
DirectNIC said it would suspend a domain in the absence of a court order only if the content is "clearly focused on child porn or a phishing site." Gandi.net said it would take extensive steps to contact the owner of a domain name in advance.
Go Daddy, on the other hand, gave Seclists.org owner Fyodor Vaskovich only 52 seconds from the time the initial voicemail notification was left to the time the domain was marked as "suspended." That's according to a log of correspondence with Go Daddy that Vaskovich made public. Go Daddy made the request on behalf of MySpace, which said a list of usernames and passwords had been posted by a user to Seclists.org.
Gandi.net's Stephan Ramoin said someone claiming to be from MySpace also made the same request of his registrar last week. But because Gandi.net could not get in touch with MySpace, and "as we were not provided with any justification for the complaint, no action was taken," he said. (Meanwhile, Vaskovich has obtained the domain NoDaddy.com and is using it to publicize the situation.)
Following are verbatim responses to the 10-question survey from registrars that were contacted. Not all chose to answer the questions, however.
DirectNIC
completed survey DirectNIC is operated by Intercosmos Media Group, and is based in New Orleans. It offers Web hosting, POP e-mail accounts, and SSL certificates in addition to domain name registration. Domains are $15, with quantity discounts available if you're buying hundreds or thousands of domains.1. Under what circumstances will you suspend a customer's domain name based on the content of his or her Web site, in the absence of a court order?
In the absence of a court order we will suspend a domain name based on the content if the domain name is clearly focused on child porn or a phishing site. As an example, we would not shut down CNET.com if someone posted in a comment section a link to child porn hosted elsewhere. However, we would likely report the issue to CNET's abuse department so that they could take action.
2. How many times a month, on average, do you suspend a customer's domain name based on the content of his or her Web site?
Generally 20 to 50 domain names a month.
3. What are the most common reasons for suspension?
Child porn. Phishing. Credit card fraud. Often when we find illegal content like child porn or phishing (or that) the domain name was also registered using a stolen credit card. This provides an additional justification for suspending the domain name.
4. How many domain names do your customers currently have registered through you?
1.3 million.
5. Go Daddy last week suspended its customer's domain, Seclists.org, because of a complaint from MySpace. Would you have done the same thing in the same way if Seclists.org happened to be your customer?
No. Of course often a domain name will be "suspended" and it is not the fault of the registrar at all. We had a rash of complaints after we shut down MySpace.cn a week ago. The site was shut down due to their failure to renew the domain name. This happened right as MySpace was announcing to the world that they would be making a big push into China. So the sword cuts both ways. MySpace can complain and convince Go Daddy to suspend domain names. But, they need to watch their domain registrations a little closer as well. Last Friday night I talked on the phone to someone from MySpace and we renewed the domain name for them. The domain name MySpace.cn now resolves.
6. If you do suspend domain names in the absence of a court order, what procedures do you have in place to ensure that the customer is notified beforehand and given adequate opportunity to respond?
We have procedures for contacting individuals, but they are not mandatory because we reserve the right to take immediate action when warranted--e.g., obvious child porn or phishing. Other procedures are initiated when the customer is committing illegal activities, but we do not disclose those procedures publicly.7. Do you believe that your most important responsibility is to provide technical services to paying customers--or is it to police the content of their Web sites, FTP sites, and so on?
We are willing to take action to remove obviously illegal content such as child porn and phishing sites from the Internet. We also believe that we have an important responsibility to work with government agencies in policing the Internet.
8. Are you attempting to recruit Go Daddy customers as a result of last week's news about Seclists.org?
No. Other companies have actively recruited our customers due to us shutting down child porn websites. We feel that it is unfortunate for companies to spread fear and uncertainty because of the good intentioned actions of a domain registrar.
9. If you do suspend domain names in the absence of a court order, how do your customers go about getting their sites restored?
When shut down for child porn, the owners almost never request to have the domain restored. Any restoration would be on a case by case basis.
10. Do you have a dedicated department or person who handles issues related to domain name suspensions?
Yes. We have two full time attorneys (in addition to myself) and two individuals who handle abuse complaints.
Dotster
did not participate We first spoke to Darcy Enyeart in Vancouver, Wash.-based Dotster's legal department on Monday afternoon, and she told us to e-mail our survey responses to legal@dotster.com. Since then, we have received no word directly from the company, despite follow-up phone calls and e-mail messages. On Thursday, we had a conversation with Lois Whitman at Dotster's outside PR agency, HWH Public Relations, who contacted us to send us an unrelated press release. When asked, Whitman told us that "no one at Dotster knows" anything about the request and did not provide us with a response to the survey.eNom
did not participate We began leaving voicemail and e-mail messages with Bellevue, Wash.-based eNom's public relations department on Monday afternoon and continued that process on Tuesday. John Kane, the company's vice president of business development, called us back that afternoon, apologized for the delay in responding, and invited us to send our survey questions his way. We have not received any response from eNom since then, despite multiple follow-ups.Gandi.net
completed survey Gandi.net takes a different approach to domain name registration: its home page, for instance, talks about "enlightenment." It's based in France and registers suffixes including .com, .net, .org, .biz, .info, .name, .be, .fr and .eu. The company sent us a statement explaining its philosophy as: "On our Web site, you will not find empty promises, sneaky advertisements or unwelcome surprises hidden up our sleeves. We simply strive to provide a decent and honest service. Our wish is to provide you with the best product and service at the most reasonable price."1. Under what circumstances will you suspend a customer's domain name based on the content of his or her Web site, in the absence of a court order?
Gandi, as you know, specializes in domain name registration, and as such we pay close attention to the validity of the registration information of the domain (Whois data). We therefore are allowed to suspend domain names if the Whois data is false.
In some instances, Gandi has suspended domain names where we have found that the Web site that uses the domain is clearly used for blatant illicit activity, and which has been recognized as doing so by other respected and identified sources. A clear example of this is when a domain is used to point to a well-known spam scheme such as "My Canadian Pharmacy."
To pick up on the point about the "court order," we have found that such a process may be very slow in certain cases and circumstances, given the nature of the Internet, which is why action is sometimes taken in the absence of a court order. But this is always done after having contacted the owner of the domain name in question, and in respect of laws and our terms and conditions.
2. How many times a month, on average, do you suspend a customer's domain name based on the content of his or her Web site?
Gandi almost never takes action against a domain name based exclusively on the content of the Web site, largely because we do not provide Web hosting.
Behind each Web site is a company or an individual, and we need to understand who that is and what they are doing before we act. For example we would not suspend a domain name of a hosting company just because of one Web page of a Web site of one of their customers; in such a case it is more effective to collaborate with the host to pull the offending content.
When we make the decision to suspend a domain name, it is often due to a combination of several factors, rather than just the content itself (for example: multiple spam complaints, fake Whois data, and illicit Web site content).
For that kind of abuses, and after warnings, we have an average of 200 domain names suspended--not deleted--a month. Illicit Web site content represents a very small percentage of complaints we receive.
3. What are the most common reasons for suspension?
Other than the crime itself, perhaps the most stupid thing a criminal could do is to leave his or her real address and telephone number at the scene of a crime!
Consequently, in nearly every instance where a domain is being used as part of an illegal scheme, the contact information of the owner is false or deliberately misleading.
Whether the personal contact information used has been stolen from some random person, or simply pulled out of thin air, we most frequently take action against a domain if the complaint for illegal activity is justified, well-documented by multiple respectable sources, and when we have proof that the registration data is incorrect.
We would love to have an official court order each time, but it simply doesn't work like that as you know: courts are reacting to evolution, not anticipating it.
4. How many domain names do your customers currently have registered through you?
Despite the fact that we have chosen to not have a marketing budget, to not publish ads in magazines, to not air commercials on TV during certain football games, and to rely exclusively on word-of-mouth for getting our name out, we are proud to say that we currently manage over 550,000 domain names, with an acceleration last year and a half and our "new start." (The company was acquired 1.5 years ago by a team of managers to build an alternative and "historical" registrar and hoster.)
5. Go Daddy last week suspended its customer's domain, Seclists.org, because of a complaint from MySpace. Would you have done the same thing in the same way if Seclists.org happened to be your customer?
Funny you should ask that question, because it just so happens that Gandi was indeed contacted last week by someone claiming to be from MySpace!
Upon the reception of the complaint (made on our answering machine), we immediately opened a case to examine its merit, which begins by looking into the person making the complaint, and requesting additional information, if necessary. In this case, as we were unable to contact the person who made the complaint, either by telephone or e-mail, and as we were not provided with any justification for the complaint, no action was taken.
We can tell the difference between a mailing list, an offensive post in a forum, and spam. Our investigative process would have told us what action to take, and we would have been able to justify our action with confidence to all of CNET's readers.
6. If you do suspend domain names in the absence of a court order, what procedures do you have in place to ensure that the customer is notified beforehand and given adequate opportunity to respond?
With very few exceptions, when we are forced to suspend a domain name, it is for the very reason that the owner has neither replied to our numerous attempts to contact them, nor was it possible for us to contact them through the information that they provided to us.
In certain rare cases, such as a denial-of-service attack, or a massive attack of spam, we must suspend the offending domain name at the same time we contact the owner.
In the majority of cases, however, we send an e-mail to the domain's owner, giving them the opportunity to correct the problem. We even go so far as to call the telephone number provided in the Whois data for the domain, in order to speak with the domain name owner in person.
When we find that a site is hacked or hosting illegal content that the administrators appear to be unaware of, we take the extra step of contacting the Web host, the Web master of the site, or in some cases, even the forum administrator.
As stated in Gandi's blog, gandibar.net, we are not "trigger-happy" in our fight against domain abuse.
7. Do you believe that your most important responsibility is to provide technical services to paying customers--or is it to police the content of their Web sites, FTP sites, and so on?
Who watches the watcher? The global community of course! Our role is not to police the Internet. For that there are anti-spam forums, special blacklists, and concerned citizens, all of which I commend for their vigilance and dedication, and contribution.
This lets us focus on our specialty, which is managing domain names for our customers in an ethical and transparent manner. And to participate in supporting an alternative and responsible Internet community.
While we do pro-actively investigate domain abuse at Gandi, this activity goes hand-in-hand with the complaints that we receive. We have been given the trust of our customers to manage their domains, and we are proud to do so.
In short words, it's technically impossible to watch the content of all Web sites, but we will always be very reactive and efficient if we are aware (thanks to our investigations and protective measures or to a complaint) of an issue somewhere.
8. Are you attempting to recruit Go Daddy customers as a result of last week's news about Seclists.org?
It is not in Gandi's nature to go after potential customers in such a way. Part of what makes Gandi so unique is that people come to us because they share our values and want an alternative to the tactics and practices of mainstream companies. We do care both about our customers and Internet. For example, we do fight spam actively (we strongly support spamhaus.org among other things) and we assume the risk to lose customers because of this ethic positioning (spammers are large ones).
9. If you do suspend domain names in the absence of a court order, how do your customers go about getting their sites restored?
After we suspend a domain name, we send out a final e-mail to the address of the domain's owner in which we explain what steps the registrant must take to reactivate the domain.
Each case is treated individually, and so we tailor our demands to meet the severity and nature of the offence.
10. Do you have a dedicated department or person who handles issues related to domain name suspensions?
Our entire Customer Care Department receives abuse complaints, though we have special e-mail addresses and online forms on our Web site that we also invite concerned citizens to use.
Complaints that we receive are then centralized by dedicated staff members (Ryan and Francoise), who investigate the validity of the complaints, enter into contact with the parties involved, and if necessary, take action. If there is a particularly complex case, a meeting is held by Gandi management together with our legal team, to discuss the complaint, and what action may be appropriate.
The advantage of this approach is that Gandi can tell the difference between domain name abuse, and the posting of an isolated user of a mailing list.
Go Daddy
completed survey Go Daddy is one of the largest registrars in the world and enjoys the rare distinction of being the original cause of the survey. It's probably best known for its racy (by broadcast standards) Super Bowl ads, which have spoofed Janet Jackson's "wardrobe malfunction" during the 2004 game. Registration for .com domains is $9 a year. Go Daddy's director of network abuse, Ben Butler, sent us a statement in addition to the survey response, which we've included as well:"Go Daddy appreciates the opportunity to address the situation with SecList.org.
"As you know, we have already provided CNET an interview with Go Daddy General Counsel Christine Jones. We also have provided responses to inquiries about this to customers and others who contacted us.
"We think you should know, after explaining the situation, we are receiving positive feedback--not only from those just questioning what happened, but also from those who originally complained.
"Once these people understand thousands of MySpace user names and passwords were exposed on the Internet and that we immediately contacted the customer and resolved the issue--re-enabling the site within one hour--they are not only satisfied with our response, but they THANKED us for what we did.
"One of the customer responses of which we are especially proud came from the Founder & Director of ProjectCare.com, Kevin Caruso. Kevin Caruso said this in his e-mail to Go Daddy: "My work is EXTREMELY important and is literally a matter of life or death for many people EVERY DAY. And I can tell you without hesitation that Go Daddy is THE ONLY registrar and host that I trust. Period."
"Numerous customers echoed Mr. Caruso's sentiment, telling us they were glad to know Go Daddy has procedures in place to handle "network misuse." Many e-mailed us to say they appreciated our speedy response and some actually found fault with how other parties involved handled the situation."Let us now address the questions you are posing to registrars in general on this issue."
1. Under what circumstances will you suspend a customer's domain name based on the content of his or her Web site, in the absence of a court order?
Go Daddy takes action to suspend a domain name in cases where the domain name is being used for, or in association with, illegal activities. Our most common instances involve phishing sites, child pornography Web sites, terrorist sites and the like.
As an established partner with the National Center for Missing and Exploited Children, we also take action based on sites that pose a significant threat to or exploitation of childrem--as was the case in this instance.
2. How many times a month, on average, do you suspend a customer's domain name based on the content of his or her Web site?
An extremely small number of domains registered at Go Daddy.com ever have any need to interact with our Abuse Department.
3. What are the most common reasons for suspension?
Phishing sites and child pornography/child endangerment sites are the most common type of content-related suspensions.
4. How many domain names do your customers currently have registered through you?
The Go Daddy Group currently has more than 18.1 million domain names under management.
5. Go Daddy last week suspended its customer's domain, Seclists.org, because of a complaint from MySpace. Would you have done the same thing in the same way if Seclists.org happened to be your customer? (Editors' note: We did not ask Go Daddy this question.)
6. If you do suspend domain names in the absence of a court order, what procedures do you have in place to ensure that the customer is notified beforehand and given adequate opportunity to respond?
We have a dedicated abuse department that thoroughly investigates each potential situation individually. The customer with the offending material will be contacted using information we have through the public Whois database and/or our customer records. Once contact is made, generally we're able to quickly resolve the issue with the customer. However, in some cases, if we are not able to contact the customer or to resolve it AND the content is illegal, threatening, or in association with an illegal activity, we remove the site and continue to try and contact the customer ore resolve it.
Additionally, we strive to make every instance an educational opportunity because so few people truly understand the importance of keeping contact information updated or why a registrar may have to take swift action.
Of course, our ability to contact the customer is dependent upon their providing valid contact information in either their customer account, or as contact information in the Whois database.
7. Do you believe that your most important responsibility is to provide technical services to paying customers--or is it to police the content of their Web sites, FTP sites, and so on?
Ensuring the proper functioning of all Go Daddy products and services is of paramount importance to us. Our industry-leading products and customer care show our commitment to our customers. Considering those commitments to our customers and our commitment to keeping the Internet safe for everyone, we will not sit idle while Web sites under our management are used for potentially criminal purposes.
8. Are you attempting to recruit Go Daddy customers as a result of last week's news about Seclists.org? (Editors' note: We did not ask Go Daddy this question.)
9. If you do suspend domain names in the absence of a court order, how do your customers go about getting their sites restored?
Our Abuse Department is available 24 hours a day, 365 days per year to help quickly resolve the situation. They are available by email or telephone.
10. Do you have a dedicated department or person who handles issues related to domain name suspensions?
We have a team of dedicated team of administrators whose sole focus is to handle all aspects of abuse-related situations. Our Abuse Department is available 24 hours a day, 365 days per year to help quickly resolve the situation. They are available by email or telephone.
Melbourne IT
did not participate We first left phone and e-mail messages with the Australia-based company and its San Francisco outpost on Monday afternoon. Since then, we have received no response from the company, despite a number of follow-up phone calls and e-mails.Moniker.com
partial response Moniker.com would not answer our survey. Instead, a public relations representative for Moniker.com sent us a statement that answered some -- but not all -- of our questions. The representative said the statement "can be attributed to" Monte Cahn, the chief executive and founder of Moniker.com. The company is based in Pompano Beach, Fla."Our mission is to support our customers while abiding by ICANN policies. We have very clear Terms of Service that define actions that will warrant termination or suspension of an account. We investigate any and all claims that are brought to our attention. If the claims are substantiated, we have the right to terminate the account. Our customer base is primarily large corporations and domain portfolio owners - people who run big businesses and treat their domains as assets, so this happens very infrequently. We have nearly 2 million domains under management."
NameKing
did not participate We first submitted a request for Los Angeles-based NameKing to fill out our survey at around 4 p.m. on Monday afternoon. We repeated that process again in the days that followed, sent e-mails to multiple accounts, and left a message on the company's answering machine. But the only response we received was a series of boilerplate help-desk tickets. One said: "There is no need to reply to this message right now. Your ticket has been assigned an ID of [nameking.com #10715]."Network Solutions
refused to participate We first spoke with Susan Wade in the Virginia-headquartered registrar's corporate communications department on Monday afternoon, and she agreed to take a look at our survey questions. Hearing no response, we sent reminder e-mails on Tuesday afternoon and Wednesday morning. Just after 9 a.m. on Wednesday morning, Wade informed us by e-mail: "We're going to pass on this opportunity to participate."OnlineNIC
completed survey OnlineNIC is based in San Francisco and bills itself as one of the oldest accredited registrars. It offers .CN domains for between $14 and $26, and .COM and other generic top-level domains for $6.69 to $8.1. Under what circumstances will you suspend a customer's domain name based on the content of his or her Web site, in the absence of a court order?
We only suspend a customer's domain name as we get the order from the court or some authorizations.
2. How many times a month, on average, do you suspend a customer's domain name based on the content of his or her Web site?
Sorry, there is no exact number.
3. What are the most common reasons for suspension?
Spam, phishing, tortious.
4. How many domain names do your customers currently have registered through you?
More than 1,063,000 domain names.
5. Go Daddy last week suspended its customer's domain, Seclists.org, because of a complaint from MySpace. Would you have done the same thing in the same way if Seclists.org happened to be your customer?
Not sure.
6. If you do suspend domain names in the absence of a court order, what procedures do you have in place to ensure that the customer is notified beforehand and given adequate opportunity to respond?
Before we suspend the domain name, we will notice the customer first, and offer the concerned evidence and policy to the customer.
7. Do you believe that your most important responsibility is to provide technical services to paying customers--or is it to police the content of their Web sites, FTP sites, and so on?
Yes, we only provide the domain registration service, and the customer should agree to the registration policy.
8. Are you attempting to recruit Go Daddy customers as a result of last week's news about Seclists.org?
Not sure.
9. If you do suspend domain names in the absence of a court order, how do your customers go about getting their sites restored?
The customer should promise that he/she will not do the illegal activities again.
10. Do you have a dedicated department or person who handles issues related to domain name suspensions?
Yes, we have such department.