A third lawsuit was filed late Friday in a federal district court in California against VeriSign, Inc. over its controversial DNS wildcard redirection service known as SiteFinder. It was filed by the longtime Internet litigator Ira Rothken. In addition, while two other lawsuits have been filed by Go Daddy Software, Inc. and Popular Enterprises, LLC. in Arizona and Florida, this is the first lawsuit to seek class-action status. Here is an excerpt from the "Introduction" section... [CircleID]
Optima Technology Corporation has filed a lawsuit against Network Solutions alleging that the registrar gave away its domain name without its permission causing damage to its business. The suit alleges that Network Solutions transferred ownership of its domain name "optimatech.com" to a former Optima employee Michael DeCorte, which has allowed him to redirect Optima's revenue to his possession. Optima claims that DeCorte along with another former employee Raymond Martin, used a... [CircleID]
It is unfortunate that the predicted assaults on civil liberties and the First Amendment due to the poorly written and overly broad Patriot Act are coming true. The following example of government overstepping its bounds should give pause to anyone who uses the Internet as a forum for communication - ed.
The Subpoenas are Coming!
By Mark Rasch Sep 29 2003 05:00AM PT
Frequent readers of this space know that I am no apologist for hackers like Adrian Lamo, who, in the guise of protection, access others' computer systems without authorization, and then publicize these vulnerabilities.
When Lamo did this to the New York Times, he violated two of my cardinal rules: Don't make enemies with people appointed for life by the President of the United States; and don't make enemies of people who buy their ink by the gallon.
Now, in the scope of prosecuting Lamo, the FBI is doing the hacker one better by violating both of these precepts in one fell swoop.
The Bureau recently sent letters to a handful of reporters who have written stories about the Lamo case -- whether or not they have actually interviewed Lamo. The letters warn them to expect subpoenas for all documents relating to the hacker, including, apparently, their own notes, e-mails, impressions, interviews with third parties, independent investigations, privileged conversations and communications, off the record statements, and expense and travel reports related to stories about Lamo.
In short, everything.
The company is facing a class-action lawsuit over its controversial "SiteFinder" search page. Critics say the redirect service interferes with other Net applications. [CNET News.com]
From Dan Gillmor's eJournal
The Internet has become a grossly commercialized Wild West in so many ways. But the community spirit on which it was founded is alive and well. The Net depends on the same spirit that motivates volunteers in the physical world: a commitment to solve problems and make life better for those who might otherwise not have the resources or expertise. [Dan Gillmor's eJournal]
From Karl Auerbach
Verisign's SiteFinder appears to be based on the idea that anything on the internet that is not explicitly prohibited is thereby permissible.
For the moment let's put aside Verisign's monopoly position and the special responsibilities and limitations on behavior that derive from that position. And let's also put aside any patents that may be lurking out there that might cover SiteFinder.
If we assume, for the sake of discussion, that Verisign has correctly asserted that there are few bounds on what it can do on the internet, then where could Verisign go with something that I'll call SiteFinder II?
It would be quite easy for Verisign to modify its existing SiteFinder service so that instead of returning the true and unmodified URL's that lead directly to the web sites that a user selects, SiteFinder II could return URL's that lead to Verisign operated proxy servers that themselves obtain the desired materials and then present them to the user.
This is arguably similar to explicit proxying through tools such as Squid or implicit proxying through any number of so-called "transparent" web caches. However it would be of a much greater scope - once a user made a typo in a name, all subsequent web access could be mediated by this still hypothetical SiteFinder II.
With that mechanism, Verisign could then do even more intensive data mining of users' web activities than it does in SiteFinder I with its simple web-bug and activity logs. SiteFinder II could read every word presented to millions of unsuspecting users and view every picture seen by those users. The revenue that SiteFinder II could produce could dwarf the already significant potential revenues of SiteFinder I. And such a system would deserve to be named BigBrother rather than SiteFinder.
The technology for this hypothetical SiteFinder II is easy to create, or buy, using already existing commercial off-the-shelf products. If Verisign is right in its assertion that it has the free right to deploy SiteFinder I, there is really nothing to prevent it from going further with even more invasive "products" such as the hypothetical SiteFinder II that I have described.
It seems that our T1 line into DNRC headquarters has decided it is time to give up the ghost after over 10 years of service. The doomed cable is scheduled to be replaced "sometime soon." We are now back up for the foreseeable future, and are hoping that the replacement is sooner, rather than later, and goes smoothly.
From Karl Auerbach
Several times over the last few years I have referred to a formulation that I call "The First Law of the Internet".
I believe that this First Law represents the proper balance between public and private effects of internet activity. This First Law is in need of significant refinement, but is there anyone out there who believes that this First Law does not point the proper direction? If so, I encourage the articulation of that view.
Given the recent private acts on the net by Verisign, acts that have a broad public impact, I believe that it is worthwhile to visit the most basic questions regarding what the internet is and how we accommodate competing and conflicting uses.
The First Law of the Internet
Every person shall be free to use the Internet in any way that is privately beneficial without being publicly detrimental.
The burden of demonstrating public detriment shall be on those who wish to prevent the private use.
Such a demonstration shall require clear and convincing evidence of public detriment.
The public detriment must be of such degree and extent as to justify the suppression of the private activity.
More from Karl Auerbach
I see that ICANN's GNSO issued a resolution regarding the Verisign Registry Site Finder "service".
Verisign's action is very serious. Verisign's act repudiates the end-to-end principle, the foundation upon which the Internet is constructed. Verisign's act implies the end of coherent governance of the Internet and the abandonment of the net to monopolistic manipulation.
In contrast to the seriousness of Verisign's action, the GNSO's resolution is weak, equivocal, and timid.
In an article today, Verisign's CEO asserted that what Verisign has done is benign and that only a noisy few are concerned.
With timid and euphemistic resolutions such as the one passed by the GNSO, no one ought to be surprised if people begin to believe Verisign's words and "Site Finder" becomes the established status quo.
[CaveBear Blog]
DNRC Board Member Karl Auerbach gives his views on the Verisign DNS hijacking - ed.
As pretty much everyone now knows, Verisign recently used its monopoly registry position over .com and .net to impose a revenue-producing mechanism, which they call "SiteFinder", onto all users of the internet who are human and thus who make mistakes.
I think that it has now been pretty well established that Verisign's "SiteFinder" has damaged the technical stability of the Internet, that it represents a major abuse of Verisign's monopoly position, and that it amounts to a mass harvesting of web users' browsing habits.
ICANN has requested that Verisign voluntarily roll-back "SiteFinder".
Verisign has, so far, refused to do so.
I believe that what ICANN is requesting is entirely appropriate and that a due respect for the stability of the internet should compel Verisign to comply with that request. However, there are signs that greed will prevail over reason and that Verisign will withdraw "SiteFinder" only in the face of an unambiguous, unequivocal, and incontrovertible order to do so. This may mean that either ICANN or the US Department of Commerce may have to pull out the legal guns.
And if they do, I hope that ICANN or the DoC wins.
However, prudence obligates us to examine whether ICANN or the US Department of Commerce have the strength to win.
It is not at all clear to me that ICANN has the power to compel Verisign to rescind Verisign's "SiteFinder". Nor is it clear to me that the US Department of Commerce, even if it might have the authority, has the will.
The relationship between ICANN, the DoC, and Verisign is one governed by agreements that have the look and smell of contracts. This means that many of the rights and duties of these players are governed by contract principles. Clearly the relationship between the DoC and Verisign is a child of US Federal law. However, since both Verisign and ICANN are incorporated in the State of California, many of those principles governing the contracts between Verisign and ICANN will be found in the laws of California. And California, perhaps more so than other states, tends to allow contract obligations to be interpreted in the light of the history of the contractual relationship.
More than ten years ago - on January 1, 1993, Network Solutions received a five year grant of monopoly authority over .com, .net, .edu, and .org from the US Government. That grant was supposed to expire after 5 years, on September 30, 1998. This note is being written on September 22, 2003 - nearly five full years after NSI's original contract was to have expired.
The circumstances of that initial contract might raise a few eyebrows - NSI won even though there were others in the running who had significantly greater and proven competence (think "founders of UUnet"), who bid much lower fees.
That original has been amended by the US Department of Commerce no less than 25 times. Those amendments collectively amount to The Great Internet Giveaway, in which control over the core assets of the internet has been abandoned into the hands of NSI/Verisign. As a result, Verisign today has come to effectively control those internet assets that it was originally hired to simply administer.
The amazing largess of the US Department of Commerce towards Verisign has been matched by ICANN.
ICANN has given NSI/Verisign gift after gift after gift. ICANN spent several years not allocating new top level domains (TLDs), thus continuing NSI/Verisign's monopoly, much to the benefit of Verisign's financial bottom line. And when new TLD's were finally allocated, the restrictions that ICANN imposed on the newcomers did nothing but confirm NSI/Verisign's dominance for several additional years. ICANN's division of the DNS name business into "registries" and "registrars" came with a nice prize for NSI/Verisign - that company was allowed to double dip into the system as both a "registrar" and the monopoly "registry" of the largest TLDs. And we ought to never forget that ICANN, on the private initiative of its outside "counsel" gifted the .com TLD unto NSI/Verisign in perpetuity. And ever since, ICANN has continuously assumed "the position", even over the objections of ICANN's own DNS policy bodies, whenever NSI/Verisign came knocking - one has only to look at the history of the Wait Listing Service to see how easily ICANN succumbs to NSI/Verisign's siren song.
Verisign has demonstrated an amazing ability to negotiate the pants off of the US Government and ICANN.
However, Verisign's ability to wag ICANN and the Department of Commerce has met with a bit more friction as of late. For example, ICANN showed a bit of backbone when Verisign wanted to race into the early, and arguably reckless, deployment of internationalized domain names. ICANN and Verisign went head-to-head over a system that was remarkably similar to "SiteFinder" but in the context of internationalized domain names. In that instance, Verisign backed down.
Verisign's "SiteFinder" represents a repudiation of the entire structure of governance of the internet as conceived by the IFWP, the NTIA Green and White Papers, and ICANN itself.
But is there anything that either ICANN or the US Department of Commerce can do about it?
The authority of both the US DoC and ICANN is made confusing and weak by the maze of cooperative agreements, memorandums of understanding, CRADAs, and purchase orders that exist between ICANN, the DoC, and Verisign/NSI. Rather than mutually reinforcing one another, these documents create a fabric of plausible excuses that allows Verisign to dance this way and that to whatever tune it decides to play - it will take a major legal effort, one that ICANN might not be able to afford, to unravel the mess. And the outcome is hardly certain. For example, because the DoC and ICANN have chosen to use weak and ambiguous legal forms such as "memorandums of understanding", instead of firmly and clearly enforceable "contracts", Verisign might successfully argue that ICANN and the DoC never intended to establish rights and duties that can be enforced in a court of law.
And ICANN, by virtue of its grant of permission to .museum to use the same wildcard mechanism that underlies "SiteFinder", has created a situation in which Verisign can argue that what's good enough for .museum is good enough for .com - and that if there is a difference, it was ICANN's job to define the boundaries, something that ICANN has not done.
ICANN's authority is further weakened by ICANN's historical failure to exercise controlling oversight over technical operations of DNS and by ICANN's tunnel-vision focus on non-technical matters (such as whether the lack of felicity of the sound of "iii" when spoken made that string inappropriate for use as a top level domain.) Because ICANN has exercised only the most tenuous oversight of important technical matters, such as the operation of root servers, service level obligations of TLD servers, DNS security, data escrow, etc, ICANN is not in a good position to suddenly prohibit Verisign's use of a practice that is not in express violation of any Internet Standard. (Verisign's practice may be in violation of some implied "penumbras" of the Internet Standards, but that is a difficult argument for ICANN to make.)
If one needs a concrete example consider that over the course of the last year the root server operators have established anycast-based replica servers. (I personally consider what they have done to be a very good thing.) However, by any metric this deployment represents a significant change to the critical infrastructure of DNS. This change was made with neither notice to nor approval from ICANN. Verisign has as a consequence been given an opportunity to make equally significant changes and, if ICANN questions them, to ask why Verisign is being singled out?
ICANN is now the victim of its own past behavior - because ICANN has never dealt with issues of internet technology but has instead focused its attention on economic and business matters with no real link to internet technical concerns, ICANN has squandered its ability to speak with authority when someone stretches a technical standard.
Because of this history, ICANN is going to have an uphill effort to argue that ICANN has the moral or contractual authority to require that Verisign's SiteFinder be curtailed on technical grounds. And because of our legal and economic preference for regulation by competition rather than regulation by fiat, ICANN's arguments based on the economic and business repercussions of SiteFinder can be countered by Verisign saying that the marketplace, rather than ICANN, ought to resolve those issues.
Therefore, it seems to me that ICANN may not possess a sufficiently strong lever to force Verisign to discontinue "SiteFinder".
But what about the US Department of Commerce?
The US Department of Commerce has never clearly established how or why it has authority over DNS. Two reports by the General Accounting Office of the US Congress have suggested that the DoC is floating in the air without any clear foundation of authority.
Archimedes said he could move the world if he had the right place to stand. By analogy, the US Department of Commerce may find itself powerless because it has never been able to demonstrate why, in our US Constitutional system of delegated and limited powers, it has any power to act. (The lack of power in the DoC does not mean that there may not be power in some other part of the US Federal government, but in the absence of any such body picking up the sword in these matters, it may be premature at this time to burn a lot of pixels on that question.)
To make matters worse, ever since it first became involved in the internet, the US Department of Commerce has intentionally divested itself of authority by adopting the astoundingly stupid Reagan/Thatcher notion that government functions are best done by unaccountable private bodies.
This creates a situation in which Verisign might be able to defend itself against the DoC by confounding the issues with the question whether the DoC has any authority in these matters at all. We ought to remember that time is on Verisign's side - with every tick of the clock and every delay caused by distracting maneuvers, Verisign's income increases.
Despite these questions of authority, there still exists the Cooperative Agreement - the one created more than a decade ago - through which Verisign derives its role over .com and .net. The DoC, even if there are questions about its ultimate source of authority, is holding the contract and has several rights that it could exercise to direct the behavior of Verisign or even to terminate the contract and transfer .com and .net to another body.
But does the DoC have the guts to do this? I'm not sure. The DoC has always retreated when faced with acts that in some way could affect the stability of the internet - and there is no doubt that an involuntary transfer of .com and .net to another operator could have non-trivial repercussions.
The DoC has been operating largely through the intermediary of ICANN; it's going to take a strong and brave person in authority within the DoC to turn around that well established practice and to take firm grasp of the reins that the DoC has over Verisign by virtue of that oft-amended 1995 Cooperative Agreement. Is there anyone in the DoC who is that strong? I believe that there are such people at the DoC. However, those who I know are not necessarily in NTIA's management chain. [CaveBear Blog]
Power to DNRC Headquarters was restored yesterday at approximately 3pm. A big Thank You to Dominion Virginia Power. May everyone else come back online quickly as well.
You may have noticed that the DNRC website has been up and down quite a bit over the past four days. Hurricane Isabel has knocked out power to DNRC headquarters, and our only power is a small generator that we can only keep on intermittently. The Dominion Power crews are in the area, and we are hopeful to have power soon. Please excuse our absence.
After quite a delay, ICANN, the company charged with managing the DNS system, spoke about Verisign's hijacking of all unused domain names. In a quite interesting move, ICANN politely asked Verisign to voluntarily suspend its "project" until an "objective expert report" is created.
Who would this "objective expert" be? Kent Crispin, perhaps? We shall soon see. Meantime, the ICANN release exists here.
The Verisign SiteFinder "typosquat" rhubarb continues.
John Berryhill makes the point on the INTA list that SiteFinder re-activates every domain name ever cancelled by UDRP or other decision.
The Registrars Constituency of ICANN is considering moving to ask ICANN to ask Verisign to suspend the service.
The domain name VERISGIN.COM is for sale.
A search engine provider, Netster, has sued Verisign over the service.
The point has been made that the .MUSEUM TLD apparently utilizes the 'wildcard' technique utilized by SiteFinder and that ICANN had approved the technique.
My IT guy says "It's as if Avis modified its GPS so every time you entered a wrong address, it gave you directions to a Sears store."
No comment from ICANN as of yet. SiteFinder returns this for www.whereisicann.com.
[The Trademark Blog]
Popular Enterprises LLC, the parent company of Netster.com, has filed a $100 million dollar lawsuit against VeriSign, Inc. The Complaint alleges antitrust violations, unfair competition and violations of the Deceptive and Unfair Trade Practices Act based upon VeriSign's release of the Site Finder product. The suit requests injunctive relief to prevent VeriSign from operating Sitefinder, and to otherwise cease what Popular Enterprises believes to be its monopolistic practices. [CircleID]
It is openly admitted, in the same Implementation PDF file, that all accesses to the Site Finder service are monitored and archived. A further worry for users is the privacy policy and terms of service posted on the Site Finder service. Not only does the simple act of mistyping a URL implicitly cause you, the end user, to accept VeriSign's Terms of Service and Privacy Policy without the chance to review and accept or decline either, but critical information as described above is not... [CircleID]
Yet another country beats the US to spam legislation.
Spammers could incur up to $733,000 in penalties per day for sending junk e-mail--and one lawmaker calls on the United States to follow suit with similar legislation. [CNET News.com]
As the U.S. Senate explores the privacy problems with the DMCA's subpoena process, one senator introduces a bill to repeal that section of the law. [CNET News.com]
The UK has made spam a criminal offence to try to stop the flood of unsolicited messages. [BBC News | TECHNOLOGY]
And the plot thickens. Check this out from CircleID
----------
Here's another interesting angle on the Verisign Site Finder Web site. VeriSign has hired a company called Omniture to snoop on people who make domain name typos. I found this Omniture Web bug on a VeriSign Site Finder Web page... [CircleID]
VeriSign's Site Finder service apparently breaks some ISPs' spam filters, so the makers of a popular DNS package are developing a patch to bypass it. By Leander Kahney. [Wired News]
We Internet users, who either own domain names or have an interest in the domain name system, wish to object to VeriSign's Site Finder system. We believe that the system: 1) Breaks technical standards, by rewriting the expected error codes to instead point to VeriSign's pay-per-click web directory, and threatens the security and stability of the Internet; 2) Breaks technical standards affecting email services, and other Internet systems... [CircleID]
As a domain holder myself (of vix.com), I would not have chosen ".com" for my parent domain name back in 1988 had there been a wildcard domain name [that activates Site Finder service] under ".com". The risk of someone attempting to reach me but ending up talking to someone else instead would have been seen as "too great". I am now searching for a new parent domain whose publisher will guarantee me, in perpetuity, that there will be no wildcard name as there... [CircleID]
A harmful, highly unilateral and capricious action. Tons of software out there depended on the ability to tell the difference between a domain name which exists and does not. They use that to give a meaningful, locally defined error to the user, or to identify if an E-mail address will work or not before sending the mail. Many used it as a way to tag spam (which came from domains that did not exist). It is the local software that best knows how to deal with the error. [CircleID]
This CNET article features our own Karl Auerbach.
Criticism is growing over the company's surprise decision to take control of all unassigned .com and .net domain names, a move that's wreaking havoc on some filtering tools. [CNET News.com]
The Internet Architecture Board has roundly condemned the Verisign action to hijack the Domain Name System. Here is a short excerpt:
The IAB feels that the system VeriSign had deployed for .com and .net contains significant DNS protocol errors, risks the further development of secure DNS, and confuses the resolution mechanisms of the DNS with application-based search systems. The IAB understands the efforts that VeriSign has made to limit the applicability of this system to queries which would normally not correspond to registered domains, and it recognizes the importance of the distribution of IDN-capable systems to end users. While the IAB agrees with VeriSign that rapid adoption of IDN-capable systems is desirable, the IAB feels that the very limited gain in distribution cannot balance the shortcomings of this deployment strategy.
Full information available Right Here
Yesterday, September 15, 2003, Verisign hijacked the Domain Name System by essentially making a sales tool out of every combination of letters or numbers that is NOT currently registered in the .com or .net hierarchies. Essentially, they are the world's largest "typosquatters."
This hijacking also affects email, or any other service that formerly used "domain not found" messages to process information. For example, if your anti spam software was set to reject any bogus domain names, it will no longer work, and all of that spam will now get through as a "valid" domain. Further, any mistyped email address will divert the mail to Verisign. What they currently do with it is send an error, but in future, they could send you yet more ads for Verisign services.
So how did Verisign get the power to do this? They run the master DNS servers for .com and .net. We have yet to hear from ICANN on this important issue.
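The effect described above on software that rejects mail from non-existent sender domains, shown as an added example that is not part of the original post. It runs against a stub resolver with constructed zone data rather than live DNS; the function names, the sample names and the documentation-range addresses are all assumptions made for illustration.

```python
import secrets

# Constructed sample data (not real records): names registered under .com.
REGISTERED = {
    "example.com": {"192.0.2.10"},
    "mail.example.com": {"192.0.2.25"},
}
# Constructed stand-in for the address a registry wildcard would return.
WILDCARD_ANSWER = {"198.51.100.1"}


def make_resolver(wildcard_enabled):
    """Return a stub lookup(name) giving a set of A records, or None for
    "no such domain". With wildcard_enabled, every unregistered .com name
    is answered with WILDCARD_ANSWER instead of None."""
    def lookup(name):
        name = name.lower().rstrip(".")
        if name in REGISTERED:
            return set(REGISTERED[name])
        if wildcard_enabled and name.endswith(".com"):
            return set(WILDCARD_ANSWER)
        return None
    return lookup


def naive_domain_exists(lookup, domain):
    """The check a spam filter relied on: any answer means the domain exists."""
    return lookup(domain) is not None


def wildcard_signature(lookup, tld, probes=3):
    """Look up several random labels that cannot plausibly be registered.
    If every probe gets the same answer set, that set is the wildcard's
    signature; if any probe gets "no such domain", there is no wildcard."""
    answers = set()
    for _ in range(probes):
        label = secrets.token_hex(16)  # 32 hex chars, within the 63-char label limit
        answer = lookup(f"{label}.{tld}")
        if answer is None:
            return None
        answers.add(frozenset(answer))
    # Differing answers (e.g. rotating addresses) give no usable signature.
    return next(iter(answers)) if len(answers) == 1 else None


def hardened_domain_exists(lookup, domain):
    """Treat an answer equal to the TLD's wildcard signature as "no such
    domain". Caveat: a real domain hosted on the wildcard's own address
    would be misclassified as non-existent."""
    answer = lookup(domain)
    if answer is None:
        return False
    tld = domain.rstrip(".").rsplit(".", 1)[-1]
    signature = wildcard_signature(lookup, tld)
    return signature is None or frozenset(answer) != signature


if __name__ == "__main__":
    for enabled in (False, True):
        lookup = make_resolver(enabled)
        print(f"wildcard enabled: {enabled}")
        for sender in ("example.com", "no-such-sender.com"):
            print(f"  {sender}: naive={naive_domain_exists(lookup, sender)} "
                  f"hardened={hardened_domain_exists(lookup, sender)}")
```
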
The Pennsylvania Attorney General agreed today to stop issuing secret censorship orders to Internet Service Providers (ISPs) in response to a lawsuit filed by the Center for Democracy and Technology (CDT) challenging the constitutionality of a controversial Pennsylvania child pornography statute. September 9, 2003 [Center for Democracy and Technology]
A California man has filed a legal challenge to the music industry's amnesty program. The complaint says the plan will not protect file traders from lawsuits, contrary to what the RIAA promises. By Katie Dean. [Wired News]
The Church of Scientology loses a courtroom battle to compel a Dutch writer and her ISP to remove postings from a Web site, in a ruling that addresses copyrighted material. [CNET News.com]
CDT has written to the House Subcommittee on Courts, the Internet, and Intellectual Property urging it to consider the privacy concerns raised by the "Whois" database of personal contact information for domain name registrants. At the Subcommittee's hearing Thursday, witnesses called for new measures to force accuracy in the database. CDT has argued for some time that privacy protections can be added to Whois without compromising its valuable uses. September 4, 2003 [Center for Democracy and Technology]
In a very scary move, Google has complied with the demands made by Kazaa's parent company and pulled links to sites that it has deemed "infringing."
Declan McCullagh reports further in this CNet Article.
Trademark interests declare war on an innocent African country. We knew it was only a matter of time before those evil trademark interests gained enough power to threaten the very fabric of the world's structure. Trademark interests will become another world power, declaring war at will, stripping countries of their names.
Perhaps we can persuade them to take over Iraq.
See the horrendously horrible seriously scary details here
As if the "Anti Cybersquatting Consumer Protection Act" and the UDRP weren't enough, now they are using the DMCA in order to chill speech by preventing anyone from FINDING it. And who is doing this? Surprise! It's Kazaa, itself a target of overzealous copyright infringement lawyers.
The cease and desist letter is being published on the Chilling Effects website at the link. It demands that Google suspend showing the following domains on their search engine:
a. http://www.kazaagold.com
b. http://mp3download.com
c. http://www.kazaalite.tk
d. http://www.kaaza.com
e. http://doa2.host.sk
f. http://www.k-lite.tk
g. http://www.kazaa-file-sharing-downloads.com
h. http://www.kazaalite.nl
i. http://home/hccnet.nl/h.edskes/mirror.htm
j. http://www.kazaa-download.de
k. http://www.zeropaid.com
l. http//www.kazaalite.nl/downloads.htm
m. http://kazaa.infos-du-net.com
n. http://www.kazaa-lite.tk
o. http://www.kazaa-lite.info
Although it's quite difficult to figure out why, for example, mp3download.com would be infringing kazaa, now the owners of that domain are put in the defensive position of having to explain why they aren't infringing or they MAY be pulled off Google. How Google, as a mere search engine displaying content that others have put up, is expected to filter for these domain names and sites to remove things is completely beyond my comprehension.
This is yet another blatant attempt at chilling speech by strongarming domain name holders, NOT directly in court the way they should, but by indirect means of asking a third party to do their dirty work for them.
EPIC, CDT and other privacy groups filed a "friend of the court" brief in the US Supreme Court arguing that the federal Privacy Act authorizes citizens to collect minimum monetary awards when the government has breached their privacy, without having to quantify their damages. The brief argues that this concept of liquidated damages is crucial to the enforcement regimes of many federal privacy laws. The case, involving improper disclosure of Social Security Numbers, will be decided later this year or next year. August 25, 2003 [Center for Democracy and Technology]
Once again, in a blinding display of openness and transparency, ICANN decides to overrun users and possibly even national interests (we don't know because they haven't told us....) in a secret plan to redelegate dot MD.
Read more from ICANNWatch.
Bankrupt .MD Operator Protests ICANN Action on .MD Redelegation [ICANNWatch]
Bruce Young tells a story of an Internet user who gets into trouble because "his" domain name was registered in the name of a web hosting provider that went bankrupt later on...As far as registrars are concerned, ICANN is currently doing its homework on domain name portability. As far as web hosting companies are concerned, though, these suggestions only look appealing at first sight. Upon... [CircleID]