"[W]e are ready to cooperate fully [and are] ready to shutdown any form they request and provide any information we have about the user."
Does anyone else see the irony in Jotform making this statement to the Secret Service? Isn't this exactly what GoDaddy did to Jotform that is prompting the outrage?
Due process has its place in a commercial context, and it seems that both Go Daddy and Jotform might be well served to think about how to handle alleged misbehavior by their users when they receive a request from a government official.
I see it, but I also see one man's answer to that age-old philosophy question, "Would you kill one child to save the majority?"
In his eyes, his entire business was marooned with little hope of recovery due to the limited amount of information he was working with. He was fully in bargaining mode at that point, and if they could just identify to him what the problem was, he would resolve it -- by any means necessary -- for the sake of the rest of his users and revenue.
I'm not saying that makes it different, or if it's wrong or right. I am saying I understand.
> Does anyone else see the irony in Jotform making this statement to the Secret Service?
There's a difference in making this statement in a specific case and making a blanket statement saying "we will do this anytime the SS contacts us, without asking for, or verifying, the evidence".
Everyone cracks under torture and for a business owner that has spent years building something this comes fairly close.
It depends on their terms of service. Jotforms can pull any form that didn't adhere to their ToS. I suspect GoDaddy thought they were doing the same. Unfortunately, GoDaddy is horrible at dealing with things like this and likes to take a shoot first, ask questions later approach. However, the difference between the two is that GoDaddy will carpet bomb the entire site with huge collateral damage while Jotforms can use a sniper rifle to take out the offending form with minimal collateral damage.
I think any PCI or other auditor who doesn't flag "domains registered with GoDaddy" during an audit is doing clients a disservice, given all the bad stuff that's happened. I'm not sure how exactly you could flag it for a client, though.
True, but what other registrar has publicly stated that they won't do what GoDaddy is currently doing? Because until I can find the registrar that makes that promise (all the alternatives I've found are just customers making that claim on behalf of the company), this seems more like a demonstration of the problem of all .com registrars and GoDaddy is just the biggest so they get all the spotlight.
As far as I'm aware, Tucows follows the ICANN dispute policy pretty closely. I've been a reseller with them forever (11-12 years?), and had a bunch of domains registered for clients which almost certainly would have drawn GoDaddy's ire, and never a problem.
http://www.tucowsdomains.com/tucows-domain-promise/
"A thoughtful, “registrant-first” approach to dispute resolution.
Tucows’ approach to any domain name dispute begins with the firm belief that your domain name is your own. We also have a full-time, dedicated Compliance Team to make sure these matters get the attention they deserve. We will not allow your domain name to be used as leverage in a dispute. We will not readily “seize” your domain name under public pressure as other registrars have done."
eNom is the other one where I know some of their management. They have killed some domains in the treasury table of deny orders, rather than going through the full ICANN process, but are nowhere near as arbitrary as GoDaddy.
You could go with a foreign registrar. I used to like gandi.net because it was based in France, so it had to observe EU privacy laws (you'd still be subject to the US with respect to .com domains though). However, Gandi.net now also hosts in the US, so I don't know what that would mean. Plus, hosting in a different country could expose you to their local laws.
It also subjects you to Gandi's personal code of ethics, which they require you to agree to and may take your domain if you violate. It's a little strange and I wouldn't register a domain for an adult site there, at least.
I don't know how many people know of this registrar, but nearlyfreespeech.net is one I really do trust. Stuff like monthly donations to the EFF and detailed technical explanations of patched security flaws give them credibility in my eyes.
I think a lot of people feel actions speak louder than words. Nobody says they won't do this, some companies demonstrably do and some demonstrably don't do this.
Not sure how a site-takedown, without a court order, doesn't represent breach of contract. If you're providing services under contract, you can't stop just because you're afraid to ask a government official for appropriate documentation of the authority for their request.
Nor is it clear to me how such a request doesn't represent an undue taking. How can an official take property in such a manner without professional or / and personal consequences?
> We have 2 millions user generated forms. It is not possible for us to manually review all forms
It's certainly possible. You could get reliable Mechanical Turk reviews of forms for $0.03 each, so $60k total. Or you could hire people to look at 500 forms / hour (phishing forms are instantly obvious) at $15 /hr, also $60k total.
Compared to the cost of a site seizure, it might be a good investment.
Why is it everyone keeps making excuses for the secret service and godaddy? It DOESN'T MATTER whether it was possible or even financially viable for JotForm to review each and every form. The government shut down a legitimate business with no warning, court order or apparent process whatsoever. This is very, very wrong. Period.
It matters if your goal is simply to correct a statement that was stated as if it were a hard fact. That's all tlb seems to be doing in my reading of the comment.
If your goal is only to figure out who's in the right I agree it doesn't matter.
IMHO this isn't a good task for the Turks. If it's reasonable that a Turk might click 'Looks good to me!' most of the time, you'll gather a horde of them that just click/script that same response 100% of the time and not look at the question.
Of course you can include decoy questions to try and detect this behavior, but I just don't see the whole MTurk review process being terribly reliable overall. I just don't think the worker quality is that great, and they will do whatever possible to just churn through HITs (because they get paid zero for them).
Apparently a tremendous number of times... even though HN both likes to upvote "GoDaddy ate my dog" posts and downvote "Yeah, and you're still surprised? How many times do you have to hear it" comments.
I'm always curious, are people who downvote this in denial? Somehow downvoting me will keep the bad things from coming true to your domains? Funny, most of these stories also start out "I'd always heard bad things about GoDaddy, but..."
65,000 phishing accounts shut down in the past year, and they have a total of 700,000 accounts.
Nearly 10% (and that just assumes that all the accounts were made in the last year) of their users were using the site for phishing. That seems like a lot, and even if they were shut down, I wonder if they weren't doing enough to tackle misuse of their own site.
It seems much more likely that users creating accounts for phishing purposes created multiple accounts. In that case, nearly 10% of accounts ≠ nearly 10% of users.
We run several short URL websites and they get flooded by phishers and spammers. Thanks to URL blacklists they don't get far with it. But those guys are pros. They don't create accounts or content manually. They have software that's doing that.
JotForm today moved its domains away from GoDaddy to registrars NameCheap and Hover.
I'm glad JotForm is back up, but I'm curious how they transferred the domains so quickly. I would have expected GoDaddy to lock the domains and prevent them from being transferred away, either due to their own policies or because the Secret Service ordered them to. In my experience, it's always taken at least a few days to transfer registrars, even with an EPP code in hand and instantly responding to confirmation emails. Was NameCheap able to pull some strings to transfer the domains outside of the normal process?
> In my experience, it's always taken at least a few days to transfer registrars, even with an EPP code in hand and instantly responding to confirmation emails
It should take no more than an hour, usually less. If it's taking more than that something's gone wrong or your registrar is manually processing what everyone else does automatically.
I moved a couple dozen domains from GoDaddy in December... all were at their new registrar less than an hour after I confirmed the transfers.
One thing for people to check when choosing a new registrar is whether they have a way to "ack" a request to transfer out (in case you want to leave at some later date). Some registrars don't and that can mean either trying to get customer service to do this or waiting the default period.
Note that there can also be a delay with the new registrar that you choose putting the domain into whois as well.
Well, first the jotform.com domain is still at godaddy as of 11:07 EST.
Domain Name: JOTFORM.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: JAY.NS.CLOUDFLARE.COM
Name Server: LEAH.NS.CLOUDFLARE.COM
Status: ok
Updated Date: 16-feb-2012
Creation Date: 09-nov-2005
Expiration Date: 09-nov-2020
>>> Last update of whois database: Fri, 17 Feb 2012 04:03:43 UTC <<<
Second, as a registrar, we can transfer a domain same day if we have the Auth code and the other registrar provides a way to "ack" the request.
On transfer away, if we give someone an auth code we can have the domain released as soon as we are notified that the other registrar has input the auth code. Even if we aren't notified we can check manually and see if the code was entered.
So, in general it can be done pretty quickly depending on the two registrars involved. Quicker than it took me to write this reply.
I wouldn't have called whoever it was the guy in the article was quoted as calling multiple times until she sounded irritated. Yeah, the government appears to be at fault, but regardless this is not the time to be irritating in such a way. Having a lawyer who is golf buddies with that lady's boss would probably make a bigger impression, not that the jotform guy would have known that at the time, but nonetheless. Reminds me of the old maxim "keep your friends close and your enemies closer." Anyway, this whole debacle is frustrating, but hopefully it will illuminate some of the gov't's tactics to those of us who were still in the dark.
Did you RTFA? The entire point is that GoDaddy does this without being legally required to do so. It wouldn't make a difference if you used a non-American TLD if you pick a registrar who will go out of their way to help "law enforcement".
It strikes me that one fallout from the US Government becoming aggressive in taking down legitimate sites (in one way or another), is that it's going to massively drive up the cost of what services charge.
One way to deter phishing forms, for example, is to charge enough for your service that it makes it very unlikely someone would use you for that. Jot mentions having taken down 65,000 phishing forms in the past year; charge $10 or $20 (or whatever, enough to wipe out the issue) upfront for each of those and that problem disappears instantly.
It's the difference between MegaUpload and DropBox fundamentally in how they deter piracy (or don't); applied to every web service.
Most of the time, when the government gets involved, the cost of a service or product skyrockets. They generate inflated costs either through monetization (eg education costs), or through regulation & compliance nightmares.
The government might just force a transition from the so called free web, to a nearly all paid services web. It would form a 'cost wall' that keeps a lot of the abuse users out.
If JotForms charged $10 to $20 no one would use them. A competitor with more thoughtful plans for discouraging phishing would wipe them out. I imagine most of these forms could be automatically detected.
We are talking about phishing here. Don't you think they have access to a lot of recently-phished credit cards they could use to buy the forms? They would most likely choose a free competitor, since that is easier to automate and you don't need the hassle of trying out the credit cards. I'm pretty sure web hosting companies already get a lot of phishers paying for an account with a phished credit card, though.
By the way, the scammers on dating sites use a lot of paid accounts (and pay for them themselves most likely) considering they get a lot more money out of it and a paid account seems more legitimate. Just to say that making something paid does not necessarily remove all the abuse.
Methods of abuse never stop evolving so long as there's a free product available to attempt to hijack. The problem won't stop being persistent, and the government is only going to get more frequent in their take-downs. Switching from innocent until proven guilty, to guilty until lucky if you can even defend yourself, will eventually make it very dangerous to open yourself up via free services.
Worse, if the government keeps lowering the bar on qualification for shutdown, the margin for mistake will be so small that the best effort possible won't be good enough. There will be mistakes, fraud will slip through, and boom you're toast.
If the Feds keep going in this direction, at some point the risk of a free system will not outweigh the benefit. Before 2012 is over, there will be enough of these examples to start scaring the hell out of the average web service - if we're not there already.
Government enforcement of policies like this relies on scaring large numbers of operators through a small number of intense persecutions. It works, unfortunately.
It's also likely that businesses will reconsider outsourcing essential parts of their web infrastructure, such as forms, to third party providers. They'll be more likely to hire a web developer to implement data collection on their own servers, which would ensure that their business won't be impacted by someone else's domain being taken down (for valid or invalid reasons). Bad news for JotForm, but maybe good news for independent web developers.
And really bad news for the economy overall as we now invest our time and money in building 1000 crappy, redundant, bespoke copies instead of using one of a few really good ones like Wufoo and spending our time on building new things that improve the state of things. Feudalism might keep everyone employed, but it's generally not good for much else.
The downside being a "drive-by" comment, user posting, legitimate download (and one that later turns out to have some subtly questionable copyright parentage) or other detail that triggers a take-down of your primary domain.