By Declan McCullagh
Staff Writer, CNET News.com
January 25, 2007
update - A popular computer security Web site was abruptly yanked
offline this week by MySpace.com and GoDaddy, the world's largest domain
name registrar, raising questions about free speech and Internet
MySpace demanded that GoDaddy pull the plug on Seclists.org, which hosts
some 250,000 pages of mailing list archives and other resources, because
a list of thousands of MySpace usernames and passwords was archived on
the site. GoDaddy claims its customers own about 18 million domains.
GoDaddy complied. In a move that Seclists.org owner Fyodor Vaskovich
said happened with no prior notice, the company deleted his domain
name--causing his site to be effectively unreachable for about seven
hours on Wednesday until he found out what was happening and removed the
"They didn't tell me why they removed the site," Vaskovich, creator of
the popular Nmap security auditing utility, said in a phone interview.
"At a very minimum, we should get warning."
Vaskovich said he spent "hours and hours" on the phone with GoDaddy on
Wednesday before he finally got through to someone who was willing to
listen. As a result of this experience, he said in an e-mail
announcement , "I'm in the market for a new registrar. One who
doesn't immediately bend over for any large corporation who asks."
For her part, GoDaddy general counsel Christine Jones defended the
abrupt deletion, saying: "We tried to contact the registrant, but they
were not available at the time. To protect the MySpace users from
potentially having private information revealed, we removed the site."
Jones pointed out that GoDaddy's terms of service say the company
"reserves the right to terminate your access to the services at any
time, without notice, for any reason whatsoever."
Jones and Vaskovich, however, tell substantially different versions of
exactly what happened. Jones characterized the episode as lasting only
about an hour, saying her abuse department unsuccessfully "tried to
contact" Vaskovich and "he actually contacted us about an hour" later
after the removal occurred.
But Vaskovich provided CNET News.com with a log of correspondence from
GoDaddy that corroborates his version of the story. It indicated that
only 52 seconds elapsed from an initial voice mail notification to the
time the domain was marked as "suspended." GoDaddy did not immediately
respond to follow-up questions.
Vaskovich says MySpace did not contact him directly. MySpace declined to
respond to repeated inquiries on Thursday.
Michael Froomkin, a law professor at the University of Miami who has
written about domain name regulation, says this is the first time he's
heard of a registrar abruptly taking a customer offline without a court
"Some people might feel safer with a registrar that's a little more
pro-customer," Froomkin said.
Froomkin said this week's incident raises novel free speech
questions--not legal ones, as long as GoDaddy's terms of service are
broad enough. Rather, he said, the issue is "the quality of their
review" of complaints received from firms like MySpace.
GoDaddy's Jones said that "we're not knee-jerk--we try to be responsible
about verifying complaints." There's a broad spectrum of policies among
domain name registrars, she acknowledged, with GoDaddy "probably the
But, Jones said, GoDaddy has a 24-hour abuse department that deletes
domain names used for spam or child pornography on a daily basis. "We're
not here to allow people to put illegal content on the Internet," she
said. "We take this safety and the security of the Internet very
seriously...We take our responsibility pretty seriously. We're the
largest registrar in the world."
When asked if GoDaddy would remove the registration for a news site like
CNET News.com, if a reader posted illegal information in a discussion
forum and editors could not be immediately reached over a holiday, Jones
replied: "I don't know...It's a case-by-case basis."
Subscribe to InfoSec News