News.com reports:
A popular computer security Web site was abruptly yanked offline this week by MySpace.com and GoDaddy, the world's largest domain name registrar, raising questions about free speech and Internet governance.
MySpace demanded that GoDaddy pull the plug on Seclists.org, which hosts some 250,000 pages of mailing list archives and other resources, because a list of thousands of MySpace usernames and passwords was archived on the site....
In a move that Seclists.org owner Fyodor Vaskovich said happened with no prior notice, the company [GoDaddy] deleted his domain name--causing his site to be effectively unreachable for about seven hours on Wednesday until he found out what was happening and removed the password list.
"They didn't tell me why they removed the site," Vaskovich, creator of the popular Nmap security auditing utility, said in a phone interview. "At a very minimum, we should get warning." ...
For her part, GoDaddy general counsel Christine Jones defended the abrupt deletion, saying: "We tried to contact the registrant, but they were not available at the time. To protect the MySpace users from potentially having private information revealed, we removed the site." ...
Jones and Vaskovich, however, tell substantially different versions of exactly what happened.... Vaskovich provided CNET News.com with a log of correspondence from GoDaddy that corroborates his version of the story.... GoDaddy did not immediately respond to follow-up questions....
"Some people might feel safer with a registrar that's a little more pro-customer," [Miami lawprof Michael] Froomkin said.
There's certainly an important customer service question here; but I should also note that there's an interesting underlying First Amendment question that could have arisen in another context. Several states expressly outlaw the disclosure of computer passwords, even if the disclosure is done without the intention of helping criminals (and here it seems that Vaskovich didn't intend to help criminals, though when he learned of the post he probably realized that it may have the effect of helping some criminals):
Ark. Code § 5-41-206(a). A person commits computer password disclosure [generally a misdemeanor] if the person purposely and without authorization discloses a number, code, password, or other means of access to a computer or computer network that is subsequently used to access a computer or computer network.
Ga. Code § 16-9-93(e). Any person who discloses a number, code, password, or other means of access to a computer or computer network knowing that such disclosure is without authority and which results in damages (including the fair market value of any services used and victim expenditure) to the owner of the computer or computer network in excess of $500.00 shall be guilty of the [misdemeanor] crime of computer password disclosure [and shall be civilly liable to injured parties].
Kan. Stat. § 21-3755(c)(1). Computer password disclosure [a misdemeanor] is the unauthorized and intentional disclosure of a number, code, password or other means of access to a computer or computer network.
Minn. Stat. 609.8913. A person is guilty of a gross misdemeanor if the person knows or has reason to know that by facilitating access to a computer security system the person is aiding another who intends to commit a crime and in fact commits a crime. For purposes of this section, "facilitating access" includes the intentional disclosure of a computer password, identifying code, personal information number, or other confidential information about a computer security system which provides a person with the means or opportunity for the commission of a crime.
Miss. Code § 97-45-5 (1). An offense against computer users [a misdemeanor] is the intentional ... (b) Use or disclosure to another, without consent, of the numbers, codes, passwords or other means of access to a computer, a computer system, a computer network or computer services.
Penn. Cons. Stat. § 7611(a). A person commits the offense of unlawful use of a computer if he ... (3) intentionally or knowingly and without authorization gives or publishes a password, identifying code, personal identification number or other confidential information about a computer, computer system, computer network, computer database, World Wide Web site or telecommunication device.
S.D. Codified Laws § 43-43B-1. A person is guilty of unlawful use of a computer system, software, or data if the person ... (3) Knowingly ... uses or discloses to another, or attempts to use or disclose to another, the numbers, codes, passwords, or other means of access to a computer system without the consent of the owner....
W. Va. Code § 61-3C-10. Any person who knowingly, willfully and without authorization discloses a password, identifying code, personal identification number or other confidential information about a computer security system to another person shall be guilty of a misdemeanor ....
If one of the states had jurisdiction over Seclists.org, and Vaskovich had kept the password list on the computer even after he knew it was there, would he be guilty under the relevant statute? Would the First Amendment protect his continued retention of the data on his computer? (I tend to think that the First Amendment would not protect this, for reasons discussed in Crime-Facilitating Speech, 57 Stanford Law Review 1095 (2005), but courts have not yet confronted the question.)
Thanks to BNA's Internet Law News for the pointer.
I see the basic question as "is it ok for them to erase one of their customer's entire internet presence."
I'm not a lawyer but it seems to me that the question comes down to ... can GoDaddy defend its action given the nature of their service contract with their customer, say against a lawsuit for violating service.
Again, what does the First Amendment have to do with this? If you're protesting on the street corner and I smash your signs and steal your megaphone, I haven't violated your First Amendment rights unless I'm part of the government.
I also don't see how a private company could violate the first amendment. Surely they could violate some statute; but can an individual violate the first amendment? Wouldn't this be like the 4th amendment where it only protects people from the state?
Disclosure of the passwords is (presumably) authorized by the account creators, but is probably not authorized in most cases by the websites themselves...
Nick
What I don't get is why the domain-name registrar was contacted, instead of either the hosting company (it's not necessarily the same), or the site owner directly.
SD and WV say "computer system"; the password-protected parts of MySpace are definitely a computer system. PA statutes say "database", which is even clearer.
MN requires "means or opportunity for commission of a crime"; that's arguable, but likely to be provable.
Everyone is assuming a very bright line in the responsibilities of the registrar to the registrant without recognizing responsibilities of the registrant to the registrar. There are any number of reasons why the owner of a domain name is expected to be quickly available and responsive to inquiries. These include “Why are computers in your domain attacking other computers?” and requirements for contacts to notify about spam generation. The most basic of these is the inclusion of the RNAME in the DNS entry. The RFC defines RNAME as specifying the mailbox of the person responsible for this zone.
From the registration:
Registrant:
Insecure.Com LLC
370 Altair Way PMB 113
Sunnyvale, California 94086-6161
United States
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: SECLISTS.ORG
Created on: 02-Oct-03
Expires on: 02-Oct-10
Last Updated on: 30-Dec-06
Administrative Contact:
Hostmaster, Seclists hostmaster-seclists@insecure.org
Insecure.Com LLC
370 Altair Way PMB 113
Sunnyvale, California 94086-6161
United States
6509894206
Technical Contact:
Hostmaster, Seclists hostmaster-seclists@insecure.org
Insecure.Com LLC
370 Altair Way PMB 113
Sunnyvale, California 94086-6161
United States
6509894206
Notice that in this case, the addresses are not personal, but generic. All inquiries, requests, security should be answered promptly by one of these addresses. There are response times defined in most registration agreements. Were they met?
Note that because spammers were harvesting registration addresses, more and more people hide or occlude these addresses, so this part of the domain registration is breaking down. It is not clear if, in the absence of answers to emails sent to the addresses of record, GoDaddy has any responsibility to SecLists.
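The RNAME convention mentioned in the comment above can be read mechanically from a zone's SOA record. The following is an added example, not part of the original comment: it parses an SOA answer as printed by `dig +short SOA <zone>` and converts the RNAME field to a mailbox, including the escaped-dot case. The sample answers use constructed `example.org` placeholder values, not any real zone's data.

```python
SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")

def rname_to_mailbox(rname: str) -> str:
    """Turn an SOA RNAME (presentation format) into an e-mail address.

    The first label is the mailbox local part and the remaining labels are
    the mail domain; a literal dot inside the local part is written as '\\.'.
    """
    local, i = [], 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])   # escaped character stays in the local part
            i += 2
        elif ch == ".":
            # First unescaped dot separates local part from mail domain.
            domain = rname[i + 1:].rstrip(".")
            if not local or not domain:
                break
            return "".join(local) + "@" + domain
        else:
            local.append(ch)
            i += 1
    raise ValueError(f"not a usable RNAME: {rname!r}")

def parse_soa(line: str) -> dict:
    """Parse one SOA answer line into named fields plus a 'contact' mailbox."""
    parts = line.split()
    if len(parts) != len(SOA_FIELDS):
        raise ValueError(f"expected {len(SOA_FIELDS)} SOA fields, got {len(parts)}")
    soa = dict(zip(SOA_FIELDS, parts))
    for key in SOA_FIELDS[2:]:
        soa[key] = int(soa[key])         # serial and timers are integers
    soa["contact"] = rname_to_mailbox(soa["rname"])
    return soa

# Constructed sample answers (placeholder zone, not real data).
SAMPLES = [
    "ns1.example.org. hostmaster.example.org. 2007012501 7200 900 1209600 3600",
    r"ns1.example.org. abuse\.desk.example.org. 2007012501 7200 900 1209600 3600",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_soa(sample)["contact"])
```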
You're suggesting these laws were designed to protect the computer hardware owner against the possibility of someone using the hardware without his permission. Like protecting a car owner against someone else driving the car without the owner's permission.
I doubt that. I think these laws were designed to protect the computer account owner against someone gaining access to his personal information without his permission. The value of personal information stored on a computer typically hugely exceeds the value of the hardware itself, or its rental, and people -- even legislators -- typically feel quite strongly about protecting their privacy by limiting who can gain access to what's on their "particular account".
Indeed, the fact that they resumed his service at all, after he'd taken off the offending material, is mighty generous of them. Most DNS servers would have told him to take his business elsewhere in the future, after such a crass violation of the terms of service, not to mention common sense.
You don't seem to understand how the internet works... in this case, Vaskovich didn't post the list.
As the cited article says:
... Seclists.org, which hosts some 250,000 pages of mailing list archives and other resources... a list of thousands of MySpace usernames and passwords was archived on the site. ...
until he found out what was happening and removed the password list.
In other words, one of the *users* of the "mailing lists" or "other resources" posted the list on his site, which is a public forum. While Vaskovich is certainly liable for all uses of his site, it is hardly "obnoxious" or "crass" for him to provide a service which others might misuse... unless you feel anyone who provides a forum on the internet should be monitoring all of its content 24/7/365 while strictly evaluating it for illegality.
Crass and obnoxious, indeed..
=darwin
I'm trying really hard to find the section of the GoDaddy domain registration contract that states that a website that archives security-based mailing lists like fulldisclosure can have its DNS entries changed because of the content of a post on a mailing list that the site archives, but does not control. I just got finished reading the ToS and I can't find anything outside of the "morally objectionable activities" clause (below) that implies that GoDaddy considers it a breach of contract to archive a public mailing list.
The "morally objectionable activities" clause (as part of Section 7, "Restriction of Services; Right of Refusal") reads:
In order for this clause to be correct to its verbiage, doesn't GoDaddy need to be able to show (even under the "sole discretion" wording) that Vaskovich himself intended for MySpace passwords to be leaked on his site? I guess they could always argue that "archiving the fulldisclosure mailing list" was an "activity designed to encourage unlawful behavior by others", even though his site is devoted to the discussion of hacking as a method of learning about security vulnerabilities and fixing them.
Mr. Volokh:
I'm wondering if my question on the matter is the same as yours - does "knowingly having/archiving/retaining the already-disclosed data publicly" equate to "disclosing the data"?
In nulling out the DNS record for seclists.org, GoDaddy did not "pull[ the offending data] offline." As far as I can see, what they did was simply mess with the authoritative DNS records, meaning that
1) plenty of people out in the world could still access seclists.org for a time, thanks to DNS caching, and
2) the data was still publicly available, even to users for whom the domain name would not resolve. (Hint: I can access a website if I know its IP address regardless of whether it has a working domain name.)
Don't forget that SecLists.org only had the data because of their archiving of the fulldisclosure list, which is run by grok.org.uk. The only people affected by the DNS shunt were those who rely on SecLists.org for fulldisclosure postings.
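The caching effect in point 1 of the comment above, as an added simulation that is not part of the original comment. The name `archive.example.`, the address `192.0.2.10`, the one-hour TTL and the clock values are constructed, and negative caching is left out for simplicity.

```python
from dataclasses import dataclass

@dataclass
class CachedAnswer:
    address: str
    expires_at: int                      # seconds on the simulation clock

class RecursiveResolver:
    """Minimal caching resolver: honours TTLs, asks the authority on a miss."""
    def __init__(self, name):
        self.name = name
        self.cache = {}

    def resolve(self, qname, now, authority):
        hit = self.cache.get(qname)
        if hit and now < hit.expires_at:
            return hit.address           # served from cache, authority not consulted
        self.cache.pop(qname, None)
        record = authority.get(qname)    # (address, ttl) or None once removed
        if record is None:
            return None
        address, ttl = record
        self.cache[qname] = CachedAnswer(address, now + ttl)
        return address

def simulate():
    """Return {time: {resolver: answer}} for lookups made after the record is removed."""
    qname = "archive.example."
    authority = {qname: ("192.0.2.10", 3600)}       # constructed record, TTL 1 hour
    early, late, fresh = (RecursiveResolver(n) for n in ("early", "late", "fresh"))
    early.resolve(qname, 0, authority)              # cached until t=3600
    late.resolve(qname, 3000, authority)            # cached until t=6600
    del authority[qname]                            # record removed at t=3300
    timeline = {}
    for t in (3400, 3700, 6500, 6700):
        timeline[t] = {r.name: r.resolve(qname, t, authority)
                       for r in (early, late, fresh)}
    return timeline

if __name__ == "__main__":
    for t, answers in simulate().items():
        print(t, answers)
```

Resolvers that cached the record before the removal keep answering until their own TTL runs out, so reachability by name decays per resolver; the host at the address is not changed by any of this, which is the comment's point 2.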