As a Namecheap customer, I am glad that they aren't giving up their customers privacy. Facebook claims they have an obligation to do so- but they don't provide any citation for such an obligation.
This should be namecheaps argument and its 100% true. The only reason facebook are doing this is to cut the courts out of the process and give that power to themselves.
If namecheap can make this case there isn't a judge in the country that would side with facebook. In my opinion judges tend to get pretty pissy when you try and cut them out of the process, I really hope this happens and it comes back to haunt facebook.
same. this is exactly the kind of process I want in our courts whether the requestor is private or governmental.
sadly at least in Australia we keep passing stupid new laws that erode the judicial oversight giving various authorities (and many more than just the "police") ability to do all sorts of things with no warrant or judge oversight and I don't like it.
Facebook can't get a warrant (just like you or I can't get a warrant either), only law enforcement can get a warrant. I'm not sure if you're suggesting Facebook go to the police and file a criminal complaint under some law, and try to convince the police to get a warrant. Or maybe Facebook's lawyers could subpoena for discovery or something. I'm not sure. I'm not a lawyer.
It would be good to have a legal overview from someone that is actually familiar with relevant law.
Do you think that would make Namecheap change their ways at all? Won't it mean Facebook have to keep taking Namecheap to court; and other domain registrars?
I totally agree. Namecheap probably had to tell Facebook, "get a warrant". If they DIDN'T do this, they would then be responsible for policing EVERY site they provide WhoisGuard for, and that would be ridiculous.
Facebook is trying to use this as a way to show they are concerned about privacy and security, but they're coming across as bullies that didn't get what they wanted and now they have to use the necessary legal methods to do so.
Yeah, Facebook's trying to strong-arm registrars, but the fundamental premise comes off to me as entitled. It's like they're asserting they're too important and they don't want to go after these domain holders one-by-one, so the registrars should do their bidding.
Standard Oil was concerned about Oil. Resource companies generally are concerned about the resource they exploit, and especially about keeping all access to it for themselves and none for others.
Doing something once does not, contrary to popular (on the internet) theory, create an obligation to do so perpetually and in all situation. That’s the whole point of Section 230 of the DMCA, for example.
Judging by this thread, this faulty logic has been embraced wholeheartedly, and it leads to the strange position that is actually immoral, apparently, to make any judgement calls in the cause of your everyday life or business. When you are asked to work for a scammer, you are supposed to throw up your hands, say “who am I to judge”, and take their money.
Courts are, apparently, the only unfailing entities that can tell right from wrong. Even when something is universally agreed to be wrong, you are supposed to ignore it lest you feel tempted or required to then make decisions in more nuanced cases.
It’s a rather convoluted scheme to abdicate all moral responsibility.
Who are they advertising to though? They might look like bullies to people in the industry but that's probably not who they're trying to market themselves as privacy/security concerned towards. Combined with how dire the state of mainstream tech 'news' is, I'd be surprised if this actually backfired regardless of which way the lawsuit goes.
Sort of related: one time a scammer conned my grandma out of thousands of dollars by calling her and pretending to be me in distress. She wired the money to my name (I think it was Western Union or something), in a foreign country, and somebody "showed ID" as me.
We reported it to the police, of course, but I don't think it was ever really pursued. I wanted to dig in myself but whoever the company was said they wouldn't give up the records without a subpoena. Very frustrating as I am the person who was being impersonated.
It seems like there are times where you should have standing as an individual to get a subpoena for information directly related to you.
Thanks for reminding me about this. One thing I've established with my siblings was that none of us should transfer any money via a service like Paypal, Venmo, etc to each other without an explicit casual phone call first. It can't just be a text or a phone call asking for money, you have to have a casual conversation first. How is work? How's blah blah, what are you getting for dinner tonight, etc. For the case of elderly parents, I'm lucky that they would immediately hand that off as busy-work to siblings. Like they would never go to Western Union, they would call a child and say hey your sibling requested such and such can you go do that which would then raise all of the alarms.
If they impersonated you, aren't you technically requesting information about your self ?
Under European law, "you can request access to the personal data a company or organisation has about you, and you have the right to get a copy of your data, free of charge, in an accessible format." [1]
Im sorry that sucks, but we should not give up rights because some customers are easily fooled. This is a slippery slope you do not want to start on, because where does it end?
But that's more an issue of identity confirmation.
I believe there has to be a reasonably high bar that a person has to clear before a company should be even allowed to assume they are who they're claiming to be, but once that bar is cleared no information regarding or directly linked to the person in question should be withheld from them.
But then, hasn't the company already shown that it's bad at identity confirmation? Why would you expect them to be better at it in the other direction?
Isn't this problem solvable by looking at it differently? To me, the problem is that it's easy for scammers to impersonate someone. What if there was a way to reasonably check a person's identity in a standard way accessible to everyone without going through hoops?
That ideal won’t come true for a very long while. I appreciate your idealism, but for better or worse, we need a reasonable and attainable solution in the interim.
That's frightening. When we drew up our household information for babysitters, we put in codewords to identify ourselves and for the babysitter to identify him/herself to us in case of an emergency.
We felt more than a little paranoid (and the babysitters probably thought we were nuts) but anecdotes like yours reinforce the need to be careful when relying on easily-spoofed caller ID for identity protection.
This is a great reason for why modern data laws like GDPR and CCPA enshrine right of access so highly, I believe. I think it would be interesting to persue civil cases against fraudsters whose data you manage to collect out of PayPal audit logs or whatever, but you'd probably be contending with international courts and it would be an expensive and time consuming affair.
> If they can't make sure that their clients are legit, they shouldn't be in the business at all.
Banks are required to have Know Your Customer systems. Domain registrars, hardware stores, and grocery stores are not. Do you really want to extend this additional expense to all the businesses from which you buy?
I personally would want it see extended in areas where fraud is common. I don't think grocery store fraud is very common, misleading domain names however are exceedingly common and a huge problem so I don't really see what the issue is with extending those expenses.
Mind you someone always has to pay these expenses when fraud occurs, they don't vanish and I would like to see it allocated in such a way that it gives an incentive to prevent fraud, not protecting it.
KYC laws in banking, to the extent that they even do anything anymore, were always for investigations of organized crime. They only work for large, high value targets. They discover that the mortgage on a mob restaurant is getting paid by some "Tony Johnson" so they freeze the account and see if "Tony Johnson" shows up to complain. If there is no such person or it's a stolen identity, you lose all the money in your account because there is nobody to show up and claim it. If there is such a person, now they're building a racketeering case and have somebody they can try to flip. It was never really useful for fraud.
The same thing in most other contexts is useless. There is no equivalent to "money in the account" to worry about losing so people will just use made up names or stolen identities with impunity, and the legal process for proving it's a stolen identity wouldn't reasonably be any easier than the existing legal process for having the domain seized whether or not you know who registered it.
Also, arbitrary foreign nationals can have domains. What do you even expect to do with the information that the domain was registered by Sergei from ScrewYouistan which has no extradition treaty?
Most registries have requirements that domain registrars must know their customers identity.
Such requirements are not always enforced, especially by ICANN, and the punishment for failure is pretty rare. That could however change at any moment, and the consequences (beyond possible legal ones) would be that the registrar would loose accreditation.
By design, contact information is registered along with domains. One function of this is to allow people to report abuse of that domain to a webmaster, and ultimately to pursue action against the registrant if abuse continues. By allowing people to frustrate this resolution process Namecheap are serialising the abuse process through themselves, as they are now the only party with that formerly public information. So yes, I do think it would be appropriate in this case to extend the expense of policing domain abuse to Namecheap and other registrars who provide WHOIS privacy
Companies aren't anonymous in the US. Corporations must have registered agents in each state in which the corporation is registered, the name and address of whom is public in order to facilitate service of process. LLCs in most states must include at least one member, manager, organizer, or authorized individual in the public filing, and even in states that don't require this, a bank will want it in the public paperwork before opening an account in the LLC's name.
Ownership of land, legal entities, and domain names should be public information because that would be better for society.
EDIT (HN won't let me reply or post any more):
> Maybe they're exposing corruption or sharing information that powerful people don't want to have exposed.
Sure there are edge-cases where anonymity would be desirable, but they pale in comparison to the real harm done every day to regular people through anonymously registered domain names.
I can think of many legitimate reason that a site owner might want to be anonymous. Maybe they're exposing corruption or sharing information that powerful people don't want to have exposed.
Maybe they have weird sex fetishes or are flat earthers etc. One has the right to be weird in certain contexts (swing clubs, flat earth rallies) and still have a public persona that’s professionally, politically etc valuable.
I totally agree that in some cases anonymity is good, useful, etc.
But creating phishing sites for Facebook is not that. There is no good reason to register the domain "facebo0k-login.com"
I get that it's difficult to work out if the domain is going to be used for a legit purpose, but surely that's easier to do at the point of registration than it is to police afterwards?
It takes a human about 2s to work out that "fuck-facebook.com" is a legit protest domain, while "facebo0k-support.com" is a phishing domain. It's not even about trademarks or ownership of the word "facebook", it's about the intent of the domain.
I think insisting on ownership information for a domain that looks like it could be used for phishing, while allowing "furries-r-us.com" to be anonymous would be a better system than we have now.
> I get that it's difficult to work out if the domain is going to be used for a legit purpose, but surely that's easier to do at the point of registration than it is to police afterwards?
How could it be easier? I could always start legitimate[1] and then switch later. Now, if you think about the context of "faceb00k.com is probably not legitimate" you get in all sort of discussions about what is okay, what is not okay, what is an edge case.
All these proposals bring us further into a domain where private persons/companies are deputized to rule what is okay under the law, because court processes take so long and are so complicated. It ignores that there is a reason they are long and complicated. We've learned the hard way what happens if they are not.
[1] For the sake of this post let's assume legitimate means 'okay under the law' and split away the question of morality
Yes, this is complex. I agree; so far we've been pretending it's not complicated, and that's not really working any more.
The law is based on moral decisions, so I think "splitting that away" is probably circular - eventually a law will be made to deal with an immoral situation. We might as well consider the morality now and save some time.
I think we should get into all sorts of discussions about what's OK, what's not OK, and what is an edge case. People should be held responsible for what happens on their domain. There should be a discussion about whether the potential registration of "faceb00k.com" is legitimate or not.
What if there was a jury of 12 random people who had to approve every domain registration, and also decide whether that domain registrant should be anonymous or not? Would that lead to better results than we have now?
And to be honest, the actual cause of the harm to these people done every day, is not in fact the result of the lack of transparency in domain registration, but in fact the unwillingness of police in their local jurisdictions to go after criminals. A good example of this would be Jim Browning, who has offered information to police departments operating within India relating to scammers and... he has never got a response.
With all due respect, that's not an answer, that's just reiteration of the same statement with a "because it would be better". The answer to "why" is a rationale and yours so far is "bad people doing bad things so better somehow force business to make sure their clients are legit and make things transparent", which is a perfectly fine opinion, but devoid of any actual analysis. That's my interpretation, though, and my apologies if it's incorrect and not what you've meant - I don't intend to introduce a strawman here.
I would recommend actually analyzing the pros and cons. What are the benefits for the society, why they're real (not a snake oil/security theatre, where bad actors would be easily able to work around), and why they overweigh the harm from the negatives (e.g. the obvious privacy concerns).
This idea conflicts heavily with GDPR first of all. Secondly, why should that information be public? Does car ownership need to be publicly disclosed even though tons of car crashes happen every day? No, because the driver is liable, not the manufacturer, and the driver carries insurance to reduce cost of liability.
The real issue is enforcement. Namecheap should not be there as an arm of the law. Instead, the people BUYING the domains should be held accountable for their fraud.
This gets messy quick. How does Namecheap verify the validity of an individual? What constitutes a valid individual? What evidence is required to prove this to a registrar? How does Namecheap verify the legitimacy of intent for that domain? How does Namecheap keep up with every possible brand that may be subject to abuse? At what point does a brand become protected in a way that restricts the selling of similar domains?
For KYC in the financial world, answers exist to ALL of these questions. There is some inherent level of identity tied to your personal finances. These systems are built around a real identity that can be validated, so it's easy to apply. The same is not true for any internet service.
> For KYC in the financial world, answers exist to ALL of these questions
This might offend us IT types, but I'm not sure there's always just one answer.
Anecdote #1: I can walk into the local branch of my bank - where all the staff know me - and withdraw money from my account without showing any form of ID, telling them my account number, or even stating my name. They know me, I just have to sign the form.
Is that in the KYC regulations, or even the bank's SOPs?
> Anecdote #1: I can walk into the local branch of my bank - where all the staff know me - and withdraw money from my account without showing any form of ID, telling them my account number, or even stating my name. They know me, I just have to sign the form.
They shouldn't do that. I am not saying they don't but they shouldn't. And in this scenario, you've already established your real identity over time in order to open the account and regularly withdraw or deposit funds.
You didn't build this relationship in a day without any evidence of who you are. And then you are physically showing up, which is proof that you are the person they have been dealing with over the course of the relationship. You could have lied initially and established a lie over time, but that stuff happens in the KYC process as well. KYC isn't a perfect system and it's completely possible to 'lie'.
> Is that in the KYC regulations, or even the bank's SOPs?
I would bet that it is in the Bank SOPs to NOT do what you described. But, as a person that does a lot of compliance, it's inevitable that people will ignore SOPs or policy to some extent.
> (in the same way that land ownership isn't private)
You can make land ownership private by holding it in certain entities. I personally don't think land ownership should be public anyway. Nor do I think home ownership should be public.
Maybe in your country, where corporations make the laws.
In most of the world, the ownership of "entities" is also public data. The privilege of being an entity is bestowed by the public through the state, and any status or license granted by the the collective (the state) is and ought to be public information.
> In most of the world, the ownership of "entities" is also public data. The privilege of being an entity is bestowed by the public through the state, and any status or license granted by the the collective (the state) is and ought to be public information.
Under that theory, bestowing the privilege of privacy doesn't seem any difference to bestowing the privilege of being an entity.
So why should we do one but not the other? What are the trade-offs?
That seems like an attempted insult on the US but your comment is dishonest. There are a lot of layers to laws (Constitution, Congress, state's rights and their laws, local laws, etc).
What country are you from? I'd be interested to read up on any country that doesn't have corporate lobbyists or special interests involved in lawmaking.
Anyway for future reference, unless specified, most readers are going to assume you are referring the US.
Facebook wants information on the registrants. A quick skim of the link you provided suggests that the process only results in the domain being taken down, not information revealed.
>Under the policy, most types of trademark-based domain-name disputes must be resolved by agreement, court action, or arbitration before a registrar will cancel, suspend, or transfer a domain name.
If that is all Facebook is seeking in their suit, then I am fine with their lawsuit- and I am glad that Namecheap is holding out for a final, legal court order in a court of competent jurisdiction. Facebooks PR piece trying to paint Namecheap in a bad light is something I am not okay with. Namecheap is right not to give up this information without legal due process.
Would the registrar normally be sued here? I would have thought it'd be against a fictitious defendant, with a Doe subpoena used to find out their actual identity.
ICANN's process for taking down domains works, if sometimes slowly. It's not always great for preventing the next phishing domain from popping up three minutes later from the same attackers.
I can see both sides of this one. Namecheap is doing the right thing by protecting customer privacy, and Facebook reasonably wants to stop what is probably a well-organized and persistent phishing campaign aimed at their own customers.
Facebook could pay NameCheap a few bucks to attach an observer pattern to some registration watch filter and get real-time notification from some narrow scope of name patterns.
In the olden days one would make a 20 line Perl script w/a nasty regex that's forked off for every registration -- and bill on the value not time to code.
Is a more modern pattern to egregious? FB just send NC a filter table.
You can apply directly to the registry to get zone file access. There are also services which already do this and provide APIs, etc. No need to set up special relationships with registrars.
You file what's colloquially known as a "John Doe lawsuit", then serve a subpoena to a third party (such as Namecheap) to obtain that information. You then have the information to amend the pleading and proceed against that party.
"Agreement, court action and arbitration" - all three of those require knowing the identity or at least directly communicating with the other party to start the process.
3.7.7.3 Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible for providing its own full contact information and for providing and updating accurate technical and administrative contact information adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it discloses the current contact information provided by the licensee and the identity of the licensee within seven (7) days to a party providing the Registered Name Holder reasonable evidence of actionable harm.
I don't think that applies here. What this is saying is if Bob registers joe.com from Namecheap, and then licenses joe.com to Joe to use, then Bob is required to provide his own contact information to Namecheap, and Joe must provide contact information to Bob. Then if Bob is informed of wrongful use of the joe.com, he must hand over Joe's contact information, or be liable for the harm done. It says nothing about Namecheap's obligations.
But maybe it does apply. Isn't the registrant listed as WhoisGuard? So, shouldn't WhoisGuard be responsible for providing the contact information? Hence Facebook sued Namecheap. I think Namecheap is doing right, and I think Facebook is technically doing right, but they are talking up the action as Namecheap is evil and Facebook is good, which is nonsense. Honestly, what corporation puts up public notice they are suing someone? Anyone worth their salt waits until the outcome to talk about a court case.
That’s exactly how tools like WhoisGuard operate. They are registering the domain name and then subleasing (licensing) it to the entity who doesn’t want their information out there. By not sharing their client’s information upon a reasonable suspicion they have accepted contractual liability.
One applicable section is the requirements for registers that provide privacy proxies, and that has no specific requirements for when a registrar must hand over contact information.
Is it not enough that Facebook and Zuck tread all over their customers privacy on their own platform? Now they want other companies to do it for them with their own customers as well.
This is just another attack on privacy and due process in order to strong arm companies that have services like WhoisGuard which is intended to protect millions of customer’s privacy.
I agree with everything you said, just a minor comment... Facebook users are not Facebook customers, they are the product. Facebook customers are all the companies which pay Facebook for advertisement.
This tired cliché is annoying enough when people use it in situation where it arguably has some explanatory power—a complaint about FB’s customer service, say.
It adds absolutely nothing to this discussion. Facebook has an interest in retaining users that is indistinguishable here from an interest to retain customers.
I struggle to come up with reasons that motivate the incessant regurgitation of memes such as this in online discussions. Sure, I chuckled the first time I saw it because it was novel and somewhat contrarian. But after the hundredth time it feels more like bad ML picking up on the wrong keywords.
Facebook customers are companies that pay for advertising. Billions of sheep,who signed up for the chance to see endless streams of cat pictures, are the product.
Same here. Shifted all my domains to Namecheap from GoDaddy. It was a breath of fresh air not being upsold to all the time, and not dealing with ridiculous renewal fees.
I did the exact same. I used to be a Godaddy customer and had a bunch of domains with them. One day I cancelled some of them, but when I did this it didn't auto-cancel the associated services, as I expected, so they continued to charge me for whois guard, and some other services for domains I no longer owned after they expired.
As much as I like Namecheap, you can't really say they don't upsell. At least not anymore. Every domain purchase comes with the chance to register premium DNS, hosting, all sorts of guff
Registrars normally have terms of service that allow them to cancel domains at their own discretion.
Now here's a registrar that's made aware that the domains are used for a crime.
While I agree that registrars should not be tasked to proactively check and police domain content, it's a bit different to receive proof that a customer is doing criminal activities and to say you need a court order to do anything?
The handing out of personal data is a bit more sensitive, but I would assume FB is already involving the police in the process. Not to hand data to FB seems fine, not to hand data to the involved police force seems like you might be actively helping them to hide/keep the crime going (again, assuming that the scam/crime is obvious).
Effective strategy on the part of facebook. Namecheap can either decide to spend untold sums and fight this (and let's see the amount and how that goes) or they can turn over the info and move on. No legitimate customer of namecheap that isn't fishing is going to take this as anything important to them and importantly even if they even know it's happening.
I don't get all of this rah rah.
My question for you (the OP) is how many domains do you have with namecheap? And how many customers like you do you think make up their business?
Nobody is filing a lawsuit to uncover whois privacy info trivially unless the reason makes sense (on the end of the person wanting the info).
I have several, but not as many as I have had registered either for myself or customers in the past. I will probably have more in the future.
I am fine with Facebook filing a suit in a court of competent jurisdiction to get this information. However, they don't state what they are seeking in their post. Further, they attack Namecheap as if Namecheap were doing something wrong.
I don't expect Namecheap to spend a fortune fighting this- but I would like to see due process followed. If a proper court of competent jurisdiction rules that Namecheap has to reveal the identity of the domain owners, and their are no bounds for appeal, and Namecheap does, that is an acceptable legal outcome.
The problem is Facebook trying to paint Namecheap as being in the wrong here, when it appears that they are doing the right thing.
They do not have any obligation. Facebook is not an authority and they can only request that information via normal means. The fact that they claim that the other company has any obligation just point out how obnoxious and entitled they have become.
In my experience, namecheap takes care of issues when you report them but the do not prevent on-going issues. They let you play a game of whack-mole, where scammers can buy domains faster than those domains can be taken down.
You're not their customer. You're actually trying to harm some of their customers, so it's difficult to imagine why they'd do anything to help you, absent some sort of legal obligation.
I guess ethics and good faith do not matter then. If your business is selling mostly to scammers then what does that make you?
I'm saying that namecheap is unethical. You are right, I'm not their customer and never will be. If it was easy to spam block every single domain ever sold by namecheap then I would do that.
If your business is selling mostly to scammers then what does that make you?
Not even Facebook claims that Namecheap sells "mostly to scammers".
There isn't even a question over which of these two firms helps scammers more or harms society more. Facebook wins all of those contests. They're, like, Vladimir Putin's favorite! If any online service should have to follow the law and actually litigate each instance of such allegations of "cyber-squatting" in court, it is certainly Facebook.
I just registered a domain with namecheap a few weeks ago and it definitely came up as something they didn't want to give me. It was close to another trademark name. I had to agree to accept the risk. I looked it up, and they are in a different business (and the names are really that close to a human, just to an algorithm). So I accepted the risk.
So FB can't claim they ignore this stuff. They seem to be making a good-faith effort to prevent this kind of fraud.
>As a Namecheap customer, I am glad that they aren't giving up their customers privacy.
Namecheap has been on the good side for most part, at least comparing to GoDaddy. I find it unfortunate that they had "Cheap" in their name that sort of give a slight negative impression in terms of quality.
Facebook press release is a classical PR whitewash to rebrand Facebook through POSITIONING it as the FIRST brand that is fighting for users privacy.
>>As a Namecheap customer, I'm glad that they aren't giving up their customers privacy.
This is how we at the community of HN and engineers see it, but not how average non-technical person sees it.
I'm a hacker who worked in PR and advertising; I worked on media monitoring; I drafted many press releases like this and worked on PR campaigns for P&G, LG and Unilever and other global brands.
Here is what I learned: every time I read a stupid press release like this, I ask which audience is this company targeting? And why?
To read this differently, think of the target audience. Who is Facebook targeting with this press release?
Clearly, Facebook is not targeting the community of HN, or tech, evident by the number of people saying Facebook shouldn't sue Namecheap.
Facebook is targeting the average person.
Facebook is whitewashing/managing its PR crisis of privacy invasion by establishing itself as the FIRST tech leader who is fighting for people privacy.
Like it or not, Facebook is the only one in the tech industry who is doing it and is being loud..underscore being loud.
No other tech giant is fighting to be the leader in protecting users privacy and is being loud, I'm not talking about non-profit. I'm talking about Apple, Google, Amazon, Facebook.
Just read these poetic lines from the press release:
"We don't want people to be deceived by these web addresses, so we've taken legal action. We filed a similar lawsuit in October 2019 against OnlineNIC, another domain registrar, and its proxy service. Our goal is to create consequences for those who seek to do harm and we will continue to take legal action to protect people from domain name fraud and abuse."
Facebook is taking the initiative of fighting for users privacy, and it doesn't matter whether they are truthful or deceptive. What matters is that they are the first.
We only remember the first.
"The easy way to get into a person’s mind is to be first. If you can’t be first, then you must find a way to position yourself against the product, the politician, the person who did get there first
What’s the name of the first person to fly solo across the North Atlantic? Charles Lindbergh, right? Now, what’s the name of the second person to fly solo across the North Atlantic? Not so easy to answer, is it? What’s the name of the first person to walk on the moon? Neil Armstrong, of course. What’s the name of the second? What’s the name of the highest mountain in the world? Mount Everest in the Himalayas, right? What’s the name of the second highest mountain in the world? What’s the name of the first person you ever made love with? What’s the name of the second? The first person, the first mountain, the first company to occupy the position in the mind is going to be awfully hard to dislodge. Kodak in photography, Kleenex in tissue, Xerox in plainpaper copiers, Hertz in rent-a-cars, Coca in cola, General in electric. The first thing you need to “fix your message indelibly in the mind” is not a message at all.
They're glad that Facebook isn't being handed information just because they're a big company. Want private registrant info? Get a subpoena. It should be very easy if you have a legit reason.
In cases like the example mentioned, this is clearly a malicious entity. I don't agree that "get a subpoena" is the right response, some judgement should be applied to cases where someone is clearly using your service to do harm.
> some judgement should be applied to cases where someone is clearly using your service to do harm
This is Facebook's argument essentially. But who decides that it is "clearly" doing harm? Should Facebook have the power to just tear domains away from their owners at their sole discretion? Should Namecheap be deciding if they break their privacy contract (the entire WHOISGUARD product that they offer) because a domain sounds too close to another company's product? Why should Facebook (or Namecheap) have the power to soley make decisions on this manner? Why do they get to "play god"?
These types of Copyright or Trademark issues have a proper and appropriate channel for handling these disputes. Facebook should be using the APPROPRIATE channels (ie the Judicial system) to handle this. The courts could issue a subpoena to Namecheap and Namecheap can take it down or hand over the information or whatever a judge decides should be done. But a sworn judge is the one that should be making these decisions, not a private company. This is where Namecheap is right in its stance and Facebook is wrong. Facebook is big and has lots of money, but that doesn't allow them to circumvent the Justice system. We swear in Judges to handle things like this. The judge can decide if this is "clearly" a violation or not. The judge will also help decide on the gray cases as well. The Judge will look at the facts of each case individually and help to protect Facebook's copyrights and trademarks while also protecting the rights of the citizen that owns the domain in question. He is the impartial authority that is trained and authorized to make these decisions.
Namecheap is doing it right, and this makes me very happy to be registering domains through them. I am happy that they don't buckle to the pressure of a big scary corporation. Facebook is once again proving that they are not a good internet citizen. Another reason the world would be better if they disappeared. Facebook isn't above the rest of us, or our governmental processes. The fact that they think they are is reason enough to never trust them with your data.
And in cases that aren't so clear? One of the three cited in the press release was instagrambusinesshelp.com - that doesn't sound remotely malicious to me.
Yes. I'm fine with Namecheap taking the domain down. Handing information like that just because they ask for it? That's a huge no. Let them proceed through the legal channels to get that information.
Facebook is suing Namecheap because Namecheap is not handing over the information just because Facebook asked them to. Facebook decided that the domain should be taken down and expected Namecheap to just do what Facebook said. Namecheap refused. That is why Facebook is suing them.
What Facebook should do is file a trademark dispute against the domain owner. Then a judge will look at the case, decide if Facebook has been wronged, and if so, the judge will ask Namecheap for the domain owner's information, at which point Namecheap would then be expected to (and not wrong for doing so) hand over the information to the judge. The court system will handle the rest. That is why we have these court systems. I know Facebook is confused and thinks they are above the government, but that is why it is good for Namecheap to remind them of that.
Traditionally site owners are either public or can be requested in a 7 day span by showing clear harm.
Otherwise the liability falls to Namecheap. Presumably Facebooks motivation for actually suing is to prevent name registrar's from protecting obvious scammers for profit.
Not sure how I feel about this, site owners who act in good faith clearly should be able to stay private. On the other hand, scammers can open sites much more quickly than they can be reasonably be sued. Most businesses try to keep scammers from obtaining similar domains, having to sue each time to take a page down could make this infeasible for smaller ones.
The court order is that a judge rules there has been trademark infringement and asks namecheap to take it down. If facebook would like to pursue suing for infringement then, they get another injunction with a court order, and the judge asks namecheap for the name associated with the infringement.
I worked for a European domain registrar a few years ago.
An obviously malicious site like "whatsappdownload.site" would be taken offline very quickly, but under no circumstances could we give non-public subscriber information to a third party without a warrant.
> You're glad Namecheap is protecting the registrant of "whatsappdownload.site"?
In most cases I've seen, registrant data would either be fake, the result of identity theft, or an innocent customer's whose account got hacked.
Yes. I don't want Namecheap stepping in to judge how I use my domains- I want a court of competent jurisdiction to make those determinations. There is an appropriate process for these issues.
It seems that the appropriate process for this issue would be suing the registered owner of these domains (Whoisguard), which is what they're doing now - and a court of competent jurisdiction will be ruling on it.
Facebook doesn't say exactly what they are seeking, but that is one possibility. However, this PR piece seems to be accusing Namecheap of doing wrong- and it appears that Namecheap is entirely in the right. If all Facebook was doing was seeking control of the domain name, and they didn't make this accusatory post, I would agree that they were following the proper process.
Yes. I want Namecheap to protect my privacy. When they show they're even willing to protect the privacy of a low-reputation actor, it proves to me that they are likely to protect my privacy as well.
It's the same reason I'm glad that HTTPS and SSL protect the registrant of whatsappdownload.site.
For what it's worth, the problem with that process is that it creates an uneven burden. Any scammer with 10 bucks can create a misleading domain. This happened to us when some scammers created "autostempest.com" to mimic our car search site, autotempest.com. They put fake listings up and scammed many people out of tens of thousands of dollars. Our only legal recourse was a UDRP claim (short of suing namecheap, which would have been even more expensive), but that would have cost about $2000 because you need to go through a registered provider—and these are private companies, which take advantage of this regulatory oligopoly.
Now, $2000 would be worth it to shut down a scammer like that, except nothing stops them from simply ignoring the UDRP claim and once their domain is shut down, they can register autotempests.com or something for another 10 bucks. (They actually did end up registering autostempestgroup.com and several others.)
On the other hand, if you could simply go to the registrar, show clear evidence of the very obvious infringement, and have them shut down the domain, perhaps it would actually be feasible to put a dent in that kind of scam.
I do understand the concern of having a private company like Namecheap be the judge in these matters, but I'm not sure it's as black and white as that. I could see a system working where they do take unilateral action on obvious cases (autostempest, whatsappdownload.com, faceb00k, etc.), but require the formal process for less clear cases.
I understand this complaint. But Facebook attacking Namecheap in a public post for doing the right thing is the wrong way to go about changing the system. They should instead petition ICANN and/or their political rulers to change the process.
"Slütsof In Stagram", naturally, what did you expect? See also "Whöresof In Stagrâm" at similar URL.
Yes, someone tried to register SlutsOfInstagram.com and WhoresOfInstagram.com and when Facebook/Instagram objected, they turned the sites into something else entirely.
The point being that you can't really tell anything from the name.
But then you can't really tell anything from the content either, because if there is phishing content the first thing the registrant will claim is that they've been hacked. Which is hardly uncommon in that context. So then you need someone to make a judgement call. Which is what courts are for.
If there's a combination, it's very obvious. To use my personal example again, the domain was autostempest.com, and they had copied our logo directly, and created a car listings site. It would be trivial to see that we were using the name and logo first.
Going to court just wasn't an option. For one thing, we couldn't even identify the people behind these sites without first going to court against namecheap. And after all that effort and expense, it's entirely possible they'd registered the domain with fake info and the effort would have been wasted. Even the UDRP option was not cost effective, because nothing would stop the scammers from opening a new fake domain. What we eventually did that worked was found a "CSIRT" company that would use its private connections to hosting providers to, for a fee, get offending content taken down. So, that's the kind of thing the status quo is incentivizing. Hardly better than if there was a takedown process available through namecheap it seems.
That said, you'd certainly want to avoid the situation with Youtube, where the power is swung all the way in the other direction, so creators have almost no recourse when purported rights holders issue a claim.
I used to work for a company that offered brand-protection services. The customer would grant my old employer power of attorney to send C&D letters and file takedown lawsuits on their behalf, and we would do all the monitoring and brand-defense work, then send a report to the customer justifying the exorbitant fees.
Maintaining a trademark costs time and money. You can save money by doing the work yourself, or by using backchannels, as you mentioned. You can save time by hiring someone to do the tedious work for you. Even a single-partner specialist law firm should have boilerplate templates on hand for taking down an infringing website fast, using regular channels. I imagine that most of the cases result in no answer from the main defendant and default judgment that orders the registrar to transfer the domain to the plaintiff, who can then blackhole it or redirect to the genuine site.
A higher-service firm will also proactively scour the Internet for threats to your brand--at a higher price, of course.
I would not recommend my former employer for this, as they got bought out, and the new owner arbitrarily fired the entire development team.
> To use my personal example again, the domain was autostempest.com
So then they claim their company is called Auto Stem Pest in the business of selling automatic pest control devices, and their website had your logo on it "temporarily" because it had been compromised by third party malicious hackers.
Somebody has to decide whether that story is a load of BS. But it's a thing that could realistically have happened, and Namecheap has neither the resources nor the qualifications to stand in judgement.
> Going to court just wasn't an option. For one thing, we couldn't even identify the people behind these sites without first going to court against namecheap. And after all that effort and expense, it's entirely possible they'd registered the domain with fake info and the effort would have been wasted.
The thing is, that's what happens anyway. Most of the people doing this are in countries that just don't care. Having their names generally won't do you any good.
> Even the UDRP option was not cost effective, because nothing would stop the scammers from opening a new fake domain.
Which points to domains being a bad point of attack to go after them. It's like trying to catch cat burglars by maligning department stores that sell gloves. It's just not a useful place to apply pressure.
For fraudsters in a friendly jurisdiction, courts work, because the process is a pain in the butt but at the end of it they go to jail which is a large enough deterrent that it mostly stops them to begin with.
When they're in an antagonistic jurisdiction (which is most common), the law can't help you, because it isn't your law that applies. At that point you're down to technical and market solutions, like the one you found.
Yup, more so with GDPR. It is nobodies business who's behind a domain. Authorities can of course figure it out (with subpoena, as it should be) should the need arise.
Yes. Do you know what content was on there? Scam/malware? Critical reporting on facebook's business processes? A parody site making fun of whatsapp? A redirect to Signal?
At least two of the 4 examples I gave are perfectly legal even under trademark and/or copyright law. And 3 are non-malicious
> Our goal is to create consequences for those who seek to do harm
Rich coming from FB.
On the one hand, scam sites should be stopped, on the other, I am not sure we should let companies wantonly decide which domains other people register are bad.
I can't even tell what the legality of this is. What does facebook even sue for, trademark infringement? Or is it fraud related which I would assume they'd go to the courts for. If namecheap is breaking the law, then the justice system should be involved, otherwise it's namecheap rolling over anytime facebook decides to sue them for anything they want.
And yet they are happy to keep running ads for obvious Shopify scam sites that offer insane spec computers for $199 (where the GPU offered alone costs twice that) or an entire electric branded toolkit for $89.
People selling dropshipped items for 500percent markup are the bane of e-commerce for me right now.
i always end up finding the same item on aliexpress and then just dropping the item entirely coz it's gonna be low quality and have no customer support
I've made a game out of it, anytime I see an ad (and have some free time) for a "revolutionary" product or one that is obviously too good to be true I go searching for it on Amazon/Aliexpress. Often I can find a handful of versions on Amazon alone for half the price and/or terrible reviews.
Honestly I've been happy with 90% of what I get on AliExpress and it's rare to spend more than $10 on whatever it is anyway. I've saved many hundreds of dollars over buying from Amazon (often anyway from twice to ten times as expensive).
For the stuff the sucks, I throw it in the trash and move on with my life. It's usually only a few dollars
that is indeed partly impossible to do, one thing they should improve is checking that the one buying ads is actually affiliated with the politician/party in the ad.
Seems like a lawsuit is the exact legal method that should be used to uncover the names that Facebook is seeking. As a Namecheap user who also sometimes uses whoisguard, I would expect Namecheap NOT to turn over any information until required to do so buy a subpoena signed by a judge. There is probably no other way to get one than to file a suit and ask a judge for it.
I am fine with Facebook petitioning a court of competent jurisdiction and following legal due process to stop phishing activity. I am glad that Namecheap is not giving up this information without a proper court order. I am not happy with Facebook making this PR release trying to paint Namecheap in a bad light because they are standing up for privacy. This PR release is completely unnecessary if Facebooks intentions were simply to stop the phishing attacks.
While I'm happy that Namecheap won't reveal the names,I'm not happy that these kind of website names can not just be registered but also kept running for years.
Again, that's how it's supposed work though. If I pay for 10 years for my domain name, I don't want it to stop working because evilCorp makes a request to take it over (for whatever reason). If I am ruining the internet with a nefarious use of my domain, then it should be easy enough to prove to a valid court, and then there should be a legit way to take over control. It shouldn't be impossible, but it shouldn't be a cake walk either.
Absolutely, especially in terms of copyright and liability (of open computer systems, e.g. Germany's open WiFi nonsense).
But in some cases good enough proof of unauthorised compromise of computer systems can be collected, in those cases, why isn't there any cooperation? E.g. botnet makers.
What type of heuristic can capture "these kind of website names"? There are too many possibilities.
Some companies have registered misspellings and openly hostile domain names similar to their trademark, but it's hard to consider all permutations e.g. https://bankofamericasucks.com redirects to Coin Wallet.
Trademark law, as far as I understand, is to prevent customer confusion. Customers should be able to trust their intuition on who made a given product.
Misspellings should be covered. But hostile uses should not.
Please define "hostile uses" in a way that can be interpreted by law enforcement and the courts.
If I register "facebook-sucks.com" and put a disclaimer that facebook is a registered trademark of Facebook Inc etc etc then I'm not attempting to confuse customers of facebook (btw, do "users" of facebook = "customers" of facebook?).
Therefore there is no trademark infringement and no cause for me to cease and desist.
That's different to registering "faceb00k.com" and trying to pass my site off as being facebook. That's exactly what trademark rights are there to protect. It's not the registering of the domain that is the infringement, it's the attempt to pass off my site as being facebook's. In that case, a court can order me to take down my content, and if "me" is not identifiable, then they can order my hosting provider to do the same.
Facebook itself has numerous different domains registered and its not known that some of them are facebook's registrations.
What goes under “hostile uses”? Would people be confused if I made “facebook-sucks.com”? Because if you let something like this through, Facebook has an incentive to go after things like that…
I did a bit of research on this when I started killedbygoogle.com . It’s fine to use a trademark when it is being used for criticism, parody, or other creative work. It’s not okay to use for impersonation, fraud, or other commercial purposes that mislead consumers to believe an endorsement or association with the trademark’s owner.
Trademark law is to prevent "damage" to brands, not protect customers. If a system was in place to protect the customers, it would be the customers who were deceived that sue and receive compensation, not the company owning the trademark.
> This PR release is completely unnecessary if Facebooks intentions were simply to stop the phishing attacks.
That's not their goal at all (obviously).
This is at best tangentially related, but I once had a business model where I asked people to send me a friend request on Facebook. Rather than give them the FB URL directly, I registered [name]onfacebook.com and just had that on the card they received. All the domain did was redirect to my profile. No interstitial, the URL was replaced on redirect, literally just so I could say "[name] on facebook dot com" and have be easy to remember.
Less than a week later I received a nastygram from FB legal about protecting their copyright and that they expected me to shut the domain down immediately.
Judging by the comments here, they are doing good publicity for Namecheap.
I expect the people who post on HN to be representative of people who buy domain names. So while it may be bad publicity for the general public, it doesn't really matter if potential customers see it as a good thing.
Question: If what the domain name holders are doing is illegal (presumably phishing for secrets; which is probably against some sort of misdirection or scam laws) why is Facebook doing the suing? Why aren’t police departments or federal investigation units the once asking judges for subpoenas and going after the actual criminals?
It feels like an unessisary and possibly harmful step for a non-victim private company to suing another non-criminal private company so they can get these criminals to justice.
It sounds like the fraudulent domains are foremost a trademark infringement.
The fact that the domains are used for phishing or to perpetrate criminal acts is a secondary matter that adds gravitas to Facebook's public presentation of why they are suing Namecheap.
The infringing parties are those that register the domains using Whoisguard, and Namecheap is a non-party witness to the infringement.
So, serving Namecheap a subpoena, and then suing them for compliance after they neglect to respond to the subpoena is apparently a normal method for getting information from an uncooperative non-party witness in a civil legal proceeding.
Presumably, once they are successful in their lawsuit and have the names of the individuals responsible for the domain names, they will hand the evidence over to the police for investigation of criminal acts such as wire-fraud etc.
Quite typical that the crime being investigated is a petty trademark infringement, while there are real victims who’s privacy and dignity is violated by these scammers.
It indeed disgusts me that as a society of laws we go after violent criminals, not because they violate real victims, but because they infringe on a trademark of a multi-billion dollar company.
I'm no expert, but as I understand things the cops don't give a shit. Like if you witness someone speeding, or if someone steals your bicycle.
They'll take a report if you want, but there are only so many detectives. And these internet crimes need so many special skills and cross jurisdictional lines so easily...
We could establish a specialist police unit with the skills and funding levels needed to go after crimes against Facebook. Facebook might even be willing to help with funding and training, and doubtless big copyright holders would also be interested. Personally I don't think that would be a step in the right direction though.
But violent crime is down over the last 30-years, seems to be more cops employed and less petty crime laws being enforced. Doesn’t quite make sense but I often hear this excuse.
I think we need to start thinking about scammers as violent criminals. Victims of scammers do feel extremely violated after the fact. They loose not only valuables, but also their dignity and their sense of security. Scamming is indeed a violent crime that causes significant harm to the victim.
I also get the sense that there is still a lot of victim blaming when it comes to scamming. This also has to change. Victims of scams have not done anything wrong. The criminals that scam other people are of full blame for their crimes, and they need to be brought to justice for their violent behaviour.
Can't just change the definition of violent. Agree that the crime is much more serious than it looks on the surface. There's probably a perfect word. Predatory?
Violence is already really loosely defined (e.g. violence seems to be done up the social hierarchy; e.g. a state is not considered violent if they deport a refugee, while a protestor is considered violent if they block traffic). But even in this loose definition scammers fit perfectly as being violent criminals. They intentionally cause significant harm to their victims with their actions.
A lot of definitions put a physical qualifier, but that is not how the term is used by English speakers, e.g. bullying or psychological tormenting, is violent even though it is only verbal.
> behavior involving physical force intended to hurt, damage, or kill someone or something.
In every definition, violence requires physical force. Nobody calls psychological abuse violence, they call it "gaslighting" or "bullying" or "emotional trauma".
Sure, but that is different from physical violence or threat of physical violence. Not to mean it is inherently less serious, but I would argue that they need to be treated as part of different categories.
I would also argue that emotional and psychological abuse should be considered a serious crime, but I am not convinced that conflating it with violence is appropriate.
I realize that my categories leave a blind spot for more subtle method of bullying, especially in intrinsically violence-free cases like cyber-bullying or "intense-gossiping" which can be seriously damaging.
Still I do not think that classifying that as violence in and of itself is an appropriate solution.
I don’t personally think it is helpful to make a distinction between physical and non-physical violence. Harm is severe in either case, and there is an obvious victim and and obvious perpetrator that needs to be brought to justice in either case.
Sure different forms of violence do vary in severity, but finding a new name for a type of violence that is done remotely and causes a different kind of harm both undermines and complicates the term “violence” and gives discount to some forms of violence by not labeling them as such.
> an obvious victim and and obvious perpetrator that needs to be brought to justice in either case.
Here I don't agree.
> Sure different forms of violence do vary in severity,
Also this is not the point. Emotional violence can be definitely worse than physical violence, I am not ranking them.
I am often bad at analogies, but I will try making one anyway.
When driving you are held to a concept of strict liability; if you cause an accident it is your fault; every time you sit in a vehicle you silently agree that every damage caused by your car will be (by default, but can be proven otherwise) your responsibility.
This is not the case when walking; if you push someone down the stairs because of a sneeze it is not manslaughter, it is manslaughter if you drive over a passerby because of that same sneeze.
Quite few things are considered in the context of strict liability, in general to be responsible of a damage the burden of proof is much higher.
Similarly physical and non-physical violence are held to different contexts; if I punch you then I am at fault a priori (there can be enough context to subvert this) and the reason is that I am expected to understand that punching you will cause damage (this is why accidental deaths in a fight can incur in manslaughter charges).
threats of psychological violence should be a crime, the same as other kinds of threats.
On the other hand, with psychological violence there is not bright red line that can be as clearly crossed or not. It is much harder to argue that the abuser was conscious of the damage, or that the damage was done maliciously, or that the abuser should be held responsible for it.
It is not a matter of severity, it is just that one case of violence is significantly harder to judge fairly.
PS: > if there can be violent threats, then there can be emotional violence.
Both local police and the FBI rarely care about fraud or scams. Most local fraud seems to be caught by individuals hiring private investigators that are former law enforcement. And even then, the punishment to the con-artist is often 1-2 years.
It’s even worse if you use a credit card, get skimmed, have money stolen from you then your credit card company tries to deny your claim. No where in this situation are there police going to the ATM to view the video surveillance of who stole your money.
Most law enforcement seems to rely on identity fraudsters being high on drugs in cheap hotels and being caught with hardware / stolen cards etc etc.
Are more cops employed? In the UK at least police numbers were cut drastically. One of the many hilarious pledges of the newly elected Tory government of the UK is that they'd hire lots of extra police to fix problems that some might argue were caused by the er... Tory government which had cut police numbers...
It should be a lawsuit against the unnamed clients, rather than the hosting provider itself. Namecheap is a third party here imo, but there is plenty of precedent and process in using a lawsuit to compel third parties to provide information via subpoena.
I would agree, but I don't understand why Facebook would file a lawsuit against Namecheap. I would have thought they'd file a lawsuit against John Does (the owners of the domains) and obtain an order from the Judge to compel Namecheap to reveal the names of the John Does.
Then again I haven't seen the court filings so maybe that's exactly what they did and Namecheap is just mentioned as an additional defendant.
Either way, I would also expect Namecheap not to reveal anything unless they are compelled to by court order or another legal obligation.
For what it’s worth, I reported dozens of domains used in phishing scams to Namecheap and their support could not possibly give less of a crap. I reported about 26 domains used in SMS scams in Australia and Namecheap refused to action more than one domain. As far as I’m aware, the remaining 25 or so are still active.
Their chat support is unable to take spam complaints and instead directs you to their “Legal & Abuse Department” based in Eastern Europe. And what you get is basically what you’d expect from an underpaid, disgruntled level one IT support.
You should report illegal activities to the authorities, not companies.
I wouldn't expect Namecheap, a low cost registrar with "cheap" in its name, to have the legal resources to investigate or make a conclusion for each accusation that comes their way for one of their 10 million domain names.
As with everything internet related, I think there's a vast misunderstanding of scale, and difficulty in automation (domains sniping!), for what they're facing.
I also wouldn't expect them to hand out information to anyone that asks for it, especially a large company known for misusing any information they can get their hands on, without a subpoena.
I think the real solution would have to come from a third party group(s) that could collect, monitor, and produce high quality reports, with a high level of accuracy, that all of these registrars could use. Who would fund these groups? Probably whomever gains/loses less from the phishing scams being terminated.
> I wouldn't expect Namecheap, a low cost registrar with "cheap" in its name, to have the legal resources to investigate or make a conclusion for each accusation that comes their way for one of their 10 million domain names.
Exactly. And if they _did_ I'd be just as concerned that they're now allowing a vector to take domains down.
Of course, but how would they know? The vector I refer to is my ability to create "evidence" and report you to their customer service.
Eg, i'd wager the GGP comment who reported 26 domains did so in a manner that would be fairly easy to fake. So what is the requirement of reports? Too loose and it's easy to fake, too strict and it becomes to difficult to report _(or too costly to verify)_.
Every domain had the same content, was styled in the same format (something like a28d92.com, then b28d92.com...) and all were acting as redirection platforms for phishing sites and all were registered on the same day.
It wasn't hard to verify or easy to fake, or loose. Namecheap's legal/abuse department are just completely incompetent/don't care about their own TOS.
There's a lot more regulation and guidance around taking down a phishing site at the domain level, rather than at the provider level. (E.g. Hosting company, CloudFlare and other DNS providers, etc.) If I remember correctly, ICANN requires takedowns to be either compelled by law enforcement, or done through the UDRP[1], whereas the providers themselves are typically more able to quickly respond to abuse. In addition, phishing domains are typically short lived, as once they're flagged by Google Safe Browsing[2] and the like, they're essentially worthless to the ne'er-do-wells that purchase them, regardless of if they're actually taken down.
Not attempting to excuse their lack of action, but there are cases where it's somewhat understandable why a registrar may not take action. For instance, if the only service they're actually providing is registration, the domain belongs to a long time customer, and they aren't hosting the site or dns, they're only left with one very blunt action they can take. It's frustrating for sure, but registrars are very hesitant to take such harsh action on long-standing customers.
In that example the domain is likely compromised though, so you need to be reporting to all the hosting providers involved as well and not just the registrar.
This probably comes down to narrowing the number of people who can take action on these requests, as per the potential abuse that could come from taking action on invalid requests.
Is it not enough that Facebook and Zuck tread all over their customers privacy on their own platform? Now they want other companies to do it for them with their own customers as well.
This is just another attack on privacy and due process in order to strong arm companies that have services like WhoisGuard which is intended to protect millions of customer’s privacy.
Can you explain how using the court system to get what they want is an attack on due process?
(My personal perspective on this, to help you understand the tone I'm using, is that NameCheap is doing the Right Thing by not cooperating without a subpoena, and Facebook is doing the Right Thing by protecting their users from phishing attacks by shutting down the attackers, and the court will do the Right Thing by arbitrating within the context of the laws.)
Can you explain the legal details of what's happening here? Who's responsibility is it to deal with domains that are potentially dangerous, what exactly is facebook suing you for? What rule are they talking about when they say you're supposed to provide the WhoisGuard information (someone else mentioned that's only for government requests)?
I've also seen some complaints by other people here that there are some namecheap domains that are sometimes scammy and namecheap sometimes deals with them and other times they don't (based on user comments here). Can you clarify if namecheap does indeed take action and if so, why they haven't here?
Also in the future, you might want to sign off at the end of the comment since it's really easy to ignore the username as it's grayed out. And FWIW, great job with namecheap, I've had a really good experience with it.
I mean, FB is trying to stop phishing here, and it doesn't seem like your company is cooperating with FB's investigation. A lawsuit seems like what they had to do to get you to take action here.
Why do you want to take money from criminals, in exchange for helping them to do criminal activity? From a risk management perspective, you should very much not want these customers.
Does this mean I can sue Facebook because, despite my (unreasonable) demands they stop showing me fake news and ads for crypto-mining mobile games that pretend to be affiliated with legitimate news sources or the games they're knocking off, they haven't stopped?
I think that's a pretty comparable analogy because in both cases, a party is being unreasonably expected to police third-party content provided through their platform/business, or else be sued for failing to do something completely infeasible.
So Facebook is suing to dispute the business model of whoisguard, because they believe they are "obligated" to work with fb? I'm scratching my head at the implications here, I can guarantee fb doesn't want to be responsible for kyc on their users or ad providers (both can deliver intentionally misleading content on their platform). So what is their goal? My best guess is they think they can scare namecheap into working with them, but this feels like a case of chicken.
It’s ironic how Facebook uses all kinds of lies and dark patterns to steal data from their users but gets pissed off when someone else does it (or provides services for it as it is in this case).
so is wiretapping, but in our household we have a running joke that if we're too lazy to google something, or say "ok google", we can just say "ok facebook bed frame bed frame bed frame" in the direction of our phones, and fb/instagram will start showing us ads for bed frames in a few hours. It works a surprisingly large amount of the time.
This is not actually happening, and I'm sad to see how long this misinformation persists on HackerNews... Not only not technically feasible, it'd also get out in the numerous lawsuits that Facebook is involved in, which get access to internal information like this.
It happened to me and other people I know too. How can people in the comments deny that when a lot of people have empirical evidence?
If you give the permission to Messenger to use the microphone, that is required to make voice calls, then I believe it's possible for it to use it anytime.
Wiretapping is only illegal if you don't give permission for it. By having a device that's always recording audio, you're implicitly giving permission for what you describe.
Everyone worries about google. Google will become part of the public infrastructure after some external challenge forces it to. At what point does facebook turn hostile and start exposing personal secrets to the public unless you pay or at least come back and visit to change settings? You can feel it coming...
2 wrongs don't make a right.
And sure, FB uses "dark patterns", but that's a lot more subtle than registering obvious phishing domains. There's simply no defense for that at all; it's obviously aiding and abetting criminal activity.
I feel like the title "Facebook sues Namecheap for registering phishing domains" is somewhat misleading.
> We found that Namecheap’s proxy service, Whoisguard, registered or used 45 domain names that impersonated Facebook and our services, such as instagrambusinesshelp.com, facebo0k-login.com and whatsappdownload.site. We sent notices to Whoisguard between October 2018 and February 2020, and despite their obligation to provide information about these infringing domain names, they declined to cooperate.
Specifically, they're suing Namecheap and their proxy service for not providing information about the true registrants of the allegedly infringing domains.
"This week we filed a lawsuit in Arizona against Namecheap [...] for registering domain names that aim to deceive people by pretending to be affiliated with Facebook apps."
The press release says "for registering domain names" so I think the original title was accurate.
And to be clear, all Namecheap had to do to prevent this lawsuit was identify the owners of or delete the obviously-phishing and obviously-TM-infringing domain names. They didn't, so now Facebook is taking them to court over it.
Facebook listed 3 of the 45, including one that I'd argue does not at all violate TM or phish. In a post like this, they'd likely pick the most egregious examples, so your statement about how obvious this is is entirely baseless. Furthermore, I'm absolutely okay with Namecheap not honoring a demand for information without a subpoena. Those whoisguards protect me from spammers, scammers, and anyone who would want my information from a whois.
Agreed 100%. I'm a huge fan of removing all PII from whois info. Get a subpoena if you want that data. Otherwise next thing you know they'll be demanding registrant info for "facebookisevil.com" because it "infringes on our trademarks!!!"
I thought the point was that they're suing namecheap to get the names of the people who registered the domain, because namecheap was serving as an anonymity service.
"Under the policy, most types of trademark-based domain-name disputes must be resolved by agreement, court action, or arbitration before a registrar will cancel, suspend, or transfer a domain name."
Or, alternatively, remove the domain names, since they're blatantly phishing domains.
I think anonymous domain registration is an important property to preserve. Many people need such services for their safety. However, if you're going to serve as an anonymity shield for another party, you're taking on some of that party's liability, and in particular you need to take down malicious domains.
Namecheap is responsible for administrating domain ownership. They are not free to unilaterally change or remove ownership at will.
That doesn't mean it's impossible to deregister infringing domains. It means that there is a process to follow, which is probably what we're seeing right now.
Honestly, I'm glad they didn't. There's not much use in a whois privacy service if they'll give up the info just because a company says "this is infringing".
How is "instagrambusinesshelp.com" impersonating Facebook services? Is the argument here that using "Instagram" in a domain name inherently not allowed?
Edit: Would "instagramsucks.com" or "facebooksucks.com" also be infringing?
I mean, it's alleged they were a phishing operation...
And in terms of trademark law the owners are unlikely to be on stronger grounds if they're not a pure phishing operation as alleged, but have merely chosen to include Facebook's trademark in their website or email marketing name without Facebook's permission to increase the likelihood Facebook's customers will purchase services from them.
You don't have to imply you definitely are the owner of a trademark to fall foul of trademark law, you just have to be trying to profit from using the trademark without permission in their line of trade in a way you can't justify as 'fair use'. I think we can rule out the idea instagrambusinesshelp.com is commentary, comparison, parody or a list of third parties worked with.
But you have to consider your everyday user who has no real understanding of how companies use domains outside of being a name. That domain suggests it's business support for Instagram.
I feel like an everyday person would see that and think “ah a 3rd party consultant to help with my influencer business” (or whatever the professional application of instagram is.)
Almost every windows website in existence is liable under this description. It is confusing, but protecting domain names via trademark law seems undesirable to me in most cases
This seems like a bad knee-jerk reaction, not a real solution.
My company also has a business portal. Can I take down domains that are similar to it as well? Or is this power just reserved for MegaCorp Inc. who can afford large legal teams? At what point does a company become large enough to warrant "protection" of domains similar to their own? Who makes that decision and is there any dispute process? Etc, etc...
So many questions and potential pitfalls surrounding this approach. I don't know if there's any better realistic "solution" than to let users ultimately be responsible for the domains they visit. Not much of a solution but I don't see any better options that are both realistic and helpful.
The big drawback of the process it that it doesn't work well for phishing attacks, where taking down one domain is of limited value. It's designed more for things like nissan.com
But the language on Facebook's press release implies that the names themselves are misleading. They don't mention the content.
I'm not disputing that the sites themselves are scammy/phishing, but what Facebook is saying here sounds like an overreach that amounts to "using Facebook trademarked names in a domain name is misleading and inherently untrustworthy".
So if you started a small consulting company helping people advertise or build a brand on Instagram, and your website was instagrambusinesshelp.com, Facebook has the right to say "not allowed"?
Do I also have the right to impose rules on other businesses naming conventions [1], or no because I'm not a $500B company?
[1] In a fair use context, not blatant copyright/trademark infringement or posing as the company in a phishing context.
There is no fair context for that under the law. The name is trademarked so unless you have approval from Facebook to use their trademark then using it is not legal. It's not that complicated.
Maybe domain names are treated differently from book titles, but I don't see why they should be. There certainly is fair use of trademarks in book titles if the use is descriptive, not likely to lead to confusion about who produced the book, and can't be effectively replaced with a more generic term. E.g. "That Popular Graphics Editor for Dummies" isn't a sensible substitute for "CorelDRAW! for Dummies".
My assumption is that "instagrambusinesshelp.com" was impersonating Instagram to scam people. Instagramsucks.com probably isn't trying to impersonate them, just complaining about them.
Well, their whois proxy services. Namecheap has other proxy services (email for sure, I think also some configurations like parking and redirection use an HTTP proxy), so not specifying whois proxy is pretty confusing.
Is Namecheap obligated to respond as FB claims? Isn't this the proper way it should happen, through the courts? I don't want Namecheap giving my personal info out just because a business claims a domain infringes their trademarks.
> We sent notices to Whoisguard between October 2018 and February 2020, and despite their obligation to provide information about these infringing domain names, they declined to cooperate.
Title should be closer to "Facebook sues Namecheap/Whoisguard for not providing information on phishing domain registrants"
The phishing sites should be taken down no questions, but
what's the obligation for WhoisGuard to provide information to an Internet company? Shouldn't they provide information only to legal authorities?
Surely they should provide the information in response to any reasonable request?
(* reasonable request is obviously a bit vague and needs clarification, but I think there really does need to be a proper policy/procedure for this - WHOIS existed for a reason, and that reason hasn't gone away just because access to that data has been abused).
opening paragraph: "This week we filed a lawsuit in Arizona against Namecheap, a domain name registrar, as well as its proxy service, Whoisguard, for registering domain names that aim to deceive people by pretending to be affiliated with Facebook apps"
Who is the registrant who registered the name? Who is the registration service that recorded the registration? Who requested the name be proxied by a registered name holder?
Which of these actors had 'intent' for the letters in the name?
Facebook is very heavy handed when it comes to these things. I’m talking from my own experience with them. I own a free dynamic dns service, and yes scammer sometimes use it to plant familiar sounding subdomains to cheat users. One such subdomain was related to Facebook. So Facebook didn’t even contact me about it. Instead, they banned my whole domain on FB. If now I try to give people my email address with my domain on Messenger or any FB post, it will get blocked with the message that my domain has malicious content.
That’s what you get when dealing with big companies. I guess they cannot just block namecheap like this, since they are much bigger than my small hobby dynamic dns server. So they are suing in this case. But I’m sure there are plenty of cases like mine where they just block the whole domain or IP range without even contacting the owner. Because they can, and we cannot do anything about it.
Very proud about Namecheap!! Great company that doesn't give your infos to anyone without your permission. and the whole story is another reason to stop using anything facebook-related.
Facebook's hypocrisy, as noted, is rich. But phishing impacts innocent users, not Zuckerberg and his cabal of blood-sucking c-suite plutocrats. Namecheap isn't an innocent. See https://krebsonsecurity.com/2018/06/bad-men-at-work-please-d.... They court this demographic through a business model which is entirely their own choice.
Is Facebook targeting Whoisguard directly? I am incredibly thankful for Whoisguard — back when I purchased my first domain, I didn't know about it, and to this day, I get 5-10 spam emails per day regarding my domain. It's so bad that I've had to change my primary email to something else.
There definitely should be a mechanism by which large companies like Facebook can approach Whoisguard and ask for a site to be taken down, though.
A company or individual putting “Facebook” or “Instagram” in their domain name without Facebook’s authorization would constitute trademark infringement.
Pretty sure this lawsuit is just Facebook doing what they’re supposed to do to “protect” their trademarks.
When you have a trademark, you’re obligated — by law — to attempt to protect it in cases of seeming infringement. If you don’t, you lose the power of the trademark.
>A company or individual putting “Facebook” or “Instagram” in their domain name without Facebook’s authorization would constitute trademark infringement.
That is not true in the US.
A trademark consists of both a name and the goods/services which a company provides under that name. If you use the trademarked name in a completely different industry or context from the entity which registered the mark, you aren't infringing on it.
So if you had a business selling...I dunno, physical books made out of faces, then you might be able to use "Facebook" without infringing.
In practice, Facebook could spend enough money to convince the legal system that they are right, but merely having some letters in a domain name does not imply infringement.
Icann provides a method of getting domains that break trademark that doesn't require a warrant or the courts, this is facebook trying to give themselves that power wheater the domain is infringing trademark or not.
Why does Facebook want to know who these people are? That itself seems a bit creepy. Sure, get the domains taken down, get Whoisguard to block them from registering more domains in future. But what does Facebook want, names and addresses? Weird.
Isn't the obligation only to provide registrant info to governments or when the info has been subpoenad? Or should namecheap hand over info to any private entity that thinks their trademark is being infringed upon or that the domain is malicious?
Inb4 FB wants the info of the person begins "facebookisevil.com".
They aren’t even sueing for _allowing_. You can’t expect namecheap to know every possible domain that could be used to impersonate Facebook. They are sueong because namecheap isn’t cooperating in their investigation..
Facebook sues NameCheap for allowing people to register phishing domains, and failing to meet their obligation to provide information about those domains when notified. But it's not near as good a headline.
I'll bet that clause was intended to apply to law enforcement, but as worded (IANAL) it appears to say that literally anyone could send a registrar proof of "reasonable evidence of harm", and they're liable unless they turn it over. Very odd.
3.7.7.3 Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible for providing its own full contact information and for providing and updating accurate technical and administrative contact information adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it discloses the current contact information provided by the licensee and the identity of the licensee within seven (7) days to a party providing the Registered Name Holder reasonable evidence of actionable harm.
Facebook takes money from people spreading fake news to influence the elections in my country and they refuse to reveal the names of the people funding this fake news.
Haha, imagine a company suing another for the way people use their platform, as if it’s their responsibility to police the people using it for harmful purposes! Ridiculous!
I kind of feel like this could be a perfect opportunity to bring to light some of the weaknesses in the current SSL Cert infrastructure.
It sounds like what we need is for the browser to be capable of displaying a list of "favicons" (or something like this, perhaps a favicon encrypted by the domain's private key) from every domain in a domain's certificate chains. And for certificate authorities to allow domain owners to insert their other verified certs in these certificate chains that end up being used.
So, for example, let the owner of "DOMAIN1.COM" set up a certificate chain where DOMAIN1.COM is its own certificate authority who signs certs owned by DOMAIN1.COM. This way, when the browser sees the certificate chain it will proceed to verify the chain.
So now end users could easily see that DOMAIN2.COM is owned and "vouched for" by DOMAIN1.COM.
I don't think FB's claim SHOULD be valid, but given the current state of the art I think it IS valid.
Going after the registrar is unnecessary to stop this sort of behavior, nothing would stop a scammer from creating www.facebook.route34.com/login
People are getting accustomed to complex URL parameters they don’t understand. I doubt most people are paying attention. In a few years we might start seeing web browsers without the URL bar.
This seems like a waste of time. It's not illegal to register a domain name, no matter how similar it is to your domain name. If you want those domain names, then buy them. My family runs a business and we bought the domain names that we thought were similar. We respect the fact that if someone buys our domain but with ".io" at the end instead, then that's their right. I would be very scared of a world where people can sue over names being "too similar to this large company with lots of money and power". These domain name companies serve one purpose: selling available domain names. It's not complicated. Let's not make it complicated.
> We don’t want people to be deceived by these web addresses, so we’ve taken legal action.
I wonder if they reported the issue first unless it's all for show. I've reported phishing domains before and Namecheap is usually quick on taking them down if the domain belongs to that registrar. I think the last report within 24 hours they plugged it out. So makes me wonder what Facebook is on about with this.
Edit: ok, I missed the "despite their obligation to provide information about these infringing domain names, they declined to cooperate." seems Facebook wanted to go on a witch hunt.
Slippery slope, and I hate Facebook more for doing this. It shouldn't be on Namecheap to police for Facebook. Tomorrow, Facebook could open something like cnn.facebook.com -- would CNN.com be off limits then? It'd be impossible to predict, track, and respond -- also it's fundamentally not Namecheap's responsibility to protect Facebook. Facebook could, and certainly has the money to, register anything they want -- anything that resembles a domain in their apps.
"This week we filed a lawsuit in Arizona against Namecheap, a domain name registrar, as well as its proxy service, Whoisguard, for registering domain names that aim to deceive people by pretending to be affiliated with Facebook apps."
Wasn't Facebook supposed to request for information through the legal system instead of suing the registrar itself? Isn't Facebook publicly and unreasonably flexing muscle? So long justice...
Tangential question: what are the chances that, if namecheap disclosed the identities of registrants, facebook would be able to do anything with it? You'd expect that if the domains were registered with the intention to do Bad Things, that they would be registered with fake information. You can use a throwaway email addresses, fake mailing address (doubt they would validate it), and pay with cryptocurrency.
If the registration information is falsified, + trademark dispute, FB has the inside track on getting ownership of these domains transferred to them. After all, the registered owners don't exist -- doesn't that make them up for grabs?
First time I find myself cheering for FB. Namecheap are notorious for criminal-friendly hosting. Just the other day I contacted Namecheap support about a site that was spamming Usenet groups and which was hosted with Namecheap. The site was offering to sell marijuana. Namecheap gave my contact details to their customer and told me they would do nothing.
Namecheap are happy to profit from criminality and no-one who values their reputation should have anything to do with them.
On one hand, giving big companies the ability to force domain name providers to unmask their customers continues the SV mantra of eroding privacy as much as possible.
On the other hand, a customer was selling weed! How dare they!
This is the same argument that could be leveraged against any privacy focused company. In fact it has been, against Apple and the various privacy focused email companies and WhatsApp and VPN companies, the list goes on.
What did you expect Namecheap to do? Take your word for it and ban one of their customers, just because you said so?
Legal where? It may be legal to sell it where it's hosted, but will they check that it's legal to deliver it to the destination? And the site in question has text on it promising to pack the goods in dog-proof bags and they also promise to refund customers whose orders are seized, indicating they know perfectly well they're breaking the law and are happy to help others do it too.
Namecheap released my information inadvertently a while back by responding to a subpoena for someone else. And in the process just dumped all of my information that was not covered by the subpoena request at all.
Hopefully they go through with defending themselves from this lawsuit otherwise I don't think I could ever use or recommend them again.
As much as I despise Facebook, it's great to have this kind of pressure put on NameCheap. When I first setup my own website many years back, I made the mistake of listing my email in plain text right on the main page. Fast forward years later and I think I've been added to every spam list possible. If it wasn't for exceptionally-aggressive email filters, I'd get 500+ spam emails a day.
In various times throughout the years, I'll run a WHOIS lookup on the last 1000 emails to have (attempted) to send me spam email. In 99% of cases, they resolve to a proxied NameCheap domain. I have submitted somewhere in the ballpark of ~800 domains throughout the years to NameCheap's abuse department. While they are timely in their "investigation", only about half of them are shuttered, and it's not clear to me if NameCheap is actually attempting to solve the problem as I strongly suspect there's a limited number of individuals behind the mass of nonsense domains used to spam me and likely countless others.
My point was moreso that NameCheap appears willfully ignorant to abuses on their platform. As I am a nobody, I don't have the leverage to get them to solve these problems. Whereas Facebook suing them might introduce pressure on NameCheap to address abuse of their domains.
>> We regularly scan for domain names and apps that infringe our trademarks to protect people from abuse.
Yeah, and namecheap is supposed to suspend them until the owners win in court the right to use their $9 domain name, right? Facebooks really has no shame.
I'm not sure how this would work. 'facebook' is after all a generic word which had meaning before Facebook existed and is not only used in the context of the social network named after it. So the judge could reject it.
This is a genuine problem indeed. Someone is in violation of copyrights and is sitting hidden behind a domain name. What practical means do I have to even reach out to the violators, as an individual?
The really interesting thing about namecheap is they are not a registrar for most TLDs, they are simply a very large enom reseller (last I checked a year or two ago)
"We found that Namecheap’s proxy service, Whoisguard, registered or used 45 domain names that impersonated Facebook and our services, such as instagrambusinesshelp.com, facebo0k-login.com and whatsappdownload.site."
Layperson 2018: "No wonder WhatsApp is bad mouthing Facebook, their competitor!"
Layperson 2019: "I have just absolutely HAD it with Facebook. I am going to delete Facebook and move to INSTAGRAM!"
Layperson 2020: "Oh wait! So WhatsApp and Instagram are actually owned by Facebook?"
thing is we lack a framework for tagging those scam sites as scam and automate the takedown. In this particular case is legitimate for fb to ask for removal, although it may not be up to anyone to ask for removal of any domain without a proper legislative framework in place
According to the facebook post:
> We don’t want people to be deceived by these web addresses, so we’ve taken legal action.
This particularly hypocritical and infuriating given facebook stance on horribly misleading and deceptive political advertisements on their platform. I hope this hypocrisy results in facebook eventually being sued.
Just me, or is the domain “instagram business help” legit and shouldn’t be something that Facebook can take down? If the entity helps people put businesses on Instagram and the site says they are not affiliated what is the harm?
Further, why would names of the parties be required here? I guess they’re seeking damages?
they sent "notices" so unless you know something more....
One cannot just ask for them divulge the names, that's the point of privacy. File a suit or whatever. It's cost of doing business
Filing a lawsuit is the whole point - facebook has grounds to sue the domain owners, so either Namecheap can disclose who they are so they can be sued, or Namecheap can be sued (i.e. what's happening now) to be forced to disclose who they are so they can be sued.
One can just ask for them to divulge the names (FB did that); one can refuse to divulge the names (Namecheap did that); and then a judge can force that privacy to be revoked.
Yes, but you sue John Doe 1-45 under https://en.wikipedia.org/wiki/Anticybersquatting_Consumer_Pr... . NameCheap is then forced by the court to notify them. You shouldn't directly sue the service provider, NameCheap in this case. They were right to refuse to unmask the owners without a court order.
It seems to me that as far as domain registration is concerned, Namecheap's subsidiary Whoisguard is technically the domain owner in this case. Of course, they're doing this with the intent to be a proxy, but technically they are the owner and so it seems that it would be appropriate to sue them for the misuse of that domain.
I.e. "We found that Namecheap’s proxy service, Whoisguard, registered or used 45 domain names" - it's not that 45 John Does have registered these domains and we want their identities, we know who is the official owner of these domains is - it's Whoisguard; and it's up to Whoisguard to either accept full responsibility for the [mis]use of these domains or provide some arguments why someone else should be held responsible instead.
If "internet standard process" is that they should do something else other then sue Namecheap - well, that works as far as that other thing works faster/better/cheaper than suing Namecheap directly. If it does not, then the legal process is that they can sue Namecheap if it feels more effective.
In essence what seems to be happening here is testing in a court whether the current practice of domain "privacy proxies" can be done without the proxy accepting any liability for the domains they're shielding. Such services were implemented in the notion that they don't intend to accept any liability, but as far as I know it has not yet been tested in courts whether they can get away with it.
It's worth noting that in many other similar aspects (e.g. copyright issues for user generated content, etc) the default position was that proxies can be held liable as accomplices, and that changed only when specific laws were passed saying that such proxies are immune from liability if certain conditions are met (e.g. common carrier, dmca, etc, etc). So, depending on how the courts rule, it's plausible that we might get precedent that domain privacy proxies do have to bear some liability if they happend to protect the anonymity of criminals, which would de facto mean that those proxies won't exist, that all such services would shut down.
You miss the point entirely: FB cannot do anything without suing, even if they had their names and addresses. These things are solved either via ICANN procedures or through federal courts. In both cases, NameCheap would be forced to notify owners or divulge their info.
Facebook is free to register as many domains as may please it, paying the fee for each. Those registrations are for exact strings. They do not include any strings visually or phonetically or typographically similar to the registered string. Registering facebook.com does not automatically confer the rights to facebook-cdn.com, or facebook-images.com, or any other nearby string. The remedy for potential phishing domain names is to either register all those text-adjacent names first (unlikely), or to install measures on the registered domains that make it harder for phishers to fool the users, and limit the possible damage when those ruses succeed.
You can't break the whole DNS system to protect one company. Do your own danged phishing defense instead of trying to turf it off onto others as an externality.
>Facebook is free to register as many domains as may please it, paying the fee for each. Those registrations are for exact strings. They do not include any strings visually or phonetically or typographically similar to the registered string.
You seem to be conflating domain name registrations with trademarks. Having the "facebook" trademark does indeed give you rights over similar names (eg. facebook-ads.com), if they're determined by a judge to cause consumer confusion.
Trademarks are restricted to a specific type of business. Any of those sites could operate as anything other than software or computer services, which are the likely trademark classes for Facebook. (I didn't look up their mark.)
If one of those similar names puts up a website mimicking Facebook's sites, Facebook can then sue the operators as an unnamed party, and ask the court to order the registrar to reveal the unnamed party's identity, by convincing the judge that it's the only way to reasonably serve the defendants with the complaint.
They cannot preemptively unmask the domain owner with trademark--not until after the trademark infringement occurs.
Facebook is skipping steps, and somehow requiring registrars to determine or presume the intent for the use of a domain while registering the name. That's not how DNS works. It associates names with numbers, so that the Internet can be made out of words. Making the registrar the defendant is abusing the system, and if the court allows it, we all might as well sue Facebook for anything and everything that any of its users do to us on its platform, arguing that they should have known what evils those people would do back when they created their accounts.
Also, "conflating" is not the correct word for the intent I presumed for your sentence. I am dissociating DNS registration from trademarks. This is valid, as DNS is run by ICANN, not the USPTO, or by any other international trademark registration agency. If ICANN chose, it could create top-level domains that correspond to international trademark categories, and automatically tie registered trademarks to those TLDs. It has not. So for now, there is no implicit connection between DNS and trademark. If I register something like coke.etc, and then put up an informational website about carbon fuel, Coca-Cola can't do anything to that domain on the basis of trademark. I have to infringe first.
ICANN has an established process for handling these types of disputes, and Facebook should avail themsleves of that process. https://www.icann.org/resources/pages/help/dndr/udrp-en
(It isn't clear if Facebook is seeking a financial judgement or just a court order to delete or transfer the domains to Facebook?)