Not many of us actually read all the legal agreements we enter into and this problem has gotten far worse in the era of the Internet. We all agree to licenses and contracts that we don’t take seriously.
Fyodor Vaskovich found out the hard way that some terms of service are so arbitrary and capricious that they mean whatever the vendor wants them to mean. Vaskovich operates seclists.org, a mailing list archive site for most of the really important security mailing lists. This means that if someone posts content to those lists, he stores it on that site.
As Vaskovich explains in this e-mail, the day before Christmas he got a voice mail from GoDaddy saying that they were suspending his domain seclists.org. One minute later he received an e-mail from them that the domain “has been suspended for violation of the GoDaddy.com Abuse Policy.”
Normally, GoDaddy doesn’t respond to inquiries about why they have suspended a domain for a business day or two, but he was able to prod them into revealing that they had shut down the domain because MySpace had asked them to. A list of 34,000 MySpace user names and passwords was posted to the very popular Full-Disclosure list and therefore archived by seclists.org. Instead of contacting Vaskovich, MySpace approached GoDaddy and had them shut off his domain.
Before I get to GoDaddy’s behavior, I must wonder what MySpace’s goal is here. The list of usernames and passwords went out on a mailing list and thousands of outsiders have it already, irrespective of whether the archived version is available. The cat’s out of the bag and MySpace, at a minimum, must void the passwords and force those users to reset theirs. What is accomplished by taking the list down? They only reinforce the reasonable conclusion that they don’t know what they are doing. And why not go through the site admin? As Vaskovich said himself: “I would cancel my [MySpace] account if I was pathetic enough to have one.”
So what’s GoDaddy’s excuse? I can imagine that posting usernames and passwords is reasonable grounds for taking action, but what exactly does their policy say? GoDaddy’s Legal Agreements page has a lengthy list of policies, including their “Universal Terms of Service”. Let’s review some excerpts:
“Go Daddy reserves the right to terminate Services if Your usage of the Services results in, or is the subject of, legal action or threatened legal action, against Go Daddy or any of its affiliates or partners, without consideration for whether such legal action or threatened legal action is eventually determined to be with or without merit.”
OK, that’s pretty clear. All someone (MySpace for example) has to do is threaten GoDaddy and GoDaddy has the right to cancel your service. But the next paragraph is the one that really caught my eye:
“Except as set forth below, Go Daddy may also cancel Your use of the Services, after thirty (30) days, if You are using the Services, as determined by Go Daddy in its sole discretion, in association with spam or morally objectionable activities. Morally objectionable activities will include, but not be limited to: activities designed to defame, embarrass, harm, abuse, threaten, slander or harass third parties; activities prohibited by the laws of the United States and/or foreign territories in which You conduct business; activities designed to encourage unlawful behavior by others, such as hate crimes, terrorism and child pornography; activities that are tortuous, vulgar, obscene, invasive of the privacy of a third party, racially, ethnically, or otherwise objectionable; … [emphasis mine]”
Vulgar? Obscene? Embarrassing? Talk about ThePotCallingTheKettleBlack.com! (Predictably, that name is parked and owned by a domain broker.) GoDaddy practically invented vulgarity. Their Super Bowl ads, worthy of a class of 14-year-old boys for their creativity, embarrass the NFL, not to mention most decent people who watch them. I enjoy a good dirty joke as much as anyone, but GoDaddy’s softcore attempts at humor just fail.
GoDaddy also claimed to Wired that they gave Vaskovich “close to an hour” to respond to them, but Vaskovich posted the voice mail and e-mail showing that this claim was false. It’s a “he said-GoDaddy said” thing, but I believe Vaskovich. Even if they had provided an hour, so what? They didn’t provide a phone number, just a generic e-mail address (firstname.lastname@example.org) and they don’t claim to respond to it promptly.
GoDaddy CEO Bob Parsons has a popular blog in which he doesn’t hesitate to criticize others. He’s been conspicuously silent about the outrage over his company’s actions. I can’t imagine that many people have respect for GoDaddy they are likely to lose as a result of this and security experts are a small market, so maybe Parsons doesn’t care. But we’re still looking for a credible response.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.