13 February 2007
By Larry Seltzer
February 12, 2007
Opinion: When a vendor says they can cancel your service because they don't like you, it's time to look elsewhere. Consider the capriciousness and hypocrisy of what GoDaddy did to Fyodor Vaskovich.
Not many of us actually read all the legal agreements we enter into, and this problem has gotten far worse in the era of the Internet. We all agree to licenses and contracts that we don't take seriously.
Fyodor Vaskovich found out the hard way that some terms of service are so arbitrary and capricious that they mean whatever the vendor wants them to mean. Vaskovich operates seclists.org, a mailing list archive site for most of the really important security mailing lists. This means that if someone posts content to those lists, he stores it on that site.
As Vaskovich explains in this e-mail, the day before Christmas he got a voice mail from GoDaddy saying that they were suspending his domain seclists.org. One minute later he received an e-mail from them that the domain "has been suspended for violation of the GoDaddy.com Abuse Policy."
Normally, GoDaddy doesn't respond for a business day or two to inquiries about why they have suspended a domain, but he was able to prod them into revealing that they had shut down the domain because MySpace had asked them to. A list of 34,000 MySpace user names and passwords was posted to the very popular Full-Disclosure list and therefore archived by seclists.org. Instead of contacting Vaskovich, MySpace approached GoDaddy and had them shut off his domain.
Before I get to GoDaddy's behavior, I must wonder what MySpace's goal is here. The list of usernames and passwords went out on a mailing list and thousands of outsiders have it already, irrespective of whether the archived version is available. The cat's out of the bag and MySpace, at a minimum, must void the passwords and force those users to reset theirs. What is accomplished by taking the list down? They only reinforce the reasonable conclusion that they don't know what they are doing. And why not go through the site admin? As Vaskovich said himself: "I would cancel my [MySpace] account if I was pathetic enough to have one."
So what's GoDaddy's excuse? I can imagine that posting usernames and passwords is reasonable grounds for taking action, but what exactly does their policy say? GoDaddy's Legal Agreements page has a lengthy list of policies, including their "Universal Terms of Service". Let's review some excerpts:
Go Daddy reserves the right to terminate Services if Your usage of the Services results in, or is the subject of, legal action or threatened legal action, against Go Daddy or any of its affiliates or partners, without consideration for whether such legal action or threatened legal action is eventually determined to be with or without merit.
OK, that's pretty clear. All someone (MySpace for example) has to do is threaten GoDaddy and GoDaddy has the right to cancel your service. But the next paragraph is the one that really caught my eye:
Except as set forth below, Go Daddy may also cancel Your use of the Services, after thirty (30) days, if You are using the Services, as determined by Go Daddy in its sole discretion, in association with spam or morally objectionable activities. Morally objectionable activities will include, but not be limited to: activities designed to defame, embarrass, harm, abuse, threaten, slander or harass third parties; activities prohibited by the laws of the United States and/or foreign territories in which You conduct business; activities designed to encourage unlawful behavior by others, such as hate crimes, terrorism and child pornography; activities that are tortuous, vulgar, obscene, invasive of the privacy of a third party, racially, ethnically, or otherwise objectionable; ... [emphasis mine]
Vulgar? Obscene? Embarrassing? Talk about ThePotCallingTheKettleBlack.com! (Predictably, that name is parked and owned by a domain broker.) GoDaddy practically invented vulgarity. Their Super Bowl ads, worthy of a class of 14-year-old boys for their creativity, embarrass the NFL, not to mention most decent people who watch them. I enjoy a good dirty joke as much as anyone, but GoDaddy's softcore attempts at humor just fail.
GoDaddy also claimed to Wired that they gave Vaskovich "close to an hour" to respond to them, but Vaskovich posted the voice mail and e-mail showing that this claim was false. It's a "he said-GoDaddy said" thing, but I believe Vaskovich. Even if they had provided an hour, so what? They didn't provide a phone number, just a generic e-mail address (firstname.lastname@example.org) and they don't claim to respond to it promptly.
GoDaddy CEO Bob Parsons has a popular blog in which he doesn't hesitate to criticize others. He's been conspicuously silent about the outrage over his company's actions. I can't imagine that many people have respect for GoDaddy that they are likely to lose as a result of this, and security experts are a small market, so maybe Parsons doesn't care. But we're still looking for a credible response.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
My two cents: It's pretty bad when the Super Bowl commercials are so risque that I have to worry about the questions my 7-year-old son is asking about the girl dancing.