[Infowarrior] - The strange Secret Service/GoDaddy assault on JotForm (updated)
Richard Forno
rforno at infowarrior.org
Fri Feb 17 07:06:00 CST 2012
Takedowns run amok? The strange Secret Service/GoDaddy assault on JotForm (updated)
By Nate Anderson | Published about 14 hours ago
http://arstechnica.com/tech-policy/news/2012/02/secret-service-asks-for-shutdown-of-legit-website-over-user-content-godaddy-complies.ars
Popular site JotForm doesn't host music or movies or child pornography, all of which have led US Immigration and Customs Enforcement (ICE) to seize other Internet domain names without advance warning (sometimes making serious mistakes). JotForm also doesn't create content itself. Instead, it helps customers create online forms that can then be embedded in their websites for easy data collection.
But that didn't spare the site from having its entire business shuttered without warning yesterday as the site's domain name was shut down at the request of the US Secret Service. JotForm's domain name registrar, GoDaddy, redirected the site's nameservers to NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM—and with that, JotForm.com became unreachable and the site's two million user-created forms all broke.
And it all may have been done without a court order.
When he saw his site was down, JotForm cofounder Aytekin Tank scrambled. He checked in with GoDaddy, which told him that the site had been suspended as part of an ongoing investigation.
GoDaddy has long supported authorities who have concerns about the websites and domains it hosts. In Congressional testimony last year, the company's general counsel Christine Jones noted that "Our staff routinely works with courts and law enforcement from the local to international level to shut down domain names and websites through which infringers and counterfeiters operate. Any time we are notified by a court or a federal or state prosecutor that there is criminally infringing material on our systems, we work rapidly to disable access to that material."
Note the two criteria: a court order or a notification from a prosecutor. That latter category amounts to an unproven allegation—and it's what Tank believes derailed him here. "No, as far as I know, there is no judge order," he told me. "They sent a request to GoDaddy and GoDaddy complied."
But GoDaddy won't say publicly whether the takedown was voluntary or compulsory. When I asked, the company's Director of Network Abuse, Ben Butler, told me that his office complies with "orders from courts, as well as confirmed official requests from law enforcement agencies," but he wouldn't get into specifics in this case.
"We can tell you in general terms, at the specific request of law enforcement, Go Daddy sometimes takes action to prevent further harm being caused by a website hosted on our servers," he added. "This would include things like sites engaged in phishing, malware installation, securities fraud, and so on."
Butler's office acted on whatever request was received and shut down the site's domain, but he did pass the requesting agent's contact info along to JotForm so that the company could work to resolve the issue. According to a copy of an e-mail seen by Ars Technica, GoDaddy told JotForm that "the domain name was suspended as part of an ongoing law enforcement investigation" and that Tank should contact a special agent at the US Secret Service.
Tank, desperate to find out what had happened, called her.
"The agent told me she is busy and she asked for my phone number, and told me they will get back to me within this week," he wrote in an explanation post on Hacker News. "I told them we are a Web service with hundreds of thousands of users, so this is a matter of urgency, and we are ready to cooperate fully. I was ready to shutdown any form they request and provide any information we have about the user. Unfortunately, she told me she needs to look at the case which she can do in a few days. I called her many times again to check about the case, but she seems to be getting irritated with me."
A Secret Service spokesperson had no public comment when reached by Ars Technica, but he promised to look into the episode. No further information was available by publication time.
JotForm in action
Caught by a phish-hook?
Though unsure of what the case was even about, Tank suspected a phishing form—something that JotForm has dealt with for quite some time. The company says it runs a Bayesian phishing filter to identity and block accounts being used to harvest various kinds of user information, and that it suspended 65,000 such accounts last year alone.
Such phishing attacks have been ongoing in recent weeks. Perusing the JotForm support forums turns up comments such as this one from the RSA Anti-Fraud Command Center. RSA says that it has "been appointed to assist [South Africa's] Standard Bank in preventing or terminating online activity that targets, or may target Standard Bank’s clients as potential fraud victims" and that "it appears the form service you provide is being used in a phishing attack."
The shutdown of his entire domain, without notice, for something a user had done even after protections were in place against it, seemed hugely unfair to Tank; he made his public case in terms that would also apply to other user-generated sites like YouTube. "We have 2 millions user generated forms," he wrote. "It is not possible for us to manually review all forms. This can happen to any Web site that allows user-generated content."
The first priority for JotForm was restoring some kind of access. Tank decided to migrate everything to jotform.net and make that site live instead. This wouldn't fix anything automatically—existing Javascript that pointed to jotform.com would continue to fail—but site operators who needed the forms could manually tweak their embedding code to point to jotform.net instead. For customers with hundreds of forms, this could take a while.
"When they have suspended jotform.com, and told us that it might take a few days to even take a look into the case, we had to do something to keep our users' forms alive," Tank told me.
"We have 700,000 users and 2,000,000 user-generated forms on our site. So, we had to make jotform.net live and email our users so that their forms will keep working. They have not provided any information about the content they would like us to disable, and we cannot keep 2,000,000 forms down for a few days. They don't seem to care about our concerns or about our customers."
The government also didn't seem to care that a new site with the exact same content was also live on the Internet under a different name; jotform.net remains active.
As for the impact on JotForm's business, Tank doesn't yet know what it will be. "Many users were unhappy and lost trust in us," he added. "We might lose many of our customers. It is hard to say at this point."
Customers blasted the site. "Jotform sucks. Always some sort of problem. I will never again use or recommend Jotform. Already cancelled my subscription and will tell my friend to do so as well," one wrote.
"We are a multimillion dollar Canadian company that has used jotform the last year for customer inquires," said another. "They have been very reliable. However because of what has happened now we will have to implement an internally hosted solution to guarantee this will not happen again and ensure we will not loose [sic] our data. I will now have to question purchasing any more services from US internet related providers."
Numerous commenters blamed the company for using GoDaddy as a registrar. "This is what you get for finically [sic] supporting a domain registrar which has a history of extrajudicial and unjustifiable actions like this," wrote another. "Idiots."
JotForm today moved its domains away from GoDaddy to registrars NameCheap and Hover. Tank still doesn't know why his domain was suspended or when it might be returned; however, a WHOIS search this afternoon revealed that GoDaddy has at last removed the domain from its penalty box.
Not that anyone bothered to tell him this.
"Yes, the site seems to be back now. This made us very happy!" he wrote me by e-mail. "We have been working for the last two days to restore our service for our customers. They have not provided any details. I just found it out from you. Thank you for the great news!"
Update: Secret Service spokesman Brian Leary has confirmed to Ars that, after further investigation, his agency is indeed involved in the JotForm case. The Secret Service has also launched an internal review to "make sure all our policies and procedures were followed" in the matter, he added. He could not comment on any other issues surrounding the case, including whether a court order had been obtained.
---
Just because i'm near the punchbowl doesn't mean I'm also drinking from it.
More information about the Infowarrior
mailing list