A look into Verisign's Anti-Competitive Past
Last Update: Tuesday, September 16 2003
Please notify me of any corrections or suggested additions
Jonathan A. Zdziarski
jonathan@nuclearelephant.com
Verisign has always been an intriguing topic when sitting at a restaurant with
fellow geek friends. Until recently, their marketing attempts have seemed
nothing more than foolish, shameless attempts to maintain market share.
Over the past few years, however, Verisign appears to have become far more
aggressive to the point where many believe they have taken on an Anti-Competitive business practice similar to Microsoft. This article will take a glimpse
into Verisign's recent history of Anti-Competitive moves.
It is my belief that the top-level domain servers (GTLD.ROOT-SERVERS.NET)
belong to the Internet community as a whole, and not any single commercial entity. If the community-owned root servers are going to provide service to these
top-level domain servers, they must be forced to play by the community's rules.
The only way to put an end to any future violations is to remove the
monopoly by restoring this system to a noncommercial organization. I will get
into this a bit later.
Sadly, with the blessings the US Government bestowed upon Network Solutions prior to
Verisign's purchase of them, Verisign seems to have evaded any serious
consequences to their actions.
A brief education and history of root servers
A brief tutorial in DNS
Domain Name Service, or DNS for short, is one of the most critical services
on the Internet and is responsible for resolving the information you type
into your browser. Think of web browsing as exchanging written letters of
correspondence. The first step in viewing a web page is to write a letter
saying "I would like to see xyz.com's web page". Whenever you write a letter,
as you know, you must provide an address to where the letter is going. If
you want to see xyz.com's web page, you must write a letter to xyz.com asking
to see it. Typing the name "xyz.com" into your web browser is the equivalent
of writing "Bob Smith" on your envelope. You know who it is you want the letter
to go to, but because "Bob Smith" isn't enough information for the post office
to deliver the message, you must provide an address. This is where DNS comes
in. DNS is the "Yellow Pages" in our example. You hand your letter,
made out to 'Bob Smith' to your secretary (your Internet provider). Your
secretary then looks up "Bob Smith" in the yellow pages and finds his
permanent address. She then writes the full address on your letter, affixes
a stamp, and mails it off. When xyz.com receives your request for their
web page, they will send it back in another letter addressed to the return
address on your original letter.
Verisign runs some of the Internet's "root domain servers". These
servers, in our example, are the phone company that publishes the yellow
pages. Whenever somebody moves into a new home (website - simplistically),
they call the phone company. The phone company is responsible for publishing
their address in the yellow pages so that anyone who wants to send them a
letter can find them. Obviously being the phone company comes with a lot
of responsibility. What if a smaller phone company has customers that they
need to put into Verisign's yellow pages? What if the bigger phone company
wants to gobble up all the little phone companies by refusing to publish some
information, or perhaps call up all of the little phone companies' customers and
tell them they need to pay them instead? There is much room for abuse here.
Root Servers are a public service
There are a significant
number of "Phone Companies" and they are all equal (or at least should be).
Where our illustration differs from real life is that
the "Yellow Pages" of
the Internet started out as a government-run organization to provide a public
service. When the government contract expired, this once public service slowly
migrated into a commercial service where one company has total control over
the entire Yellow Pages of the most common top-level domains (.com, .net, and others)
and has become "The Big Phone Company"
when they should be on the same level as everyone else. This is where our article begins.
We'll now discuss some of the ways the big phone company has played unfair in
the recent past and how to remedy the situation by making the phone book
a non-commercial project again.
Example 1: Anti-Competitive Waiting List Service
In 2001, Verisign launched a 'Waiting List' service enabling people to
register an already-registered domain the minute it expires.
BuyDomains.com issued a statement that began to expose several issues around this new service.
On the
surface, this seems just as innocent as those telephone services that offer to
redial a busy number. When we look a little deeper, however, we see that this
service had been designed to hinder competition, rather than promote it.
Verisign's version of this service appears to hinge on the misuse of their
monopoly in the domain registration market - a monopoly they didn't even build
themselves, but purchased when it was a non-commercialized sector of a
government contract. As we discussed, Verisign owns Network Solutions,
a company that was originally commissioned by the US government to provide the root-servers and all top-level domain services
critical to domain name resolution.
Verisign has complete control over what domains can be
registered as a result.
The problem where Anti-Competitive business practice emerges for their
waiting list product is in domain
expiration. Prior to the launch of Verisign's waiting list product, a domain
that expired could be quickly re-registered by a different party. With the
introduction of this waiting list service, however, Verisign has decided to lock
domain names for 30, 60, or sometimes 90 days after their date of expiration,
snuffing companies like BuyDomains, BulkRegister, and Netster, whose business
in part relies on registering expired domains. Sometimes I don't believe
Verisign has any intention of releasing them. I contacted them once about a
domain I would've liked to register that had expired. They informed me on
several occasions that it would be freed up in another two weeks. It was
eventually given to a Waiting List customer. The results of this business
practice are:
- Any other domain registry is blocked from registering that domain name
during this period for one of their customers
- Any customer of Verisign is blocked from registering that domain name
during this period unless they purchase the waiting list service
- Any customer who does not purchase the waiting list service becomes
subordinate to anyone who chooses to purchase the service - even if the
customer who did not purchase the service made their request first.
- Verisign, by blocking the release of the expired domain, ends up with an
unfair advantage not only over other registries, but also over the customer
in that they risk losing the domain name to someone else if they do not pay
for this extra service - a service they would not have needed had it not
existed.
So what has Verisign done here? They've created a service that you normally
would not have needed if it did not exist, and leveraged other customers who
are willing to pay for the service to force you to pay. On top of this,
Verisign has also used this as a method to get multiple people to pay for the
same service (for the same domain name). Rather than give refunds to the
customers who were not first in line, Verisign gives them only the ability to
register a different domain name. This means if ten customers pay the waiting list
fee, nine customers have just paid for a service that:
- Didn't deliver the results they wanted
- Will not refund their money
- Will leave them with a credit they are unlikely to use (after all, what
are the odds they'll find another expired domain they want)
Example 2: Deceptive Cancellation Notices
In 2002, BulkRegister sued Verisign over allegedly "deceptive techniques" in
an attempt to steal their customers. BulkRegister claimed that Verisign had
been mailing notices to their customers, explaining to them that their
domain names were about to expire, giving the option to renew (with Verisign)
for $29. This is the equivalent of receiving a notice from AT&T telling you
that your service is about to be disconnected if you don't pay them - and
you're not an AT&T customer.
Many of the domain names allegedly were not due to expire for several months
and on top of this they were not Verisign's customers to begin with. Many
believe that Verisign used the contact information from the users' domains
to contact them, which could be considered Intellectual Property. The bottom
line is that Verisign was arguably not only acting as an imposter, but, because
it had control over the registry for several TLDs, also gave some the
impression that it was acting as BulkRegister's "big brother" or "parent
company", with the illusion of some type of authority over BulkRegister and
their customers. Regardless
of Verisign's motives, the fact still remains that they outright lied to several
customers by telling them their domain was about to expire.
Example 3: TLD Wildcards and SiteFinder
According to this rant by Jason Garman,
Verisign implemented a new system which redirects any non-existent or
possibly non-responsive domains to Verisign's servers, and apparently did it
with no more than an hour or two notification and no input from the Internet
community. According to Jason's article, several problems have already been
discovered including:
- Many anti-spam tools have broken as a result of nonexistent domains now
appearing to exist
- Passwords and other private information that is accidentally sent to the
wrong URL or a nonresponsive URL will go through Verisign's servers
- SMTP (outgoing mail) is apparently listening on all nonexistent domains
or nonresponsive hosts.
On top of the issues outlined in the rant, Verisign's SMTP server on SiteFinder
is allowing all emails sent to nonexistent (or misspelled) domain names to be
delivered to Verisign, instead of being bounced like they should, creating a
significant privacy issue. Verisign claims that they are not using any of these emails or
data captured from URLs (such as passwords and such) for any specific purpose,
but if that is the case why do they even bother running an SMTP server on
SiteFinder? It makes far more sense to shut it off and let the ISP's mail
system bounce it. This also opens up a can of worms: what would happen if
their SiteFinder were hacked? The hackers would be in control of all
the information collected from emails delivered to nonexistent domains
(or for nameservers that are not responding) as well as passwords and other
information captured in URLs.
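The first problem in the list above, sketched as an added example (not code
from this article or from Jason Garman's rant): a sender-domain check that
trusts any DNS answer passes every misspelled .com name once a TLD wildcard is
in place, and probing random names to learn the wildcard address restores the
"no such domain" result. The resolver is a constructed stub so the code runs
offline; 192.0.2.11 and the domain names are assumptions, not real SiteFinder
data.

```python
import secrets

# Constructed data: 192.0.2.11 (a documentation address) stands in for the
# registry's wildcard target; example.com is the only "registered" name.
WILDCARD_IP = "192.0.2.11"
REGISTERED = {"example.com": {"198.51.100.7"}}


def stub_resolve(name, wildcard=True):
    """Constructed stand-in for an A lookup; an empty set means NXDOMAIN."""
    name = name.lower().rstrip(".")
    if name in REGISTERED:
        return set(REGISTERED[name])
    if wildcard and name.endswith(".com"):
        return {WILDCARD_IP}  # the TLD wildcard answers for everything else
    return set()


def naive_sender_domain_exists(domain, resolve):
    """Pre-wildcard anti-spam check: any answer means the domain exists."""
    return bool(resolve(domain))


def detect_wildcard(tld, resolve, probes=3):
    """Resolve random 32-hex-digit labels that nobody has registered.
    Addresses present in every answer are synthesized by a wildcard."""
    answers = [resolve(f"{secrets.token_hex(16)}.{tld}") for _ in range(probes)]
    return set.intersection(*answers)


def sender_domain_exists(domain, resolve):
    """Wildcard-aware check: drop the addresses the TLD hands out for
    nonexistent names and treat an empty remainder as NXDOMAIN.
    Caveat: a real site hosted on the wildcard address is also dropped."""
    tld = domain.rstrip(".").rsplit(".", 1)[-1]
    return bool(resolve(domain) - detect_wildcard(tld, resolve))


if __name__ == "__main__":
    for d in ("example.com", "exmaple-typo.com"):
        print(d, naive_sender_domain_exists(d, stub_resolve),
              sender_domain_exists(d, stub_resolve))
```

To use it against live DNS, pass a resolve function that returns the set of A
record addresses for a name and an empty set on NXDOMAIN.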
Finally, Netster is suing Verisign over anti-trust violations claiming that
the SiteFinder service is designed to snuff out the cybersquatting market.
After all, Verisign need not register any domain names to squat on them, making
it significantly more expensive for Netster to keep up. If Verisign wants to
get into this market, they should be required to pay the $35/year per-domain
they charge everyone else to register these domains. This raises an interesting
issue of trademark infringement. A bill was recently signed by the US House
making it illegal to cybersquat on domains that sound similar to a trademarked
name. If this law passes, Verisign might be liable for up to $100,000 per
infringement.
Many (myself included) believe that this will turn into a marketing ploy
for Verisign at the cost of more anti-competitive practice. Without seeking
any guidance or blessing from the Internet community (such as NANOG or
even ICANN), Verisign has taken it upon
themselves to make dramatic changes to the environment of the Internet -
changes that affect everyone. ICANN and the IAB finally got around to
denouncing this new service and requested Verisign remove it at once.
Is the SiteFinder service even benefitting anyone but Verisign? Not really. Prior to
the SiteFinder launch, many web browsers had their own built-in mechanisms to
deal with nonexistent domains. Microsoft Internet Explorer popped up a pretty
little search page, while Netscape and Mozilla could be configured to
perform address line searches. Even on browsers that generated an error message, users still got the idea that they had misspelled their domain name and
needed to check it. This was certainly just as useful and didn't provide the
same security risks as the SiteFinder service.
Effective October 4, 2003, Verisign was forced by ICANN to remove the
SiteFinder service. Ironically, a new service enabling users to pay for
privacy was introduced shortly thereafter. It is apparent to many that Verisign,
who is known for their notorious spamming of customers and anti-privacy
friendly services, is trying to create a new market to provide a solution for
a problem that Verisign themselves have played a hand in creating.
It would certainly
behoove the Department of Justice to investigate Verisign for this fraud and
method of extortion that equates to an anti-virus company writing viruses,
or the mob "offering protection" to businesses for a fee.
Solution
So with all this talk of anti-competitive business practices, what's the
solution? The primary goal is to restore the domain registry and servers to
the Internet community so that it is not run by any one commercial organization.
A non-commercial registry created from a consortium of network operations
veterans in the form of a non-profit organization will have the power to
accomplish the following:
- Establish a new set of top-level domain servers to complement the already community-owned root servers
- Publish a new server list for the Internet's root servers, causing Verisign's top-level domain servers to become obsolete
- Provide the legal and financial backing it will take to accomplish this
This certainly isn't an easy feat, but it is very doable. The two main obstacles will
be first moving all domain records for top level domains over to the new domain
servers. Acquiring this information from an uncooperative commercial entity
(whether it be Verisign or some other registry) may be difficult and possibly
require legal action. The second obstacle will be fighting companies who
oppose the non-commercialization of a top-level registry in a court of law,
providing enough legal muscle to convince a judge not to impose an injunction
or heavy financial damages.
Several folks may not agree with me. You might believe it is a good thing that
each TLD be considered intellectual property, but a majority of individuals
I feel would disagree with that ideal. This ideal promotes monopoly at best,
and prevents competition by putting one commercial entity in full control
over how other commercial entities (who have just as much right to use the
top-level domain) do business. Whether you're typing .com, .net, .name,
.biz, or any other such domain into your browser, the entity controlling where
your browser goes and what rules govern the management of these names belongs
to the Internet community as a whole and, for the sake of the Internet, should
be in the hands of a system that is not driven by revenue, but financially
backed by the Internet community collectively. This is the only way to
guarantee true and fair practices for the domain name business. A non-profit
organization could be organized to manage such a feat.
Verisign themselves need (in my opinion) to be investigated for these
actions and brought before a jury. A large, collective class-action suit
from all the major domain registries may be appropriate. Finally, all
the users who have been wronged by Verisign through either their Waiting List
service or deceptive mailings, etc., might want to get together and find some
relief.
Other thoughts include establishing a clear set of registration guidelines
and forcing Verisign to follow them - for example requiring that all expired
domains be immediately released. Implementing fair update and locking
practices that Verisign has to follow themselves might also help make the
playground a bit more fair, rather than Verisign assuming their own precedence
over other registries.
Implementing fair rules and business practices that everyone must follow will
in the end provide a better naming environment for the Internet community,
commercial businesses, and end users.