Sitefinder: The Biggest Internet Crisis You May Never Have Heard Of

Last week, VeriSign, the people who run the .com registry (the big data file that has all the .com registration data in it), unilaterally decided to change the way the most-traveled portion of the Internet works for most people. Until then, if you typed in a .com domain name that didn't exist, you would get an error message. Unless, of course, you were an MSN or AOL subscriber, in which case you would get a custom web page they each designed, and which included some ads from folks who thought that they might profit from common misspellings.

Well, VeriSign saw a profit opportunity, and it decided to eat AOL's and MSN's and everyone else's lunch by introducing its “Sitefinder” service. In the new .com, every browser typo, every attempt to load up (the technical term is “resolve”) a domain that didn't actually exist, leads you to special pages designed and owned by VeriSign…and on which we are all invited to buy tailored advertising. [Sitefinder, incidentally, has the most unintentionally hilarious terms of service I have ever seen : a web page you go to by accident, and only because VeriSign made you, links to the adhesive assertion that “By using the service(s) provided by VeriSign under these Terms of Use, you acknowledge that you have read and agree to be bound by all terms and conditions here in and documents incorporated by reference.” But I digress.]

Naturally, MSN and AOL are unhappy. But the technical community is furious. The web is not the whole Internet, and there are many other Internet tools that rely on getting the standard error message when a domain does not resolve properly. VeriSign's change threatened to break all those applications. [There are a lot of ccTLDs (national top-level domains like .ph) and one gTLD (.museum) that already do the same thing. But they are almost all very low volume, and their users were—in the main—forewarned before they registered their domains.]

The technical community responded by coding up changes to BIND, the dominant software for translating domain names into the Internet Protocol numbers that actually do the real work of identifying where the content you want is to be found, and telling the computer that has it how to find you. These changes essentially overtrump the VeriSign change. But fixes like this take time to deploy and propagate. It would be much tidier if VeriSign could be persuaded to put the cat back in the bag.

Meanwhile, the more formal part of the technical community also swung into action. The relevant Internet standards are defined by the Internet Engineering Task Force (IETF). The closest thing the IETF has to a governing body is a committee called the Internet Architecture Board (IAB). The IAB quickly issued a very careful and useful report. In effect, the IAB said that the relevant standards (called “RFCs”) are vague at the critical points, so thatwhat VeriSign did was not in technical violation of them. It's just in very, very bad taste. (Ironically, the IAB is chaired by a VeriSign employee who quite properly recused herself from the issue.)

Unlike most of the Internet, the domain name system has a global regulator. That job falls to the Internet Corporation for Assigned Names and Numbers (ICANN), the body chosen for that role by the U.S. Department of Commerce (for a long, technical description and critique of the relationship, see my Wrong Turn in Cyberspace: Using ICANN to Route Around the APA & the Constitution and Jonathan Weinberg's ICANN and the Problem of Legitimacy). Many people have thus looked to ICANN to force VeriSign to undo its change. Others bemoaned the fact that whatever ICANN was doing, its new streamlined processes meant that the public was cut out of its deliberations. An eloquent example of this is Michael Geist's lament that Regardless of the eventual outcome, Internet users will look back on the day that Internet governance mattered and remember that they didn't.

So far, however, ICANN, hasn't done much. It issued a preliminary statement, which prompted a very unenlightening reply from VeriSign .

Now ICANN's Security and Stability Committee has announced that it plans a meeting in Washington on October 7 to get input. That probably takes the pressure off ICANN to act immediately.

My sense is that is just as well for two reasons. The first is ably explored by Jonathan Weinberg at ICANNWatch. It turns out that under the trilateral (ICANN-VeriSign-US government) contractual regime negotiated by the US Government, ICANN probably lacks the authority to make VeriSign retreat.

There's a second reason. ICANN isn't democratic or accountable. In fact, we're in this pickle partly because of ICANN's own mistakes. The .com domain retains its importance and dominance for many reasons, but one of them is ICANN's total failure to permit much in the way of meaningful competition for it, something that is and would have been entirely in ICANN's power. It would be ironic and unfortunate to reward ICANN for its past failings by giving it new powers.

Some people will say that ICANN's impotence in the face of a serious technical hiccup is a problem. I think the signs are that the technical community is doing a fine job of working this one out in (excuse the ICANN-speak) a spontaneous, bottom-up, consensus-based manner that is technically sound and will contribute to the stability and security of the Internet.

Or, in other words, if you never heard about this crisis, odds are you may never need to.

Even a technical solution, however, doesn't mean that the lawyers will stay away from this one. Already two lawsuits have been filed against VeriSign, one by GoDaddy and the other by Popular Enterprises . Those suits may be nothing, however, compared to a looming patent infringement claim against VeriSign, as it appears that Sitefinder may infringe U.S. Pat. No. 6,332,158.

This entry was posted in Internet, Law: Internet Law. Bookmark the permalink.

3 Responses to Sitefinder: The Biggest Internet Crisis You May Never Have Heard Of

  1. Pingback: Sidelights

  2. Pingback: DFMoore: Your Daily Dose of Pizzazz!

  3. Jon Weinberg says:

    I’m not as confident about the ability of the old mechanisms to work this sort of thing out, given the breakdown of the social contract incorporated into the old Internet way, I’m unsure whether IAB/IETF and technical “routing around” can meaningfully constrain Verisign. One of the reasons ICANN (or something like it) seemed like a good idea in 1997-ish was the idea that with NSF stepping out of the picture, there needed to be some entity to ride herd on rapacious-monopolist-NSI; ICANN was supposed to do that job. But the outcome of the three-way battle between ICANN, NSI, and the activist community, often featuring an alliance of convenience between NSI and the activist community that got suspended temporarily when the activists remembered that they’d been hating NSI for even longer than they’d been hating ICANN, ended up giving us the worst of all worlds: an ICANN that’s simultaneously powerful and corrupt enough to do all the things that we don’t want, but too weak to stop Verisign from doing anything it wants.


Comments are closed.