The Shopify Arms Race

35m

This week - Scammers have managed to copy Jordan's entire website and steal her business -- more than once. But how are they doing it? And why is it so hard to fight now? 

If you like this show, please think about becoming a premium member - it will help us keep making it, making it better, and making it weirder.

https://www.hyperfixedpod.com/join

LINKS:

StoreLock

ICANN

What is the GDPR





Transcript


This episode of HyperFixed is brought to you by Quince.

So, there was this educational film in the 80s that starred Mr. T, and it was called Be Somebody or Be Somebody's Fool.

And at one point, he's doing a segment about like dressing properly and taking care of yourself.

And he starts that segment by saying, everybody's got to wear clothes, otherwise they'd be arrested.

And that's what Quince can do for you.

Quince has the kind of fall staples you'll wear non-stop, like super soft, 100% Mongolian cashmere sweaters starting at just $60.

Their denim is durable and fits just right, and their real leather jackets bring that clean classic edge without the elevated price tag.

I happen to own a great flannel shirt that I bought from Quince that I basically wear all fall.

In fact, I am wearing it right now and I will be wearing it again tomorrow because I did not take Mr. T's advice.

I am a scrub.

Keep it classic and cool this fall with long-lasting staples from Quince.

Go to quince.com/hyperfixed for free shipping on your order and 365-day returns.

That's q-u-i-n-c-e.com/hyperfixed.

Free shipping and 365-day returns.

Quince.com/hyperfixed.

Quince, Quince, wear clothes so you don't get arrested.

Hi, I'm Alex Goldman, and this is HyperFixed.

On this show, listeners write in with their problems, big and small, and I solve them.

Or at least I try.

And if I don't, I at least give a good reason why I can't.

But this week, I'm not even going to attempt to solve this problem.

Now, I planned to, and honestly, I was really looking forward to it because this week's problem, it used to be my specialty.

I would eat problems like this for breakfast.

It was the kind of thing where I would just step in and everything would fall into place and there'd be a ticker tape parade for me and I'd be hailed as the problem solver, the problem conqueror.

It was like amazing how easy these problems used to be for me.

But by the time I connected with this week's listener, her problem had already been solved by someone else.

And when I learned how it had been solved and why it had to be solved that way, I was so fascinated both by the mechanics of it and also by what it says about the world we're living in that I decided to tell the story anyway.

So here it is.

This week, the Shopify Arms Race.

All right, so about a month ago, a listener named Jordan posted to the HyperFixed Discord asking about this problem she was having with her company's website.

Hey, Alex, how are you?

I'm good.

How are you?

Good.

Sorry, my office mate is leaving soon, so he'll be quiet.

Jordan used to be a documentary filmmaker, but about three years ago, she decided to start looking for something that felt a little happier, which is how she found herself taking a job at an independent retailer called Brown's Kitchen.

They were looking for someone who knew retail, but also was able to help them start their e-commerce business.

And I had run my own website for a few years.

So I knew enough to build a Shopify template and get an e-commerce website up and running.

Brown's Kitchen is like an independent Williams Sonoma.

They sell cookware, bakeware, cutlery, pretty much everything you need for your kitchen.

But back in 2022, when Jordan first got hired, none of that stuff was available on their website.

They were totally brick and mortar.

So Jordan got in there.

She built Brownskitchen.com into a real e-commerce site.

And over the next three years, the website grew into a legitimate source of revenue for the company.

But then, late last year, something started happening that threatened to undermine all that growth and tank the company's burgeoning e-commerce business.

So this was in November, which was peak Christmas shopping season.

The store is a madhouse.

And we started getting phone calls from people who were saying they ordered something through our website and they either haven't gotten it yet or they got some weird emails afterwards.

So Jordan's like, huh, well, that's weird.

Got to figure out what's happening with these orders.

But when she searched their system, she finds no record that any of these orders were ever placed on the company's website.

So the question becomes, why do so many customers think that they were?

And that's when we discovered that our website is being essentially duplicated by a scammer.

Brown's Kitchen had been the victim of web spoofing, which is exactly what it sounds like.

A scammer will create a copycat website in the hopes of tricking customers into thinking that the site they're on is associated with a legitimate business.

Except in Jordan's case, the scammer made one significant and very strategic change.

They lowered the prices of every item listed for sale.

So say you're looking for an espresso machine.

You'll find it on their website for half the price, and it looks very legitimate.

They have copied our full template.

All of our photos, everything is arranged in the same way with the same colors.

They have our logos on the page.

I mean, it looks identical to our real website.

Not to make this about me, but again, this kind of thing used to be my specialty.

Back when I worked as a tech reporter, my favorite thing in the world was hunting down internet scammers and confronting them directly.

And I was able to do that in large part using this incredibly helpful tool called a WHOIS lookup.

Through the WHOIS lookup, I was able to find personal information for every person who'd ever registered a website, including the names, phone numbers, and addresses of web scammers all over the world.

It wasn't perfect, but more often than not, it worked.

But in 2018, the rules around internet privacy began to change.

And suddenly, all of the personal information I used to be able to get through the WHOIS lookup, it stopped being accessible to the general public.

Now, if you want to get that kind of personal info, you have to get a subpoena for it.

But there are other ways to address this kind of problem, and I was looking forward to using this story as a reason to share those tactics with a HyperFixed audience.

But just as I was starting to do recon on Jordan's spoof site, this happened.

And what is the duplicate website called?

So there have been two.

They both have currently been removed.

Jordan's problem had already been solved.

Or at least the part of it I thought she was going to ask me to solve.

The problem she actually wanted me to solve involved figuring out how this scammer had been able to create these exact replicas of her website.

The answer, which I told her immediately, was that the scammer just scraped code from her website.

More on this later.

Anyway, I was very disappointed.

And like a teenage Alex Goldman at a middle school dance, and I'm speculating here because I never went to a middle school dance, I began to emotionally detach myself from the outcome of this conversation.

But as I was sitting there, my mind floating somewhere above my body, Jordan started talking about how this whole thing got solved.

And my mood changed completely because the solution was so fascinating and so cool and so far beyond my understanding of the internet, I felt like I had to meet the person who pulled it off and ask him how he was able to do it.

Okay, so real quick, the two sites were brought down in different ways.

And the first one was pretty basic.

Jordan told me that she did some research and she learned that step one of these situations is to file a DMCA takedown request.

The thing is, the Digital Millennium Copyright Act only covers copyrighted material.

And we don't own the copyright to the images on our website.

Those images are all provided by the corporate vendor.

So those kept getting denied.

So Jordan's bosses had the clever idea to contact their corporate vendors, think companies like KitchenAid and Mixmaster, and have them file DMCA requests because they also have a vested interest in the success of Brown's Kitchen and the money to do something about it.

They got their corporate lawyers involved who have all the money and power in the world, and they got the first one taken down.

This happened back in December.

And then about three months later, a second spoof site popped up.

And Jordan's like, I can't go through this DMCA rigmarole again.

It took weeks the first time.

Our customers are being victimized.

I need a faster solution.

So on the same day that Jordan posted to the HyperFixed Discord, she also posted about her problem on a subreddit for web development.

And there, she got a reply from a guy who said he'd built an app specifically to combat these web spoofers.

And when she told me about the app, it was unlike anything I'd ever heard of.

It's a temporary workaround.

It doesn't prevent the scammer from copying our website.

But what it does is when they copy our website, it puts up like a pop-up window.

So when you go to the scammer's website, a pop-up window comes up and says, you are on a fake website.

It's impersonating this real website.

And it redirects you to our website.

How is that?

How can you do that on someone else's website?

I don't know.

I have no idea how it works.

But it's a Shopify app.

Okay.

So it's $4.99 a month.

And so far it's working.

Within two days, it discouraged the scammer from using our website and they took it down.

In 15 years of reporting on tech, I have never heard a story about planting a pop-up on someone else's website.

And as far as I knew, it shouldn't even be possible.

Like in order to make any changes on someone else's website, my understanding was that you needed to be able to log into it.

But Jordan had seen this work.

And now all I wanted to do was understand how.

So I asked her to connect me to the guy who created it.

Adam, thank you so much for doing this.

Yeah, no problem.

I had somebody reach out to me and say, hey, I recommended you to the podcast.

And I was like, great, thanks so much.

And was kind of surprised to actually see somebody follow up on that.

So yeah, excited to chat.

This is Adam Weiss.

He lives in Columbus, Ohio.

And for the past 20 years, he's been working as a web developer, building apps and websites for clients all across the country.

And when I asked him about the genesis of this magical app he'd created, one of the first things he told me was that he never actually set out to create it.

StoreLock, which is what it's called, was built out of a need to protect his clients from a new kind of web spoofing that he'd discovered entirely by accident.

It started back in 2022.

Adam was working on an analytics project for one of his clients, another independent e-commerce business powered by Shopify.

And while combing through their analytics, Adam discovered an imposter.

Somebody had copied their entire website and was hosting it on a very similar domain name, something where they just added an S to the domain.

And they were running Facebook ads to direct people from Facebook into this fake site with the intention of stealing people's credit cards.

Now, I've seen plenty of sites like this before, and so has Adam.

And one of the reasons they're so prolific is because the mechanics of traditional web spoofing are ridiculously simple.

As I explained to Jordan, scraping the code from someone's website can be accomplished very easily.

And there's tons of resources online teaching you how to do it and even just giving you the code.

But this site wasn't like those other spoofing sites.

It took me a little bit of time to kind of figure out that they had, you know, not just copied the site, but they were actually sort of mirroring it.

They were using some sort of technology, essentially, that anytime a request came in to their website, they would grab an exact copy of the current site and then sort of replacing any links or any phone numbers on the site in order to trick people into thinking that they were on the original website.

So every time someone visited their site, it would take an exact copy of the existing website.

Yep, well, 100%, right at that moment, too.

So if we were making changes to the website, it was getting updated on that fake site in real time.

Adam told me that in all his years of web development, he'd never seen anything like this.

And until he explained this to me, I'd never even heard of it, which is why I had very confidently and very incorrectly told Jordan her site was being scraped.

And I'm sorry about that, Jordan.

The thing is, even fake websites are required to have real registrations.

And even though you're no longer able to see the name of the person who registered the site, you can still figure out where they registered it.

And you do that using the WHOIS lookup that I mentioned earlier.

So Adam used the WHOIS lookup to figure out where the site was registered.

And then he wrote them a letter saying, Hey, one of your clients, one of your customers is doing something nefarious.

They're perpetrating fraud on your platform.

This, by the way, is exactly how I would have approached it.

And within a couple of days, the registrar removed the site.

But the problem was, it didn't end there.

Over the next six months, another half dozen of these spoof sites popped up, and all of them were exact replicas of this one client site.

Over and over again, Adam found himself turning to the WHOIS lookup, searching for registration information, and then asking the registrars to remove the scam sites.

For months, his life was like web spoof whack-a-mole.

And then, one day in 2023, Adam ran his WHOIS lookup on yet another one of these spoof sites.

And this time, he didn't find anything.

And I know that for a large swath of our audience, that probably doesn't sound like a big deal at all.

But this scenario that Adam found himself facing where the WHOIS record had no registration information, it's not supposed to be possible.

Because now that we can't access personal information through a WHOIS lookup, registrars provide one of our only avenues for recourse on the internet.

In fact, as far as I know, policing this kind of fraud is actually one of the registrar's only jobs.

And if a site has no registration information, then there's no one with the authority to take it down.

You could talk to the website's host, meaning the place where the site's files actually live, but they're generally even less responsive than registrars.

And for small to medium-sized businesses like Brown's Kitchen and like most of Adam's clients, leaving up your spoof site just isn't an option.

It's like sitting in a shark tank while actively bleeding.

Adam tried everything he could think of to get this site removed.

At one point, he even contacted Facebook to see if they could help, since most of the spoof site's traffic had been driven by Facebook ads.

And Facebook, they didn't really seem to care.

You know, this was another business to them.

They were earning money on ads, and they kind of left it at that.

They said, well, you know, there's not really a lot that we can do.

You know, it's not our problem.

So without a formal pathway to removing this website, Adam started looking for ways to neutralize its impact.

And that's when he had the idea that would eventually lead him to develop StoreLock.

Adam knew that the spoof site was mirroring instantaneously.

And he had this theory that it wasn't just the superficial changes that were being mirrored.

So he started thinking, if the scammers are copying our website whole cloth, maybe we can stitch in a piece of code that exposes their deception.

Well, what if we put in some tiny bit of script that would allow us to say, is it one of these domains that you're allowed to be on?

If not, then just redirect them right away.

So, Adam ran a test.

He wrote out a short script that asks a single question.

Am I on the website I was designed for?

And the next time the spoof site mirrored the real site, Adam's script sprang into action and said, Wait a minute, I'm in the wrong place.

I should let everybody know.

And the way it did that was via a pop-up on the spoof site.

That was the birth of Adam's StoreLock app.

And in the years since then, he's continued to refine and build upon that original idea.

The StoreLock team is small.

It's really just two people at this point.

And they've spent no money on marketing this product, in part because they realize it's the kind of thing you don't really know you need until you really need it.

So for now, they've been hanging out in the subreddits and on Shopify forums, watching out for people like Jordan who find their web shops facing attacks they don't know how to handle.

We don't have a ton of customers yet, but we've seen that this is a big enough problem that there's enough market for us to go after and continue building this.

But for every move Adam makes to protect his customers, he knows the scammers aren't far behind.

They'll always be searching for a way to circumvent his defenses, and he'll always be searching for ways to block their circumventions.

And maybe this is all that any of us can do.

Maybe this Shopify arms race is the best that any of us should hope for.

But honestly, I find that very hard to accept.

And so does Adam.

Because we still remember the days when you could actually stop a scam at its source, when a reporter like me, or a web developer like Adam, or literally anyone else in the world, could use the WHOIS lookup and find exactly who is perpetrating this attack on Jordan's site.

And we still don't really understand why we abandoned that system.

And if what Adam's saying is right, and we can't rely on registrars to act as enforcers on the internet, I would really love for someone to tell me who exactly is supposed to be in charge.

After the break, we get an answer to that question.

And the answer kind of sucks.

This episode of HyperFixed is brought to you by ExpressVPN.

Going online without ExpressVPN is like not closing the door when you use the bathroom.

Which, to be fair, my seven-year-old does all the time.

But even if you think you have nothing to hide, why give random creeps a chance to invade your privacy?

That's what ExpressVPN is for.

Because all of your traffic flows through their servers, internet service providers, including mobile network providers, know every single website you visit.

And in the US, ISPs are legally allowed to sell that information to advertisers.

ExpressVPN reroutes 100% of your traffic through secure, encrypted servers, so ISPs can't see your browser history.

And if you're at a coffee shop, engaging in international espionage, or just trying to watch some sports that aren't broadcast in the US, ExpressVPN has you covered.

It works on all devices, phones, laptops, tablets, and more, so you can stay secure on the go.

And it was rated number one by top tech reviewers like CNET and The Verge.

I've never been rated number one at anything ever.

Whenever I'm on public Wi-Fi, I always make sure to fire up a VPN to make sure that all my data is safe.

And you can too with ExpressVPN.

Protect your online privacy today by visiting expressvpn.com/hyperfixed.

That's e-x-p-r-e-s-s-vpn.com/hyperfixed to find out how you can get up to four extra months free.

Expressvpn.com/hyperfixed.

Protect your privacy and close your damn bathroom door.


Welcome back to the show.

So, before the break, I learned more about the state of internet scams than I have in probably the previous two years.

I learned that scammers can spoof a website in real time, and that one way to deal with this is to essentially build a Trojan horse into the code of your website that outwits scammers by making their own site tell you that they're scammers.

And that ever since the WHOIS lookup redacted the personal information from its public database, we are often left at the mercy of registrars who aren't necessarily going to do that much to help you out.

But I still walked away from that conversation with some questions of my own.

The first of which was, why do we no longer have access to that personal identification information?

So I reached out to the people responsible for managing the WHOIS database.

So just to start, could you tell me your name and what you do?

Okay, so my name is John Crain, as spelled here on Zoom.

I am the Senior Vice President and Chief Technology Officer for something called the Internet Corporation for Assigned Names and Numbers.

The Internet Corporation of Assigned Names and Numbers is a mouthful.

So we will call it what everybody else calls it, which is ICANN.

ICANN is a nonprofit organization.

It is based in Southern California.

And among other things, they oversee the global domain system for the entirety of the Internet.

What they do is incredibly technical, but the short version is if your computer is trying to get to a certain domain, like .baseball or .cancerresearch, and yeah, both of those are real top-level domains, ICANN keeps a global list of these destinations and it helps route traffic to that domain.

But yeah, it's incredibly technical.

I was getting corrected by John left and right.

So you're like an address book for every website in the world?

No.

We are not.

Okay.

We are, if you like, the library index card of where you go to find that information.

We do not hold all the information.

We are the starting point of the path to go and find that information.

John has been with ICANN since the very beginning, like the late 90s.

And in the office of the CTO, one of his responsibilities is studying and advising on special policy issues all over the world.

So I started talking to him about this kind of fraud we've been discussing in this episode, where people are building websites to impersonate other legitimate websites.

I told him that they are doing it for the purposes of stealing credit card information.

And I told him about how much harder it is to handle these situations now that registrars are the only outlet for remediation.

And then I asked him, why did ICANN decide to redact this personal information from the WHOIS lookup?

And John was like, we didn't.

It's not that ICANN or some like developed a policy that said we will no longer share private data, which is what we call PII, personally identifiable information.

It's that the laws changed.

And the reason the laws changed is an event you may remember.

So back in 2013, an NSA intelligence contractor named Edward Snowden walked out of his office carrying a thumb drive that was loaded to the gills with top secret government files.

He got on a plane, flew to Hong Kong, and then he sent the files off to WikiLeaks.

And when WikiLeaks started publishing Snowden's secret files, the internet lost its mind.

The most startling revelations contained in those documents were about just how big the U.S. surveillance apparatus had become.

It was through these leaks that we learned that US intelligence agencies could access servers at most of the major tech companies.

They were harvesting millions of cell phone records a day.

They were mapping locations based on cell phone information.

They were even collecting AOL Instant Messenger contacts.

And as the conversation about the way the government was watching us ramped up, I mean, these days, now that we've been completely captured by the global panopticon, now that we've got AI facial recognition and half a dozen cameras on every car, this all seems pretty quaint.

But at the time, it freaked everybody out.

And then something happened in the legal sphere.

Okay.

People started caring about privacy.

And not just in the sense that they didn't want the government hijacking their webcams and looking at their naked butts, which is what I say when I'm explaining this to my kids.

People were also concerned about the fact that websites were tracking them around the internet in order to sell their data to advertisers and to credit agencies.

And in the heat of that terrifying moment, governments all over the world started passing reactionary laws to protect people's data, the most famous of which were Europe's general data protection regulations in 2018.

The GDPR basically said, if you're doing business in Europe or with Europeans, you cannot share their, or even store in some cases, their data without express permission.

And because it is a world wide web and Europe is a powerful and populous continent, the impact of this change was felt all over the globe.

If you've ever encountered a pop-up asking, would you like to allow cookies on this website?

You have the GDPR to thank for that.

But laws governing the Internet, especially when they're reactionary, and especially when they're written by people who don't know a lot about the Internet, tend to have some unintended consequences.

And in the case of the GDPR, one of those unintended consequences was the nerfing of the WHOIS lookup.

Things like WHOIS had to be less open, specifically with what we call personally identifiable data.

That's things like your name, your address, or combinations of pieces of data that put together could identify you as an individual.

Right.

And it was done to protect the citizenry.

It was done with completely good intent.

And there are some side effects that I think weren't foreseen.

What were the side effects that weren't foreseen?

That people tackling badness could not necessarily get access to data that they could before.

Apparently, in the earliest days of the GDPR, it was unclear if even law enforcement would still be entitled to this data.

Today, they're still only able to get their hands on some of it.

But not all of the badness is being fought by law enforcement, right?

A lot of the counter-crime activity that happens online is actually by private organizations, like businesses, for example, that do this for their clients.

You know, if you're a business taking down fraudulent websites, in the past, you could go and find out who that person was and you could send them a subpoena or you could send them a cease and desist.

You can't really do that as easily now.

Now you have to send it to the registrar.

So because of this law that protects my privacy when I make a website, but also protects the privacy of a scammer if they do the same, the WHOIS record is off the table.

In the past, when I was able to locate tech support scammers by name to an office in Punjabi Bagh, New Delhi, based on a WHOIS lookup, these days, the best I can do is get a site taken down.

And that is, at its very best, just a band-aid, because it is incredibly easy for a scammer to just switch registrars and run the whole scam again.

So there's hundreds of registrars, and like some registrars are more responsive than others in terms of like actually policing this kind of content.

So, like, what is it, what option does a person have if the registrar is not policing it?

So, let's talk about a domain name that is used for something called phishing.

Now, I think everybody's at least been attempted to be phished at some point, where they send you a link either on your phone.

Technically, we call that smishing because it's SMS phishing.

And there's a link, and you click on it, and you really shouldn't have, and bad things happen.

That name in the lure, if you like, the thing that takes you, is being used in a smish.

Now, recently, like in the last year, we changed our contracts working with the registries and the registrars.

That contract change is meant to ensure more accountability from the registrars.

So, now if someone comes to the registrar with evidence that one of their sites is engaging in phishing, the registry is obligated to step in and mitigate that abuse.

If they do not mitigate evidenced abuse, you can send a report to ICANN along with the evidence that you shared with them, and we will go and talk to them.

And if they do not change their mechanisms to be within compliance with our contracts, they will eventually no longer be a registrar.

I mean, this is a big deal, because if they repeatedly fail to stop this kind of abuse, they could lose their status as a registrar.

But the thing is that this new policy only covers specific types of malicious activities.

And website spoofing, this specific type of attack we've been talking about in this entire episode, this scam that's become so prolific that Adam Weiss has built an entirely separate wing of his business devoted to addressing it, it's not covered by the new ICANN policy.

The ICANN policies, not set by ICANN the organization, but set by ICANN the community, do not cover this.

And it's actually a really interesting conversation that is constantly ongoing at ICANN about what do we do about these kind of things and whose role is it?

Is it the role of the naming industry or is this a role for the hosting industry?

Or is it both?

What is the role of law enforcement?

What is the role of governments?

So, you know, it's very easy is not the right word, but it's very compelling to find a very cut and dry case and say, in this scenario, this is what should happen.

But most of the cases you actually see, they're often not that cut and dry.

And it's not as easy for somebody on the outside to make a decision about it.

But if it's phishing, if it is used, for example, for distributing malicious software or malware, and there are a series of other types of abuse, then the registries and registrars are contractually obligated to mitigate that.

And if they don't, then we like to hear about it and we can go talk to them.

This seemed absolutely bonkers to me.

Because as near as I can tell, the only difference between what Jordan's scammers are doing and what these phishing scammers are doing is that the phishers are sending texts or emails.

Jordan's scammers were buying ads on Facebook, directing people to their scam site, but that isn't enforced by ICANN.

Now, John stressed that just because it isn't covered by the new ICANN policy doesn't mean that web spoofing is legal.

Most registrars have their own terms of service, most of which should cover this, and they're beholden to the laws of their country, which should also cover this.

But the thing is, I had just spoken to Adam, a guy who has now encountered multiple spoof sites with unlisted registration information.

And I wanted to know, one, how this was even possible, and two, what does John think we should do in this situation?

To the first question, he explained that ICANN enforces policy for all of the domains that are three letters or longer.

So .com, .org, .edu, .pizza, .diamonds, etc., etc.

All of those.

But what it does not manage is the two-letter domains for countries.

So whether it's .uk for England, .ca for Canada, or .ly for Libya, those are managed by the country of origin, and ICANN has no power to enforce anything for them.

As for what to do in a situation like this?

I wish I could just give an easy answer and say, well, you just go here, here, and here, and it will all be solved.

Businesses, like large corporations, suffer from this in the same way that small businesses do.

But they can afford the lawyers and the skill sets to go and track down people and actually have some effect on the behaviors.

As a mom-and-pop shop or even a sole business owner, I have a few small businesses myself.

It's very hard.

I'm a big fan of the internet.

Obviously, I wouldn't do my job if I wasn't.

But it comes with some downsides.

It's not all ups.

There are some serious downsides to an open environment that allows for all this ingenuity and all this growth.

I got to be honest, I was pretty bummed out about what he was telling me.

It felt like he was saying that this is just the price of doing business on the internet and that in exchange for all this information, people without resources to fight are going to get hurt.

And I think he may have sensed that I was feeling that way.

Because when I said this, I mean, I guess that's sort of the trade-off, right?

We've got almost the entire history of the world's information at our fingertips.

Sometimes people get scammed.

He immediately responded in the most thoughtful way possible.

And we wish they didn't, but it's this.

And, you know, as we progress, there will be better regulations from governments.

You could see GDPR as a reaction to internet and information freedom, as governments reacting to try and balance out the too easy access to people's information.

And we will see more of that in the years going forward.

We will see new regulations and some of them will be good and some of them will be less good.

And even in the ICANN world, we will see new policy.

We will see the policies change about what we expect from the industry to protect the registrants and the end users.

And that is an ongoing discussion.

If you ever get the chance, you should actually come and visit an ICANN meeting either in person.

If you come in person, I'll buy you a beer or a coffee or whatever you drink.

But, you know, if not, go and watch it virtually.

It's a really interesting methodology or philosophy for how you manage global infrastructure.

It's not like the typical multilateral government to government that happens everywhere else.

Like everybody kind of gets to have a say.

And I'm a big fan of it, obviously.

What John was saying is this.

In the same way that scammers will always be looking for ways to attack your website and guys like Adam Weiss will always be looking for ways to defend it, the ICANN community will always be looking for ways to ensure that the internet's domain name system remains stable and safe.

And some of the time, they're still going to get it wrong.

Because scammers and other bad actors on the internet are constantly innovating and evolving.

And ICANN is often just reacting to those evolutions.

So even though some of their policies feel pretty unsatisfying to me, and even though I do think there should be clearer pathways for minimizing harm on the internet, the idea of writing policy that has to be implemented fairly and evenly across continents and cultures, it's something I need to learn a lot more about before I feel comfortable having a real opinion about it.

And that's why I'm planning to attend ICANN's next meeting in June.

I'll probably do it virtually because it's in Prague, but I would love if you all joined me.

Because the way John explains it, ICANN is just an enforcer of rules, and it's up to us to help make those rules.

So let's do a good job.

This episode of Hyperfixed was produced and edited by Emma Cortland, Amore Yates, and Sari Soffer Sukenek.

It was hosted by me, Alex Goldman.

The music is by the Mysterious Breakmaster Cylinder and me.

The show is engineered by Tony Williams, fact-checking by me, Amore Yates, and Sari Soffer Sukenek.

You can get bonus episodes, join our Discord, and much more at hyperfixedpod.com slash join.

And listen, I say this every week, but I truly think that this kind of membership program is really the only way forward for narrative podcasting.

If you feel like you can support, please think about signing up.

And if you can't afford it, I totally get it.

Everybody is having to make difficult decisions about what they can afford right now, but if you could think about telling your friends and family about it, you know, sit your parents down and make them listen to it, that'd be awesome.

HyperFixed is a proud member of Radiotopia from PRX, a network of independent, creator-owned, listener-supported podcasts.

Discover audio with vision at radiotopia.fm.

Thanks so much for listening.

Radiotopia from PRX.