I got the same mail two years ago, I think (haven't kept it, but the "reasoning" sounds familiar).
See, that's just half-truths that amount to lies.
They claim they need to store personal information about you when you're using your personal domain.
That's untrue. Only if you registered the domain with them they would need to know about you.
It's also untrue, because unlike .de, many other TLDs don't require full names and addresses in WHOIS, or there are "privacy shield" services like the one nearlyfreespeech.net is operating.
Security reasons.
Also untrue (although it's a reasonable business decision that they don't want to handle customers calling their support with the customer's own domain setup problems).
I continue to claim that there is exactly one reason they are refusing: A customer with a *@posteo.de address will pretty much never leave.
I wouldn't mind very much if they admitted that, it's certainly a geeky niche to serve, but this security-and-privacy bullshit really makes me mad.
Do you want to trust your privacy with a company that's lying, even if you wanted to argue that it's a white lie?
I asked them (Posteo) about this 2 weeks ago and below is the response I received. I'm not an expert in this area, but the response sounded reasonable to me:
> We do not offer domain services because we do not save any personal data for any of our services. This is not possible with domains.
> Domains must be registered to a person’s name and address. As a provider, we would be required to store inventory data for all customers that use their own domains with us. As a result, we would have to provide this information to government agencies when requested.
> Additionally, security reasons also play a role in this decision. With customer domains, the owner of the domain is responsible for setting up security features like DNSSEC (and as a result also DANE). Even things such as SPF and other protocols for delivery would lie in the customer’s hand and could not be guaranteed by us.
> Because of these reasons we have decided not to offer domain services and instead to remain consistent with our focus on data economy.
> There is no reason that domain providers will be incapable of providing a contact point and you were always able to put a separate email inbox on WHOIS.
The registrars have an interest in not delivering requests for sale or even abuse reports, because it's likely that they will result in the domain either being decommissioned or moved to another registrar.
In my opinion, it is reasonable to expect them to either validate you own the domain you are sending from, or to handle misuse aggressively. Perhaps they painted themselves into a corner in their infrastructure design and lack good engineers to resolve this? They might not admit this.
I guess one issue here is that I don't see how removing my name from their website prevents them from continuing to service their clients or direct their queries to the correct person.
This is an interesting idea executed terribly. Obviously there are huge liabilities associated with this kind of proxying, but for people who want or need highly anonymous domain registration it could be a worthwhile idea if backed up by an adequately robust contract.
The issues: firstly, they don't support freedom of speech:
> As long as you keep within the boundaries of reasonable law and you're not a right-wing extremist, we’re for promoting your freedom of speech
Secondly, they don't make it clear in what jurisdiction they operate.
Thirdly, they don't specify anywhere what registrar(s) they use to register domains. This prevents customers from performing due diligence on the registrar and its history (for example, does the registrar have a history of arbitrary domain suspensions?)
Fourthly, as mentioned in another comment, their terms of service is absurdly loose with regards to their responsibilities; they can terminate service arbitrarily, and have no obligation to transfer ownership to you in this case. This is completely unacceptable.
Fifthly, their website doesn't work properly without JavaScript. This is completely unacceptable in any case, but is particularly egregious for an anonymity-focused service which provides a Tor hidden service, where many customers may wish to keep JavaScript disabled (as is Tor Browser's default) to reduce attack surface. Apparently people don't know how to make websites anymore.
Sixthly, their website copy is amateurish and has basic typographical errors.
Seventh, and perhaps most gravely of all, their entire website betrays a fundamental misconception of the roles and demarcation of a registrar (or pretend registrar, as is the case here.) Above I mention that they are anti-free speech, but the very fact that they think it is the place of a (pretend) registrar to have a policy on this matter betrays a fundamental misconception about the liabilities of a domain registrar. The very idea that a domain registrar (or pretend domain registrar) should be in some way responsible for content hosted "on" a domain is faulty, and at the same time sets a hazardous precedent; this is exactly the kind of thinking which absolutely should not be encouraged or perpetuated in the domain name industry, as it is only going to lead to more and more political intervention at the domain name level.
A domain name registrar nominates domain names (meaning essentially the name itself, plus the specified nameservers) to a domain name registry. The only legitimate involvement a registrar has in the use of the domain name is any issue involving the legality of the literal domain name string itself, or the nameserver names, or maybe WHOIS data. Notice that for all its faults, this actually more or less matches the ICANN model: There are dispute processes for trademark issues regarding the domain name string itself, and dispute processes for WHOIS data. There are emphatically not ICANN dispute processes for content served by nameservers, or content served by hosts referenced by zone data served by nameservers! (I suppose theoretically someone could find a way to break a law with the nameserver names themselves; setting a nameserver for example.com to <illegal-string>.example.com, say, but it seems like that's sufficiently obscure a possibility that it has not yet arisen.)
A domain name registrar is not responsible for the content served by name servers referenced by a domain name, let alone the content served by services provided by hosts referenced by the content of a zone file served by a name server referenced by a domain name. That this pretend registrar fundamentally fails to comprehend this demarcation of responsibility is extremely problematic, and betrays a troubling lack of understanding of the system.
Of course, it certainly may be the case that domain name registries and registrars (and pretend registrars) in the future get more and more dragged into disputes regarding services provided by hosts referenced by zone files served by nameservers referenced by a domain name, but this is extremely undesirable. It would represent the politicization of the domain name system, which would itself seriously undermine its stability and reliability. We have already seen some attempts to politicize the system and they do not bode well; it's certainly not helpful if registrars start overestimating the degree of their responsibility, as it only increases the feasibility of future politicization of the domain name system.
In particular, it should be noted that there is basically no case where the seizure of a domain name for the content it "hosts" (in reality, references, not even directly but via a set of referenced nameservers) can be proportionate; or at least, no case where it can be reliably ascertained that the seizure of a domain would not be grossly disproportionate.
For example, if google.com accidentally hosts a small amount of illegal material, should google.com be suspended? Of course not; so unless one is suggesting that 'important' domains should be subject to different, more preferential rules than 'unimportant' domains (an affront to the idea of an internet open for all), where is one supposed to draw the line?
Moreover, most nameservers do not allow zone transfers. This means that the extent of a zone served by nameservers referenced by a domain name cannot be reliably ascertained, which again means that there is no way to reliably ascertain that the seizure of a domain name is not grossly disproportionate. If a domain hosts illegal.example.com, but also hosts a million legal subdomains, how can the seizure of example.com for hosting illegal.example.com be proportionate? There is no way to reliably ascertain the existence of subdomains, so illegal.example.com could be known to search engines but the million legal subdomains could be unpublished, internal names yet unknown (by obscurity) to the world. Even if the full contents of a zone could be reliably ascertained, most records reference IPs (A/AAAA), not services (SRV, MX), so unless you portscanned every IP referenced, that doesn't tell you what type of service is hosted on those subdomains (and even if you did portscan those IP addresses, there's the possibility that some services are firewalled to certain source IPs, for example services for internal use only, etc. etc.; the possibilities are endless, and thus so are the opportunities for unforeseeable collateral damage).
There is an extremely relevant real-world example of this: the no-ip.org debacle (no-ip.org is a domain which provides free subdomains to arbitrary parties), in which a court, truly extraordinarily, allowed a private corporation, Microsoft, to assume control of the entire no-ip.org domain, simply because of a single bad user, and a very tenuous claim that the abusive subdomain involved infringement of a Microsoft trademark. This resulted in massive disruption to all other no-ip.org users. Again, there is no way of reliably ascertaining an upper bound for the operational impact caused by a domain seizure.
Actually something similar happened to me with Namecheap a few days ago. They banned one of my domains without any detailed explanation and refused to recover it. I ended up registering the domain again at Cloudflare. Now I see this post, I don't know which company to trust anymore ...
Here is their response when I asked them details:
---
Thank you for your email. We regret any inconveniences you may have experienced.
Please be informed that Namecheap is doing its best in order to reduce any possible misuse of our services. It was noticed that the domain in question was marked as potentially abusive in our system, and we were forced to cancel it based on the result of an internal investigation. Please accept our apologies for the inconvenience caused by this action.
There are two options following which we can resolve the matter:
- Refund the domain to your payment source.
- Re-register it for you for free.
Please consider your choice and get back to us with a result.
I have had my firstname lastname domain (.dk as I am Danish) since 2001 and have never seen a website refusing my domain or refuse to send a password reset.
I also have not had issues with giving the address to a non-technical person, only issue I have had is that the risk of spelling mistakes is higher than @gmail.com
> The domain no longer exists, and my registrar doesn't keep records older than 10 years because of GDPR, so I couldn't use that as a way to prove the page was actually mine.
Wait, are you complaining that they wouldn't take down a page immediately upon your request with no proof that it actually belonged to you?
The whole thing about .us needing real name and address of a person and you cannot hide your identity is hilarious. Every time I had someone spamming me from .us and their data were obviously fake (Registrant name: Tom Cat, Address: Local trash can), the registrar didn't even bother replying to my emails. This has happened with GoDaddy and Dynadot, NameCheap (which is outsourcing all their support to Eastern Europe countries like Russia, so these people are actually looking at your sensitive data) cannot talk for others.
Very unfortunate that Namecheap isn’t cooperating. Not really sure what the hold up is, some say it’s related to the Namecheap vs. Tucows lawsuit [0], but realistically it wouldn’t make much sense to do something like this out of spite. I wonder if they’re worried about potential legal obligations of turning over such a “controversial” domain?