It’s an unfortunate incident. Not a scandal.
I’ve waited a few days to write about the Moniker whois privacy flap. My first reaction was that this whole thing was being blown way out of proportion, so I wanted to wait and see how I felt in a few days.
But I still feel the same way.
What happened
I really don’t know all the details behind what happened. What I can gather from reading this blog entry is that an Oversee.net employee found out who owned a domain name protected by the company’s Moniker Privacy Services and disclosed this information to the domain owner’s boss.
How Bad is This?
This is a pretty bad lack of judgment by the individual who did this. I’d be rather upset if the company disclosed that I owned a particular domain name. Even if the information was publicly available, I wouldn’t want my registrar to disclose certain information without my permission.
How could this happen?
There are certain people who know just about every domain name I own. That includes my Moniker and Go Daddy account reps. They also know the few domains I have protected by whois privacy (mainly because they are for new ideas I had at one point).
Beyond that, not many people at these companies should know what I have registered with them. I suspect their boss and their boss’s boss up the chain could get access, too. I’ve always taken this into consideration when registering domain names.
I don’t know how the employee accessed the information in this case. But Moniker has said that distributing the information was against company policy.
Have you ever made a snap decision that seemed like no big deal at the time you made it, then afterward you ask yourself how you could have been so stupid? I know I have. Sounds like that’s what happened here.
Whose fault is it?
It depends on the details of what happened.
Perhaps there need to be more controls within the registrar (and I’m sure at other registrars, too). But there are limits.
As I mentioned, my Moniker and Go Daddy account reps know which domains I own. If one of them decided to break company policy and disclose this, there’s very little that can be done to stop that. It would be a bad decision for an employee to disclose this information, but good and bad people make bad decisions all the time.
Should the perpetrator be named, tarred, and feathered?
Not by Moniker.
Like it or not, these sorts of violations of company policy happen all the time in all industries. In most situations the company will not name who violated a company policy. It’s confidential information and they could get sued for doing it. It may not even be any of our business to know who it was.
One exception is if a law is broken, or if it’s a senior employee, officer, or an ironic person — such as the Chief Privacy Officer who was specifically entrusted with the information.
If the Moniker customer whose information was released wants to name names, that’s certainly up to them. But it’s certainly not Moniker who should disclose that information.
As for punishment, the employee could be fired. That’s serious. They also probably had a horrible holiday as they wondered about their fate. But it’s not like you go to jail for violating company policy.
What should Moniker have done after learning about what happened?
I’ll tell you this: they shouldn’t have immediately fired off an email to customers telling them what happened. Here’s why:
1. No customers are at immediate risk of damage due to this breach. If a lot of customers were victims, or a number of credit cards were disclosed somehow, that’s when an immediate message is warranted.
2. They need to investigate what exactly happened and determine if it’s the first time or a repeat occurrence. Do you think SnapNames immediately informed customers after the Halvarez scandal? No, they researched all the facts and then disclosed the information.
3. The company may need to make changes to internal procedures and would want to announce these in its communication.
4. The incident appears to only involve one customer and one employee. If that’s the case, and this is an isolated instance, it’s not the type of thing companies generally tell the world. If a customer service rep cusses me out, do they issue a press release? If a rogue customer service rep at Amazon tells someone else what I ordered, do they tell all their other customers that this happened or do they just discipline the employee?
In summary
Unless something else comes out, this is not a scandal we’re looking at. It’s an isolated incident perpetrated by one person who made a bad decision that affected only one customer.
It’s an unfortunate incident, and I don’t want to downplay that. All domain registrars should consider how this information is safeguarded. But let’s not make this something more than it is.
waiting for some numnut to say I wrote this because Moniker is an advertiser in 3, 2, 1…
You can get crucified for speaking common sense and called a corporate wh*re for a lot less. But not by me. Great post.
Fantastic analysis! Thank you for NOT being one of THEM with a Reactionary reporting ethic…Nicely Done! Mistakes are made, apologies given, penance is served, lessons learned, life goes on… sometimes this industry is filled with too many Drama Queens..but then again, most industries are…
How nice to hear the refreshing voice of reason in an often over-reactive world. Well said!
Why would anyone at the registrar need to know what your domains are. I strongly believe the registrar should be a service where you register the domain and no employee should be allowed to see what you register. Totally Possible.
Just like hashed passwords in the database, no admin knows your password.
@ NotSocialist
“Why would anyone at the registrar need to know what your domains are. I strongly believe the registrar should be a service where you register the domain and no employee should be allowed to see what you register. Totally Possible.”
I agree to an extent. Full service registrars assign account managers. If you don’t have an account manager then no one (should) be looking at your domains, except when a legal order comes in.
Domains can and are allowed legally to be hidden from registrar employees. If you plan on building a registrar build it with that feature in mind.
As usual, great post, with balanced objectivity! Why you’re the best AA!!
Hey! You wrote this because Moniker is an advertiser.
Oh, hang on…
The initial story on this went gangbusters on RicksBlog.com and it was then stated there that the revealing of the violator (which is known by author) as well perhaps the violated registrant’s “domain company” employer, would be disclosed at the close of business Monday (yesterday)
This revelation never happened even though it was conveyed it would eventually be unveiled there yesterday …Hmmmmm
What company does the aggrieved registrant (whose boss was contacted by the Moniker culprit) work for?
That is such a great analysis. From all that I have heard about what happened, it made no sense to me that people were making this out to be some major industry scandal. It sounds like one person working at one company made a big mistake. There is no evidence that the company has been involved in any kind of pattern of dereliction of their duty to help preserve people’s privacy.
Ordinarily, this would have been a good response, but, you must admit that you do in fact have a conflict of interest. That is just a fact. I am staring at the Moniker ad right up there atop your blog. So, using the reverse psychology of counting down 3, 2, 1 till someone points that out, doesn’t vitiate the obvious 🙂
@ Uzoma – true. But I also have a waitlist for that spot and could replace them if they got mad 🙂
I agree with you but ‘Moniker is an advertiser’ 🙂
And Rick Schwartz is an unstable drama queen prone to outbursts. Best to be ignored.
Would have to agree with all the comments within our post. I expected a big deal, especially coming from Rick, and was ‘let down’ by the nature of this. It’s an issue, it should be fixed, and it should remind other companies to consider their practices (if indeed any practices need to be changed). But that’s it.
Not sure the motive behind trying to make it a bigger deal and a conspiracy.
You have an ad with Moniker – so what. Why is that a conflict of interest? You are a news guy and news channels all have advertisers. That shouldn’t – and usually doesn’t – mean they don’t report no Toyota recalls for example.
Good in-depth analysis as usual Andrew.
I agree with everything you say here, but I think you’re not really describing what happened accurately.
The Moniker employee didn’t just disclose it to the domain owner’s boss (assuming that what’s been posted is completely accurate – emphasis on “if”). He/she did so with the clear intention of causing grief for the domain owner.
Leaving that out makes it seem a lot more innocent, like it was some kind of oversight.
Regardless of the Moniker employee’s feelings about the name in question, disclosing it to someone’s boss with the intent to cause them grief (get them fired?) is f’ed up on many levels.
@ Pat – yes, that was a bad decision. But maybe there’s more to it than we’re hearing. Maybe it was all in jest. Who knows.
You said:
“It’s an isolated incident perpetrated by one person who made a bad decision that affected only one customer.”
The fact that Oversee asked Rick not to mention it for two weeks AND THEN covered it up is the real story.
This is a story about ethics of Oversee management.
@ Rob – wait, Oversee “asked” Rick not to disclose it for two weeks? I thought Rick threatened to release it within 2 weeks if they hadn’t done something.
Do we know for sure that the perpetrator dug into whois privacy, or perhaps they looked into the owner’s parking account instead?
@ Adam – I don’t know for sure. It’s a good point. Someone may have made that assumption. Although the statement about the incident came from Moniker and didn’t mention DomainSponsor.
@NotSocialist – I don’t know if a registrar *can* legally double blind themselves as they may be required to disclose the actual whois info to authorities, ICANN, etc. In fact their Registration Agreement explicitly states they can disclose the actual registrant’s data to any 3rd party without even notifying the registrant – “at their sole discretion”.
I’m not trying to excuse the breach – it was obviously the wrong thing to do – but I don’t see how a registrar can hide the registrant info from themselves completely. Now they can have policies that prevent “casual” access to the data, but those policies would be internal to the registrar. As I’ve said all along, Moniker could resolve this by simply stating that they’ve changed their policy.
Those that are calling for an employee’s head on a stick don’t have a leg to stand on anyway, but those that want reassurance this won’t happen to them I think would appreciate knowing that there is a new, more restrictive policy in place as to who, how and why the information would be accessed.
Damn, I just went to defensively register PatSucks.com but the “Domain King” already owns it. LOL!
….and then Mr. Frager drags the Taliban into “the situation” … really —>
http://www.ricksblog.com/my_weblog/2011/01/ostrich-eagle-or-corporate-cubicle-whore-.html#comments
WTF = What The Frager ?
Would you feel differently if the Moniker employee had emailed *your* boss to make *you* look bad? I’m guessing you’d have a very different opinion if you were the victim. This is about being able to put yourself in someone else’s shoes.
@anon I am guessing it wasn’t all that important to the person it happened to either since he/she hasn’t spoken up about it.
*
If you’re the domain owner who was outed, then this IS a big deal.
That’s what I like about this industry: total lack of empathy except for me! me! me!
*
As an important point of discussion in the online privacy policies of ALL registrars, I find this issue valuable.
But, to feed Prick Schwartz’s need for drama, his megalomania, or his grudge against his trade show competitor Oversee, I find it inane.
@Donna Mahony – It was important enough for the person to contact Mike Berkens and Rick about, then spend large amount of time in a phone conference with Oversee’s CEO.
It’s really odd the number of people who are downplaying this like it was some harmless, unintentional act. The Moniker employee used private information to contact the domain owner’s employer in an attempt to harm his reputation. Don’t you think that’s extremely disturbing?! If not, you really need to question your morals.
@ anon – pls remember to use a valid email address when commenting. You don’t need to give your real name, just a valid email address. Thanks.
While people are pointing out Allemann’s got Moniker ads, why hasn’t anyone pointed out that Rick is a direct competitor of Oversee?
Why no reveal yet? I’m thinking if they out the moniker person More crap will surface that nobody wants
People are speculating in Rick’s that it’s Chef Patrick so has anyone point blank asked him?
He is a pretty public guy. Easy to ask
I don’t think anybody is downplaying this. It was – and is – a big deal. For that customer certainly but also for Moniker itself.
HOWEVER, I do think it has been a bit blown out of proportion. One, we do not know all the facts. Two, that is likely to remain the case no matter what Moniker or the customer release at this point.
Three, if this is not a systemic issue then it’s not as big of a deal as all this time involved is making it appear to be so. Fourth, if further evidence unveils that it is systemic – then we get up in arms about it. All of us.
@Andrew Douglas
You can pass information between entities without seeing it. A simple private algo would be enough. For other cases like legal issues and etc the info should be viewed only by the gaining viewable right entity. It should also be clear who and under what circumstances a 3rd party can view your domain info (court order is a must in my point of view).
@Andrew Allemann
“Full service registrars assign account managers.” – that’s ok. It still does not require them to see my private domains unless I allow them to see it. That’s how I’m going to setup my future registrar. No one, except court order cases, sees private domain information. Period.
Anon2: where are they speculating about Chef Patrick? I just searched the entire posting over there and see nothing.
A reason you’re throwing Chef in the mix?
Andrew,
From here
http://www.ricksblog.com/my_weblog/2010/12/the-privacy-issuewho-has-access-to-that-info-what-they-can-do-with-it.html
Quotes from Rick…
“I agreed to hold this until December 31 which was against my better judgement and I am truly disappointed this is now in my lap.”
and
“To make a long story short, we agreed not to tell the story until the 31st and that they really need to get out in front of it because it should have been made public that day. But it was Christmas week etc. etc. etc. Deals pending. They needed some time. But if there was no statement from them by then we would be compelled to state the facts as we have them and I have not heard them disputed whatsoever. I told Craig it would look much better coming from them and not us. Day after day passed. Not a word.”
So, not sure who is saying what here. May be the domainer and Rick is posting his words.
Either Rick agreed not to post or the domainer agreed not to post.
Regardless, as I said, the story is Oversee trying to bury this story.
THAT’S the story, the cover up hence Rick’s post here about the Ostrich strategy by Oversee here
http://www.ricksblog.com/my_weblog/2011/01/ostrich-eagle-or-corporate-cubicle-whore-.html
An employee using his position at a company to access private information, disclosing that information to the owner’s employer with the intent to cause harm to the owner.
This IS a big deal.
It is another black eye for Oversee.net. They already had limited credibility after the whole Halvarez fiasco and how they handled it.
Brad
That’s something nobody here really knows except the parties involved. Not unless, say, that employee’s email or his/her statement about it are brought to light.
If the email said something like:
“Dear Sir,
I’m emailing you because one of your dumbass employees registered SirSucksdottld. I thought I should let you know about that.”
I honestly won’t necessarily think that employee had some evil intent to cause that registrant harm. But I’ll definitely call my employee’s attention to that if ever it’s brought to mine.
Of course, the employee could always deny he wanted to screw the registrant. That’s a judgment call at that point, and only the employer or so will ultimately decide based on what s/he determines.
Now, I say this because I’ve also screwed up during my early days (about five to six months) with a registrar. I had no intent to cause the customer harm, but I won’t blame some of you for thinking I should’ve been fired that moment if you knew what I’d done.
My manager called me in and told me what happened, I gave my side, but apologized and said I’m ready to accept whatever results out of that. Oh, and I did sorta beg to give me a chance to show my mettle.
I guess the heavens smiled down on me that time: they still retained me, though kept a very watchful and tight eye. I’ve since learned a lot of valuable stuff, contributed my share of good performance with them, and voluntarily left after five years with no further incidents after that.
I gather from Rick’s blog, though, that Moniker didn’t at least indicate if the employee apologized or so? At any rate, I don’t blame some folks for moving their stuff away from Moniker.
You only wrote this because Moniker is an advertiser.
(Couldn’t resist)
Moniker has done some pretty despicable things in the past, but you are right – this is being blown out of proportion. Great post.
This is one domain, one perpetrator and one incident. I’m shocked that Rick of all people is making a big deal out of this….
@GMan
Nah, don’t be. Look through his previous blog posts and you’ll see it’s not really the first time.
Then again, trust is a fleeting commodity nowadays.
It’s really outright Whacky that after all the discussions on multiple blogs, hoopla & drama that the 2 lead stars of the show — 1) the perpetrator and 2) the Victim + employer have not been divulged or “come to the surface” … That is what makes the whole situation worse than it should be.
What up ?
@whodat
The victim of this already had their identity revealed on a private domain. Luckily to only one person that they know of.
Why would they have to come out to the whole world just because a Moniker employee does not act according to company policy?
What up is that Oversee has covered this up for weeks to protect the perpetrator and themselves. And all the Moniker employees are in on it.
Moniker employees need to stand up for the company and their clients and demand his/her termination or change of position. Protecting all of their clients
Not knowing the nature of the email from the employee to the employer leaves a lot out. Although, obviously it was serious enough for the victim to move forward with Oversee.
Also, although this article was very nice and well written, and many parts I agree with. But nowhere does it show that Andrew has spoken with the victim. So if any information was gathered it was from other posts or Oversee. The victim obviously discussed the situation with other bloggers, and their opinions differed from Andrew.
The only “positive Oversee” posts that I have seen so far, Morgan Linton and DNW, have come from those not knowing the entire truth of what went down. Or at least the story from the victim, who obviously has some proof of what happened or other bloggers would not have stuck their neck out.
I have followed all this very closely because I am concerned that it was my account manager. And all of my domains are at Moniker, many on private. So I am not going to let this die until I know otherwise or know that my account manager has been taken off my account
Big surprise, more BS at oversee/moniker. This is a company that has exhibited a complete lack of control over its employees. Halvarez rigged thousands of auctions and yet the domainers still line up to give their cash to these guys for domain name registrations, auctions and domain conferences. Fool me once shame on you. Fool me twice….
If this employee also recently had a highly publicized partnership in a high profile purchase, say like ScienceFiction.com, with two oversee.net employees part of this investment group, that would complicate ease of transparency re: this privacy breach, no?
@ Marcia Lynn – I don’t see why that would complicate things.
@Marcia
When you read rick’s timeline, it seems like it happened a few days before the deal being made public.
@DDN
“Why would they have to come out to the whole world just because a Moniker employee does not act according to company policy?”
Good point on one hans….but on the other hand the victim and/or employer knowingly & willingly fed/spread/disseminated the “story” to RicksBlog, TheDomains, DNJournal…and then some…..thus creating the incredible buzz, publicity, concerns, questions and detail requests by the masses.
Seems like they wanted a lot of this “situation” in public view by directly/deliberately feeding well-known/highly followed Domainarati with the “scoop”…so it’s real hard (and perhaps unjustified) to have their cake (spilling the beans widely)…and eat it too (remain anonymous/private)!
Typo Corrections:
DDN — > DNW
hans –> hand
——–
Happy Domaining !
@ Marcia Lynn – I don’t see why that would complicate things.
Andrew, you are a very smart person, you would have to know how that would complicate things. Perhaps it was one of the individuals involved in that deal that was the culprit?
Have you emailed the “chef” to ask about the story? Since he is at the center of the scifi deal perhaps he would know more about what Marcia is speaking of,
Which makes me feel better since I do not work with him at Moniker, I work with Don
@ aa – I’m not sure how a deal that doesn’t involve Moniker would be affected by this, even if someone is involved in both.
Here is how I, a Moniker customer since day 1, would feel that it affects both:
Oversee employees are all involved, maybe more behind the scenes. So, if a top person named in the scifi deal’s credibility is ruined it puts a black eye on the whole deal.
It would in my opinion.
If you heard the CEO of American Express or Visa was emailing what you are spending money on, that would hurt your reputation, to your boss. Wouldn’t it affect how you feel about the company?
With Oversee having the Halvarez scandal behind them mostly, I think they erred on the side of caution to announce this 1 incident but like you said legally can’t name the employee or else he/she could seek retribution.
Oversee as a whole may have a lot of faults but having known the Exec team there and many employees former and present, I really doubt it will go beyond this 1 incident. The first violator may get a harsh punishment but it won’t be anything compared to a second offender.
With all the scrutiny they are under to the community, they have to take harsh actions now
So overall good article and I don’t condone what happened but you can’t judge a company with over 200 employees on 1 person’s actions.
Ask Rick.