Last week, Microsoft completed a legal attack on two large and quite nasty botnets by obtaining a court order transferring 23 domain names to Microsoft’s control. The botnets went down and the Internet was a better place for it. But in doing so, Microsoft also took out the world’s largest dynamic DNS provider using a dangerous legal theory and without any prior notice to Vitalwerks Internet Solutions—the company that runs No-IP.com—or to the millions of innocent users who rely on No-IP.com every day.
Just two days later, Microsoft reversed course and began returning control of the seized domains to Vitalwerks. And yesterday, Microsoft and Vitalwerks announced a settlement agreement, with Microsoft admitting that “Vitalwerks was not knowingly involved with the subdomains used to support malware.”
We commend Microsoft’s prompt about face. A company with less integrity would have stuck to its guns, and we are pleased that Microsoft instead worked quickly to rectify this situation. That said, we are disappointed that Microsoft crafted its lawsuit in a way that created these problems in the first place.
A Flawed Plan
First, some background. No-IP.com provides what’s known as dynamic DNS service at both free and paid levels. With dynamic DNS, users who lack a static IP address (mostly mobile users and home and small business DSL or cable subscribers) can host servers at a constant URL, for instance example.no-ip.org, despite the fact that the IP address of that server, and hence the route needed to find it on the Internet changes frequently. I actually use No-IP.com on my parents’ computer in Los Angeles so that I can provide remote tech support from San Francisco without having them locate and read me their IP address over the phone every time they need help. Prior to Microsoft’s action, No-IP.com boasted more than 18,000,000 users of its free service alone.
Microsoft claims to have had no problem with the vast majority of No-IP.com’s users, and we have no reason to doubt Microsoft's sincerity. Instead, Microsoft was concerned by the use of No-IP.com’s service by a pair of botnet operators controlling a total of just over 18,000 nodes at as many subdomains. The botnets used dynamic DNS for essentially the same reasons that I do; it allowed the operators to keep track of the individual nodes of the botnet without having to maintain a current list of their IP addresses or a static command and control server. Microsoft’s plan was to use its own nameservers to send requests to resolve the botnet-associated subdomains to a blackhole, while continuing to resolve requests for the legitimate subdomains to their appropriate IP addresses. So they went to court, in secret and without telling No-IP.com, and convinced a Federal District Judge in Nevada to order the domain name registries to list Microsoft’s nameservers as authoritative for 23 of No-IP.com’s most popular domains.
But Microsoft’s plan failed catastrophically. The transfer resulted in more 5,000,000 subdomains served by No-IP.com simply failing to resolve. The details of the technical failure are obscure from outside Microsoft, but those numbers are worth repeating. In order to take down an 18,000-node botnet, Microsoft commenced a legal action that resulted in the termination of DNS service to nearly 5,000,000 subdomains with which Microsoft had no complaint. In other words, the seizure order that Microsoft asked for, and a federal judge approved, was 99.6% overbroad.
Drawing an analogy to the real world, imagine a busy shopping mall filled with legitimate businesses and a single mafia front. Microsoft, feeling injured by the mafia front’s usage of its trademark and attacks on its users, went to federal court in secret and obtained an order transferring control of the mall to Microsoft's own mall cops, who vowed to keep out only the mafia. But Microsoft’s mall cops were apparently overwhelmed by the number of visitors and simply locked the mall’s doors, keeping out everyone, including the 99.6% of visitors who had legitimate shopping to do.
Microsoft’s plan could have worked. Apparently Microsoft simply lacked the infrastructure capacity to put it into place. How did they make such a gross miscalculation? By telling themselves, and the court, that their “goal is to cut-off traffic to [the botnet] while allowing traffic through to any other sub-domains, if there are any such sub-domains at all.” Microsoft's lawsuit was intended to blackhole only the .1% of No-IP.com’s subdomains that were involved with the botnets it sought to disrupt, and it glossed over the effect on the millions of other domains, even suggesting it was possible that they were all bad actors. And because No-IP.com was kept in the dark, the judge heard only Microsoft's version.
A Flawed Process
Microsoft’s technical failure, as well as its suggestion to the court that there might not have been any innocent users of No-IP.com, both depended on the ex parte (legalese for without the participation of the other side) nature of the proceedings. Had No-IP.com been aware of the lawsuit, and the pending order to seize what amounted to a large fraction of its business, it would have been able to correct both of Microsoft’s failures and spare the owners of the nearly 5,000,000 innocent subdomains (including yours truly) from having their DNS service cut without notice.
Microsoft argued to the court that an ex parte hearing was required because if notice to the defendants was given, the botnets would pack up shop, switch to a different dynamic DNS provider, and disappear. Perhaps that was a good reason to keep notice from the botnet defendants, but it’s no reason to keep knowledge of the lawsuit from No-IP.com. Microsoft appears to be suggesting to the judge that No-IP.com would surely have tipped off the botnet operators, or at least allowed the botnet operators to somehow escape. That is utter nonsense.
In ex parte proceedings, lawyers owe a heightened duty of candor to the court, since there’s no adversary to challenge their assertions. We would have hoped that would have resulted in a more thorough pre-lawsuit investigation. Now, just over a week after convincing a judge that it was vital to keep notice from No-IP.com, Microsoft has admitted that it is confident that No-IP.com was not acting in concert or even involved with the botnet operators. Thus withholding notice from No-IP.com was never warranted.
A Flawed Legal Theory
Not only did Microsoft bungle the facts and the tech underlying its seizure of No-IP.com’s core business, its case against the provider was based on a downright dangerous legal theory. Microsoft argued that, as a provider of free network services, No-IP.com was negligent. Indeed, Microsoft claims that No-IP.com had a legal obligation to:
- Require all users to provide their real name, address, and telephone number.
- Put that information in a public database.
- Use a “web reputation” service to identify bad actors.
- And encrypt its customers’ usernames and passwords.
Every one of those points is rubbish, and none is a legal duty of service providers. First, anonymity online is unambiguously protected by the First Amendment and is a cornerstone of our democracy. Service providers are free to allow their users the option of exercising their constitutional rights. Second, publishing a public database of users is by no means a best practice, and in fact would be one of the worst. Third, several companies offer “web reputation” services, including Microsoft. While a service provider is certainly free to use one of those services if it so chooses, the claim that it is legally required to do so is spurious. To the contrary, under federal law, service providers are not held responsible for the acts of their users, and not made responsible for failing to adequately block bad content. And finally, did Microsoft actually argue that it is a security best practice, and in fact a legal duty, for service providers to encrypt passwords? Because storing users’ passwords in a form that could be decrypted to plaintext by anyone, including the provider, is absolutely terrible security hygiene. If Microsoft meant that the best practice is to store the passwords in a table of cryptographic hashes, it should have said so.
In sum, Microsoft’s theory of why No-IP.com was negligent would condemn essentially every provider of free network services on the Internet, as well as many paid providers. We strongly disagree that following any of the four practices that Microsoft claimed No-IP.com failed to follow would be a good idea, much less best practice or a legal obligation.1
We're glad that the disruption to No-IP.com's users lasted only a few days, and we have these suggestions for any company that wants to use the courts to eliminate threats to its users:
- Give notice to innocent intermediaries, before seizing their business.
- Don't gloss over innocent uses and users of a service, especially when those uses may make up 99.9% of the service.
- Abandon Microsoft's half-baked negligence theory that, if accepted, would mean the end to free network services.
- Be prepared to actually meet the infrastructure demands that any proposed legal solution presents, so as not to cause more disruption than necessary.
At the end of the day, we commend Microsoft for dropping its suit against No-IP.com so quickly, and we’re left hoping that the next time the company decides to take it upon itself to clean up the Internet, it will reconsider the tactics it employs to do so.
- 1. We have an additional technical legal quibble with the way Microsoft’s lawsuit against No-IP.com proceeded. The ex parte restraining order that Microsoft obtained, compelling the domain name registries to transfer No-IP.com domains to Microsoft, was authorized by Federal Rule of Civil Procedure 65. That rule however specifically provides that only the parties, their agents, and people in “active concert” with the parties can be bound by an ex parte restraining order. Microsoft’s order purported to bind the third-party domain name registries (companies that are neither agents of, nor in active concert with, No-IP.com) despite Rule 65’s prohibition.