VeriSign changes prompt privacy warnings, anger
Privacy advocates claim Site Finder captures user data
BOSTON - Privacy advocates are warning that recent changes to the .com and .net database of domain names by VeriSign could violate the privacy of millions of Internet users, inadvertently sending confidential e-mail content and Web surfing data to VeriSign's systems.
The concerns come after VeriSign introduced a new service on Monday to automatically direct users who type in a nonexistent Internet domain name to a company Web site, sitefinder.verisign.com, which offers a choice of alternative Web addresses.
Almost immediately the service provoked angry responses from Internet users who charged that VeriSign was abusing its stewardship of the .com and .net domains to boost company profits.
The new service also prompted a lawsuit. Filed by Popular Enterprises LLC of Orlando, operator of the Site Finder competitor Netster.com, the suit charges VeriSign with antitrust violations for using its control of the .com and .net domains to squeeze out competitors.
Now one company is warning that the service may be turning over a wealth of potentially useful information and sensitive personal data to VeriSign.
In particular, e-mail messages sent to addresses at nonexistent Internet domains will be delivered to VeriSign's Site Finder servers instead, according to Lance Cottrell, president and founder of Anonymizer Inc. of San Diego, a provider of anonymous Web surfing and online privacy protection products.
In the past, those messages would not have left the systems of the user's ISP (Internet service provider) before being marked as undeliverable and returned to the user. VeriSign could potentially harvest these messages and their contents, Cottrell said.
Internet users should also be concerned about VeriSign collecting information about surfing patterns from requests for domains they were trying to reach, he said. Such information could provide a wealth of free market research to Herndon, Virginia-based VeriSign, Cottrell said.
Such accusations are "fiction," according to Brian O'Shaughnessy, a VeriSign spokesman.
"We do not log, and do not have any plans to log, any data sent to Site Finder," he said.
The new service is a valuable tool that will improve the Internet experience of the users behind more than 20 million mistyped domain requests each day, O'Shaughnessy said.
"Enhancing the user experience is the reason we're in this business. We, like many technology companies, are looking at the best way of using technology to make the user's experience online a fulfilling one," he said.
But the service has raised other questions and problems as well, according to Cottrell.
Some spam filters that use DNS (Domain Name System) requests to verify whether the return address on spam was valid were affected by the new VeriSign service, he said. Rather than being rejected by the .com and .net DNS servers, such requests are now sent to Site Finder, he said.
In addition, Site Finder does not filter incorrect domains for attack code, making the site vulnerable to cross-site scripting attacks, which could be used to hijack the Site Finder site and the VeriSign name for attacks on other Internet users, Cottrell said.
"It's a concentration of information that was previously very dispersed and that makes (Site Finder) a high value target for hackers," he said.
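The spam-filter problem Cottrell describes, shown as an added example that is not part of the original article: a sender-domain check that trusts any DNS answer passes every mistyped .com name once the zone has a wildcard, while a check that first probes the TLD with random names can discount the wildcard's address. The function names, the use of A-record lookups, and the zone data (documentation-range addresses) are assumptions constructed for illustration.

```python
import secrets
import socket

def system_resolve(name):
    """A-record lookup through the OS resolver; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def detect_wildcard(resolve, tld, probes=3):
    """Return the addresses a TLD hands back for random, unregistered names.

    An empty set means at least one probe failed to resolve, i.e. the zone
    still answers "no such domain" and has no wildcard.
    """
    seen = set()
    for _ in range(probes):
        addrs = resolve(f"{secrets.token_hex(16)}.{tld}")
        if not addrs:
            return set()
        seen.update(addrs)
    return seen

def sender_domain_exists(resolve, domain, wildcard_addrs):
    """Treat a domain as real only if it resolves to something other than
    the wildcard's addresses. Caveat: a registered domain hosted on the
    wildcard address itself would be rejected too."""
    addrs = set(resolve(domain))
    return bool(addrs) and not addrs <= wildcard_addrs

# Constructed sample data: one registered name, plus a .com wildcard that
# answers every other .com query with a single address (hypothetical values).
CONSTRUCTED_ZONE = {"example.com": ["198.51.100.7"]}
CONSTRUCTED_WILDCARD = {"com": ["192.0.2.10"]}

def stub_resolve(name):
    """Offline stand-in for a resolver, backed by the constructed data above."""
    if name in CONSTRUCTED_ZONE:
        return CONSTRUCTED_ZONE[name]
    return CONSTRUCTED_WILDCARD.get(name.rsplit(".", 1)[-1], [])

if __name__ == "__main__":
    wc = detect_wildcard(stub_resolve, "com")
    for d in ("example.com", "no-such-sender.com", "no-such-sender.org"):
        naive = bool(stub_resolve(d))
        print(d, "naive:", naive, "wildcard-aware:", sender_domain_exists(stub_resolve, d, wc))
```

Passing `system_resolve` instead of `stub_resolve` runs the same check against the live resolver.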









