Forgot your password?
typodupeerror
Security Government Your Rights Online

JotForm.com Gets Shut Down SOPA-Style 188

Posted by samzenpus
from the it-was-nice-knowing-you dept.
itwbennett writes "In a post on the company blog, JotForm.com cofounder Aytekin Tank alerts users that 'a US government agency has temporarily suspended' the jotform.com domain. He explains that it is part of an 'ongoing investigation' of content posted to its site by a user. Although which user and what content haven't yet been disclosed, there is speculation about forms used for a phishing attack on a South African bank. JotForm hosts over two million user-generated forms, and uses software to block fraudulent accounts (65,000 so far), so you can see there's plenty of opportunity for mischief."
This discussion has been archived. No new comments can be posted.

JotForm.com Gets Shut Down SOPA-Style

Comments Filter:
  • by Anonymous Coward on Thursday February 16, 2012 @06:38PM (#39067709)

    away from the authority of a shoot first ask questions later country.

  • Least Intrusive? (Score:5, Insightful)

    by Jane Q. Public (1010737) on Thursday February 16, 2012 @06:43PM (#39067751)
    It was my understanding that in the United States, law enforcement (of any kind) is obligated to use the "least intrusive means" they reasonably can to effect an arrest or seizure.

    In cases like this, blocking the domain name is so obviously the opposite of "least intrusive", I wonder if they have grounds to prosecute under 18 US 242. I know I would consider it, if this were done to me or my company.
    • by wbr1 (2538558)
      IANAL But I don't think they don't have grounds to prosecute. A federal prosecutor would have to file charges for a criminal proceeding to take place. What US Attorney is going to file criminal charges against another branch? Probably not many.
      • Re:Least Intrusive? (Score:5, Informative)

        by Jane Q. Public (1010737) on Thursday February 16, 2012 @06:56PM (#39067905)
        You need to look at 18 USC 242. It applies to anybody, including Congress and the President.

        If their rights were violated, they have grounds. Period. But actually prosecuting is another matter of course. Even so, 242 is used every year, and the conviction rate is very high. Much higher than most kinds of criminal prosecution.
    • by PortHaven (242123)

      You're understanding is nice in theory but utterly failed to the nth degree in reality.

      I mean, who the heck thinks of using a chainsaw to go through the front door of a house. It's not even a fast or effective way. A sledgehammer is far more efficient.

      http://boston.cbslocal.com/2012/01/31/fbi-uses-chainsaw-in-raid-on-wrong-fitchburg-apartment/ [cbslocal.com]

      • Actually, she too has grounds to prosecute under 18 USC 242. To say that her rights were violated (and not even in a "reasonable" way) is pretty much an understatement. She was effectively kidnapped at gunpoint.

        You missed the whole point of my post. Yes, abuses happen. But when they do, it is not only the right but the duty of the victim to sue and/or prosecute if they can. If they do not, they do everyone else a disservice.

        242 is a good law, and unlike most others of its kind it has teeth.
        • Any reason that you think this shutdown has anything to do with:

          "such person being an alien, or by reason of his color, or race,"

          Otherwise 18 USC 242 has no application here.

          • Lots of people read it that way, but that's not what it actually means. 18 USC 242 does not cover just discrimination. As many successfully prosecuted cases prove.

            There is an "or" in there that makes all the difference. What it actually says is:

            "... or to different punishments, pains, or penalties, on account of such person being an alien, or by reason of his color, or race, than are prescribed for the punishment of citizens..."

            So it actually applies to:

            "... the deprivation of any rights, privileges, or immunities secured or protected by the Constitution or laws of the United States"

            OR to:

            "... different punishments, pains, or penalties, on account of such person being an alien, or by reason of his color, or race, than are prescribed for the punishment of citizens..."

            So it's deprivation of rights OR discrimination. And while IANAL, I have looked up cases and that is how the court has consistently interpreted it.

            • Here is what it actually says:

              Whoever, under color of any law, statute, ordinance, regulation, or custom, willfully subjects any person in any State, Territory, Commonwealth, Possession, or District to the deprivation of any rights, privileges, or immunities secured or protected by the Constitution or laws of the United States, or to different punishments, pains, or penalties, on account of such person being an alien, or by reason of his color, or race, than are prescribed for the punishment of citizens, sh

              • "I'm not going to get into a debate about parsing that one sentence."

                I'm not either. I don't have to. Instead, I just looked up what the COURTS have to say about it. And they interpret it the way I stated.

                I'm not debating, I'm simply stating facts.

  • by forkfail (228161) on Thursday February 16, 2012 @06:46PM (#39067787)

    Even if the owners are not guilty of negligence, which it appears they are not (65K forms removed), this sort of arbitrary, no-warrant, no-subpoena, no due-process can absolutely ruin a business.

    There is no way the Feds can make up for this; CIO's will say, "Well, I guess we shouldn't use them - we might not have access to our data."

    • by Garth Smith (1720052) on Thursday February 16, 2012 @06:56PM (#39067903) Homepage
      You can even see this in the comments on the Jotforms blog. About a quarter of the comments are, "I paid you [Jotforms] for service. It is YOUR responsibility to keep your service up! It is not my responsibility as a customer to deal with the Feds." From a paying customer point of view, I can see where they are coming from. Though what they should really be thinking is, "The government think's I am customer using an illegal service."
  • by wbr1 (2538558) on Thursday February 16, 2012 @06:52PM (#39067865)
    All the talk of what happens when your data is in the cloud and the business is sold or shutters itself, here is another example. Not only do you have to worry about your dates security and availability for those reasons, now the feds can shut down a service you may use for god knows what important aspects of your business, but you can bet your perfectly legal and confidential business records are now available to the feds sans-warrant. Yeah, cloud computing is the end-all be-all. Think again, get the buzz words out of your head, and your head out of the 'cloud'.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      When I first heard 'cloud' in the context of computing I assumed something along the lines of encrypted and distributed storage like a large Tahoe LAFS network. This could be a very good way of keeping your data up.

      Imagine my shock when I learned that cloud meant passing control of critical elements of your web presence to some third party and paying for the privilege. Perhaps 'lobotomy' would be a better term than 'cloud'.

  • Copyrights, patents and all other government regulations and money counterfeiting and taxes and laws and wars that go beyond what the authorised by the people via the Constitution to the government are all tools of the totalitarianism.

    Sure, YOU may believe that some of what government is pushing is good, so YOU may believe that there is a line that will not be crossed, and you will get something for nothing from the government. You think that government will stop its abuse of power once that abuse helps YOU

  • We're only getting one side of the story so it's impossible to tell if there was reasonable cause for what appears to be a search of the database. Per updates from JotForm the suspension has been lifted.
    • by forkfail (228161) on Thursday February 16, 2012 @07:13PM (#39068115)

      Without warrant, due process or subpoena - on an anonymous accusation alone - their business was probably just ruined. Because a cloud company that loses it's reputation as a stable data location is DOA.

      If one has reasonable cause, the next step is to get a court order. The above linked articles indicate that it is extremely unlikely that such was done.

      Furthermore, the linked articles state that the business in question has, on their own initiative, taken down 65K bad forms.

      There may have been something amiss with some of their customer's data, but there is no way in hell that this was the appropriate response. There is no way that taking down this site without due process prevented a nuclear or biological attack, or any other 24-esque scenario.

    • As the other poster stated: there is no such thing as "reasonable cause".

      There is "probable cause", but there doesn't appear to be real probable cause in this case.

      Or rather: there may have been probably cause to take down some sites or investigate some users. But shut down the whole domain? Hell no. Unless the majority of users were committing crimes there COULD NOT BE "reasonable cause".
      • by tomhath (637240)

        Probable cause, reasonable suspicion, yes I didn't get the term right, but you got the point.

        but there doesn't appear to be real probable cause in this case

        Really? How do you know that? We don't know why the Feds asked to have the domain unavailable for two days.

        • Because malicious or even illegal use by some users is not probable cause for the seizure of the entire domain. That is the point everybody has been making here.
    • by sowth (748135)

      What "search"? Unless I misunderstood the story, the Feds contacted the site's registrar (GoDaddy) and asked for it to be shut down. The website's database was obviously hosted someplace else as the JotForm registered jotform.net and pointed it to their host, putting their entire database back online.

  • No surprise (Score:4, Informative)

    by Blackbrain (94923) on Thursday February 16, 2012 @07:29PM (#39068293)

    Go Daddy has a history of pulling registrations without notification to domain owners. Remember seclists.org and familyalbum.com? Those domains were redirected because of third party complaints. The complaints were not even made by law enforcement. The GoDaddy TOS expressly allows them to suspend service at their discretion and they do it at the first sign of trouble.

    I'm not defending GoDaddy in the least, but people doing business with them should be aware of their history and policies.

    • by Skapare (16644)

      I'm not defending GoDaddy at all, either.

      My one and only experience with them was an issue a client had with GoDaddy not putting the DNS records on correctly, even though they had been set correctly in the control panels. Now I have had this experience with other domain registrars, too. But in the case of GoDaddy, they just would not fix it because they appear to have the attitude that they don't want to communicate with their customers. I had a somewhat similar problem with Gandi a few months ago, and w

      • by am 2k (217885)

        Had I been a GoDaddy user, then at least I could have changed registrar when they showed their stupidity by endorsing SOPA.

        I'm not defending GoDaddy at all (see a pattern here?), but how was that a stupid move? They specifically made sure that they were exempt from SOPA, so it would have gotten them a competitive advantage.

  • So I can only hope that maybe this news gets them more noticed to compensate them for the losses incurred as a result of a domain registrar and/or US agency (allegedly the Secret Service) that fits somewhere between malicious or stupid (depending on which way Hanlon's Razor [wikipedia.org] swings). Unfortunately, the service they provide seems to be more oriented to small businesses rather than to the geeks that would be reading this at Slashdot and other techie sources.

  • The content industry claimed that we needed SOPA/PIPA to take down these horrible sites or they'd lose millions upon billions upon trillions and zombies would rise from the grave (or some such... I tend to lose track of their doomsday scenarios if Technology X isn't stopped). We don't have SOPA and yet MegaUpload and JotForm.com were taken down just fine. This is, of course, putting aside whether or not MegaUpload or JotForm *SHOULD* have been taken down. Clearly, though, they have the capability to take

  • by Animats (122034) on Thursday February 16, 2012 @11:48PM (#39070703) Homepage

    It's not just JotForms. Google is now the leading site being exploited to host phishing pages. [sitetruth.com] Google has reasonable defenses against phishing for their "sites" product. However, Google doesn't seem to have those protections on their document and spreadsheet products. Here's a fake login form hosted by Google. [googlegroups.com] That's been up since 2010. Here's a fake login page hosted as a Google spreadsheet. [google.com] Google allows unlimited HTML in a spreadsheet, which means it can be abused in this way. We have a full list, if anyone is interested.

    "formbuddy.com" and "surveymonkey.com" [surveymonkey.com] can also be abused in this way. Formbuddy seems to kick phishing pages off quickly. Surveymonkey, not so good at this.

    If you offer free hosting, and don't have aggressive anti-phishing controls in place, you will be pwned.

  • Am I the only one thinking that temporarily migrating from the suspended .com to a .net domain is probably the most stupid thing they could do? Seriously, switching from one controlled TLD to another on the same "jurisdiction"...
  • It's not uncommon for sites to get hacked (one every 3.5 seconds is the current rate), and in some cases this is so they can host a phishing form (which is why the US government took down JotForm.com).

    Given this draconian approach to removing some phishing forms, and given that's it's tough to completely stop hackers, it's clear that this could happen to any site, or to cloud services that host your content under a shared domain (maybe even Tumblr or Pinterest).

    The only protection is not to host sites with

  • by Hentes (2461350) on Friday February 17, 2012 @10:41AM (#39074847)

    It might look like cruel move, but in these times fast reaction like this is the only way to protect the artists. Of course, these filthy pirates are now crying all kinds of bullshit like that they didn't host files but forms, but we all know that the site was used mainly for piracy.

  • by bradley13 (1118935) on Saturday February 18, 2012 @03:21PM (#39087407) Homepage

    Take note of this: "...the Secret Service still isn't talking, returning a bland and meaningless statement to press requests: 'We are aware of the incident and we're reviewing it internally to make sure all the proper procedures and protocols were followed.' "

    When the company contacted the Secret Service, asking why their site was down, "the agent told me she is busy and she asked for my phone number, and told me they will get back to me within this week".

    To date they still have no explanation and no court order concerning the take-down of their site. Even if there were a court order, there is zero reason not to contact the business and provide them a chance to cushion the effects for their legitimate customers. This sort of behavior is irresponsible. Clearly, court orders, due process and formal procedures are for wimps, not the elite *drum roll* Secret Service.

    I hope JotForm can afford to file a court case over this. This sort of thing can do immense damage to a company's reputation, and someone in the Secret Service needs a slap upside the head.

    In any case, as others have observed, any serious Internet company needs to avoid all TLDs controlled in the USA. Sure, register a .com address, but use it to forward to your real site, hosted under a different TLD - and make it clear to users that the non-.com TLD is the correct one.

    Unrelated to the Internet, but nonetheless relevant: About 10 years ago I was with a small European company that was marketing a new ERP system to small companies. Our attorney told us flat-out: do not sell to anyone in the USA. The legal system is so screwed that it just isn't worth the risk - the laws are impossible, the customers sue at the drop of the hat, etc, etc. To underscore this, any sort of legal or liability insurance we looked at specifically excluded coverage for business transacted with US customers. It appears that things have only gotten worse...

The biggest mistake you can make is to believe that you are working for someone else.

Working...