VeriSign changes prompt privacy warnings, anger

Privacy advocates are warning that recent changes to the .com and .net database of domain names by VeriSign Inc. could violate the privacy of millions of Internet users, inadvertently sending confidential e-mail content and Web surfing data to VeriSign’s systems.

The concerns come after VeriSign introduced a new service last week to automatically direct users who type in a nonexistent Internet domain name to a company Web site, which offers a choice of alternative Web addresses.

Almost immediately the service provoked angry responses from Internet users who charged that VeriSign was abusing its stewardship of the .com and .net domains to boost company profits.

The new service also prompted a lawsuit. Filed by Popular Enterprises LLC of Orlando, operator of the Site Finder competitor, the suit charges VeriSign with antitrust violations for using its control of the .com and .net domains to squeeze out competitors.

Now one company is warning that the service may be turning over a wealth of potentially useful information and sensitive personal data to VeriSign.

In particular, e-mail messages sent to addresses at nonexistent Internet domains will be delivered to VeriSign’s Site Finder servers instead, according to Lance Cottrell, president and founder of Anonymizer Inc. of San Diego, a provider of anonymous Web surfing and online privacy protection products.

In the past, those messages would not have left the systems of the user’s ISP before being marked as undeliverable and returned to the user. VeriSign could potentially harvest these messages and their contents, Cottrell said.

Internet users should also be concerned about VeriSign collecting information about surfing patterns from requests for domains they were trying to reach, he said. Such information could provide a wealth of free market research to Herndon, Va.-based VeriSign, Cottrell said.

Such accusations are “fiction,” according to Brian O’Shaughnessy, a VeriSign spokesperson.

“We do not log, and do not have any plans to log, any data sent to Site Finder,” he said.

The new service is a valuable tool that will improve the Internet experience of the users behind more than 20 million mistyped domain requests each day, O’Shaughnessy said.

“Enhancing the user experience is the reason we’re in this business. We, like many technology companies, are looking at the best way of using technology to make the user’s experience online a fulfilling one,” he said.

But the service has raised other questions and problems as well, according to Cottrell.

Some spam filters that use Domain Name System (DNS) requests to verify whether the return address on spam was valid were affected by the new VeriSign service, he said. Rather than being rejected by the .com and .net DNS servers, such requests are now sent to Site Finder, he said.

In addition, Site Finder does not filter incorrect domains for attack code, making the site vulnerable to cross-site scripting attacks, which could be used to hijack the Site Finder site and the VeriSign name for attacks on other Internet users, Cottrell said.

“It’s a concentration of information that was previously very dispersed and that makes (Site Finder) a high value target for hackers,” he said.

VeriSign acknowledged that the Site Finder service did affect some spam filters. However, the company is having a “robust conversation” with those companies and individuals to find ways around the problem, O’Shaughnessy said.

VeriSign could not immediately comment on accusations that the Site Finder site is vulnerable to cross-site scripting attacks.

Asked whether VeriSign had anticipated these problems and the backlash against Site Finder, O’Shaughnessy said that the company tested the new service thoroughly before deploying it, but that the complex nature of the Internet makes it difficult to predict all of the possible issues that might arise.

As for accusations that VeriSign abused its role as a manager of the Internet infrastructure in launching Site Finder, the company said that it is only acting in the best interest of Internet users.

“The facts are that millions of people are using the service now and getting to what they need quicker,” O’Shaughnessy said.

The managers of other top-level domains, including the .biz domain, are considering similar services, he said. Besides, companies are free to modify their DNS servers to do whatever they want, including ignoring the Site Finder service, O’Shaughnessy said.

That’s just what Anonymizer has done on the DNS server it operates, Cottrell said.

Requests that are returned from the .com and .net root servers with the Site Finder address are re-translated into “Domain does not exist” messages for the user, he said.
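The resolver-side workaround Cottrell describes, and its effect on the sender-domain checks that spam filters perform, can be sketched as follows. This is an added example, not Anonymizer's or VeriSign's code: the stub upstream, the 192.0.2.1 wildcard address, the sample domains and all function names are constructed for illustration, and the lookup is simplified to address records only.

```python
import secrets

WILDCARD = "192.0.2.1"  # constructed stand-in for the registry's wildcard target
REGISTERED = {"example.com": ["198.51.100.7"], "example.org": ["198.51.100.9"]}

def stub_upstream(name):
    """Constructed upstream: .com/.net answer every unregistered name with
    the wildcard address; other TLDs still return None (NXDOMAIN)."""
    name = name.rstrip(".").lower()
    if name in REGISTERED:
        return REGISTERED[name]
    return [WILDCARD] if name.endswith((".com", ".net")) else None

def learn_wildcard_addrs(resolve, tld, probes=3):
    """Probe random, almost certainly unregistered names under `tld`.
    Addresses common to every probe are treated as the wildcard target."""
    common = None
    for _ in range(probes):
        addrs = set(resolve(f"{secrets.token_hex(16)}.{tld}") or ())
        if not addrs:
            return set()  # a probe got NXDOMAIN, so no wildcard is in place
        common = addrs if common is None else common & addrs
    return common or set()

class NxdomainRestoringResolver:
    """Wraps an upstream lookup and turns wildcard answers back into NXDOMAIN."""
    def __init__(self, resolve, tlds=("com", "net")):
        self._resolve = resolve
        self._wild = {t: learn_wildcard_addrs(resolve, t) for t in tlds}

    def lookup(self, name):
        addrs = self._resolve(name)
        tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
        wild = self._wild.get(tld, set())
        # Suppress only answers made up entirely of wildcard addresses.
        if addrs and wild and set(addrs) <= wild:
            return None
        return addrs

def sender_domain_exists(lookup, address):
    """Spam-filter style check: does the sender's domain resolve at all?"""
    return lookup(address.rsplit("@", 1)[-1]) is not None

if __name__ == "__main__":
    fixed = NxdomainRestoringResolver(stub_upstream)
    for sender in ("a@example.com", "b@no-such-domain-typo.net"):
        print(sender, sender_domain_exists(stub_upstream, sender),
              sender_domain_exists(fixed.lookup, sender))
```

Against the wildcarded upstream the forged sender domain appears to exist; through the wrapping resolver it is reported as nonexistent again, while registered names resolve unchanged.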