XYZ bosses agree to pay $1.5 million to settle Fed’s loan scam claims
Some of XYZ’s top executives have agreed to pay $1.5 million to settle a US Federal Trade Commission lawsuit alleging they “deceptively” harvested vast amounts of personal data on millions of people and sold it “indiscriminately” to third parties including potential scammers and identity thieves.
The FTC says that the execs, through a network of interlinked companies, deceptively collected loan applications through at least 200 web sites, promising to connect the applicant with verified lenders, but instead sold the personal data willy-nilly to the highest bidder through a lead-generation marketplace.
The data was bought by companies that in the vast majority of cases were not in the business of providing loans, the FTC said. The buyers were not checked out by the XYZ execs and exposed consumers to identity theft and fraud, it added.
The allegations cover activities starting in 2012 and carrying on until recently, the FTC said.
“[They] tricked millions of people into giving up sensitive financial information and then sold it to companies that were not making loans,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection said in a press release. “The company’s extraction and misuse of this data broke the law in several ways.”
“The FTC’s allegations were wholly without merit,” the defendants’ lawyer, Derek Newman, told DI in an email. “But litigation against the FTC is expensive and resource draining. For that reason, my clients chose to settle the case and move on with their business.”
“In fact, the FTC did not require any changes to my clients’ business practices that they had not already implemented before the case was filed,” he added.
The suit (pdf) named as defendants XYZ.com CEO Daniel Negari, COO Michael Abrose, business development manager Jason Ramin, and general counsel Grant Carpenter. Two other named defendants, Anisha Hancock and Sione Kaufusi, do not appear at first glance to be connected to the domains business.
The settlement (pdf) sees the defendants pay $1.5 million and agree to certain restrictions on their collection and use of data, but they did not admit or deny any liability.
The lead generation business was carried out via at least 17 named companies, including XYZ LLC (which appears to be a different company to the .xyz registry, XYZ.com LLC), Team.xyz LLC and Dev.xyz LLC. The FTC complaint groups them together under the name ITMedia.
Some of the companies are successors to Cyber2Media, the FTC said, a company that in 2011 had to settle a massive typosquatting lawsuit filed by Facebook.
Despite the personnel crossover, nothing in the complaint relates directly to the .xyz domains business, and the only domains listed in the complaint are some pretty nice .coms, including badcreditloans.com, personalloans.com, badcredit.com, fastmoney.com and cashadvance.com.
The complaint alleged deceptive representations and unfair distribution of sensitive information as well as violations of the Fair Credit Reporting Act. It reads:
In numerous instances, Defendants, through ITMedia’s actions, have shared and sold sensitive personal and financial information from consumers’ loan forms — including consumers’ full names, addresses, email addresses, phone numbers, birthdates, Social Security numbers, bank routing and account numbers, driver’s license and state identification numbers, income, status and place of employment, military status, homeownership status, and approximate credit scores—without consumers’ knowledge or consent and without regard for whether the recipients are lenders or otherwise had a legitimate need for the information.
Essentially, the complaint alleged that the defendants bullshitted consumers into handing over personal info thinking they were applying for a legitimate loan, when in fact the info was just being harvested for resale to sometimes dodgy buyers.
The complaint reads:
ITMedia’s practice of broadly disseminating consumer information, including to entities that share information with others whose identities and use of the information are unknown to ITMedia, exposes consumers to the risk of substantial harm from identity theft, imposter scams, unauthorized billing, phantom debt collection, and other misuse of the consumers’ information. Some consumers have complained that, shortly after submitting loan applications to ITMedia, they have received communications using the names of ITMedia websites to present sham loan offers or demands for repayment of counterfeit debt.
The $1.5 million settlement will be paid by “Individual Defendants and Corporate Defendants, jointly and severally”, according to court documents.
UPDATE: This article was updated shortly after publication with a statement from XYZ’s lawyer.
ICANN punts o.com auction to US watchdogs
Verisign’s proposed auction of the domain o.com might have a negative effect on competition and has been referred to US regulators.
That’s according to ICANN’s response to the .com registry’s request to release the domain, which is among the 23 single-letter domains currently reserved under the terms of its contract.
ICANN has determined that the release “might raise significant competition issues” and has therefore been referred to “to the appropriate governmental competition authority”.
It’s forwarded Verisign’s request to the US Department of Justice.
Verisign late last month asked ICANN if it could release o.com to auction as a test that could presumably lead to other single-character .com names being released in future.
The plan is for a charity auction, in which almost all the proceeds are donated to internet-related good causes.
Only the company running the auction would make any significant money; Verisign would just take its standard $7.85 annual fee.
ICANN told the company that it could find no technical reason that the release could not go ahead.
The only barrier is the fact that Verisign arguably has government-approved, cash-printing, market dominance and is therefore in a sensitive political position.
Whether its profitless plan will be enough to see the auction given the nod remains to be seen.
A certain bidder in the proposed auction would be Overstock.com, the online retailer, which has been pressuring ICANN and Verisign for the release of O.com for well over a decade and even owns trademarks covering the domain.
Disclosure: several years ago I briefly provided some consulting/writing services to a third party in support of the Verisign and Overstock positions on the release of single-character domain names, but I have no current financial interest in the matter.
Canada shrugs over .sucks
The Canadian trade regulator has sent ICANN a big old “Whatever” in response to queries about the legalities of .sucks.
The response, sent by Industry Canada’s deputy minister John Knubley yesterday, basically says if the intellectual property lobby doesn’t like .sucks it can always take its complaints to the courts.
Other than opening and closing paragraphs of pleasantries, this is all Knubley’s letter (pdf) says:
Canada’s laws provide comprehensive protections for all Canadians. Canada has intellectual property, competition, criminal law and other relevant legal frameworks in place to protect trademark owners, competitors, consumers and individuals. These frameworks are equally applicable to online activities and can provide recourse, for example, to trademark owners concerned about the use of the dotSucks domains, provided that trademark owners can demonstrate that the use of dotSucks domains infringes on a trademark. Intellectual property rights are privately held and are settled privately by the courts.
There’s not much to go on in there; it could quite easily be a template letter.
But it seems that Vox Populi Registry has been cleared to go ahead with the launch of .sucks, despite IP owner complaints, at least as far as the US and Canadian regulators are concerned.
The Federal Trade Commission was equally noncommittal in its response to ICANN two weeks ago.
Vox Populi is based in Canada. It’s still not entirely clear why the FTC was asked its opinion.
ICANN had asked both agencies for comment on .sucks’ legality after its Intellectual Property Constituency raised concerns about Vox Pop’s “predatory” pricing.
Pricing for .sucks names in sunrise starts at around $2,000.
ICANN told DI in April that it was in “fact finding” mode, trying to see if Vox Pop was in breach of any laws or its Registry Agreement.
The .sucks domain is due to hit general availability one week from now, June 19, with a suggested retail price of $250 a year.
If anything, the $250 says much more about Vox Pop’s business model than the sunrise fees, in my opinion.
FTC slams new gTLDs but waffles over .sucks legality
The US Federal Trade Commission has made some strong criticisms of the new gTLD program but has refused to answer the question of whether .sucks is behaving illegally.
In a letter to ICANN today (pdf), FTC chair Edith Ramirez took the opportunity to ask for a bunch of changes to the program.
But she declined to reply to ICANN’s original question, which was: are Vox Populi’s launch policies and pricing illegal?
Ramirez said she “cannot comment on the existence of any pending investigations” but said “the FTC will monitor the activities of registries and other actors in this arena” and “will take action in appropriate cases”.
She goes on to make three “recommendations” about new gTLDs in general.
She wants ICANN to “encourage the best practice” of all domain registrants to prominently identify themselves on their web sites, so that consumers are not confused.
This will never happen.
Ramirez then says rights protection mechanisms should be strengthened to prevent companies like Vox Pop violating the “spirit” of the RPMs by charging such high prices.
Finally, she echoes the advice of the Governmental Advisory Committee in asking for gTLDs representing regulated industries to have much more stringent registration requirements.
ICANN is of course under no obligation to take these recommendations as anything other than the comments of a single community member.
It’s good news for .sucks — without a determination of illegal behavior ICANN presumably has no reason to act against it.
It remains to be seen what the Canadian regulator, which ICANN also contacted for guidance, will say.
UPDATE: ICANN has just released the following statement from general counsel John Jeffrey:
We want to thank Chairwoman Ramirez for her response and for the FTC’s active interest in ICANN.
We greatly appreciate the Chairwoman’s stated understanding and appreciation of the importance of the concerns ICANN had conveyed regarding the .SUCKS gTLD rollout, as well as the broader set of consumer protection issues relating to the new gTLD program that the FTC has restated in the Chairwoman’s letter.
The FTC’s comments on consumer protection issues throughout the new gTLD program have been an important part of the dialogue of the ICANN community relating to these topics.
ICANN in “fact-finding” mode over potential .sucks breach
ICANN is playing its cards close to its chest when pressed on what it thinks Vox Populi may have done wrong with its .sucks launch pricing and policies.
The organization told DI in a statement that it is currently “fact-finding”, and will not speculate on what parts of the Registry Agreement may have been breached.
ICANN on Thursday reported Vox Pop to the US and Canadian trade regulators, asking them to judge whether the registry’s $2,000 sunrise fee broke any laws.
Its Intellectual Property Constituency reckons the launch, which also places thousands of trademarks on permanent, high-priced “Sunrise Premium” list amounts to nothing more than a “shakedown” of brand owners.
Vox Pop CEO John Berard told DI last week that the referral to the US Federal Trade Commission, despite that fact that the company and its owners are Canadian, amounted to “appeasement” of the IPC.
In response, ICANN told DI in a statement:
The registry is offering domain name registrations to registrants located in jurisdictions around the world. It¹s possible that a registry’s activities could violate the law in the registry’s own jurisdiction; it is also possible that a registry’s activities could violate the law in the jurisdiction of a registrar or registrant where the registry offers domain name registrations. In this case, the IPC letter was signed by an attorney based in New York City, and ICANN thought it appropriate to ask both U.S. and Canadian authorities to consider the IPC allegations.
ICANN seems to be saying on the one hand that registries are beholden to the laws of wherever their registrants are based and on the other hand that the jurisdiction of the IPC’s current president, Greg Shatan, somehow has a bearing on what laws gTLD registries are obliged to obey.
I await correction from more knowledgeable readers, but I don’t think either of those statements is accurate.
If the latter is true, then perhaps the IPC should in future elect its leaders from only the countries with the most trademark-friendly regimes.
In ICANN’s letters to the FTC and IPC, the organization said it was “evaluating other remedies”. From the context, it seems that ICANN is thinking it could initiate some kind of compliance action against .sucks regardless of the what governmental regulators say.
Asked to explain this, ICANN told DI:
We¹re currently doing some fact-finding and analysis to assess whether there has been any breach by the registry of its obligations, and, based on the results of that analysis, we will try to determine what remedies, if any, may be available. Obviously, it will depend on all the facts and circumstances. Beyond that, since we haven¹t finished that evaluation process it would be inappropriate to speculate about possible remedies.
That’s not saying much, but it leaves the door open for ICANN Compliance to do something even if the FTC and Office of Consumer Affairs deem that no laws have been broken.
One possible “breach” that has been floated relates to the differential pricing created by the Sunrise Premium list. However, my take on this is that, under the new gTLD contracts, it’s not massively different to other kinds of premium pricing program.
Differential pricing protections only apply to renewal fees. If the registrant is told at the point of sale that their renewal fees will be high, that enables registries to put different fees on different domains.
There have also been theories put forward about ICANN’s motivation for referring .sucks to regulators.
The idea that ICANN can defer to the FTC and others on legal matter is not entirely new. In cases where registries intend to merge, ICANN is allowed under its contracts to refer the deals to regulators before approving them.
But this is the first time ICANN has referred new gTLD pricing to competition authorities.
Is it a case of ICANN ass-covering?
ICANN is taking unique fees worth up to $1 million extra from Vox Populi and, as I wrote two weeks ago, the optics of this are bad for ICANN, which could look like it is profiteering from .sucks.
ICANN has explained that the extra fees related to entities that were owned by Vox Pop parent Momentous, the Canadian registrar that had many subsidiaries go out of business owing ICANN a tonne of cash.
By punting the IPC’s complaint to regulators, ICANN could deflect criticism that it is not doing enough to protect rights holders and registrants while avoiding having to make a tricky decision itself.
Regardless, the FTC referral and the fact that ICANN is charging Vox Pop special fees sends a strong message that ICANN does not trust the registry one bit.
ICANN reports .sucks to the FTC over “predatory” pricing
ICANN has referred .sucks registry Vox Populi to the US Federal Trade Commission over concerns from intellectual property owners that its pricing is “predatory”.
The organization has asked the FTC and the Canadian Office of Consumer Affairs to determine whether Vox Pop is breaking any laws.
It asks both agencies to “consider assessing and determining whether Vox Populi is violating any laws or regulations enforced by your respective offices”.
If it is determined that laws are being broken, ICANN said it would be able to “enforce remedies” in the .sucks registry agreement.
ICANN goes on to say that it is “evaluating other remedies” in the registry’s contract.
The shock news comes two weeks after the Intellectual Property Constituency of ICANN complained that Vox Pop’s $2,000 sunrise fee is just a “shakedown scheme”.
The IPC said March 27 it was:
formally asking ICANN to halt the rollout of the .SUCKS new gTLD operated by Vox Populi Registry Inc. (“Vox Populi”), so that the community can examine the validity of Vox Populi’s recently announced plans to: (1) to categorize TMCH-registered marks as “premium names,” (2) charge exorbitant sums to brand owners who seek to secure a registration in .SUCKS, and (3) conspire with an (alleged) third party to “subsidize” a complaint site should brand owners fail to cooperate in Vox Populi’s shakedown scheme.
The IPC is also pissed off that there’s a Sunrise Premium fee that applies to the most famous brands, regardless of when they register.
Vox Pop CEO John Berard told DI tonight that the company’s pricing and policies are “well within the rules”, meaning both ICANN’s rules and North American laws.
He asked why ICANN has referred the matter to the FTC, given that Vox Populi is a Canadian company.
He said that a senior ICANN executive had told him it was because many IPC members are US-based. He described this as “appeasement” of the IPC interests.
Greg Shatan, president of the IPC, whose letter sparked ICANN’s outreach to the FTC and OCA, said that the word “justice” is more appropriate than “appeasement”. He told DI tonight:
We’re looking forward to the FTC and OCA taking a look at Vox Populi’s behavior. And there’s lots to look at. The punitive TMCH Sunrise, where a “rights protection mechanism” intended to protect trademark owners has been turned into a scheme to extort $2,500 and up… The eternal Sunrise Premium of the far-from-spotless .SUCKS registry. The mysterious “everybody.sucks” — purportedly a third party, purportedly providing a “subsidy” to registrant — would anyone be surprised if that was a sham?
With reference to the FTC referral, Shatan also told DI tonight:
I don’t think ICANN wants to waste the FTC’s time. It’s far more rational to think that ICANN informed the FTC because Vox Populi’s activities are within the jurisdiction of the FTC. Mr. Berard’s remarks seem to indicate that he believes that Vox Populi operates beyond the reach of US laws.
With a tech contact in Bermuda and an admin contact in the Caymans, that may have been Vox Pop’s intention. Vox Pop may be operating outside US laws, but I doubt they are operating beyond their reach.
Vox Populi is incorporated in Canada, hence ICANN’s outreach to the Canadian regulator. According to its gTLD application, its only 15%+ owner is Momentous, another Canadian company.
But its IANA record lists an address in Bermuda for its technical contact and Uniregistry’s office in Grand Cayman as its administrative address.
There’s been rumors for months that Uniregistry or CEO Frank Schilling helped bankroll Vox Populi’s participation in the .sucks auction, which saw it splash out over $3 million.
ICANN is asking the US and Canadian agencies to respond to its letter with “urgency”, as .sucks is currently in sunrise and is due to go to general availability May 29.
Trademark owners and celebrities are already registering their names in the .sucks sunrise period.
ICANN confirmed in a separate letter today to IPC chair Greg Shatan that Vox Pop has paid ICANN a unique $100,000 start-up fee, and has promised to pay an extra $1 per transaction, due to now-defunct Momentous subsidiaries defaulting on “substantial payments”.
As DI reported last week, ICANN says that the fee is “not related to the nature” of .sucks, but it could give the appearance that ICANN is a beneficiary of the .sucks business model.
This article was published quite quickly after the news broke. It was updated several times on April 9, 2015. It was updated with background material. It was then updated with comments from Vox Pop. It was then updated with comments from the IPC. Later commenters had the benefit of reading earlier versions of this post before they submitted their comments.
Crocker to speak at second gTLD collisions summit
ICANN chair Steve Crocker is among a packed line-up of speakers for an event on Tuesday that will address the potential security risks of name collisions in the new gTLD program.
It’s the second TLD Security Forum, which are organized by new gTLD applicants unhappy with ICANN’s proposal to delay hundreds of “uncalculated risk” applied-for gTLDs.
The first event, held in August, was notable for statements playing down the risk from the likes of Google and Digicert.
While Crocker is scheduled to speak on Tuesday, anyone expecting insight into the ICANN board’s thinking on name collisions is likely to be disappointed.
The title of his talk is “The Current State of DNSSEC Deployment”, which isn’t directly relevant to the issue.
Crocker, due to conflicts of interest protections, is also not a member of ICANN’s New gTLD Program Committee, which is tasked with making decisions about the collision problem.
While Crocker’s views may wind up remaining private, we can’t say the same for Amy Mushahwar and Dan Jaffe, representing the Association of National Advertisers, both of whom are also speaking.
The ANA is firmly in the Verisign camp on this issue, claiming that gTLD name collisions create unacceptable security risks for organizations on the internet.
Also on the line-up for Tuesday are Laureen Kapin of the US Federal Trade Commission and Gabriel Rottman of the American Civil Liberties Union, both of whom could bring new perspectives to the debate.
The TLD Security Forum begins at 9am at the Washington Hilton and Heights Meeting Center in Washington, DC. It’s free to attend and will be webcast for those unable to show up in person.
FTC chief says most new gTLD bids are “defensive”
The US Federal Trade Commission is still “looking at” ICANN’s new gTLD program amid concerns that most of the applicants applied defensively, it has emerged.
FTC chairman Jon Leibowitz also said today that he thinks new gTLDs will cause consumer confusion and lead to an increase in fraud.
“We have been very, very concerned about ICANN and their dramatic expansion of the domain names, which we think will cause consumer confusion and even worse lead to more areas where malefactors can hide from the law while defrauding consumers,” Leibowitz said.
“A lot of companies that have plunked down $185,000 per domain name — and there have been hundreds of companies that have done it — have mostly done it for defensive purposes,” he added.
Most new gTLDs are not dot-brands, so Leibowitz probably misspoke when he said that “most” applications are defensive. Within the subset of bids that are dot-brands, he may be on firmer ground.
His comments came during a press conference to discuss the FTC’s settlement of its competition probe of Google, which has itself applied for almost 100 new gTLDs.
The settlement agreement relates to Google’s search practices and not its gTLD applications.
Leibowitz said that the FTC is “not looking that issue [new gTLDs] with respect to Google, we’re looking at that issue with respect to ICANN”.
The FTC’s concerns about the program are not new, but it has not publicly expressed them recently.
In December 2011 the agency said the program could “magnify both the abuse of the domain name system and the corresponding challenges we encounter in tracking down Internet fraudsters.”
Whois verification rules coming this year
No more Donald Duck in the Whois?
Registrars could be obliged to verify their customers’ identities when they sell domain names under new rules proposed for later this year, according to ICANN president Rod Beckstrom.
He told National Telecommunications and Information Administration boss Larry Strickling today that the new provisions could make it into the new Registrar Accreditation Agreement by March.
Beckstrom wrote:
ICANN expects that the RAA will incorporate – for the first time – Registrar commitments to verify WHOIS data. ICANN is actively considering incentives for Registrars to adopt the anticipated amendments to the RAA prior to the rollout of the first TLD in 2013.
The RAA is currently being renegotiated by ICANN and the registrar community, following governmental outrage about the RAA at its meeting in Dakar last October.
If new Whois rules are added to the RAA, it will be up to registrars to decide whether to implement them immediately or wait until their existing ICANN contracts expire — hence the need for “incentives”.
Documents ICANN has been posting following its RAA meetings have been less than illuminating, so the letter to Strickling today is the first public insight into what the new contract may contain.
Whois verification, which is often found at the top of the wish-lists of intellectual property and law enforcement communities, is of course hugely controversial.
Civil rights advocates believe that checking registrant identities will infringe on rights to privacy and free speech, while not helping to prevent crime. Actual criminals will of course not hand over their true identities when registering domain names.
The process of verifying Whois data may also wind up making domain names more expensive, due to the costs registrars will incur implementing or subscribing to automated verification systems.
Nevertheless, the anti-new-gTLDs campaign in Washington DC led by the Association of National Advertisers recently led to Whois – a separate issue – being placed firmly on the new gTLDs agenda.
The chairman of the Federal Trade Commission, as well as Strickling, both wrote to ICANN to express concern about the lack of progress on strengthening Whois over the last few years.
Beckstrom’s letter to Strickling can be read here. His reply to FTC chairman Leibowitz – which also schools him in why new gTLDs probably won’t increase fraud – can be read here.
Chance of new gTLD delay “above zero”
ICANN has not completely ruled out the possibility that its new generic top-level domains program will be delayed, according to senior vice president Kurt Pritz.
Pritz was asked during a meeting of the GNSO Council last week whether the recent Congressional hearings into new gTLDs could lead to a delay of the January 12 launch.
“I think the risk is above zero,” Pritz said.
An “above zero” risk of delay could still mean a very small risk, of course.
He went on to point out that “the reputation of the multi-stakeholder model is wrapped up in this too”, and that to delay would be a disservice to all the people who have worked on the program.
He noted that the National Telecommunications and Information Administration assistant secretary Larry Strickling has come out in strong support of the multi-stakeholder model.
While the NTIA does not plan to enforce a delay, ICANN itself could make the decision under political pressure from elsewhere in the US, such as from Congress or the Federal Trade Commission.
Pritz faced a rough ride during a House Energy and Commerce Committee hearing last week, during which a number of Congressmen said they believed delay was appropriate.
The committee was largely concerned about the possible costs to trademark holders and implications for law enforcement agencies.
The hearing was called following lobbying by the Association of National Advertisers and the Coalition for Responsible Internet Domain Oversight.
Recent Comments