What ‘price’ for your Facebook account details?

When I logged into the ‘free’ airport wifi at Calgary airport a few months back I was invited to either give “BOLDstreet Wireless” permission to my Facebook account or otherwise pay a few dollars for an hour’s connection.

At first I thought it was a strange choice, until it dawned on me that this WiFi company was essentially putting a marketing $ value on my Facebook account… Hand over access and they’ll monetize my account in some untransparent way in order to cover the cost of the not-so-free-anymore wifi.

It turns out BOLDstreet Wireless has built this out as a product which companies like Calgary Airport Authority can purchase to track, monetize and analyze public wifi hotspot activity.

In true hacker mentality I logged in with a fake developer account I use for testing purposes – but whatever.

I forgot all about this until today when I was invited to do exactly the same – give permission for an app to access my Facebook account in return for a ‘free’ Häagen-Dazs ice cream.

Now, there is nothing new or unusual about companies wanting to get a little information about you for their CRM systems in return for providing a free sample. But there are some stark and concerning differences created with this new approach:

  • Unlike a survey which questions you directly, there is no transparency as to what information is being taken
  • In addition to my own profile data, limited data about my friends is being handed over too.
  • A fresh snapshot of this information can be requested at any time due to the fact permission persists until the user turns it off
  • More personal data might be made available in the future as Facebook evolves the data they store about you – eg phone number

Perhaps one of the most concerning aspects of all this is the fact that BOLDstreet and Häagen-Dazs are potentially getting access to data about me through my friends using their service – data I did not give either company permission to have. In fact, I wouldn’t even know if they had this information.

There’s nothing new per se with the issue of applications having access to this data – this has been the case since day 0 for apps. However, one argument has been that socially orientated apps need this information in order to be able to provide a social experience. But this use case is certainly new and doesn’t warrant these types of companies gaining access about a user’s social graph in addition to the user’s personal details directly.

From my own experience, this is becoming a common trend. Facebook Connect certainly has advantages but it also has disadvantages too. Be careful who you are giving permission to your account to and make sure you regularly review the list of companies and apps with permission to access your profile (ditto for Twitter too).

Poisoned RSS: An approach to dealing with aggressive feed thieves

Ever since the first RSS feeds were published there has been the issue of nasty, spammy people sucking up those RSS feeds and reposting the content on their own nasty, spammy blogs (splogs). There are many approaches to dealing with the problem – friendly (emailing to ask them to take things down and desist), legal (eg DMCA, but only works for US based sites), technical (eg blocking based on black lists but that is a pain) and editorial (eg short-form RSS, which sucks).

One way not to deal with the problem is to remove your RSS feeds altogether – which, it is rumored, local blog network Gothamist (home of SFist) is considering doing in order to concentrate on the distribution of their proprietary content apps instead. I’m confident that is an extremely flawed strategy, but I digress.

My girlfriend Violet Blue runs a highly successful blog, tinynibbles.com (warning: content very NSFW), which suffers immensely from splogs republishing her content without permission. As I look after her server and the technical operations for her empire of sites, I decided to see if I could help solve this problem in a different way.

What I am about to go through is a tutorial on how you can really try to hurt someone who is leeching your RSS feed – to the extent that it damages and potentially destroys their splog operation. I am not a lawyer but I do not believe any of what I am about to go through is illegal – although I’ll admit that it is naughty.

In a nutshell…

…what we are going to do is intercept the requests from the target’s server for our RSS feed and divert them to a ‘poisoned’ RSS feed that contains not only content warnings but also JavaScript that, when rendered on their website, will take over their page, rendering their site and advertising useless for anyone that comes to visit them. If you wanted to go further, you could also use this method to try to execute shell commands on their server, although at this point things become legally murky and ethically questionable.

This tutorial assumes you have some basic site admin skills, can access your logs and can set a .htaccess file.

So here goes…

Step 1: Identify your target

Chances are you’ve discovered someone republishing your content via a Google search or a trackback from the splog to your site. The first thing to do is to get the IP address of the site. Most splogs will request your feed from the same server as they serve their webpages from so this makes it easy to identify them when they come to visit your site to pull down your RSS feed. I’m going to assume that my target has the ip address 123.123.123.123

Step 2: Search your logs

Search your logs for any access to your site by this ip address. You might want to try:

$ grep -F "123.123.123.123" /var/log/access_log

where 123.123.123.123 is the ip address of the splog and /var/log/access_log is the path + filename of your web server’s access logs.

Hopefully you will have found some matches:

123.123.123.123 - - [16/Jan/2011:14:03:51 -0500] "GET /feed HTTP/1.1" 200 - "http://www.mysite.com/feed" "Mozilla/4.8 [en] (Windows NT 6.0; U) (880701279)"
123.123.123.123 - - [16/Jan/2011:15:57:13 -0500] "GET /feed HTTP/1.1" 200 - "http://www.mysite.com/feed" "Mozilla/4.8 [en] (Windows NT 6.0; U) (1416539927)"
123.123.123.123 - - [16/Jan/2011:20:31:40 -0500] "GET /feed HTTP/1.1" 200 - "http://www.mysite.com/feed" "Mozilla/4.8 [en] (Windows NT 6.0; U) (686799288)"
123.123.123.123 - - [16/Jan/2011:23:52:38 -0500] "GET /feed HTTP/1.1" 200 - "http://www.mysite.com/feed" "Mozilla/4.8 [en] (Windows NT 6.0; U) (2099013304)"
123.123.123.123 - - [17/Jan/2011:02:26:34 -0500] "GET /feed HTTP/1.1" 200 - "http://www.mysite.com/feed" "Mozilla/4.8 [en] (Windows NT 6.0; U) (1475562814)"

It’s worth pointing out this will not work if you directly link your RSS feeds to a 3rd party site like Feedburner, because the request from the splog never reaches your server. At this point sadly there is little you can do, as Google (Feedburner’s parent company) do not give you control to serve different content to arbitrary ip addresses. If you want to use a service like Feedburner, consider offering publicly an RSS url on your server that 302 redirects to Feedburner – achieving the same result while maintaining control of requests.
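The log search in Step 2 assumes you already know the splog’s IP address. As an added example (not part of the original post or its script), this Python sketch ranks the clients fetching the feed and flags the pattern visible in the sample lines above: a User-Agent whose trailing numeric token changes on every request. The function names, the `/feed` path default and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Apache combined log format, modelled on the lines above.
SAMPLE_LOG = """\
123.123.123.123 - - [16/Jan/2011:14:03:51 -0500] "GET /feed HTTP/1.1" 200 - "http://www.mysite.com/feed" "Mozilla/4.8 [en] (Windows NT 6.0; U) (880701279)"
123.123.123.123 - - [16/Jan/2011:15:57:13 -0500] "GET /feed HTTP/1.1" 200 - "http://www.mysite.com/feed" "Mozilla/4.8 [en] (Windows NT 6.0; U) (1416539927)"
123.123.123.123 - - [16/Jan/2011:20:31:40 -0500] "GET /feed HTTP/1.1" 200 - "http://www.mysite.com/feed" "Mozilla/4.8 [en] (Windows NT 6.0; U) (686799288)"
198.51.100.7 - - [16/Jan/2011:14:10:02 -0500] "GET /feed HTTP/1.1" 200 5120 "-" "ExampleReader/1.0"
198.51.100.7 - - [16/Jan/2011:16:10:05 -0500] "GET /feed HTTP/1.1" 200 5120 "-" "ExampleReader/1.0"
198.51.100.7 - - [16/Jan/2011:18:10:03 -0500] "GET /feed HTTP/1.1" 200 5120 "-" "ExampleReader/1.0"
203.0.113.9 - - [16/Jan/2011:14:12:40 -0500] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Trailing "(digits)" token that changes per request in the sample User-Agent.
UA_TOKEN_RE = re.compile(r"\s*\(\d{6,}\)$")


def summarize_feed_clients(log_text, feed_paths=("/feed",)):
    """Group GET requests for the feed by client IP."""
    clients = defaultdict(
        lambda: {"hits": 0, "raw_uas": set(), "norm_uas": set(), "self_referer": 0}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "GET":
            continue
        path = urlsplit(m["path"]).path.rstrip("/") or "/"
        if path not in feed_paths:
            continue
        c = clients[m["ip"]]
        c["hits"] += 1
        c["raw_uas"].add(m["ua"])
        c["norm_uas"].add(UA_TOKEN_RE.sub("", m["ua"]))
        # A feed reader has no reason to send the feed URL as its own referer.
        if urlsplit(m["referer"]).path.rstrip("/") == path:
            c["self_referer"] += 1
    return dict(clients)


def flag_candidates(clients, min_hits=3):
    """Return (ip, hits, rotating_ua) for clients worth a manual look."""
    flagged = []
    for ip, c in clients.items():
        # More raw User-Agents than normalised ones means only the token varies.
        rotating = len(c["raw_uas"]) > len(c["norm_uas"])
        if c["hits"] >= min_hits and (rotating or c["self_referer"] == c["hits"]):
            flagged.append((ip, c["hits"], rotating))
    return sorted(flagged, key=lambda t: -t[1])


if __name__ == "__main__":
    for ip, hits, rotating in flag_candidates(summarize_feed_clients(SAMPLE_LOG)):
        print(ip, hits, "rotating UA token" if rotating else "self-referer only")
```

A flagged address is only a candidate: confirm it against the splog’s own IP before acting on it, since shared proxies and hosted feed readers can fetch a feed just as often.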

Step 3: Build the poisoned RSS feed

We are going to create a separate RSS feed that we will redirect the splog’s requests to. If they are creating a new page/blog post for every item in your feed, our new poisoned RSS feed will force their server to generate pages containing what we want to say.

At this point you need to decide how far you want to take things:

  • Display a content warning explaining that they are reproducing your content without permission and you are unhappy about it
  • Display images from TubGirl and other Shock Sites
  • Hijack their page’s DOM and redisplay the page. Anyone accessing their site will only see your content, with all adverts and other links removed.
  • Attempt to run commands on their server – eg attempt to delete files, elevate user permissions, purge the database, etc.

For my situation I decided to go for the first 3.

To create the poisoned RSS feed, you could save out your own current RSS feed and use that as a template. Replace the obvious text in each item with what you would like to say and save it back to your server. Alternatively you could just use my poisoned PHP script on Github.

My script will make their request’s IP address and other HTTP details appear at the footer of each page along with a tracking string so you can search in Google for any other places they are publishing to. It will also try to inject JavaScript that will manipulate the DOM so that when they or anyone else visits their site only your message will appear. Finally, the script outputs 10 identical items, each with a random GUID so that more pages are created each time the splog revisits as it will think each item is new each time.

As a bonus you can also set it to email you when someone accesses the poisoned feed.

Step 4: Intercept the splog request

The simplest way to intercept the splog’s requests for your RSS feed and divert them to the poisoned RSS feed is to put the following at the top of your .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^123\.123\.123\.123$
RewriteRule ^(.*)$ http://www.mysite.com/poisonedrss.php
</IfModule>

Again, where 123.123.123.123 is the splog’s ip address.

Step 5: Sit back and wait

You can now sit back and wait until the splog requests your content again, at which point it will be directed to your poisoned feed. The splog will then go on to ingest the poisoned content.

What will happen is that the splog will take each of the items in the feed and convert them to individual pages. Your poisoned content will get ingested into their pages, where if they are not running a correct level of character escapes, Javascript and other code will get executed when the end-user visits the page.
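The technique above only works against a site that republishes feed fields as raw HTML and trusts GUIDs to tell items apart. As an added example (not the author’s PHP script), here is how a feed consumer can treat both as untrusted in Python: every field is escaped on output, links are limited to http/https, and items are de-duplicated by content hash so fresh GUIDs on identical items create no new pages. The function names and the sample feed are constructed for illustration.

```python
import hashlib
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed feed: two items with identical content but different GUIDs,
# carrying markup that must never reach the rendered page as live HTML.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example</title>
<item><guid>a1</guid><title>Notice &lt;script&gt;alert(1)&lt;/script&gt;</title>
<link>javascript:alert(1)</link>
<description><![CDATA[<p>Hello</p><script>alert(1)</script>]]></description></item>
<item><guid>b2</guid><title>Notice &lt;script&gt;alert(1)&lt;/script&gt;</title>
<link>javascript:alert(1)</link>
<description><![CDATA[<p>Hello</p><script>alert(1)</script>]]></description></item>
<item><guid>c3</guid><title>Real post</title>
<link>https://www.example.com/post</link>
<description>Plain &amp; simple</description></item>
</channel></rss>"""


def safe_link(url):
    """Accept only absolute http(s) URLs; anything else (javascript:, data:) is dropped."""
    parts = urlsplit(url)
    return url if parts.scheme in ("http", "https") and parts.netloc else None


def content_key(title, link, desc):
    """Identity of an item is its content, not the GUID the publisher supplies."""
    joined = "\x00".join((title, link or "", desc))
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()


def render_items(feed_xml, seen=None):
    """Return one HTML fragment per new item, with all feed text rendered inert."""
    seen = set() if seen is None else seen
    pages = []
    root = ET.fromstring(feed_xml)
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        desc = (item.findtext("description") or "").strip()
        link = safe_link((item.findtext("link") or "").strip())
        key = content_key(title, link, desc)
        if key in seen:  # same content under a new GUID: skip it
            continue
        seen.add(key)
        # html.escape turns <, >, &, " and ' into entities, so markup shows as text.
        body = "<h2>%s</h2><div>%s</div>" % (html.escape(title), html.escape(desc))
        if link:
            body += '<a href="%s" rel="nofollow noopener">source</a>' % html.escape(
                link, quote=True
            )
        pages.append(body)
    return pages


if __name__ == "__main__":
    for page in render_items(SAMPLE_FEED):
        print(page)
```

Escaping the description shows any markup in it as literal text; a consumer that wants to keep formatting needs an allowlist HTML sanitizer at that point instead, which this example does not implement.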

‘Hacking the BBC’, a BBC Backstage Retrospective

Back in October 2010 the BBC announced that BBC Backstage – the developer platform and open data project I had created with Tom Loosemore and James Boardwell back in 2004 – would be closing at the end of the year.

It was sad news, but one that was both expected and appropriate. The project set out to do big things:

  • introduce a large and bureaucratic media organization to the concepts of open data,
  • share that data with 3rd party developers in order to let them find new and experimental uses for it
  • foster internal and external innovation practices that were new, chaotic and sometimes challenging to an old incumbent.

But I think it’s fair to say that on the whole, the project met its goals and expectations.

As a by-product I think BBC Backstage, and the community that formed around it, also helped kick-start the fledgling London Startup community that we have today. What was then called “The London New Media Scene”, primarily because of the agency orientated slant of the London industry at the time, influenced a generation of non-commercial hackers and NTK subscribers to become entrepreneurial and start building startups.

With BBC Backstage winding up, the BBC has produced a wonderful retrospective, “Hacking the BBC”, which I had the honour of being interviewed for. You can download a copy here (pdf) or see below.

The closure of BBC Backstage is certainly a sad day for me, but at the same time I’m confident that it was time to do it. The challenge for the BBC is maintaining the concept of open data and external innovation – and weaving it through the entire fabric of the organization. They claim that is something that is happening, and I think there are good people there championing the notion – but I think the BBC still has some way to go before that box can be really ticked.

You can read Jemima Kiss’s coverage on the Guardian’s website or you can check out a few photo memories I have of the project:

A very flush-faced looking me launching the project at OpenTech 2005 (photo by Natalie Downe)

The BBC Backstage Team winning a New Statesman Award for innovation, 2006

and of course, cheekily snapping Tom Loosemore in a suit:

Is RackSpace’s acquisition of CloudKick one big competitive intelligence coup?

I’ve been wondering why RackSpace acquired CloudKick (see RWW for a good overview of the announcement). CloudKick provides monitoring and performance measurements of your servers and cloud instances.

I doubt the acquisition has been made to bolster RackSpace’s own internal monitoring because the company would already have a very mature solution for that by now.

My concern is that RackSpace has acquired the company to be able to obtain, essentially by the back-door, performance and metric data of the servers running on RackSpace’s competitors. Given that CloudKick is geared up to predominantly monitor servers on Amazon EC2, GoGrid, Linode, RackSpace and SliceHost (which is also owned by RackSpace) it doesn’t sit well that suddenly one of the biggest vendors in there would suddenly be monitoring your server operated by one of the competitive vendors in that list.

This is always a problem when a company is purchased by one of the vendors it sits above in the value chain, esp when impartiality and independence is important in a space such as vendor monitoring.

The CloudKick Agent that you install on your server to log the data and send it back to CloudKick (now RackSpace) streams some pretty all-encompassing data about your server. There is no doubt in my mind that the competitive intelligence RackSpace can obtain from this is massive. And if I’m right, expect to see the price of CloudKick to drop and/or the free option to offer greater allowances in order for RackSpace to maximize the amount of data it can obtain.

While it looks on the surface that RackSpace made a smart move by obtaining CloudKick’s userbase (including Fortune 1000 companies), the question remains whether those customers will stay knowing that their data is being monitored by a big player like RackSpace. And furthermore, whether the vendors themselves will be happy that large amounts of data in aggregate are being obtained by a competitor – I can see Amazon being particularly vulnerable and concerned here.

(this post is an elaboration of a comment I made to this effect on Hacker News)

Thoughts on WikiLeaks’ delayed release of the ‘CableGate’ files

I think it’s interesting that WikiLeaks have been ‘late’ on actually releasing the cables directly to the public. At the time of writing only 219 cables are available out of what is supposed to be 250k+.

Sure, that could be because of the DDOS attack but it looks as though that is being aimed against the existing servers behind wikileaks.org whereas cablegate.wikileaks.org is running on a separate server. Presumably whoever is behind the DDOS attack wouldn’t have had prior knowledge about that server.

It has meant that the newspapers (who were given pre-public access to the dumps) have effectively “leaked” the information themselves as NYTimes and Guardian have started publishing the details before Wikileaks actually does the leaking.

I’m wondering if there was an agreed embargo when WikiLeaks was supposed to actually “press the button”. I further wonder if this will negatively affect the relationship between Wikileaks and the media going forward. Interestingly, Guardian which always prides itself on having data driven processes on stuff like this, has only released the metadata so far — I guess so that they are not the ones to do a complete leak before Wikileaks.

Some thoughts on Path – the most visible MVP test to date

or, alternative title: “The media and your users won’t understand or care you went for an MVP”

Path has finally been revealed to the world via one of those ‘oh lets just put a post up on our Tumblr’ announcements on a Sunday night that suddenly is joined at the top of TechMeme with half-a-dozen-or-so considered and clearly embargoed puff pieces by each of the usual suspects.

My favorite is probably Caroline McCarthy’s CNet piece because it has a photo of the view my old apartment used to enjoy before they erected the shiny green Infinity Towers in front of it. Path is housed in a condo near the top floor of Infinity II. I guess there is a metaphor in there about the new disrupting the old, but whatev’s.

So this launch was embargoed to the hilt. And we know TechCrunch doesn’t do embargoes so it almost certainly didn’t get a briefing. So it was interesting that rather than have an AolTC staffer here on the West Coast write up the buzzy launch, they had co-editor Erick Schonfeld go out of his way to post a negative missive at 3am local time to him in NYC. The TC post does smell of the editor launching a politically-motivated chastisement rather than letting one of his numerous local SF subservient staffers write it up based on the service’s merits alone. TC, after all, has to do what it can to influence against embargoes (or not giving it the exclusive, for that matter).

Biggest Minimum Viable Product so far?

For me, what is so interesting about Path is that it’s clearly the most visible MVP (Minimum Viable Product) launch to date since the meme/concept came to fruition. If you don’t know what that means, go check out the interview with Eric Ries at Venture Hacks.

You can only use Path on iPhone, and even then you can only upload photos – no commenting for example. No other phones are supported, not even iPod Touches. There is a web-based version but you can’t add anyone as a friend (even if you know their url), they can only add you if they happen to have an iPhone.

It would have been relatively easy for Path to have added obvious features like some kind of friending functionality on the web-based version but they clearly decided they really want you to use the iPhone or not take part yet. A total MVP approach. Build the minimum needed, test the market place and learn from the reaction. Repeat until you have success.

The issue is few people really understand MVP as a strategy, even in the industry let alone the wider public.

In an era of ‘write it up in 15 minutes to earn your $20-per-post’, bloggers and journalists will analyze what is put in front of them rather than take the time to consider where a product is on its lifecycle. That lack of understanding and need to publish fast might also explain another reason why Erick tore Path to shreds and even Mashable’s Ben Parr isn’t sure either.

When you put aside the warm-and-fuzzy puff-pieces that come out of being invited into an embargoed meeting with Path CEO Dave Morin to discuss the merits of the work of Robin Dunbar (anthropologist) and Daniel Kahneman (Nobel-laureate psychologist) while taking in views of the Bay Bridge, you have to wonder whether any of the other folks writing about Path really understand the MVP concept either.

My takeaway is that Path should be communicating its MVP’ness directly, pointing out to users where things will be changing and improving – even if that does give some of the game away to Path’s competitors. Everyone wins in the long-haul as users are more likely to stick around knowing that improvements are in the works.

And MVP proponents – such as Eric Ries, Dave McClure and the startup founders who utilize it – need to do a better job of priming the pump and getting the media on-side. I just spoke to one tech blogger who had never heard of MVP, and said that she didn’t understand the point if it meant that products were being launched that users might have difficulty using.

Today Apple announced the end of the optical drive from *all* its laptops

I’ve been saying for sometime that Apple is about to kill off the optical drive inside its future laptop ranges. And tucked into Steve Jobs’ keynote today was probably the foundation of that strategy.

The new MacBook Air (which is sans-optical drive) comes with a special usb-thumb drive that enables users to reinstall their operating system. It looks like this:

You can install an operating system from any external drive – it doesn’t have to be a DVD, it can be a USB disk, external hard drive or even an SD card. But you do need some kind of external disk, in case you can’t boot into the laptop, leaving the OS as the only piece of software that needs to be delivered via physical medium.

You can already download iLife and iWork via the internet and license them online. And with the announcement of the App Store for Mac, Apple is clearly signaling the end of physical distribution of software.

Finally, if you subscribe to the Steve Jobs way of consuming media, the CD and DVD are dead there too. All the music, tv and films you could ever want are available for download via iTunes – be it to your Mac, iPhone or AppleTV.

Even if you consume your media independently, the Amazon MP3 store, music-on-demand services such as Pandora and the continued widespread use of p2p all support the end of the physical distribution of media. NetFlix (probably anticipating this) are about to release a streaming-only service very soon too.

Plus there are many gains to be had on the hardware side of things

There’s another side to this story, which is the benefits to Apple from the loss of the optical drive.

Even in a large laptop like the MacBook Pro 15″ that I’m typing this post on, you can see from the image below that a large amount of footprint is taken up by the optical drive. Check out this photo from iFixIt.com which clearly shows the optical drive in green:

Every time Apple makes its laptops smaller, lighter and thinner they are having to deal with an awkward component that can’t be made any smaller – the optical drive has to take a 5″ disk regardless of the size of the laptop.

One of the reasons the iPad has such battery life is the ability for Apple to stuff the case full of battery. With the optical drive gone, Apple can make thinner laptops that have more battery inside them.

Finally, piracy can probably also be reduced if the USB keys themselves contain some kind of proprietary mechanism to check the operating system is being installed from an Apple-manufactured memory stick.

RIP DVD

Given Apple’s fairly recent switch to including SD card slots on MacBooks, I actually thought they would go with SD card but it looks like USB drive is going to be the medium of choice. I guess as the MacBook Air 11″ has shown, Apple has designs on such small technology that even an SD slot may be too big to accommodate across all of its lines.

vb.ly is dead, long live vbly.us

(for those not familiar with the back story, check here).

It having become clear that Libya has no intention of ever releasing the vb.ly domain back to Violet, we have course-corrected by reopening her url shortening service under the new domain vbly.us.

We had originally pursued a number of other 2-letter options (eg xx.yy) to relaunch the service under. However, given what has happened with Libya and the .ly space we decided to avoid any ccTLD that has regulations that were unclear or open to interpretation. Ultimately, we don’t want what happened with Libya happening again to the service’s users, so for the stability and assurance of the service going forward we elected to register a .us domain.

A .us domain, registered and owned by a US Citizen (Violet) and hosted on servers in US (Newark, New Jersey to be exact) ensures that the service completely resides under US jurisdiction and benefits from full First Amendment Rights.

The domain vbly.us also means that you can easily modify your existing urls to work with the new domain. Thus http://vb.ly/yoururl becomes http://vbly.us/yoururl and will work as before. No urls were lost or forgotten during the downtime.

At a higher level, the “vb.ly saga” has been an interesting experience which I will write a more reflective post about shortly. Issues to be discussed range from the wonders of elastic server instances to meet the worldwide media influx through to dealing with a highly sensitive and emotionally charged issue such as Islam and the legal implications of Sharia law.

In the meantime, I’m sorry to all the users of the service who were let down by what had happened. With the .us registration we do not expect this to happen again.

Please follow the @vb_ly twitter account for further developments! You can also track this story on Hacker News.

Our response to NIC.ly’s statement on the vb.ly domain deletion

NIC.ly, the domain registry for the .ly domain, have made a statement regarding their deletion of our domain vb.ly (prior coverage here, here, here (slightly NSFW), and across the internet)

Contrary to their assertion in their statement, we did NOT receive any communication from NIC.ly before they pulled the vb.ly domain.

We had received other emails from them previously including our domain renewal notice just a month and a half before so I know they had a working email address for us and that we were receiving their correspondence.

They’ve made out in their statement that we ignored their email – given how upset myself and Violet Blue have been over this I would urge people to consider whether these are the actions of two people who would intentionally ignore such a significant warning. Why would we do that?

It is disappointing that NIC.ly didn’t use the opportunity of their statement to discuss the issue of a domain registry regulating, and essentially censoring, the content of a website. They attempted to redirect the conversation by over-embellishing the nature of the site to suit their argument rather than dealing with the wider issue for everyone, which is why a domain registry is proscribing editorially what is and isn’t allowed content-wise on a website that uses its domains. I would urge the wider Internet public to consider the incredibly serious issues that raises.

I am also disappointed that NIC.ly didn’t respond to our concerns about how this essentially makes the use of .ly domains for user-generated content untenable.

I do, however, feel relieved that they will not be letting anyone else register the domain – we were concerned from a security perspective of someone else registering the domain and re-routing existing vb.ly links out there to insecure or spoofed websites. We hadn’t highlighted this concern previously because we didn’t want to give away such a vector for abuse but now they have said the domain is ‘locked’ I’m happy to mention it.

UPDATE: Post publication, I have a further thought with regards to NIC.ly’s statement on their recent change to their policy on short domain registrations. From their statement:

NIC.ly’s concern that the rise in popularity of URL shorteners from abroad taking up all these names has deprived locals of their right to register the important 3 letter abbreviations of their various businesses and interests. We as a Registry would prefer seeing art.ly used for a website about Libyan art for instance

I wonder what the current owners of the domain art.ly think about this statement? I find it shocking that having been happy to have previously sold art.ly to the current owners, the domain registry is now saying that they don’t really want them to own it and would rather they had it back and could sell it to a local company.

I had previously questioned whether NIC.ly was under pressure to recover ‘valuable’ domains that have already been registered to foreign owners. This would appear to confirm I was correct. I therefore feel this further puts into question the commercial viability for anyone using a .ly domain that could be considered ‘premium’ as there is now an additional concern of NIC.ly aspiring to have the domain back.

The .ly domain space to be considered unsafe

I would like to warn current and future owners of .ly domains of a concerning incident regarding the deletion of one of our prime domains ‘vb.ly’ by NIC.ly (the domain registry and controlling body for the Libyan domain space ‘.ly’).

In short:

The domain was seized by the Libyan domain registry for reasons which seemed to be kept obscure until we escalated the issue. We eventually discovered that the domain has been seized because the content of our website, in their opinion, fell outside of Libyan Islamic/Sharia Law.

This is deeply concerning for everyone, but especially .ly domain owners, because it sets a precedent that all websites running on a .ly domain must comply with Libyan Islamic/Sharia Law in order to maintain their domains. This is especially concerning for anyone running a url shortener or hosting user-generated content on a .ly domain.

You may also not know that since June 2010 .ly domains less than 4 characters long may no longer be registered by anyone who isn’t in Libya – which suggests there is tension around foreign owned, high-value, short .ly domains.

The full story:

Our domain ‘vb.ly’ (which was jointly owned by myself and my partner Violet Blue) was deleted by NIC.ly without warning or notice on or around September 23rd 2010. We were subsequently told that our domain has been removed due to us being “in clear violation of NIC rules and regulations” relating to “text referring to adult content and offensive imagery from [our] main page”.

The regulations for .ly domains are available at http://nic.ly/regulations.php. Aside from the fact that we contest that any adult content or offensive imagery exists on the site (vb.ly is a url shortener), what is more concerning is that there does not appear to be any regulation(s) written on that page that actually pertains to the violation notice we were given.

In other words we felt that the NIC.ly registry was claiming it has deleted our domain for infringements that do not actually form any part of their regulations.

However after numerous emails and escalating the matter to NIC.ly directly, we were told by Mr Alaeddin S. ElSharif (Web services Dept. NIC.ly/Libya Telecom and Technology):

“…clause 3.5 clearly states that: “The Applicant certifies that, to the best of his/her knowledge the domain name is not being registered for any activities/purpose not permitted under Libyan law.”

Pornography and adult material aren’t allowed under Libyan Law, therefore we removed the domain…”

Again, while we contest that there was NO pornography or adult material on vb.ly, I would suggest that there is a far more concerning issue here if domain registries can decide on the validity of a domain registration based on the content of the website that uses it. I would argue that the two are extricably decoupled and separate entities.

An additional concern is that the clause being used here pertains to Libyan Islamic Law which appears impossible to find listed in English.

This incident also follows on from a significant (but sadly unreported) recent decision by NIC.ly that as of June 2010:

“.LY domains that are shorter than 4 characters are only allowed for companies or individuals having presence in Libya.” [link]

Existing owners of such domains may renew but those premium domains are no longer open for registration by anyone who does not have a presence in Libya. Think about that, the domains for bit.ly, owl.ly (another set of url shorteners) and ad.ly (advertising solution), would not be registrable now by foreigners. Previously, any domain available was available to anyone who wanted to register it.

We found this u-turn in registration policy surprising. We wonder whether having seen the ‘mini domain gold rush’ that occurred with the .ly domain space, there is suddenly a desire – perhaps even pressure – to have local Libyans control some of the most premium and valuable .ly domains.

With this already in our minds, we found the following line from the email communication we received about the deletion deeply concerning:

…your domain being removed from NIC.LY records and made available for re-registration for locals

We wonder whether this line suggests that in the back of the mind of the person deleting our domain was the motivation that a rare <4 letter .ly domain would suddenly become available for a local Libyan national to register.

I’m not against Libyans registering .ly domains; instead I suggest that NIC.ly/Libya realized too late the value of these premium domains and now there is clearly back-pedaling going on to ensure they don’t all end up in the hands of non-Libyans. Furthermore, I wonder if there is pressure for NIC.ly to do what it can to recover premium <4 letter .ly domains where possible so that they end up back in the pool only available for locals to re-register. Finally, I wonder whether NIC.ly are being pressured to go so far with this that they would even revoke domains for reasons that don’t specifically violate any of the regulations that domain owners agreed to upon registration.

.ly domain space to be considered unsafe

For these reasons I believe the .ly domains should be considered unsafe. Anyone running a business or relying on a website with a one, two or three letter .ly domain should be incredibly cautious. This obviously includes anyone who uses bit.ly, 3.ly, owl.ly and any other similar url shortener.

I cannot see how the deletion of our .ly domain couldn’t happen to the owners of these domains too. In fact bit.ly is hosting many, many links that depict the Prophet Muhammad (PBUH), extreme pornographic subject matter, etc.

However, the fact that NIC.ly are asserting editorial control over the content of any website using a .ly domain is perhaps the most troubling to any .ly domain owner and indeed the internet community at large. Not only is it tantamount to censorship and doesn’t reflect the decoupled nature of domains vs websites, but it sets a dangerous precedent in the space.

At the time of writing our domain vb.ly is still revoked and our website is offline.

To sum up:

  • .ly domains deemed to be in violation of NIC.ly regulation are being deregistered and removed without warning – causing significant inconvenience and damage.
  • .ly domains are being deregistered and removed due to reasons that do not correspond to the regulations defined in the official NIC.ly Regulations.
  • NIC.ly seems to want to extend their reach beyond the domain itself and regulate the content of websites that use a .ly domain. The concept amounts to censorship and makes .ly domains untenable to be used for user-generated content or url shorteners.
  • Libyan Islamic/Sharia Law is being used to consider the validity of domains, which is unclear and obscure in terms of being able to know what is allowed and what isn’t.
  • NIC.ly have suddenly decided that <4 letter .ly domains should only be available to local Libyans and this appears to create motivation to recover what premium domains they can to go back into this new local-only pot of domains.

You can read more about this, including copies of email correspondence, over at Violet Blue’s TechYum website.

UPDATE: My partner Violet Blue (former co-owner of vb.ly) has a thought provoking review of the way this story has played out across the media today. Her site is slightly NSFW.