Hijacking the Net

Two weeks ago, on September 15, Verisign, a publicly traded U.S. company, hijacked the Internet. In seconds, the world discovered that the Internet had been expropriated by Verisign, the Domain Names Registrar, the very body that was given the keys to the Net to maintain order.

Two weeks ago, on September 15, Verisign, a publicly traded U.S. company, hijacked the Internet. It did so in secret, without telling anyone of its plans. In seconds, the world discovered that the Internet, the public, global, transcontinental and intercontinental, transnational network, had been expropriated by Verisign, the Domain Names Registrar, the very body that was given the keys to the Net to maintain order.

Verisign specializes in data security. In March 2000 it acquired Network Solutions, which since 1993 had the right to sell domain names with the .com or .net suffix. Verisign wasn't cheap. It paid Network Solutions in a shares deal valued at $21 billion at the time. Since the acquisition, Verisign has owned a monopoly on selling domain names like the ones with the popular .com suffix. It has that right until 2007. How popular is .com? There are 24.4 million Internet address with a .com suffix on the Net and every 24 hours another 25,000 addresses are registered. The .net addresses are second most popular and Verisign is also responsible for keeping those names in order. In short, every time a domain name is sold, Verisign gets a slice.

But that wasn't enough for it. On September 15 it decided to hijack the Net. The system was simple. Assume someone wanted to visit the Haaretz Web site in English and accidentally typed aaretz.com instead of haaretz.com. The surfer's request is sent to a Verisign-maintained database, which sends back the message that no such site exists. Until September 15, a surfer received a message that more or less said, "ladies and gentlemen, no such site exists." But Verisign understood that they could make a lot of money from our typing mistakes. Instead of sending a message back saying the site doesn't exist, something else could be shown to the Web surfer. So, Verisign sent them to a special page that it set up where it tried to help the Web surfer find the site they were looking for - and if at the same opportunity the surfer clicks on a link at the page or sees some advertising that sends another few tens of millions into Verisign's coffers, why not? And indeed, the page turned out to be extremely popular, registering some 65 million hits on the first week it was up, visits from surfers who don't know how to spell. Some Internet Service Providers are trying to fight the phenomenon with various technical tricks that return the traditional "Cannot find server" message.

The tiny change Verisign made in the Domain Names Server structure of the Internet created a shower of side-effects. Here's one example. Many applications that block spam are based on examining the addresses of the sites that seemed to have sent the message. If the sites don't exist, then the message surely isn't as innocent as it might appear. But Verisign is hiding the "Site doesn't exist" message. And with some sleight of hand it created something out of nothing. From now on there's a site that says, "true, the site you were looking for doesn't exist, but what do we care, you can make us richer."

The fact that a single body, which only a few had ever heard of only a little while ago, holds such extraordinary power over one of the life channels of the Western world should teach us a thing or two. First it should prove to us that monopolies on the Internet are always bad. There are people who thought the warnings about the exaggerated power concentrated in Microsoft was just picking on an innocent company. But Microsoft is dangerous by virtue of controling the Web browser used by some 90 percent of the travelers on the information superhighway, and controling the operating systems on which that browser is installed. Microsoft has already proved that it can't always restrain itself and avoid using its power wrongly. When it happens, nobody can stop it.

The second thing is the extent to which the Internet is fundamentally exposed. The Internet does not belong to Verisign nor even to its father. But Verisign has the power to manipulate it in ways that affect how we surf the Web. That gives the company the ability to affect all of us. There are a number of other key points in the Net's structure that must not be put into the hands of a single body.

Three lawsuits have already been filed against Verisign. It's a public company, with shareholders and customers, and subject to U.S. laws. With a little luck, some judge will decide to teach it a lesson and might even strip it of the right to do similar things in the future. But that's not where the trouble ends. There are too many governments that would be happy to have the power that Verisign now has, in the name of the "public interest." That's the last thing we need.