Robin
Hi there, it's Robin from PRX. I'm very excited to tell you about Never Post, the newest show in the Radiotopia family. Have you ever wondered, why is the Internet like that? That's the question the folks at Never Post try to answer in each episode. Why is there something called influencer voice? What's the deal with the TikTok Shop? What is posting disease, and do you have it? Why can it be so scary and yet feel so great to block someone on social media? The Never Post team wonders why the Internet, and the world because of the Internet, is the way it is. They talk to artists, lawyers, linguists, content creators, sociologists, historians, and more about our current tech and media moment. From PRX's Radiotopia, Never Post, a podcast for and about the Internet. Episodes every other week at neverpo.st and wherever you find pods.
Alex Goldman
This episode of Hyperfixed is brought to you by Progressive Insurance. Fiscally responsible, financial geniuses, monetary magicians. These are things people say about drivers who switch their car insurance to Progressive and save hundreds. Visit progressive.com to see if you could save. Progressive Casualty Insurance Company and affiliates. Potential savings will vary. Not available in all states or situations. Hi, I'm Alex Goldman and this is Hyperfixed. On this show, listeners write in with their problems, big and small, and I solve them. Or at least I try. And if I don't, I at least give a good reason why I can't. But this week I'm not even going to attempt to solve this problem. Now, I planned to, and honestly, I was really looking forward to it, because this week's problem, it used to be my specialty. I would eat problems like this for breakfast. It was the kind of thing where I would just step in and everything would fall into place and there'd be a ticker tape parade for me and I'd be hailed as the problem solver, the problem conqueror. It was, like, amazing how easy these problems used to be for me. But by the time I connected with this week's listener, her problem had already been solved by someone else. And when I learned how it had been solved and why it had to be solved that way, I was so fascinated, both by the mechanics of it and also by what it says about the world we're living in, that I decided to tell the story anyway. So here it is this week: the Shopify arms race. Alright, so about a month ago, a listener named Jordan posted to the Hyperfixed Discord asking about this problem she was having with her company's website. Hey Jordan, how are you? I'm good. How are you?
John Crane
Good.
Jordan
Sorry, we're. My office mate is leaving soon, so it'll be quiet.
Alex Goldman
Jordan used to be a documentary filmmaker, but about three years ago, she decided to start looking for something that felt a little happier, which is how she found herself taking a job at an independent retailer called Brown's Kitchen.
Jordan
They were looking for someone who knew retail, but also was able to help them start their e commerce business. I had run my own website for a few years, so I knew enough to build a Shopify template and get an e commerce website up and running.
Alex Goldman
Brown's Kitchen is like an independent Williams Sonoma. They sell cookware, bakeware, cutlery, pretty much everything you need for your kitchen. But back in 2022, when Jordan first got hired, none of that stuff was available on their website. They were totally brick and mortar. So Jordan got in there, she built brownskitchen.com into a real e-commerce site. And over the next three years, the website grew into a legitimate source of revenue for the company. But then, late last year, something started happening that threatened to undermine all that growth and tank the company's burgeoning e-commerce business.
Jordan
So this was in November, which was peak Christmas shopping season. The store is a madhouse. And we started getting phone calls from people who were saying they ordered something through our website, and they either haven't gotten it yet or they got some weird emails afterwards.
Alex Goldman
So Jordan's like, huh, well, that's weird. Got to figure out what's happening with these orders. But when she searched their system, she finds no record that any of these orders were ever placed on the company's website. So the question becomes, why do so many customers think that they were?
Jordan
And that's when we discovered that our website is being essentially duplicated by a scammer.
Alex Goldman
Brown's Kitchen had been the victim of web spoofing, which is exactly what it sounds like. A scammer will create a copycat website in the hopes of tricking customers into thinking that the site they're on is associated with legitimate business. Except in Jordan's case, the scammer made one significant and very strategic change. They lowered the prices of every item listed for sale.
Jordan
So say you're looking for an espresso machine, you'll find it on their website for half the price. And it looks very legitimate. They have copied our full template. All of our photos, everything is arranged in the same way with the same colors. They have our logos on the page. I mean, it looks identical to our real website.
Alex Goldman
Not to make this about me, but again, this kind of thing used to be my specialty. Back when I worked as a tech reporter, my favorite thing in the world was hunting down Internet scammers and confronting them directly. And I was able to do that in large part using this incredibly helpful tool called a WHOIS lookup. Through the WHOIS lookup, I was able to find personal information for every person who'd ever registered a website, including the names, phone numbers, and addresses of web scammers all over the world. It wasn't perfect, but more often than not, it worked. But in 2018, the rules around Internet privacy began to change. And suddenly, all of the personal information I used to be able to get through the WHOIS lookup, it stopped being accessible to the general public. Now, if you want to get that kind of personal info, you have to get a subpoena for it. But there are other ways to address this kind of problem. And I was looking forward to using this story as a reason to share those tactics with the Hyperfixed audience. But just as I was starting to do recon on Jordan's spoof site, this happened. And what is the duplicate website called?
Jordan
So there have been two. They both have currently been removed.
Alex Goldman
Jordan's problem had already been solved, or at least the part of it I thought she was going to ask me to solve. The problem she actually wanted me to solve involved figuring out how the scammer had been able to create these exact replicas of her website. The answer, which I told her immediately, was that the scammer just scraped code from her website. More on this later. Anyway, I was very disappointed. And like a teenage Alex Goldman at a middle school dance, and I'm speculating here because I never went to a middle school dance, I began to emotionally detach myself from the outcome of this conversation. But as I was sitting there, my mind floating somewhere above my body, Jordan started talking about how this whole thing got solved. And my mood changed completely. Because the solution was so fascinating and so cool and so far beyond my understanding of the Internet, I felt like I had to meet the person who pulled it off and ask him how he was able to do it. Okay, so real quick, the two sites were brought down in different ways, and the first one was pretty basic. Jordan told me that she did some research, and she learned that step one of these situations is to file a DMCA takedown request. The thing is, the Digital Millennium Copyright Act only covers copyrighted material, and we...
Jordan
...don't own the copyright to the images on our website. Those images are all provided by the corporate vendor. So those kept getting denied.
Alex Goldman
So Jordan's bosses had the clever idea to contact their corporate vendors, think companies like KitchenAid and Mixmaster, and have them file DMCA requests because they also have a vested interest in the success of Brown's Kitchen and the money to do something about it.
Jordan
They got their corporate lawyers involved who have all the money and power in the world, and they got the first one taken down.
Alex Goldman
This happened back in December. And then about three months later, a second spoof site popped up. And Jordan's like, I can't go through this DMCA rigmarole again. It took weeks the first time. Our customers are being victimized. I need a faster solution. So on the same day that Jordan posted to the Hyperfixed Discord, she also posted about her problem on a subreddit for web development. And there she got a reply from a guy who said he'd built an app specifically to combat these web spoofers. And when she told me about the app, it was unlike anything I'd ever heard of.
Jordan
It's a temporary workaround. It doesn't prevent the scammer from copying our website. But what it does is when they copy our website, it puts up like a pop up window. So when you go to the scammer's website, a pop up window comes up and says you are on a fake website, it's impersonating this real website, and it redirects you to our website.
Alex Goldman
How is that, how can you do that on someone else's website?
Jordan
I don't know. I have no idea how it works. But it's a Shopify app. Okay, so it's $4.99 a month, and so far it's working. Within two days, it's discouraged the scammer from using our website and they took it down.
Alex Goldman
In 15 years of reporting on tech, I have never heard a story about planting a popup on someone else's website. And as far as I knew, it shouldn't even be possible. Like, in order to make any changes on someone else's website, my understanding was that you needed to be able to log into it. But Jordan had seen this work and now all I wanted to do was understand how. So I asked her to connect me to the guy who created it. Adam, thank you so much for doing this.
Adam Weiss
Yeah, no problem. I had somebody reach out to me and say, hey, I recommended you do the podcast. And I was like, great, thanks so much. And was kind of surprised to actually see somebody follow up on that.
Alex Goldman
So, yeah, excited to chat. This is Adam Weiss. He lives in Columbus, Ohio, and for the past 20 years, he's been working as a web developer, building apps and websites for clients all across the country. And when I asked him about the genesis of this magical app he'd created, one of the first things he told me was that he never actually set out to create it. Storelock, which is what it's called, was built out of a need to protect his clients from a new kind of web spoofing that he discovered entirely by accident. It started back in 2022. Adam was working on an analytics project for one of his clients, another independent e-commerce business powered by Shopify. And while combing through their analytics, Adam discovered an imposter.
Adam Weiss
Somebody had copied their entire website and was hosting it on a very similar domain name. Something where they just added an S to the domain, and they were running Facebook ads to direct people from Facebook into this fake site with the intention of, you know, stealing people's credit cards.
Alex Goldman
Now, I've seen plenty of sites like this before, and so has Adam. And one of the reasons they're so prolific is because the mechanics of traditional web spoofing are ridiculous. Ridiculously simple. As I explained to Jordan, scraping the code from someone's website can be accomplished very easily, and there's tons of resources online teaching you how to do it and even just giving you the code. But this site wasn't like those other spoofing sites.
Adam Weiss
Took me a little bit of time to kind of figure out that they had not just copied the site, but they were actually sort of mirroring it. They were using some sort of technology, essentially, that anytime a request came in to their website, they would grab an exact copy of the current site and then sort of replacing any links or any phone numbers on the site in order to trick people into thinking that they were on the original website.
Alex Goldman
So every time someone visited their site, it would take an exact copy of the existing website?
Adam Weiss
Yep. Well, 100% right at that moment, too. So if we were making changes to the website, it was getting updated on that fake site in real time.
Alex Goldman
Adam told me that in all his years of web development, he'd never seen anything like this. And until he explained this to me, I'd never even heard of it. Which is why I had very confidently and very incorrectly told Jordan her site was being scraped. And I'm sorry about that, Jordan. The thing is, even fake websites are required to have real registrations. And even though you're no longer able to see the name of the person who registered the site, you can still figure out where they registered it. And you do that using the WHOIS lookup that I mentioned earlier. So Adam used the WHOIS lookup to figure out where the site was registered. And then he wrote them a letter.
Adam Weiss
Saying, hey, one of your clients, one of your customers is doing something nefarious. They're perpetrating fraud on your platform.
Alex Goldman
This, by the way, is exactly how I would have approached it. And within a couple days, the registrar removed the site. But the problem was, it didn't end there. Over the next six months, another half dozen of these spoof sites popped up. And all of them were exact replicas of this one client site. Over and over again, Adam found himself turning to the WHOIS lookup, searching for registration information, and then asking the registrars to remove the scam sites. For months, his life was like web spoof whack-a-mole. And then one day in 2023, Adam ran his WHOIS lookup on yet another one of these spoof sites. And this time he didn't find anything. And I know that for a large swath of our audience, that probably doesn't sound like a big deal at all. But this scenario that Adam found himself facing, where the WHOIS record had no registration information, it's not supposed to be possible. Because now that we can't access personal information through a WHOIS lookup, registrars provide one of our only avenues for recourse on the Internet. In fact, as far as I know, policing this kind of fraud is actually one of the registrar's only jobs. And if a site has no registration information, then there's no one with the authority to take it down. You could talk to the website's host, meaning the place where the site's files actually live, but they're generally even less responsive than registrars. And for small to medium sized businesses like Brown's Kitchen, and like most of Adam's clients, leaving up your spoof site just isn't an option. It's like sitting in a shark tank while actively bleeding. Adam tried everything he could think of to get the site removed. At one point, he even contacted Facebook to see if they could help, since most of the spoof site's traffic had been driven by Facebook ads.
Adam Weiss
And Facebook, they didn't really seem to care. You know, this was another business to them. They were earning money on ads and they kind of left it at that. They said, well, you know, there's not really a lot that we can do, you know, it's not our problem.
Alex Goldman
So without a formal pathway to removing this website, Adam started looking for ways to neutralize its impact. And that's when he had the idea that would eventually lead him to develop Storelock. Adam knew that the spoof site was mirroring instantaneously, and he had this theory that it wasn't just the superficial changes that were being mirrored. So he started thinking, if the scammers are copying our website whole cloth, maybe we can stitch in a piece of code that exposes their deception.
Adam Weiss
Well, what if we put in some tiny bit of script, you know, that would allow us to say, is it one of these domains that you're allowed to be on? If not, then just redirect them right away.
Alex Goldman
So Adam ran a test. He wrote out a short script that asks a single question: am I on the website I was designed for? And the next time the spoof site mirrored the real site, Adam's script sprang into action and said, wait a minute, I'm in the wrong place. I should let everybody know. And the way it did that was via a pop-up on the spoof site. That was the birth of Adam's Storelock app. And in the years since then, he's continued to refine and build upon that original idea. The Storelock team is small. It's really just two people at this point. And they've spent no money on marketing this product, in part because they realize it's the kind of thing you don't really know you need until you really need it. So for now, they've been hanging out in the subreddits and on Shopify forums, watching out for people like Jordan who find their web shops facing attacks they don't know how to handle.
Adam Weiss
We don't have a ton of customers yet, but we've seen that this is a big enough problem that there's. There's enough market for us to go after and continue building this.
Alex Goldman
But for every move Adam makes to protect his customers, he knows the scammers aren't far behind. They'll always be searching for a way to circumvent his defenses, and he'll always be searching for ways to block their circumventions. And maybe this is all that any of us can do. Maybe this Shopify arms race is the best that any of us should hope for. But honestly, I find that very hard to accept. And so does Adam. Because we still remember the days when you could actually stop a scam at its source. When a reporter like me or a web developer like Adam or literally anyone else in the world could use the WHOIS lookup and find exactly who is perpetrating this attack on Jordan's site. And we still don't really understand why we abandoned that system. And if what Adam's saying is right and we can't rely on registrars to act as enforcers on the Internet, I would really love for someone to tell me who exactly is supposed to be in charge. After the break, we get an answer to that question. And the answer kind of sucks. I'm Naomi Fry. I'm Vinson Cunningham.
Nomi Frye
I'm Alex Schwartz. And we are Critics at Large, a podcast from the New Yorker. Guys, what do we do on the show every week?
Alex Goldman
We look into the startling maw of our culture and try to figure something out.
Nomi Frye
That's right. We take something that's going on in the culture now. We maybe it's a movie, maybe it's a book, maybe it's just kind of a trend that we see floating in the ether and we expand it across.
Jordan
Culture as kind of a pattern or a template.
Adam Weiss
We talked about the midlife crisis, starting with a new book by Miranda July.
Alex Goldman
But then we kind of ended up.
Adam Weiss
Talking about Dante's Inferno.
Jordan
You know, we talked about Kate Middleton.
Alex Goldman
Her so called disappearance. And from that we moved into right wing conspiracy theories. Alex basically promised to explain to me.
Adam Weiss
Why everybody likes the Beatles.
Nomi Frye
You know, we've also noticed that advice is everywhere. Advice columns, advice giving. And we kind of want to look at why. Join us on Critics at Large from the New Yorker. New episodes drop every Thursday. Follow wherever you get your podcasts.
Alex Goldman
Welcome back to the show. So before the break, I learned more about the state of Internet scams than I have in probably the previous two years. I learned that scammers can spoof a website in real time, and that one way to deal with this is to essentially build a Trojan horse into the code of your website that outwits scammers by making their own site tell you that they're scammers and that ever since the WHOIS lookup redacted the personal information from its public database, we are often left at the mercy of registrars who aren't necessarily going to do that much to help you out. But I still walked away from that conversation with some questions of my own, the first of which was, why do we no longer have access to that personal identification information? So I reached out to the people responsible for managing the WHOIS database. So just to start, could you tell me your name and what you do?
John Crane
Okay, so my name is John Crane, as spelled here on zoom. I am the senior vice president and chief technology officer for something called the Internet Corporation for Assigned Names and Numbers.
Alex Goldman
The Internet Corporation for Assigned Names and Numbers is a mouthful. So we will call it what everybody else calls it, which is ICANN. ICANN is a nonprofit organization. It is based in Southern California, and among other things, they oversee the global domain system for the entirety of the Internet. What they do is incredibly technical, but the short version is, if your computer is trying to get to a certain domain like .baseball or .cancerresearch, and yeah, both of those are real top-level domains, ICANN keeps a global list of these destinations and it helps route traffic to that domain. But, yeah, it's incredibly technical. I was getting corrected by John left and right. So you're like an address book for every website in the world.
John Crane
No, we are not.
Alex Goldman
Okay.
John Crane
We are, if you like, the library index card of where you go to find that information. We do not hold all the information. We are the starting point of the path to go and find that information.
Alex Goldman
John has been with ICANN since the very beginning, like the late 90s. And in the office of the CTO, one of his responsibilities is studying and advising on special policy issues all over the world. So I started talking to him about this kind of fraud we've been discussing in this episode where people are building websites to impersonate other legitimate websites. I told him that they are doing it for the purposes of stealing credit card information. And I told him about how much harder it is to handle these situations now that registrars are the only outlet for remediation. And then I asked him, why did ICANN decide to redact this personal information from the who is lookup? And John was like, we didn't.
John Crane
It's not that ICANN or some like developed a policy that said, we will no longer share private data, which is what we call PII, personally identifiable information. It's that the law has changed.
Alex Goldman
And the reason the laws changed is an event you may remember. So back in 2013, an NSA intelligence contractor named Edward Snowden walked out of his office carrying a thumb drive that was loaded to the gills with top secret government files. He got on a plane, flew to Hong Kong, and then he sent the files off to WikiLeaks. And when WikiLeaks started publishing Snowden's secret files, the Internet lost its mind. The most startling revelations contained in those documents were about just how big the US surveillance apparatus had become. It was through these leaks that we learned that US intelligence agencies could access servers at most of the major tech companies. They were harvesting millions of cell phone records a day. They were mapping locations based on cell phone information. They were even collecting AOL Instant Messenger contact lists. And as the conversation about the way the government was watching us ramped up, I mean, these days, now that we've been completely, completely captured by the global panopticon, now that we've got AI facial recognition and half a dozen cameras on every car, this all seems pretty quaint. But at the time, it freaked everybody out.
John Crane
And then something happened in the legal sphere, okay. People started caring about privacy, and not.
Alex Goldman
Just in the sense that they didn't want the government hijacking their webcams and looking at their naked butts, which is, you know, like what I say when I'm explaining this to my kids. But people were also concerned about the fact that websites were tracking them around the Internet in order to sell their data to advertisers and to credit agencies. And in the heat of that terrifying moment, governments all over the world started passing reactionary laws to protect people's data, the most famous of which was Europe's General Data Protection Regulation in 2018. The GDPR basically said, if you're doing...
John Crane
Business in Europe or with Europeans, you cannot share their, or even store, in some cases, their data without express permission.
Alex Goldman
And because it is a World Wide Web and Europe is a powerful and populous continent, the impact of this change was felt all over the globe. If you've ever encountered a pop-up asking, would you like to allow cookies on this website? You have the GDPR to thank for that. But laws governing the Internet, especially when they're reactionary and especially when they're written by people who don't know a lot about the Internet, tend to have some unintended consequences. And in the case of the GDPR, one of those unintended consequences was the nerfing of the WHOIS lookup.
John Crane
Things like WHOIS had to be less open, specifically with what we call personally identifiable data. That's things like your name, your address, or combinations of pieces of data that put together could identify you as an individual.
Alex Goldman
Right.
John Crane
And it was done to protect the citizenry. It was done with completely good intent. And there are some side effects that I think weren't foreseen.
Alex Goldman
What were the side effects that weren't foreseen?
John Crane
That people tackling badness could not necessarily get access to data that they could before.
Alex Goldman
Apparently, in the earliest days of the GDPR, it was unclear if even law enforcement would still be entitled to this data. Today, they're still only able to get their hands on some of it.
John Crane
But not all of the badness is being fought by law enforcement. A lot of the countercrime activity that happens online is actually by private organizations, businesses for example, that do this for their clients. You know, if you're a business taking down fraudulent websites in the past, you could go and find out who that person was and you could send them a subpoena or you could send them a cease and desist. You can't really do that as easily now. Now you have to send it to the registrar.
Alex Goldman
So because of this law that protects my privacy when I make a website, but also protects the privacy of a scammer if they do the same, the WHOIS record is off the table. In the past, when I was able to locate tech support scammers by name to an office in Punjabi Bagh, New Delhi, based on a WHOIS lookup, these days, the best I can do is get a site taken down, and that is at its very best just a band-aid. Because it is incredibly easy for a scammer to just switch registrars and run the whole scam again. So there's hundreds of registrars, and, like, some registrars are more responsive than others in terms of, like, actually policing this kind of content. So, like, what option does a person have if the registrar is not policing it?
John Crane
So let's talk about a domain name that is used for something called phishing. Now, I think everybody's at least been attempted to be phished at some point, where they send you a link, either on your phone, technically we call that smishing because it's SMS phishing, and there's a link and you click on it and you really shouldn't have and bad things happen. That name and the lure, if you like, and the thing that takes you, is being used in a smish. Now recently, like in the last year, we changed our contracts working with the registries and the registrars.
Alex Goldman
That contract change is meant to ensure more accountability from the registrars. So now if someone comes to the registrar with evidence that one of their sites is engaging in phishing, the registry is obligated to step in and mitigate that abuse.
John Crane
If they do not mitigate evidenced abuse, you can send a report to ICANN along with the evidence that you shared with them, and we will go and talk to them. And if they do not change their mechanisms to be within compliance with our contracts, they will eventually no longer be a registrar.
Alex Goldman
I mean, this is a big deal, because if they repeatedly fail to stop this kind of abuse, they could lose their status as a registrar. But the thing is that this new policy only covers specific types of malicious activities, and website spoofing, this specific type of attack we've been talking about in this entire episode, this scam that's become so prolific that Adam Weiss has built an entirely separate wing of his business devoted to addressing it, it's not covered by the new ICANN policy.
John Crane
The ICANN policies, not set by ICANN the organization, but set by ICANN the community, do not cover this. And it's actually a really interesting conversation that is constantly going on ongoing at ICANN about what do we do about these kind of things and whose role is it? Is it the role of the, the naming industry, or is this a role for the hosting industry, or is it both? What is the role of law enforcement? What is the role of governance? So, you know, it's very easy is not the right word, but it's very compelling to find a very cut and dry case and say, in this scenario, this is what should happen. But most of the cases you actually, you actually see, they're often not that cut and dry. And it's not as easy for somebody on the outside to make a decision about it. But if it's phishing, if it is used, for example, for distributing malicious software or malware, and there are a series of other types of abuse, then the registries and registrars are contractually obligated to mitigate that. And if they don't, then we like to hear about it and we can go talk to them.
Alex Goldman
This seemed absolutely bonkers to me, because as near as I can tell, the only difference between what Jordan's scammers are doing and what these phishing scammers are doing is that the phishers are sending texts or emails. Jordan's scammers were buying ads on Facebook directing people to their scam site. But that isn't enforced by ICANN. Now, John stressed that just because it isn't covered by the new ICANN policy doesn't mean that web spoofing is legal. Most registrars have their own terms of service, most of which should cover this. And they're beholden to the laws of their country, which should also cover this. But the thing is, I had just spoken to Adam, a guy who has now encountered multiple spoof sites with unlisted registration information, and I wanted to know, one, how this was even possible, and two, what does John think we should do in this situation? To the first question, he explained that ICANN can enforce its policy for all of the domains that are three letters or longer. So .com, .org, .edu, .pizza, .diamonds, etc., etc. All of those. But what it does not manage is the two-letter domains for countries. So whether it's .uk for England, .ca for Canada or .ly for Libya, those are managed by the country of origin, and ICANN has no power to enforce anything for them. As for what to do in a situation like this, I wish I could...
John Crane
...just give an easy answer and say, well, you just go here, here and here and it will all be solved. Businesses like large corporations suffer from this in the same way that small businesses do, but they can afford the lawyers and the, the skill sets to go and track down people and actually have some effect on the behaviors. As a mum and pop shop or, or even a sole business owner, I have a few small businesses myself, it's, it's very hard. I'm a big fan of the Internet. Obviously I, I wouldn't do my job if I wasn't. But it comes with some downsides. It's not all ups. There's, there are some serious downsides to, to an open environment, where that allows for all this ingenuity and all this growth.
Alex Goldman
I gotta be honest, I was pretty bummed out about what he was telling me. It felt like he was saying that this is just the price of doing business on the Internet and that in exchange for all this information, people without resources to fight are going to get hurt. And I think he may have sensed that I was feeling that way, because when I said, "I mean, I guess that's sort of the trade-off, right? We've got almost the entire history of the world's information at our fingertips. Sometimes people get scammed," he immediately responded in the most thoughtful way possible.
John Crane
And we wish they didn't, but it's this. And, you know, as we progress, there will be better regulations from governments. You could see GDPR as a reaction to Internet and information freedom, as governments reacting to try and balance out the too-easy access to people's information. And we will see more of that in the years going forward. We will see new regulations, and some of them will be good and some of them will be less good. And even in the ICANN world, we will see new policy; we will see the policies change about what we expect from the industry to protect the registrants and the end users. And that is an ongoing discussion. If you ever, ever get the chance, you should actually come and visit an ICANN meeting, either in person (if you come in person, I'll buy you a beer or a coffee or whatever you drink) or, you know, if not, go and watch it virtually. It's a really interesting methodology or philosophy for how you manage global infrastructure. It's not like the typical multilateral government-to-government that happens everywhere else. Like, everybody kind of gets to have a say, and I'm a big fan of it.
Alex Goldman
Obviously what John was saying is this. In the same way that scammers will always be looking for ways to attack your website, and guys like Adam Weiss will always be looking for ways to defend it, the ICANN community will always be looking for ways to ensure that the Internet's domain name system remains stable and safe. And some of the time they're still going to get it wrong, because scammers and other bad actors on the Internet are constantly innovating and evolving, and ICANN is often just reacting to those evolutions. So even though some of their policies feel pretty unsatisfying to me, and even though I do think there should be clearer pathways for minimizing harm on the Internet, the idea of writing policy that has to be implemented fairly and evenly across continents and cultures is something I need to learn a lot more about before I feel comfortable having a real opinion about it. And that's why I'm planning to attend ICANN's next meeting in June. I'll probably do it virtually because it's in Prague, but I would love it if you all joined me, because the way John explains it, ICANN is just an enforcer of rules, and it's up to us to help make those rules. So let's do a good job. This episode of Hyperfixed was produced and edited by Emma Cortlandt, Amor Yates and Seri Safer Sukinek. It was hosted by me, Alex Goldman. The music is by the mysterious Breakmaster Cylinder and me. The show was engineered by Tony Williams. Fact checking by me, Amor Yates and Sari Soffer Sukanek. You can get bonus episodes, join our Discord and much more at hyperfixpod.com. Join and listen. I say this every week, but I truly think that this kind of membership program is really the only way forward for narrative podcasting. If you feel like you can support, please think about signing up. And if you can't afford it, I totally get it. Everybody is having to make difficult decisions about what they can afford right now.
But if you could think about telling your friends and family about it, you know, sit your parents down and make them listen to it, that'd be awesome. Hyperfixed is a proud member of Radiotopia from PRX, a network of independent, creator-owned, listener-supported podcasts. Discover audio with vision at radiotopia.fm. Thanks so much for listening. Radiotopia, from PRX.
Hyperfixed Podcast Episode Summary: "The Shopify Arms Race"
Release Date: March 27, 2025
Host: Alex Goldman
Podcast Network: Hyperfixed & Radiotopia
In the episode titled "The Shopify Arms Race," Alex Goldman delves into the escalating battle between online retailers and scammers who create counterfeit websites to deceive customers. This detailed exploration is inspired by a real-world problem faced by a listener named Jordan, who works for an independent retailer, Brown's Kitchen.
Jordan, a former documentary filmmaker turned retail professional, recounts her journey from managing her own website to building Brown's Kitchen—an independent counterpart to Williams Sonoma—into a thriving e-commerce platform using Shopify. However, during the peak Christmas season in November, Jordan encountered a significant issue:
Jordan [04:05]: "So this was in November, which was peak Christmas shopping season. The store is a madhouse. And we started getting phone calls from people who were saying they ordered something through our website, and they either haven't gotten it yet or they got some weird emails afterwards."
Upon investigating, Jordan discovered that scammers had created duplicate websites of Brown's Kitchen, offering products at drastically reduced prices to lure unsuspecting customers. These counterfeit sites mirrored the original website's design, complete with logos and photographs, making them appear legitimate.
Jordan [05:22]: "They have our logos on the page. I mean, it looks identical to our real website."
Initially, Brown's Kitchen attempted to mitigate the issue by filing DMCA takedown requests. However, this approach hit a roadblock:
Jordan [08:19]: "Don't own the copyright to the images on our website. Those images are all provided by the corporate vendor."
Since Brown's Kitchen didn't hold the copyrights for the images used on their website, their DMCA requests were denied. To overcome this, the company enlisted the help of their corporate vendors—brands like KitchenAid and Mixmaster—who filed successful DMCA takedowns, resulting in the removal of the initial spoofed sites.
As a second spoof site emerged three months later, Jordan sought a more efficient solution. She connected with Adam Weiss, a seasoned web developer, who introduced her to an innovative Shopify app named Storlock. This app doesn't prevent scammers from copying a website but counteracts their efforts by injecting a pop-up that warns visitors they are on a fake site and redirects them to the legitimate Brown's Kitchen website.
Jordan [09:31]: "It's a temporary workaround. It doesn't prevent the scammer from copying our website. But what it does is when they copy our website, it puts up like a pop-up window."
The effectiveness of Storlock was immediate. Within two days of implementation, the spoofed site was taken down, significantly reducing fraudulent activities against Brown's Kitchen.
Alex Goldman, intrigued by the technical prowess of Storlock, sought to understand its mechanisms. During a conversation with Adam Weiss, he learned that Storlock operates by embedding a small script within the legitimate website's code. When a scammer copies the site wholesale, the script travels with it; on the counterfeit host it detects that it is not running on an authorized domain and triggers the warning pop-up and redirect.
Adam Weiss [16:28]: "What if we put in some tiny bit of script, you know, that would allow us to say, is it one of these domains that you're allowed to be on? If not, then just redirect them right away."
This ingenious method effectively disrupts the scammers' efforts, acting as a modern-day Trojan horse to safeguard legitimate e-commerce platforms.
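The domain check Adam Weiss describes can be sketched in a few lines of client-side JavaScript. The block below is an added illustration written for this summary; it is not Storlock's code, and the shop hostnames and canonical origin in it are constructed placeholders. It keeps the decision logic in pure functions (so it can be unit-tested outside a browser) and confines the DOM side effects, the overlay and the redirect, to one function that only runs when a real `window` exists.

```javascript
// Added example, not Storlock's code: a shop embeds this in its own theme so a
// copy of the theme served from another host warns visitors and sends them to
// the genuine store. Hostnames below are constructed placeholders.
const ALLOWED_HOSTS = ['www.shop.example', 'shop.example', 'shop-example.myshopify.com'];
const CANONICAL_ORIGIN = 'https://www.shop.example';

// Normalise a hostname for comparison: lowercase and strip a trailing dot.
function normalizeHost(hostname) {
  return String(hostname).toLowerCase().replace(/\.$/, '');
}

// True only on an exact allowlist match. Suffix or substring matching would let
// a look-alike such as "shop.example.evil.test" pass, so it is deliberately avoided.
function isAllowedHost(hostname, allowed = ALLOWED_HOSTS) {
  const h = normalizeHost(hostname);
  return allowed.some((a) => normalizeHost(a) === h);
}

// Map the visitor to the same path on the genuine store, keeping the query
// string so a cloned product page lands on the real product page.
function redirectTarget(location, canonical = CANONICAL_ORIGIN) {
  let path = location.pathname || '/';
  if (!path.startsWith('/')) path = '/' + path;
  return canonical + path + (location.search || '');
}

// Pure decision: nothing to do on an allowed host, otherwise warn and redirect.
function evaluatePage(location) {
  if (isAllowedHost(location.hostname)) return { action: 'none' };
  return { action: 'warn-and-redirect', target: redirectTarget(location) };
}

// Browser side effects only: paint a full-screen warning, then replace the
// location (replace() keeps the fake page out of the visitor's history).
function enforce(doc, win) {
  const decision = evaluatePage(win.location);
  if (decision.action === 'none') return decision;
  const overlay = doc.createElement('div');
  overlay.setAttribute('role', 'alertdialog');
  overlay.style.cssText =
    'position:fixed;inset:0;z-index:2147483647;background:#fff;padding:2rem;font:16px sans-serif;';
  overlay.textContent =
    'This is not the genuine store. Redirecting you to ' + CANONICAL_ORIGIN + ' ...';
  doc.body.appendChild(overlay);
  win.setTimeout(() => win.location.replace(decision.target), 3000);
  return decision;
}

// Run automatically when loaded in a page; in Node the guard keeps it inert.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  enforce(document, window);
}
```

Two caveats a practitioner would note: the check only works while the copied theme still contains the script, so a scraper that strips inline scripts bypasses it, and a scammer who proxies the real site rather than copying it is better caught server-side by comparing the request's `Host` header with the allowlist. Exact matching matters for the same reason look-alike domains exist in the first place: `endsWith('shop.example')` would accept `notshop.example`.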
The episode takes a deeper dive into the broader implications of internet governance on combating such scams. John Crane, Senior Vice President and Chief Technology Officer at the Internet Corporation for Assigned Names and Numbers (ICANN), explains the shifts in WHOIS policies that have inadvertently hampered efforts to identify and shut down malicious websites.
John Crane [23:03]: "It's not that ICANN or some like developed a policy that said, we will no longer share private data, which what we call PII, Personally Identifiable Information."
After the 2013 Edward Snowden leaks, there was a significant push towards enhancing online privacy, leading to regulations like Europe's General Data Protection Regulation (GDPR) in 2018. These regulations necessitated the redaction of personal information in WHOIS databases to protect individual privacy. While well-intentioned, this change has made it significantly more challenging for businesses and individuals to trace and take action against scammers.
Alex Goldman [25:07]: "The GDPR basically said, if you're doing... Business in Europe or with Europeans, you cannot share their, or even store, in some cases, their data without express permission."
Crane elaborates on the unintended consequences of these privacy measures, highlighting the difficulty in holding registrars accountable and the lack of enforcement mechanisms for certain types of cyber fraud, especially those not explicitly covered under new policies.
John Crane [26:23]: "Things like WHOIS had to be less open, specifically with what we call personally identifiable data."
Despite new policies aiming to curb phishing and similar malicious activities, the specific challenge of real-time website spoofing persists. ICANN's role is evolving, but gaps remain in addressing sophisticated scams that exploit loopholes in current regulations.
John Crane [29:41]: "It's not covered by the new ICANN policy."
Crane emphasizes the ongoing discussions within ICANN about delineating responsibilities between the naming and hosting industries, law enforcement, and governance bodies to effectively combat such online fraud.
Alex Goldman expresses his frustration and skepticism about the existing regulatory frameworks, pondering the balance between internet openness and security.
Alex Goldman [33:07]: "It felt like he was saying that this is just the price of doing business on the Internet and that in exchange, exchange for all this information, people without resources to fight are going to get hurt."
"The Shopify Arms Race" underscores the perpetual struggle between e-commerce businesses striving to protect their digital presence and the relentless ingenuity of online scammers. While innovative solutions like Storlock offer temporary relief, systemic changes in internet governance and enhanced regulatory measures are essential for long-term resolution.
Alex Goldman concludes with a personal commitment to further understanding and engaging with ICANN's efforts to address these challenges, highlighting the need for collective action in refining and enforcing policies that safeguard both businesses and consumers in the digital marketplace.
"The Shopify Arms Race" offers a comprehensive examination of the complexities surrounding online fraud, e-commerce security, and the intricate web of internet governance. Through Jordan's experience and insights from experts like Adam Weiss and John Crane, listeners gain a nuanced understanding of the challenges and potential solutions in safeguarding digital commerce.
Produced and edited by Emma Cortlandt, Amor Yates, and Seri Safer Sukinek. Music by Breakmaster Cylinder and Alex Goldman. Engineered by Tony Williams. Fact-checked by the Hyperfixed team.