Hyperfixed - The Shopify Arms Race
Episode Date: March 27, 2025If you like this show, please think about becoming a premium member - it will help us keep making it, making it better, and making it weirder.https://www.hyperfixedpod.com/joinThis week - Sca...mmers have managed to copy Jordan's entire website and steal her business -- more than once. But how are they doing it? And why is it so hard to fight now? LINKS:StoreLockICANNWhat is the GDPR Learn about your ad choices: dovetail.prx.org/ad-choices
Transcript
Discussion (0)
Hi there, it's Robin from PRX.
I'm very excited to tell you about NeverPost, the newest show in the Radiotopia family.
Have you ever wondered why is the internet like that?
That's the question the folks at NeverPost try to answer in each episode.
Why is there something called influencer voice?
What's the deal with the TikTok shop?
What is posting disease and do you have it?
Why can it be so scary and yet feel so great to block someone on social media?
The NeverPost team wonders why the internet, and the world because of the internet, is
the way it is.
They talk to artists, lawyers, linguists, content creators, sociologists, historians,
and more about our current tech and media moment from PRX's
Radiotopia, Never Post, a podcast for and about the internet. Episodes every other week at neverpo.st
and wherever you find pods. Hi, I'm Alex Goldman, and this is Hyper Fixed. On this show, listeners
write in with their problems, big and small, and I solve them.
Or at least I try.
And if I don't, I at least give a good reason why I can't.
But this week, I'm not even going to attempt to solve this problem.
Now I planned to, and honestly I was really looking forward to it, because this week's
problem, it used to be my specialty.
I would eat problems like this for breakfast.
It was the kind of thing where I would just step in
and everything would fall into place
and there'd be a ticker tape parade for me
and I'd be hailed as the problem solver,
the problem conqueror.
It was like amazing how easy these problems
used to be for me.
But by the time I connected with this week's listener,
her problem had already been solved
by someone else.
And when I learned how it had been solved and why it had to be solved that way, I was
so fascinated both by the mechanics of it and also by what it says about the world we're
living in that I decided to tell the story anyway.
So here it is.
This week, the Shopify arms race.
All right. So about a month ago, a listener named Jordan posted to the
Hyperfix Discord asking about this problem she was having with her
company's website. Hey Alex, how are website. Hey, Alex, how are you?
I'm good. How are you?
Good. Sorry, my office mate is leaving soon, so he'll be quiet.
Jordan used to be a documentary filmmaker, but about three years ago,
she decided to start looking for something that felt a little happier,
which is how she found herself taking a job
at an independent retailer called Brown's Kitchen.
They were looking for someone who knew retail, but also was able to help them
start their e-commerce business.
And I had run my own website for a few years.
So I knew enough to build a Shopify template and
get an e-commerce website up and running.
Brown's Kitchen is like a independent Williams-Sonoma.
They sell cookware, bakeware, cutlery, pretty much everything you need for your kitchen.
But back in 2022, when Jordan first got hired, none of that stuff was available on their website.
They were totally brick and mortar. So Jordan got in there,
she built Brownskitchen.com into a real e-commerce site, and over the next three years, the website
grew into a legitimate source of revenue for the company. But then, late last year, something
started happening that threatened to undermine all that growth and tank the company's burgeoning
e-commerce business. So, this was in November, which was peak Christmas shopping season.
The store is a madhouse.
And we started getting phone calls from people who were saying
they ordered something through our website,
and they either haven't gotten it yet,
or they got some weird emails afterwards.
So Jordan's like, huh, well, that's weird.
Got to figure out what's happening with these orders.
But when she searched their system,
she finds no record that
any of these orders were ever placed on the company's website.
So the question becomes,
why do so many customers think that they were?
That's when we discovered that our website
is being essentially duplicated by a scammer.
Brown's Kitchen had been the victim of web spoofing,
which is exactly what it sounds like.
A scammer will create a copycat website
in the hopes of tricking customers into thinking that the site they're on is
associated with a legitimate business. Except in Jordan's case, the scammer made
one significant and very strategic change. They lowered the prices of every
item listed for sale. So say you're looking for an espresso machine, you'll find it on their website for half the
price and it looks very legitimate.
They have copied our full template, all of our photos, everything is arranged in the
same way with the same colors, they have our logos on the page.
I mean, it looks identical to our real website. Not to make this about me, but again,
this kind of thing used to be my specialty.
Back when I worked as a tech reporter,
my favorite thing in the world was hunting down internet scammers
and confronting them directly.
And I was able to do that in large part
using this incredibly helpful tool called a Whois lookup.
Through the Whois lookup, I was able to find personal information for every person
who'd ever registered a website, including the names, phone numbers,
and addresses of web scammers all over the world.
It wasn't perfect, but more often than not, it worked.
But in 2018, the rules around internet privacy
began to change.
And suddenly, all of the personal information
I used to be able to get through the Who Is lookup,
it stopped being accessible to the general public.
Now, if you wanna get that kind of personal info,
you have to get a subpoena for it.
But there are other ways to address this kind of problem.
And I was looking forward to using this story as a reason to share those tactics with the Hyperfix audience.
But just as I was starting to do recon on Jordan's spoof site, this happened.
And what is the duplicate website called?
So there have been two.
They both have currently been removed.
Jordan's problem had already been solved.
Or at least the part of it I thought she was going to ask me to solve.
The problem she actually wanted me to solve involved figuring out how the scammer had
been able to create these exact replicas of her website.
The answer, which I told her immediately, was that the scammer just scraped code from
her website.
More on this later.
Anyway, I was very disappointed.
And like a teenage Alex Goldman at a middle school dance,
and I'm speculating here
because I never went to a middle school dance,
I began to emotionally detach myself
from the outcome of this conversation.
But as I was sitting there,
my mind floating somewhere above my body,
Jordan started talking about how this whole thing got solved.
And my mood changed completely. Because the
solution was so fascinating and so cool and so far beyond my understanding of the internet,
I felt like I had to meet the person who pulled it off and ask him how he was able to do it.
Okay, so real quick, the two sites were brought down in different ways. And the first one was
pretty basic. Jordan told me that she did some research, and she learned that step one of these situations
is to file a DMCA takedown request.
The thing is, the Digital Millennium Copyright Act only covers copyrighted material.
And we don't own the copyright to the images on our website. Those images are all provided by the corporate vendor.
So those kept getting denied.
So Jordan's bosses had the clever idea to contact their corporate vendors,
think companies like KitchenAid and Mixmaster,
and have them file DMCA requests.
Because they also have a vested interest in the success of Brown's Kitchen and the money to do something about it.
They got their corporate lawyers involved to have all the money and power in the world,
and they got the first one taken down.
This happened back in December.
And then about three months later, a second spoof site popped up.
And Jordan's like, I can't go through this DMCA rigmarole again. It took
weeks the first time. Our customers are being victimized. I need a faster solution. So on
the same day that Jordan posted to the Hyperfix Discord, she also posted about her problem
on a subreddit for web development. And there she got a reply from a guy who said he built
an app specifically to combat these web spoofers.
And when she told me about the app, it was unlike anything I'd ever heard of.
It's a temporary workaround. It doesn't prevent the scammer from copying our website.
But what it does is when they copy our website, it puts up like a pop-up window. So when you go to the scammers website,
a pop-up window comes up and says, you are on a fake website, it's impersonating this
real website, and it redirects you to our website.
How is that, how can you do that on someone else's website?
I don't know.
I have no idea how it works.
But it's a Shopify app.
Okay.
So it's $4.99 a month and so far it's working.
Within two days it discouraged the scammer from using our website and they took it down.
In 15 years of reporting on tech, I have never heard a story about
planting a pop-up on someone else's website.
As far as I knew, it shouldn't even be possible.
In order to make any changes on someone else's website,
my understanding was that you needed to be able to log into it.
But Jordan had seen this work,
and now all I wanted to do was understand how
So I asked her to connect me to the guy who created it Adam. Thank you so much for doing this. Yeah, no problem I had somebody reach out to me and say hey, I recommended you do the podcast. I was like great. Thanks so much and
Was kind of surprised to actually see somebody follow up on that. So yeah excited to chat. This is Adam Weiss
He lives in Columbus, Ohio.
And for the past 20 years, he's been working as a web developer,
building apps and websites for clients all across the country.
And when I asked him about the genesis of this magical app
he'd created, one of the first things he told me
was that he never actually set out to create it.
Store Lock, which is what it's called,
was built out of a need to protect his clients from a new
kind of web spoofing that he discovered entirely by accident. It started back in 2022. Adam was
working on an analytics project for one of his clients, another independent e-commerce business
powered by Shopify, and while combing through their analytics, Adam discovered an imposter.
combing through their analytics, Adam discovered an imposter.
Somebody had copied their entire website
and was hosting it on a very similar domain name,
something where they just added an S to the domain.
And they were running Facebook ads to direct people
from Facebook into this fake site
with the intention of stealing people's credit cards.
Now, I've seen plenty of sites like this before,
and so has Adam.
And one of the reasons they're so prolific
is because the mechanics of traditional web spoofing
are ridiculously simple.
As I explained to Jordan,
scraping the code from someone's website
can be accomplished very easily.
And there's tons of resources online
teaching you how to do it,
and even just giving you the code. But this site wasn't like those other spoofing sites.
Took me a little bit of time to kind of figure out that they, you know, not just
copy the site, but they were actually sort of mirroring it.
They were using some sort of technology essentially that anytime a request came
in to their website, they would grab an exact copy of the current site and
then sort of replacing any links or any phone numbers on the site in order to trick people
into thinking that they were on the original website.
So every time someone visited their site, it would take an exact copy of the existing
website?
Yep.
Well, 100% right at that moment too.
So if we were making changes to the website, it was getting updated on that fake site in real time
Adam told me that in all his years of web development
He'd never seen anything like this and until he explained this to me
I'd never even heard of it
Which is why I had very confidently and very incorrectly told Jordan her site was being scraped. And I'm sorry about that, Jordan.
The thing is, even fake websites are required
to have real registrations.
And even though you're no longer able to see the name
of the person who registered the site,
you can still figure out where they registered it.
And you do that using the whois lookup
that I mentioned earlier.
So Adam used the whois lookup
to figure out where the site was registered.
Then he wrote them a letter saying,
''Hey, one of your clients,
one of your customers is doing something nefarious.
They're perpetrating fraud on your platform.''
This, by the way, is exactly how I would have approached it.
Within a couple of days, the registrar removed the site.
But the problem was, it didn't end there.
Over the next six months, another half-dozen of these spoof sites popped up, and all of
them were exact replicas of this one client's site.
Over and over again, Adam found himself turning to the Whois lookup, searching for registration
information, and then asking the registrars to remove the scam sites.
For months, his life was like web spoof whack-a-mole.
And then, one day in 2023, Adam ran his Whois lookup
on yet another one of these spoof sites.
And this time, he didn't find anything.
And I know that for a large swath of our audience,
that probably doesn't sound like a big deal at all. But this scenario that Adam found himself facing, where the Whois record had no registration
information, it's not supposed to be possible.
Because now that we can't access personal information through a Whois lookup, registrars
provide one of our only avenues for recourse on the internet.
In fact, as far as I know, policing this kind of fraud
is actually one of the registrar's only jobs.
And if a site has no registration information,
then there's no one with the authority to take it down.
You could talk to the website's host,
meaning the place where the site's files actually live,
but they're generally even less responsive than registrars.
And for small to medium-sized businesses
like Brown's Kitchen and like most of Adam's clients,
leaving up your spoof site just isn't an option.
It's like sitting in a shark tank while actively bleeding.
Adam tried everything he could think of
to get the site removed.
At one point, he even contacted Facebook
to see if they could help,
since most of the spoof site's traffic
had been driven by Facebook ads.
In Facebook, they didn't really seem to care.
This was another business to them.
They were earning money on ads.
And they kind of left it at that.
They said, well, there's not really a lot that we can do.
It's not our problem.
So without a formal pathway to removing this website, Adam started looking for ways to
neutralize its impact.
And that's when he had the idea that would eventually lead him to develop Store Lock.
Adam knew that the spoof site was mirroring instantaneously. And he had this theory that it wasn't just the superficial changes that were being mirrored. So he started thinking,
if the scammers are copying our website whole cloth, Maybe we can stitch in a piece of code that exposes their deception.
What if we put in some tiny bit of script that would allow us to say, is it one of these
domains that you're allowed to be on?
If not, then just redirect them right away.
So Adam ran a test.
He wrote out a short script that asks a single question.
Am I on the website I was designed for?
And the next time the spoof site mirrored the real site,
Adam's script sprang into action and said,
wait a minute, I'm in the wrong place.
I should let everybody know.
And the way it did that was via a pop-up on the spoof site.
That was the birth of Adam's store lock app.
And in the years since then, he's
continued to refine and build upon that original idea. The store lock team is small. It's really
just two people at this point. And they've spent no money on marketing this product,
in part because they realize it's the kind of thing you don't really know you need until you
really need it. So for now, they've been hanging out in the subreddits and on Shopify forums,
watching out for people like Jordan
who find their web shops facing attacks
they don't know how to handle.
We don't have a ton of customers yet,
but we've seen that this is a big enough problem
that there's enough market for us to go after
and continue building this.
But for every move Adam makes to protect his customers,
he knows the scammers aren't far behind.
They'll always be searching for a way
to circumvent his defenses,
and he'll always be searching for ways
to block their circumventions.
And maybe this is all that any of us can do.
Maybe this Shopify arms race is the best
that any of us should hope for.
But honestly, I find that very hard to accept.
And so does Adam. Because we still remember the days us should hope for. But honestly, I find that very hard to accept.
And so does Adam.
Because we still remember the days when you could actually stop a scam at its source,
when a reporter like me, or a web developer like Adam, or literally anyone else in the
world could use the who is lookup and find exactly who is perpetrating this attack on
Jordan's site.
And we still don't really understand why we abandoned that system.
And if what Adam's saying is right, and we can't rely on registrars to act as enforcers
on the internet, I would really love for someone to tell me, who exactly is supposed to be
in charge? After the break, we get an answer to that question.
And the answer kinda sucks. I'm Nomi Fry. I'm Vincentomi Frey.
I'm Vincent Cunningham.
I'm Alex Schwartz.
And we are Critics at Large, a podcast from The New Yorker.
Guys, what do we do on the show every week?
We look into the startling maw of our culture and try to figure something out.
That's right.
We take something that's going on in the culture now.
Maybe it's a movie, maybe it's a book, maybe it's just kind of a trend that we see floating in the ether.
And we expand it across culture as kind of a pattern or a template.
We talked about the midlife crisis, starting with a new book by Miranda July, but then we kind of ended up talking about Dante's Inferno.
You know, we talked about Kate Middleton, her so-called disappearance, and from, we moved into right-wing conspiracy theories.
Alex basically promised to explain to me
why everybody likes The Beatles.
You know, we've also noticed that advice is everywhere.
Advice columns, advice giving,
and we kind of want to look at why.
Join us on Critics at Large from The New Yorker.
New episodes drop every Thursday.
Follow wherever you get your podcasts.
Welcome back to the show. So before the break, I learned more about the state of internet scams
than I have in probably the previous two years. I learned that scammers can spoof a website in
real time and that one way to deal with this is to essentially build a Trojan horse into the code
of your website that outwits scammers by making
their own site tell you that they're scammers. And that ever since the WhoIsLookUp redacted the
personal information from its public database, we are often left at the mercy of registrars
who aren't necessarily going to do that much to help you out. But I still walked away from
that conversation with some questions of my own.
The first of which was, why do we no longer have access to that personal identification
information?
So, I reached out to the people responsible for managing the Whois database.
So just to start, could you tell me your name and what you do?
Okay, so my name is John Crane, as spelled here on Zoom.
I am the Senior Vice President and Chief Technology Officer
for something called the Internet Corporation
for Assigned Names and Numbers.
The Internet Corporation of Assigned Names and Numbers
is a mouthful, so we will call it
what everybody else calls it, which is ICANN.
ICANN is a nonprofit organization.
It is based in Southern California.
And among other things, they oversee the global domain system for the entirety of the internet.
What they do is incredibly technical, but the short version is if your computer is trying
to get to a certain domain, like.baseball or.cancerresearch, and yeah, both of those are real top-level domains, ICAN keeps a global
list of these destinations, and it helps route traffic to that domain.
But yeah, it's incredibly technical.
I was getting corrected by John left and right.
So you're like an address book for every website in the world?
No, we are not.
OK.
We are, if you like, the library index card
of where you go to find that information.
We do not hold all the information.
We are the starting point of the path
to go and find that information.
John has been with ICANN since the very beginning,
like the late 90s.
And in the office of the CTO, one of his responsibilities is studying and advising on special policy
issues all over the world.
So I started talking to him about this kind of fraud we've been discussing in this episode,
where people are building websites to impersonate other legitimate websites.
I told him that they are doing it for the purposes of stealing credit card information,
and I told him about how much harder it is to handle these situations now that registrars are the only outlet for remediation.
And then I asked him, why did ICANN decide to redact this personal information from the Whois lookup?
And John was like, we didn't. It's not that ICANN or some like developer policy that said we will no longer share private
data, which is what we call PII, personally identifiable information, is that the laws
changed.
And the reason the laws changed is an event you may remember.
So back in 2013, an NSA intelligence contractor named Edward Snowden walked out of his office
carrying a thumb drive that was loaded to the gills with top-secret government files.
He got on a plane, flew to Hong Kong, and then he sent the files off to WikiLeaks.
And when WikiLeaks started publishing Snowden's secret files, the internet lost its mind.
The most startling revelations contained in those documents were about just how big the
U.S. surveillance apparatus had become.
It was through these leaks that we learned that U.S. intelligence agencies could access
servers at most of the major tech companies.
They were harvesting millions of cell phone records a day.
They were mapping locations based on cell phone information.
They were even collecting AOL instant messenger content lists.
And as the conversation about the way the government was watching us ramped up,
I mean, these days, now that we've been completely captured by the global panopticon,
now that we've got AI facial recognition and half a dozen cameras on every car,
this all seems pretty quaint, but at the time, it freaked everybody out.
And then something happened in the legal sphere. People started caring about privacy.
And not just in the sense that they didn't want the government hijacking their webcams
and looking at their naked butts, which is, you know, like what I say when I'm explaining
this to my kids. People were also concerned about the fact that websites were tracking them around the
internet in order to sell their data to advertisers and to credit agencies.
And in the heat of that terrifying moment, governments all over the world started passing
reactionary laws to protect people's data, the most famous of which were Europe's general
data protection regulations in 2018.
The GDPR basically said,
If you're doing business in Europe or with Europeans, you cannot share their, or even store
in some cases, their data without express permission. And because it is a worldwide web,
and Europe is a powerful and populous continent, the impact of this change was felt all over the
globe.
If you've ever encountered a pop-up asking, would you like to allow cookies on this website,
you have the GDPR to thank for that.
But laws governing the internet, especially when they're reactionary and especially when
they're written by people who don't know a lot about the internet, tend to have some
unintended consequences. And in the case of the GDPR, one of those unintended
consequences was the nerfing of the who is lookup.
Things like who is had to be less open,
specifically with what we call personally identifiable data.
That's things like your name, your address,
or combinations of pieces of data
that put together could identify you as an individual.
Right.
It was done to protect the citizenry.
It was done with completely good intent.
There are some side effects that I think weren't foreseen.
What were the side effects that weren't foreseen?
That people tackling
badness could not necessarily get access to data that they could before.
Apparently, in the earliest days of the GDPR, it was unclear if even law enforcement would
still be entitled to this data.
Today, they're still only able to get their hands on some of it.
But not all of the badness is being fought by law enforcement. A lot of the counter crime activity that happens
online is actually by private organizations. Businesses, for example, that do this for
their clients. If you're a business taking down fraudulent websites, in the past, you
could go and find out who that person was and you could send them a subpoena or you
could send them a cease and desist. You can't really do that as easily now. Now you have to send it to the
registrar. So because of this law that protects my privacy when I make a website, but also protects
the privacy of a scammer if they do the same, the Whois record is off the table. In the past,
when I was able to locate tech support scammers by name to an office in Punjabi Bagh, New Delhi,
when I was able to locate tech support scammers by name to an office in Punjabi Bagh, New Delhi, based on a who is lookup, these days the best I can do is get a site taken down. And that is,
at its very best, just a band-aid. Because it is incredibly easy for a scammer to just switch
registrars and run the whole scam again. So there's hundreds of registrars, and like,
whole scam again. So there's hundreds of registrars and like,
some registrars are more responsive than others in terms of like, actually policing this kind of content. So like, what
is it? What option does a person have if the registrar is not
policing it?
So let's talk about a domain name that is used for a
something called phishing. Now, I think everybody's at least
been attempted to be phished at some point where they send you a link either on your phone. Technically, we call that smishing because
it's SMS phishing. And there's a link and you click on it and you really shouldn't have bad
things happen. That name in the lure, if you like, and the thing that takes you, is being used in a smish.
Now recently, like in the last year, we changed our contracts, working with the registries
and the registrars.
That contract change is meant to ensure more accountability from the registrars.
So now, if someone comes to the registrar with evidence that one of their sites is engaging
in phishing, the registry is obligated to step in and mitigate that abuse.
If they do not mitigate evidence abuse, you can send a report to ICANN along with the
evidence that you shared with them, and we will go and talk to them.
And if they do not change their mechanisms to be within compliance
with our contracts, they will eventually no longer be a registrar.
I mean this is a big deal because if they repeatedly fail to stop this kind of abuse,
they could lose their status as a registrar.
But the thing is that this new policy only covers specific types of malicious activities.
And website spoofing, this specific type of attack we've been talking about in this entire
episode, this scam that's become so prolific that Adam Weiss has built an entirely separate
wing of his business devoted to addressing it, it's not covered by the new ICANN policy.
The ICANN policy is not set by ICANN the the organization, but set by ICANN, the community,
do not cover this.
And it's actually a really interesting conversation that is constantly ongoing at ICANN about
what do we do about these kinds of things and whose role is it?
Is it the role of the naming industry or is this a role for the hosting industry? Or is it both? What
is the role of law enforcement? What is the role of governments?
So it's very easy, it's not the right word, but it's very compelling to find a very cut
and dry case and say, in this scenario, this is what should happen. But most of the cases
you actually see, they're often not that cut and dry. And it's not as easy for somebody
on the outside to make a decision about it. But if it's phishing, if it is used, for example,
for distributing malicious software or malware, and there are a series of other types of abuse, then the
registries and registrars are contractually obligated to mitigate that.
And if they don't, then we like to hear about it and we can go talk to them.
This seemed absolutely bonkers to me, because as near as I can tell, the only difference
between what Jordan scammers are doing and what these phishing scammers are doing is that the phishers are sending texts or emails.
Jordan scammers were buying ads on Facebook directing people to their scam site, but that
isn't enforced by ICANN.
Now, John stressed that just because it isn't covered by the new ICANN policy doesn't
mean that web spoofing is legal.
Most registrars have their own terms of service, most of which should cover this, and they're
beholden to the laws of their country, which should also cover this.
But the thing is, I had just spoken to Adam, a guy who has now encountered multiple spoof
sites with unlisted registration information.
And I wanted to know, one, how this was even possible, and two, what does John think we
should do in this situation?
To the first question, he explained that ICANN enforces policy for all of the domains that are three letters or longer.
So.com,.org,.edu,.pizza,.diamonds, etc., etc., all of those.
But what it does not manage is the two letter domains for countries. So whether it's.uk for England,
.ca for Canada or.ly for Libya, those are managed by the country of origin, and ICANN
has no power to enforce anything for them. As for what to do in a situation like this.
I wish I could just give an easy answer and say, well, you just go here, here and here,
and it will all be solved. Businesses like large corporations suffer from this in the same way that small businesses do.
But they can afford the lawyers and the skill sets to go and track down people and actually
have some effect on the behaviors. As a mom and pop shop or even a sole business owner,
I have a few small businesses myself.
It's very hard.
I'm a big fan of the internet.
Obviously, I wouldn't do my job if I wasn't.
But it comes with some downsides.
It's not all ups.
There are some serious downsides to an open environment that allows for all this ingenuity
and all this growth.
I gotta be honest, I was pretty bummed out about what he was telling me.
It felt like he was saying that this is just the price of doing business on the internet,
and that in exchange for all this information, people without resources to fight are going to
get hurt. And I think he may have sensed that I was feeling that way. Because when I said this, I mean, I guess that's sort of the trade-off, right?
We've got almost the entire history of the world's information at our fingertips.
Sometimes people get scammed.
He immediately responded in the most thoughtful way possible.
And we wish they didn't.
But it's this.
And, you know, as we progress, there will be better regulations from governments.
You could see GDPR as a reaction to internet and information freedom, as governments reacting
to try and balance out the too easy access to people's information.
And we will see more of that in the years going forward.
We will see new regulations and some of them will be good and some of them will be less
good.
And even in the ICANN world, we will see new policy.
We will see the policies change about what we expect from the industry to protect the
registrants and the end
users. And that is an ongoing discussion. If you ever get the chance, you should actually come
and visit an ICAM meeting either in person. If you come in person, I'll buy you a beer or a coffee
or whatever you drink. But if not, go and watch it virtually. It's a really interesting methodology or philosophy for how you manage global infrastructure.
It's not like the typical multilateral government to government that happens everywhere else.
Like everybody kind of gets to have a say. And I'm a big fan of it, obviously.
What John was saying is this.
In the same way that scammers will always be looking for ways to attack your website,
and guys like Adam Weiss will always be looking for ways to defend it, the ICAN community
will always be looking for ways to ensure that the internet's domain name system remains
stable and safe.
And some of the time, they're still going to get it wrong.
Because scammers and other bad actors on the internet are constantly innovating and evolving.
And ICANN is often just reacting to those evolutions.
So even though some of their policies feel pretty unsatisfying to me,
and even though I do think there should be clearer pathways for minimizing harm on the internet,
the idea of writing policy that has to be implemented
fairly and evenly across continents and cultures,
it's something I need to learn a lot more about
before I feel comfortable having a real opinion about it.
And that's why I'm planning to attend
ICANN's next meeting in June.
I'll probably do it virtually because it's in Prague,
but I would love if you all joined me.
Because the way John explains it, ICANN is just an enforcer of rules.
And it's up to us to help make those rules.
So let's do a good job. This episode of Hyperfixed was produced and edited by Emma Cortland, Amor Yates, and Sari
Safar Sukenek.
It was hosted by me, Alex Goldblum.
The music is by the mysterious Breakmaster Cylinder and me.
The show is engineered by Tony Williams, fact checking by me, Amor Yates, and Sari Safar
Sukenek.
You can get bonus episodes, join our Discord, and much more at, Amore Yates, and Sari Sofer-Sukenek.
You can get bonus episodes, join our Discord, and much more at hyperfixpod.com slash join.
And listen, I say this every week, but I truly think that this kind of membership program
is really the only way forward for narrative podcasting.
If you feel like you can support, please think about signing up.
And if you can't afford it, I totally get it.
Everybody is having to make difficult decisions about what they can afford right now, but
if you can think about telling your friends and family about it, you know, sit your parents
down and make them listen to it, that'd be awesome.
Hyperfixed is a proud member of Radiotopia from PRX, a network of independent, creator-owned,
listener-supported podcasts.
Discover audio with vision at radiotopia.fm. Thanks so much for listening. and
the world.