I'm the one running itch.io, so here's some more context for you:
From what I can tell, some person made a fan page for an existing Funko Pop video game (Funko Fusion), with links to the official site and screenshots of the game. The BrandShield software is probably instructed to eradicate all "unauthorized" use of their trademark, so they sent reports independently to our host and registrar claiming there was "fraud and phishing" going on, likely to cause escalation instead of doing the expected DMCA/cease-and-desist. Because of this, I honestly think they're the malicious actor in all of this. Their website, if you care: https://www.brandshield.com/
About 5 or 6 days ago, I received these reports on our host (Linode) and from our registrar (iwantmyname). I expressed my disappointment in my responses to both of them but told them I had removed the page and disabled the account. Linode confirmed and closed the case. iwantmyname never responded. This evening, I got a downtime alert, and while debugging, I noticed that the domain status had been set to "serverHold" on iwantmyname's domain panel. We have no other abuse reports from iwantmyname other than this one. I'm assuming no one on their end "closed" the ticket, so it went into an automatic system to disable the domain after some number of days.
I've been trying to get in touch with them via their abuse and support emails, but no response likely due to the time of day, so I decided to "escalate" the issue myself on social media.
This issue aside, thanks for doing what you do. I was kind of expecting Itch to get sold to some holdings or casino company at some point, as good things tend to go, but I've been happily surprised to see it mature independently throughout the years.
I run a domain registrar. "serverHold" is not a status that iwantmyname could've set. If they had suspended the domain it'd have "clientHold" set. Server Hold means the registry (i.e. .io directly) has suspended the domain. Your best bet would be to contact the Internet Computer Bureau Ltd who run .io at [email protected], or the registry technical support provider Identity Digital at [email protected].
iwantmyname was bought out by a conglomerate, “Team Internet[1]”, a few years ago.
Prices went up, service went down. I’d recommend moving your domains when you can (Porkbun have been good, though I haven’t had any incidents like this).
Best of luck!
I really wish BrandShield didn't use AI as a marketing term. It just looks like it's doing a generic ctrl-F on webpages?
Then things like this happen, and people think "ooh AI is bad, the bubble must burst" when this has nothing to do with that in the first place, and the real issue was that they sent a "fraud/phishing report" rather than a "trademark infringement" report.
Then I also wish that people who knew better, that this really has nothing to do with AI (like, this is obviously not autonomously making decisions any more than a regular program is), to stop blindly parroting and blaming it as a way to get more clicks, support and rage.
I noticed that iwantmyname has very little presence on social media: no bluesky account and a twitter account that posts once or twice a year. That wouldn't necessarily be a problem if they responded to emergencies like this promptly, but they clearly don't so it is.
I also wonder if their "automatically disable" policy takes size/importance of site into account. Is this how they would treat all their domain owners, regardless of significance?
Brandshield is bad for overreacting, and iwantmyname is very bad for hosting such a crucial infrastructure, and having not responded to a paying customer with a good track record. I honestly don't think time of day matters, as long as the nature of the service is that it's provided and used 24/7, support staff should also be there 24/7.
> Because of this, I honestly think they're the malicious actor in all of this.
While I agree, the people who hired them are equally culpable. You don't get to wash your hands of the mess just because someone else is doing your dirty work.
I've had the same thing happening; I run a simple forum, and some years ago people were discussing a manga, posting images of fan translated pages.
My hosting party (Hetzner) forwarded the emails and / or put it in their own system, I removed the offending images / page, replied to the email, and done, right? Wrong, the email said I had to fill in a statement through some online form somewhere; I did that too late and got more and more threatening emails like "pack your shit we're evicting you in 24 hours". Nobody seemed to actually read my replies / explanation, probably because this is so routine for them.
And I get it, nobody can be arsed to read longwinded explanations and the like for routine operations. I hope AI assisted tooling will help the overworked support employees with making decisions in favor of giving people the benefit of the doubt and the help they need; for them it's routine, but for me it was the first time I got anything like that.
It's surprising that this happened at all. Isn't it in most business's best interests to be aware of their most high-profile customers? If this was an automatic process, it's pretty disappointing that it even occurred. If I was running a SaaS, I'd probably want to mark my important accounts so an actual human has to investigate any raised alerts instead of being dealt with by a cron.
Lemme use this opportunity for having your attention to suggest some form of collaboration or even a merger with the Godot game engine:
• itch.io users could launch the Godot Web Editor to quickly make prototypes or simple games right on itch
• Publish from the native Godot editor directly to itch.io
• Godot adopts itch.io as the official asset store for art packs etc.
• Introduce social features for devs and artists to collaborate with each other:
• A publisher could choose to add a “Fork” or similar button on their itch.io game page that downloads and opens the project source in Godot. • All "forks" published that way would include a link to the original game's page, and so on.
I think Godot+itch could/should become the Github of Games :)
> I had removed the page and disabled the account
Did this account violate your ToS or the actual law? While I totally understand where are you coming from and I would probably be forced to do the same, I still tend to believe that closing a fan account is exactly the same thing that your registrar did to you.
Smells like tortious interference to me... and likely some form of perjury. I'd probably stop talking to them now that service is restored and get in touch with legal representation.
Is it possible/worth to hold them financially accountable for this? (them being IWMN or BrandShield)
You really need to get off both .io and this no-name registrar.
I wanted to take the time to thank you for the service you provide. itch.io is unvaluable to the indie community, and I'm perplexed when I see some devs complain about issues like this. Thabks for all your work.
I smell a class action lawsuit. That's a whole lot of lost revenue and time for you and itch.io's creators.
Godspeed!
For what it's worth, I know Namecheap gets a meh rep, but we've been on the receiving end of several phishing/copyright reports and have responded across the spectrum in terms of time span. We've responded immediately. We've responded with an hour or so to go. In all cases, Namecheap has somehow responded quickly and resolved the issue.
You should change registrars. Sort the situation and move to a better one.
(FYI, if you didn't already notice this, you're probably far too busy anyway, but still: https://bsky.app/profile/botherer.bsky.social/post/3lcuitcck...)
Hey, perhaps you can mediate the impact by providing an alternate way to access the site (IP, alternative domain) and posting it somewhere people will see it (bsky, here, ...)? Realistically , this may take days to resolve.
So it sounds like this was DMCA abuse by Funko, aided and abetted by BrandShield, and it resulted in damages to you. Also sounds like iwantmyname just went along with it, they are probably conditioned to do so by the rules.
I would write up a complaint and send it to the incoming FTC Commissioner. Yes, I'm serious. From the signals Trump is sending if there is ever a time when Republicans may support some form of DMCA reform, it's now. He's on record talking about punishing Big Tech and supporting "Little Tech." You're Little Tech. Send copies of your letter to Funko and BrandShield. Also reach out or at least send a copy to Matt Stoller, the guy who publishes a very popular newsletter about monopoly, anti-trust and corporate abuse in America, he will be interested. Go for the throat.
Unfortunately "serverHold" goes above registrars. I learned this the hard way. There's a variety of watchdogs that false flag things all the time, and a handful of tld's that will blindly obey these orders. I'm guessing io is one of these. You'll have to escalate it with them, though I was never successful. Good luck.
I hope you come out of this in good shape. I try to get all my (digital) TTRPGs and indie games through your platform.
Behavior from "iwantmyname" doesn't sound like they deserve your business anymore.
> The BrandShield software is probably instructed to eradicate all "unauthorized" use of their trademark, so they sent reports independently to our host and registrar claiming there was "fraud and phishing" going on, likely to cause escalation instead of doing the expected DMCA/cease-and-desist. Because of this, I honestly think they're the malicious actor in all of this.
I feel like there's also some missing layer of infrastructure here.
itch.io, like a lot of sites (HN being another), is meant to act as a host of user-generated content, over which the site takes a curatorial but not editorial stance. (I.e. the site has a Terms of Use; and has moderators that take things down / prevent things from being posted according to the Terms of Use; but otherwise is not favoring content according to the platform's own beliefs in the way that e.g. a newspaper would. None of the UGC posted "represents the views" of the platform, and there's no UGC that the platform would be particularly sad to see taken down.)
I feel like, for such arms-length-hosted UGC platforms, there should be a mechanism to indicate to these "brand protection" services (and phishing/fraud-detection services, etc) that takedown reports should be directed first-and-foremost at the platform itself. A mechanism to assert "this site doesn't have a vested interest in the content it hosts, and so is perfectly willing to comply with takedown requests pointed at specific content; so please don't try to take down the site itself."
There are UGC-hosting websites that brand-protection services already treat this way (e.g. YouTube, Facebook, etc) — but that's just institutional "human common sense" knowledge held about a few specific sites. I feel like this could be generalized, with a rule these takedown systems can follow, where if there's some indication (in a /.well-known/ entry, for example) that the site is a UGC-host and accepts its own platform-level abuse/takedown reports, then that should be attempted first, before trying to get the site itself taken down.
(Of course, such a rule necessarily cannot be a full short-circuit for the regular host-level takedown logic such systems follow; otherwise pirates, fraudsters, etc would just pretend their one-off phishing domains are UGC platforms. But you could have e.g. a default heuristic that if the takedown system discovers a platform-automated-takedown-request channel, then it'll try that channel and give it an hour to take effect before moving onto the host-level strategy; and if it can be detected from e.g. certificate transparency logs that the current ownership of the host is sufficiently long-lived, then additional leeway could be given, upgrading to a 24-72hr wait before host-takedown triggers.)
So Linode hosts your server, and iwantmyname provides your domain? If they want they can take down your server and your domain? Is there any server provider / domain provider who doesn't hold that kind of power?
It's working again now.
man, this shit is ridiculous.. now we can't even make fan pages?
Will you be moving away from this registrar? It seems like it could very easily be abused again.
I wish brandshield would pull this shit with someone that was large enough to sue them for fraud or tortious interference.
That's extremely disappointing from iwantmyname. While I haven't used it, it was always on my mind as a potential registrar when buying a domain. I think I'll have to reconsider.
I'm pretty sure that the Funko Pop → Funko Fusion → brandshield.com → BrandShield automated software → DMCA → iwantmyname.com (Team Internet) → itch.io path means that it's no one's fault and no one's to blame, and there's no one to appeal to other than the media.
Wonderful how we've constructed our society like this.
[flagged]
Hope you have money to fight them. I stuck to my guns on a wrongful one like this and while Digitalocean and Cloudflare both had my backs (surprisingly before I even asked, both of them got a lot of good will on that - they informed me they already checked and it was spurious!). Google didn't have my back though and immediately caved when they upgraded their sham copyright infringement claim to money laundering and fraud based on nothing - a fully static website with no backend calls. Good luck! I still have the sites exactly as they were just to spite them and will keep running them at a loss until I'm dead. Copyright infringement my ass. This abuse has got to stop sometime.