I got email from the people who run .us domains demanding a photo of my driver's license to prove I'm American. They did not understand why I might think they were scammers and want them to verify their identity first, nor did they understand how to verify their identity.

Are you sure it was them? Having a verified personal identity is not a requirement to have a .us domain. All you need to prove is that you have "a bona fide presence in the United States of America or any of its possessions or territories [Nexus Category 3]."

(It goes into detail claiming that you need to "state" your country of citizenship, but not that you need to "prove" your country of citizenship. An identity document is massively overreaching, IMHO. I never had to prove anything to get jrock.us, and if I have to, I will move the domain.)

I ended up thinking it was not a scam but being uncomfortable. It's possible I had originally put a fake address for my whois info, possibly triggering this, I forget. I'm not 100% sure.

Here's the people, i spoke with them on the phone: http://www.neustar.us

here is their first email in april 2011:

Greetings,

As you may be aware, in November 2001, the United States Department of Commerce ("DOC") selected NeuStar, Inc. ("NeuStar") to be the Administrator of the .US top-level domain ("usTLD"), the official top-level domain for the United States of America. As Administrator of the usTLD, NeuStar has agreed to perform random "spot checks" on registrations in the usTLD to endure that they comply with the usTLD Nexus Requirements which can be found at http://www.neustar.us/content/download/2659/32865/ustld_nexu... ("Nexus Requirements").

Our records indicate that you are the registrant of the domain name CURI.US.

On April 28, 2011, this domain name was selected for Nexus revalidation and confirmation. According to the information you provided with your registration of this Domain Name, you indicated that you qualify under:

Category 1 - You are a US citizen or permanent resident

As part of our verification process, we ask that you provide to us by no later than ten (10) days after the date set forth above, a written response describing how you qualify under the above Nexus category.

In addition, please verify that the name-servers that you have selected to use are also physically located within the United States as required by the Nexus Requirements.

In some instances, we may request additional documentary evidence from you to demonstrate that you meet the Nexus requirements.

You should be aware that if you either (i) do not respond within the ten (10) days, or (ii) are unable to adequately explain or demonstrate through documentary evidence that you meet any of the Nexus Requirements, NeuStar may issue a finding that your entity or organization has failed to meet the Nexus Requirements. Upon such a finding, you will then be given a total of ten (10) days to cure the US Nexus deficiency. If you are able to demonstrate within ten (10) days that your entity or organization has remedied such deficiency, you will be allowed to keep the domain name. If, however, you either (i) do not respond within the ten (10) days of such a finding of noncompliance, or (ii) are unable to proffer evidence demonstration compliance with the Nexus Requirements, the domain name registration will be deleted from the registry database without refund, and the domain name will be placed into the list of available domain names.

Thank you for your cooperation in this matter. Please let us know if you have any questions.

Kind Regards,

John .US Nexus Compliance ___________________________________________ NeuStar .US America's Internet Address Email: nexus-compliance@neustar.us

I would love to hear how that played out, actually, if you don't mind.

Well their SSL cert on their website was invalid (just expired) and there was some kinda mention of them on some government site somewhere that wasn't quite clear enough IMO.

they got bored of trying to prove their identity and just said like "whatever, verify your identity or you'll lose your domain". i ended up phoning them with the number on the site with the invalid SSL certificate, getting the person i'd been emailing with, and she said i could black out the driver's license number on the photo. i ended up sending it that way. i think they were just stupid, not scammers. that was years ago and nothing bad has happened yet to my knowledge.

Is that what they say?

Yes, I have gotten physical mail with exactly that pitch.

Hopefully not since 2003 when the FTC had a court enjoin that specific company from making misleading statements about renewals in their postal mail.

The mails they send out now look like this:

"As a courtesy to domain name holders, we are sending you this notification of the domain name registration that is due to expire in the next few months. When you switch to Domain Registry of America, you can take advantage of our best savings. Your registration for _______ will expire on _____.

You must renew your domain to retain exclusive rights to it on the web, and now is the time to transfer and renew your domain from your current registrar to the Domain Registry of America.

...

This notice is not a bill. (bold) It is rather an easy means of payment should you decide to switch your domain name registration to Domain Registry of America."

Followed by the pricing table and write-in order form. Still junk mail, but not falsely representing themselves as your current registrar.

I get these mails all the time too, and unfortunately I actually have to pay one of them. Some 12 years ago or so, I helped a neighbor who runs a local charity by creating a website for her annual event, pro bono. Even though she paid for the domain, the billing contact info was changed to my address (perhaps by her, when someone asked for a technical contact), and transferred to DROA. I don't live in that area anymore or have contact with this neighbor, and I'd rather not track her down with a bill nor let the domain of her charity expire, so I've been dutifully paying the marked-up DROA renewal every year.

It was past 2003. I think I registered jrock.us in 2004.

But yes, they may have mentioned "this is not a bill", but if they did, the font was so small as to be unreadable. I knew it wasn't a bill because I knew that my domain was registered through someone else.

Yes, I just got one. It's extremely misleading.

There is print that says "this is not a bill" about 6-10 sentences in, but is hardly discoverable without careful consideration. Considering the whole page is covered by text, most people would skim and think "oh shit I owe money don't I?!"