Latest news of the domain name industry

Recent Posts

ICANN offers to split the cost of GAC “safeguards” with new gTLD registries

Kevin Murphy, June 28, 2013, 08:44:51 (UTC), Domain Policy

All new gTLD applicants will have to abide by stricter rules on security and Whois accuracy under government-mandated changes to their contracts approved by the ICANN board.

At least one of the new obligations is likely to laden new gTLDs registries with additional ongoing costs. In another case, ICANN appears ready to shoulder the financial burden instead.

The changes are coming as a result of ICANN’s New gTLD Program Committee, which on on Tuesday voted to adopt six more pieces of the Governmental Advisory Committee’s advice from March.

This chunk of advice, which deals exclusively with security-related issues, was found in the GAC’s Beijing communique (pdf) under the heading “Safeguards Applicable to all New gTLDs”.

Here’s what ICANN has decided to do about it.

Mandatory Whois checks

The GAC wanted all registries to conduct mandatory checks of Whois data at least twice a year, notifying registrars about any “inaccurate or incomplete records” found.

Many new gTLD applicants already offered to do something similar in their applications.

But ICANN, in response to the GAC advice, has volunteered to do these checks itself. The NGPC said:

ICANN is concluding its development of a WHOIS tool that gives it the ability to check false, incomplete or inaccurate WHOIS data

Given these ongoing activities, ICANN (instead of Registry Operators) is well positioned to implement the GAC’s advice that checks identifying registrations in a gTLD with deliberately false, inaccurate or incomplete WHOIS data be conducted at least twice a year. To achieve this, ICANN will perform a periodic sampling of WHOIS data across registries in an effort to identify potentially inaccurate records.

While the resolution is light on detail, it appears that new gTLD registries may well be taken out of the loop completely, with ICANN notifying their registrars instead about inaccurate Whois records.

It’s not the first time ICANN has offered to shoulder potentially costly burdens that would otherwise encumber registry operators. It doesn’t get nearly enough credit from new gTLD applicants for this.

Contractually banning abuse

The GAC wanted new gTLD registrants contractually forbidden from doing bad stuff like phishing, pharming, operating botnets, distributing malware and from infringing intellectual property rights.

These obligations should be passed to the registrants by the registries via their contracts with registrars, the GAC said.

ICANN’s NGPC has agreed with this bit of advice entirely. The base new gTLD Registry Agreement is therefore going to be amended to include a new mandatory Public Interest Commitment reading:

Registry Operator will include a provision in its Registry-Registrar Agreement that requires Registrars to include in their Registration Agreements a provision prohibiting Registered Name Holders from distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law, and providing (consistent with applicable law and any related procedures) consequences for such activities including suspension of the domain name.

The decision to include it as a Public Interest Commitment, rather than building it into the contract proper, is noteworthy.

PICs will be subject to a Public Interest Commitment Dispute Resolution Process (PICDRP) which allows basically anyone to file a complaint about a registry suspected of breaking its commitments.

ICANN would act as the enforcer of the ruling, rather than the complainant. Registries that lose PICDRP cases face consequences up to an including the termination of their contracts.

In theory, by including the GAC’s advice as a PIC, ICANN is handing a loaded gun to anyone who might want to shoot down a new gTLD registry in future.

However, the proposed PIC language seems to be worded in such a way that the registry would only have to include the anti-abuse provisions in its contract in order to be in compliance.

Right now, the way the PIC is worded, I can’t see a registry getting terminated or otherwise sanctioned due to a dispute about an instance of copyright infringement by a registrant, for example.

I don’t think there’s much else to get excited about here. Every registry or registrar worth a damn already prohibits its customers from doing bad stuff, if only to cover their own asses legally and keep their networks clean; ICANN merely wants to formalize these provisions in its chain of contracts.

Actually fighting abuse

The third through sixth pieces of GAC advice approved by ICANN this week are the ones that will almost certainly add to the cost of running a new gTLD registry.

The GAC wants registries to “periodically conduct a technical analysis to assess whether domains in its gTLD are being used to perpetrate security threats such as pharming, phishing, malware, and botnets.”

It also wants registries to keep records of what they find in these analyses, to maintain a complaints mechanism, and to shut down any domains found to be perpetrating abusive behavior.

ICANN has again gone the route of adding a new mandatory PIC to the base Registry Agreement. It reads:

Registry Operator will periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets. Registry Operator will maintain statistical reports on the number of security threats identified and the actions taken as a result of the periodic security checks. Registry Operator will maintain these reports for the term of the Agreement unless a shorter period is required by law or approved by ICANN, and will provide them to ICANN upon request.

You’ll notice that the language is purposefully vague on how registries should carry out these checks.

ICANN said it will convene a task force or GNSO policy development process to figure out the precise details, enabling new gTLD applicants to enter into contracts as soon as possible.

It means, of course, that applicants could wind up signing contracts without being fully apprised of the cost implications. Fighting abuse costs money.

There are dozens of ways to scan TLDs for abusive behavior, but the most comprehensive ones are commercial services.

ICM Registry, for example, decided to pay Intel/McAfee millions of dollars — a dollar or two per domain, I believe — for it to run daily malware scans of the entire .xxx zone.

More recently, Directi’s .PW Registry chose to sign up to Architelos’ NameSentry service to monitor abuse in its newly relaunched ccTLD.

There’s going to be a fight about the implementation details, but one way or the other the PIC would make registries scan their zones for abuse.

What the PIC does not state, and where it may face queries from the GAC as a result, is what registries must do when they find abusive behavior in their gTLDs. There’s no mention of mandatory domain name suspension, for example.

But in an annex to Tuesday’s resolution, ICANN’s NGPC said the “consequences” part of the GAC advice would be addressed as part of the same future technical implementation discussions.

In summary, the NGPC wants registries to be contractually obliged to contractually oblige their registrars to contractually oblige their registrants to not do bad stuff, but there are not yet any obligations relating to the consequences, to registrants, of ignoring these rules.

This week’s resolutions are the second big batch of decisions ICANN has taken regarding the GAC’s Beijing communique.

Earlier this month, it accepted some of the GAC’s direct advice related to certain specific gTLDs it has a problem with, the RAA and intergovernmental organizations and pretended to accept other advice related to community objections.

The NGPC has yet to address the egregiously incompetent “Category 1” GAC advice, which was the subject of a public comment period.

Tagged: , , , , , , , , ,

Comments (7)

  1. Let’s have some proof that ICM is paying “millions” for malware scans. We already from the public IFFOR Form 990:

    http://www.circleid.com/posts/what_did_we_learn_today_about_xxx_from_iffor_tax_return/

    that apparently only $20,886 was being spent on Content Labelling, which seemed to be $1/yr x 20,886 domains (see comment #6).

    It seems unlikely that ICM would pay for scanning of defensive registrations or reserved names like DonaldTrump.xxx or RodBeckstrom.xxx, which resolve to a placeholder page run by ICM itself.

  2. Actually, I guess there’s a press release claiming the malware scanning was a deal “worth $8 million”, see:

    http://www.prweb.com/releases/2011/6/prweb8605121.htm

    However, I’m skeptical that $8 million changed hands. “Worth” might mean something like “retail value” and might also have been based on domain name registration volume that was never realized.

  3. Just to add some detail to Kevin’s reference to our product, NameSentry,….

    Our intention with NameSentry was to cover exactly the types of requirements depicted here in the new PIC. NameSentry has the ability to conduct real-time ongoing TLD abuse analysis and also engage automated notifications and take-down procedures. Further to that, it can provide rich reporting of its findings and actions taken. While a new product, NameSentry is already shown to actively reduce abuse levels in TLDs, which has a net economic benefit in addition to its ability to satisfy regulatory requirements.

    Michael Young
    CTO, Architelos

  4. “It’s not the first time ICANN has offered to shoulder potentially costly burdens that would otherwise encumber registry operators. It doesn’t get nearly enough credit from new gTLD applicants for this.”

    At the risk of seeming ungrateful, could you point out other instances where ICANN has “shouldered the burden,” even leaving aside the fact that it’s paid for by $185,000 fees for applications that at best cost about half that to process?

    I also find the logic completely screwy. If WordPress calls you up and says something as ridiculous as, “You must rigorously manually police all comment spam on your blog or else we will initiate a PBPDRP (Post Blog Post Dispute Resolution Policy) and take away your blog,” and then announces that they actually have a spam filter that they will graciously allow you to use, did they really “shoulder the burden” for you?

    Antony

    • Kevin Murphy says:

      If WordPress was giving me the opportunity to make millions of dollars selling products that nobody wants, maybe I wouldn’t mind the odd restriction 😉

    • Kevin Murphy says:

      But seriously, the other thing I had in mind was the way ICANN has structured fees for the TMCH, which as I understand it will make things a lot cheaper for registries and registrars.

      My point was that generally people are quick to forget the good stuff ICANN does while they complain, rightly so in many cases, about all the daft stuff it does.

  5. You actually did have the opportunity to sell “products that nobody wants” but you probably didn’t apply because of the price. ICANN is not “giving” registries anything. The TMCH is a net cost to us. I have a bunch of developers (who are not free) putting together systems that will interface with the damn thing. Previously, you would just hire a company, as .XXX did, and they would validate trademarks, and the cost would get passed along to registrants. The TMCH is a cost savings for large corporates, not for registries.

    The TMCH imposes additional costs because it has embedded in it all kinds of nonsense that are effectively policies that no-one agreed to, e.g., that geo TLDs such as .LONDON can’t allocate police.london, fire.london etc. to the police and fire departments unless and until trademark holders get their names first. If you don’t consider this a cost then you have never been in a meeting with incredulous city officials who wonder why there could be any question that the Sting’s former band could get police.london at the expense of the Metropolitan Police Service. (They won’t, but this was not clear until recently.) Perhaps you consider this another favor that ICANN is doing for registries.

    Of course, as Mr. Chehade recently trumpeted, ICANN cares about registrants, not registries or registrars. He’s doing them a huge favor (in your formulation of the word) by pushing all kinds of unenforceable and logic-defying requirements that will inevitably increase prices at the retail level.

    The humbuggery is really endless.

Add Your Comment