ICANN has slapped .feedback operator Top Level Spectrum with a contract breach notice after a huge complaint about alleged fraud filed by a gang of big brands.
The company becomes the third new gTLD to be hit by a breach notice, and the first to receive one as a result of losing a Public Interest Commitments Dispute Resolution Process case.
While TLS dodged the “fraud” charges on a technicality, the breach is arguably the most serious found by ICANN in a new gTLD registry to date.
The three-person PICDRP panel found TLS was in violation of the following commitment from its registry agreement:
Registry Operator will operate the TLD in a transparent manner consistent with general principles of openness and non-discrimination by establishing, publishing and adhering to clear registration policies.
But TLS dodged the more serious charges of “fraudulent” behavior, which it denied, largely on the technicality that its PICs only require it to bar its registrants from such behavior.
There’s nothing in the PICs preventing the registry from behaving fraudulently, so the PICDRP panel declined to rule on those allegations, saying only that they “may be actionable in another forum”.
The complainants, which filed their 1,800-page complaint in October, were MarkMonitor and a bunch of its clients, including Adobe, American Apparel, Best Buy, Facebook, Levi and Verizon.
They’d claimed among other things that 70% of .feedback domains were trademarked names actually registered by the registry, and that TLS had stuffed each site with reviews either paid for or scraped from services such as Yelp!.
They claimed that Free.Feedback, a free domains service hosted by an affiliated entity, had been set up to auto-populate Whois records with the names of brand owners (or whoever owned the matching .com domain) even when the registrant was not the brand owner.
This resulted in brand owners receiving “phishing” emails related to domains they’d never registered, the complainants stated.
TLS denied all all the allegations of fraud, but the PICDRP panel wound up not ruling on many of them anyway, stating:
the Panel finds that Respondent’s Registry Operator Agreement contains no covenant by the Respondent to not engage in fraudulent and deceptive practices.
The only violations it found related to the transparency of .feedback’s launch policies.
The panel found that TLS had not given 90 days notice of policy changes and had not made its unusual pricing model (which included an extra fee for domains that did not resolve to live sites) transparent.
The registry had a number of unusual launch programs, which I outlined in December 2015 but which were apparently not adequately communicated to registrars and registrants.
The panel also found that Free.Feedback had failed to verify the email addresses of registrants and had failed to make it easy for trademark owners to cancel domains registered in their names without their consent.
Finally, it also found that TLS had registered a bunch of trademark-match domain names to itself during the .feedback sunrise period:
self-allocating or reserving domains that correspond to the trademark owners’ marks during the Sunrise period constitutes a failure by the Respondent to adhere to Clause 6 of its Registration and Launch policies, versions 1 and 2. According to the policies, Sunrise period is exclusively reserved for trademark owners
TLS, in its defense, denied that it had self-allocated these names and told the panel it had “accidentally” released them into the zone file temporarily.
As a result of the PIC breaches found by the panel, ICANN Compliance has issued a breach notice (pdf) against the company.
To cure the breach, and avoid having its Registry Agreement taken away, TLD has to, by April 15:
Provide ICANN with corrective and preventative action(s), including implementation dates and milestones, to ensure that Top Level Spectrum will operate the TLD feedback in a transparent manner consistent with general principles of openness and nondiscrimination by establishing, publishing and adhering to clear registration policies;
That seems to me like it’s probably vague enough to go either way, but I’d be surprised if TLS doesn’t manage to comply.