Over 800,000 domain names have been suspended since the beginning of the year as a result of Whois email verification rules in the new ICANN Registrar Accreditation Agreement.
That’s according to the Registrars Stakeholder Group, which collected suspension data from registrars representing about 75% of all registered gTLD domain names.
The actual number of suspended domains could be closer to a million.
The 2013 RAA requires registrars to verify the email addresses listed in their customers’ Whois records. If they don’t receive the verification, they have to suspend the domain.
The RrSG told the ICANN board in March that these checks were doing more harm than good, and today Tucows CEO Elliot Noss presented, as promised, data to back up the claim.
“There have been over 800,000 domains suspended,” Noss said. “We have stories of healthcare sites that have gone down, community groups whose sites have gone down.”
“I think we can safely say millions of internet users,” he said. “Those are real people just trying to use the internet. They are our great unrepresented core constituency.”
The RrSG wants to see contrasting data from law enforcement agencies and governments — which pushed hard for Whois verification — showing that the RAA requirement has had a demonstrable benefit.
Registrars asked at the Singapore meeting in March that law enforcement agencies (LEA) be put on notice that they can’t ask for more Whois controls until they’ve provided such data, and ICANN CEO Fadi Chehade said, “It shall be done by London.”
Noss implied that the majority of the 800,000 suspended names belong to innocent registrants, such as those who had simply changed email addresses since registering their names.
“What was a lovely political win that we said time and time again in discussion after discussion was impractical and would provide no benefit, has demonstrably created harm,” Noss said.
He was received with cautious support by ICANN board members.
Chair Steve Crocker wondered aloud how many of the 800,000 suspended domains are owned by bad guys, and he noted that LEA don’t appear to gather data in the way that the registrars are demanding.
“We were subjected, all of us, to heavy-duty pressure from the law enforcement community over a long period of time. We finally said, ‘Okay, we hear you and we’ll help you get this stuff implemented,’” he added. “That creates an obligation as far as I’m concerned on their part.”
“We’re in a — at least from a moral position — in a strong position to say, ‘You must help us understand this. Otherwise, you’re not doing your part of the job,’” he said.
Chehade also seemed to support the registrars’ position that LEA needs to justify its demands and offered to take their data and concerns to the LEA and the Governmental Advisory Committee.
“They put restrictions on us that are causing harm, according to these numbers,” he said. “Let’s take this back at them and say, hey, you ask for all these things, this is what happened.”
“If you can’t tell me what good this has done, be aware not to come back and ask for more,” he said. “I’m with you on this 100%. I’m saying let’s use the great findings you seem to have found and well-package them in a case and I will be your advocate.”
Director Mike Silber also spoke in support of the RrSG’s position.
“My view is if what you are saying is correct, the LEA’s have blown their credibility,” he said. “They’re going to have to do a lot of work before we impose similar disproportional requirements on actors that are not proven to be bad actors.”
So what does this all mean for registrants?
I don’t think there’s any ongoing process right now to get the Whois verification requirements overturned — that would require a renegotiation of the RAA — but it does seem to mean demands from governments and police are going to have to be much more substantiated in future.
Noss attempted to link the problem to the recommendations of the Whois Expert Working Group (EWG), which propose a completely revamped, centralized Whois system with much more verification and not much to benefit registrants.
To paraphrase: if email verification causes so much harm, what harms could be caused by the EWG proposal?
The EWG was not stuffed with LEA or governments, however, so it couldn’t really be characterized as another set of unreasonable demands from the same entities.
Judging by DI’s traffic spike last night, there’s a lot of interest in Google Domains, Google’s forthcoming entry into the domain name registrar market.
And judging by some of the early commentary, it seems that many people are already assuming that the service will be an overnight success.
Some people already seem to be willing to write off market leader Go Daddy specifically, for some peculiar reason.
I’ve even heard speculation that Google timed its announcement to screw with Go Daddy’s imminent IPO, which strikes me as veering into conspiracy theory territory.
While I’ve no doubt Go Daddy and other mass-market retail registrars will be watching Google’s move with interest and concern — and there are some reasons to be worried — let’s not jump the gun here.
Let’s calm the hyperbole a little. Off the top of my head, here are a handful of reasons not to get excited just yet.
1. It could be a really shitty product
There seems to be an assumption in some quarters that whatever Google brings to market will be automatically incredible, but the company really doesn’t have the track record to support that assumption.
Sure, its search engine may be great and services such as Gmail and Adsense may be pretty good, but have you ever tried Blogger?
Do you actually use Google+, or do you only have an account because Google forced you?
The truth is that lots of Google products fail.
And we haven’t even seen Google Domains yet. Nobody has. Only Google employees and their buddies are going to get beta access, so it seems we’re going to be waiting a while before we can judge.
2. There’s no 24×7 support
Google Domains will launch with support via email and phone from 9am to 9pm US Eastern time, Monday to Friday.
Would you switch to a registrar that doesn’t have round-the-clock support seven days a week? As a small business owner who makes his living from his web site, I sure wouldn’t.
If Google Domains gains traction you can expect support hours to be expanded pretty quickly, but a lack of 24×7 support at launch will keep many customers away.
3. It’s not free
Some people seem to be obsessed with the notion that Google is going to give away free domains, and that kind of commentary is continuing even though we know Google Domains will charge $12 for a .com.
Its email service may come at no additional cost, but its email service is Gmail, and that’s already free. Google could hardly start charging an add-on fee for something that’s always been free.
Google Domains may offer free privacy too, but so do lots of other registrars.
In future, Google registry arm Charleston Road Registry may give away free names in some of its new gTLDs, but if it does so that price will have to be available to all registrars, not just Google Domains.
Google Domains isn’t free. It’s not even the cheapest registrar on the market.
4. Go Daddy is gigantic
According to its recent regulatory filings, Go Daddy has 57 million domains under management and 12 million customers.
How many of those do you think will make the switch to Google? How many will even know that such a switch is possible?
Switching registrars may be relatively straightforward if everything you own is parked, but it becomes more complex when you’re running your web site, email and so forth on your registrar’s platform.
These kinds of small business owners are the customers being targeted by Google and Go Daddy, and if they already have web sites they’re likely already experiencing registrar lock-in.
According to its announcement, Google is targeting greenfield opportunities — the 55% of small businesses it estimates don’t have an online presence today — rather than grabbing market share from rivals.
The “small businesses need to get online” story is common to every press release issued by every web host and domain registrar with a price promotion to plug.
When Google teamed up with Blacknight to give away domains for free — for FREE, so it is, so it is — to Irish small businesses, it managed to sign up 10,000 in one year.
How long do you think it will take Google to get to 57 million names under management?
Google has announced its first foray into the domain name registrar business with Google Domains.
The company tells me that the upcoming service will allow customers to buy or transfer domains for $12 a year.
Privacy protection, up to 100 email addresses and up to 100 subdomains — things existing leading registrars charge extra for — will be included at no additional cost.
Right now, the service is in an invitation-only beta. The first beta users are not expected to get access for a couple of weeks and the beta will likely last a couple of months.
Google says it wants to make domain registration a “simple and transparent experience”.
It’s not entirely clear which TLDs will be supported at first — .com, .net and .eu seem to be three of them — but the company plans to support “many” new gTLDs in future.
The service is unfinished, according to the company, but beta users will be able to buy and transfer domain names.
They’ll also be able to use web site creation tools supplied by the likes of Squarespace, Wix, Weebly and Shopify, which will carry an additional cost.
The $12 a year fee is comparable to market-leader Go Daddy’s annual rate for a .com, but Go Daddy charges about $8 extra per year for privacy and about $5 a month for email.
Google joins the likes of Minds + Machines and Uniregistry as new gTLD registries that have made the move into the registrar side of the business, hoping to bring a fresh approach to the market.
Google has actually been accredited by ICANN as a registrar for years — over a decade if memory serves — but to date has never used its accreditation to sell domains.
With its Google Apps service, the company refers domain buyers to Go Daddy and eNom. While there’s no confirmation from Google yet, I suspect those relationships may be in jeopardy in future.
Go Daddy has filed its S-1 registration form with the US Securities and Exchange Commission, signalling its intention to go public.
The filing reveals the company plans to raise $100 million with the share sale.
Go Daddy’s revenue for 2013 was $1.1 billion, up from $910.9 million in 2012, the filing reveals.
But the company said it uses “bookings” as a measure of its success, due to the way its revenue is collected up-front but recognized on its books over the term of the domain or hosting contract.
Bookings were $1.4 billion in 2013, up from $1.25 billion in 2012.
Go Daddy is loss-making, recording a net loss of $199.8 million in 2013 and $279 million in 2012.
The company has 57 million domains under management and hosts 8.5 million web sites, according to the S-1. Those are spread between 12 million customers, a number that grew by 1.3 in 2013.
A surprising 24% of its sales come via its customer service people; the rest comes through its web site.
Go Daddy planned to IPO in 2006, but subsequently yanked the offering due to “market uncertainties” and then-CEO Bob Parsons’ apparent discomfort with the process.
In 2011 the company was taken over by the investment firms KKR, Silver Lake Partners, and Technology Crossover Ventures, paying a reported $2.25 billion for a 65% stake.
Since then, an eventual IPO has not been a matter of if, but when.
I’m tweeting more nuggets from the S-1 as I find them.
Clear-cut cases of cybersquatting seem to be among those .xyz domain names that Network Solutions has registered to its customers without their explicit request.
Some of the domains I’ve found registered in .xyz, via NetSol to the registrants of the matching .com or .net names, include my-twitter.xyz, facebook-liker.xyz and googledia.xyz.
They’re all registered via NetSol’s Whois privacy service, which lists the registrant’s “real” name in the Whois record, but replaces the mailing address, email and phone number with NetSol-operated proxies.
I think the chance of these names being paid for by the registrant is slim. It seems probable that many (if not all) of the squatty-looking names were registered via NetSol’s promotional program for .xyz.
As previously reported, NetSol has been giving away domain names in .xyz to owners of the matching .com names. Tens of thousands of .xyz names seem to have been registered this way in the last week.
The “registrants” did not have to explicitly accept the offer. Instead, NetSol gave them the option to “opt-out” of having the name registered on their behalf and placed into their accounts.
But it’s not clear how much, if any, support NetSol has received from the registry, XYZ.com. CEO Daniel Negari told Rick Schwartz, in a coy interview last week:
“The Registry Operator is unable to ‘give away’ free domain names. I never even saw the email that the registrar sent to its customers until I discovered it on the blogs.”
The opt-out giveaway has also prompted speculation about NetSol’s right to register domains without the explicit consent of the registrant, both under the law and under ICANN contract.
Under the Registrar Accreditation Agreement, in order to register a domain name, registrars “shall require” the registrant “to enter into an electronic or paper registration agreement”.
That agreement requires the registrant to agree to, among many other things, the transfer or suspension of their domains if (for example) they lose a UDRP or URS case.
But that doesn’t seem to be happening with the opt-out names.
Barry Shein, president of The World, had shein.xyz registered on his behalf by NetSol on Saturday. He already owns shein.com, also registered with NetSol.
NetSol’s email informing him of the registration, which Shein forwarded to DI, reads as follows:
Dear Valued Network Solutions Customer,
Congratulations, your complimentary SHEIN.XYZ domain has arrived!
Your new .XYZ domain is now available in your Network Solutions account and ready to use. To go along with your new .XYZ domain, you have also received complimentary access to Professional Email and Private Registration for your .XYZ domain.
If you choose not to use this domain no action is needed and you will not be charged any fees in the future. Should you decide to keep the domain after your complimentary first year, simply renew it like any other domain in your account.
We appreciate your business and look forward to serving you again.
Network Solutions Customer Support
Importantly, a footnote goes on to describe how NetSol will take a refusal to opt out as “continued acceptance” of its registration agreement:
“Please note that your use of this .XYZ domain name and/or your refusal to decline the domain shall indicate acceptance of the domain into your account, your continued acceptance of our Service Agreement located online at http://www.networksolutions.com/legal/static-service-agreement.jsp, and its application to the domain.”
So, if you’re a NetSol customer who was picked to receive a free .xyz name but for whatever reason you don’t read every marketing email your registrar sends you (who does?) you’ve agreed to the registration agreement without your knowledge or explicit consent, at least according to NetSol.
I am not a lawyer, but I’ve studied enough law to know that this is a dubious way to make a contract. Lawyers I’ve shown this disclaimer to have laughed out loud.
Of course, because each registrant already owns a matching .com, they’ve already accepted NetSol’s registration agreement and terms of service at least once before.
This may allow NetSol to argue that the initial acceptance of the contract also applies to the new .xyz domains.
But there are differences between .com and .xyz.
Chiefly, as a new gTLD, .xyz registrants are subject to policies that do not apply to .com, such as the Uniform Rapid Suspension policy.
URS differs from UDRP in that there’s a “loser pays” model that applies to complaints involving over 15 domains.
So these .xyz registrants have been opted into a policy that could leave them out of pocket, without their explicit consent.
Of course, we’re talking about people who seem to be infringing famous trademarks in their existing .com names, so who gives a damn, right?
But it does raise some interesting questions.
Who’s the registrant here? Is it the person who owns the .com, or is it NetSol? NetSol is the proxy service, but the .com registrant’s name is listed in the Whois.
Who’s liable for cybersquatting here? Who would Twitter file a UDRP or URS against over my-twitter.xyz? Who would it sue, if it decided to opt for the courts instead?