.eu grows in Q4 after silly growth in Portugal

The .eu ccTLD ended a lumpy 2021 with more domains than at the start, according to the registry’s latest quarterly report.

.eu ended December with 3,713,804 .eu, .ею and .ευ domains under management, up from 3,705,728 at the end of September and 3 684 984 at the end of 2020, according to EURid.

The growth was driven by a ludicrous 23.4% increase in the number of registrations coming from Portugal — .eu domains registered there increased by 30,553 during the quarter, 55,388 during the year, ending the year at 161,283 names.

Portugal had fewer than 50,000 .eu names at the end of 2019. It is believe the Portuguese surge has been driven by registrar pricing promotions and one wonders how sustainable the growth is.

Elsewhere, the number of regs coming from the UK — which is no longer eligible for .eu names due to Brexit — were 3,751, up from 3,714 in September.

The number of domains registered to EU citizens not resident in the EU was 19,591, up from 16,676 at the end of Q3.

Court denies .sucks trademark bid

Vox Populi Registry has lost its ballsy bid to have its .sucks brand trademarked in the US.

The US Court of Appeals for the Federal Circuit yesterday denied Vox’s latest appeal in its fight with the Patent and Trademark Office, which had rejected two .sucks trademark applications in 2018.

Vox had tried to register the string .sucks itself and also its stylized logo, in which “.SUCKS” appears pixelated. Both were rejected, but the registry appealed on the logo application.

It’s one of a great many trademark attempts by actual and wannabe gTLD registries to be rejected by the USPTO, which usually finds that the marks do not act as “source identifiers”.

The court instead found that people and companies, including registrars, “use .SUCKS to refer to a product being sold to the public rather than as an identifier for Vox’s services”.

In this case, Vox tried to show that it had crossed the line into service mark partly on the basis that its two leading registrars filed declarations swearing it is a distinctive service mark.

Showing that Vox’s chutzpah knows no depths, one of those registrars was its own sister company, Rebel, which is also owned by Momentous. The other was Uniregistrar, years prior to its acquisition by GoDaddy.

But the USPTO wasn’t buying it, and the Federal court agreed with its analysis.

The court also agreed that the stylized .sucks logo was not distinctive enough — too “ordinary” — to allow it to be trademarked.

The case has a layer of irony as .sucks’s biggest customer is a serial cybersquatter that some UDRP panels have speculated is connected to the registry itself.

Read the decision (pdf) here.

Over 6,000 Brexit domains snapped up after mass delete

EURid saw about 6,000 .eu domain names that formerly belonged to Brits re-registered in the first day after a mass delete at the start of the month.

“Around 6000 Brexit-related domain names were re-registered during the first day, and around 6500 as of today,” a registry spokesperson said.

EURid had released around 48,000 domains in batches on January 3, so the portion of domains considered valuable enough to snap up was about 13.5%.

The domains had belonged to UK citizens who no longer qualify for .eu after Brexit came into effect a year ago.

Registrants had been given many chances to retain their names by transferring them to an entity in the remaining EU and EEA states, or to an EU/EEA citizen residing in the UK.

There were almost 300,000 .eu domains registered in the UK at the time of the Brexit referendum in 2016.

.xxx shows up in botnet top-five TLDs for the first time

It is a truth universally acknowledged that the cheaper a TLD, the more likely it is to be abused by bad actors, and that may be what happened to .xxx in the fourth quarter.

SpamHaus listed .xxx as its fourth most-abused TLD for botnet command and control domains in its newly published Q4 statistics, a new entry on the top 20 table that raised researchers’ eyebrows.

From zero, .xxx went up to 223 C&C domains in the period, sandwiched between .ga’s 143 and .xyz’s 396, SpamHaus said. It worked out to 2.4% of .xxx’s active domains, the compamny said.

.com was of course still the runaway leader, with 3,719 C&C domains. .top came in second, with 715 domains.

SpamHaus said:

We don’t often see new TLD entries within the top five of this Botnet C&C Top 20; however, .xxx, an adult TLD, run by registry ICM, has entered at #4. With less than 10,000 active domains but a total of 223 domains associated with botnet C&C activity in Q4 we can only assume that there are problems.

It’s noteworthy because .xxx is not a cheap TLD. With wholesale prices around $60, they usually sell for around $100 a year. Botnet operators, like other types of malefactor, usually choose cheap domains for their activities.

But in 2021 .xxx was celebrating its 10th anniversary, and at least one company was offering names at a .com-equivalent $10 a year, starting in the middle of the year and extending into Q4.

While .xxx registry ICM is now owned by GoDaddy, it was still part of MMX at the time the pricing promotion began.

Battle for .web “far from over”, says Afilias lawyer

Altanovo Domains’ fight with Verisign and ICANN for the .web gTLD is not over, despite an adverse ruling late last month, according to a top lawyer for the company.

Altanovo, the company previously known as Afilias Domains No 3, has not thrown in the towel and left the path clear for Verisign to launch .web, Arif Ali of the law firm Dechert told DI last night.

“Bottom line: this matter is far from over and no, Verisign doesn’t ‘get to run .web after all;’ certainly if the Board does its job objectively and fairly,” he said in an email.

He said this just hours before ICANN published its latest, but by no means final, board resolution on the .web case.

Ali represented Afilias in its Independent Review Process complaint against ICANN’s decision to award .web to Verisign following a 2016 auction, which was won by a company called Nu Dot Co, secretly backed by $135 million of Verisign’s money.

Afilias technically won its IRP, with the panel ruling last May that ICANN broke its bylaws by shirking its duty to address Afilias’ claim that NDC broke new gTLD program rules. Afilias said ICANN should have forced NDC to disclose itself a Verisign pawn before the auction went ahead.

ICANN got close to signing a registry agreement for .web with NDC, despite it being an open question as to whether the auction was legit, the panel ruled. It ordered ICANN to pay Afilias its $450,000 in legal fees and $479,458 of IRP costs.

What the IRP did not do was void the Verisign/NDC bid, nor give Afilias rights to .web.

Instead, it instructed ICANN to stay the .web contract-signing until its board has formally “considered and pronounced upon the question of whether the [Verisign-NDC Domain Acquisition Agreement] complied with the New gTLD Program Rules”.

The board had held a secret, undocumented discussion about the case in November 2016 and decided to keep its mouth shut and just let the IRP play out, according to the IRP ruling, which essentially told the board to stop avoiding difficult questions and to actually make a call on the legitimacy of the Verisign play.

Before the board could do so, Afilias/Altanovo filed an unprecedented appeal with the IRP panel. Technically an “application for an additional decision and interpretation”, Afilias asked the IRP panel to definitively answer the question of whether Verisign broke the rules rather than merely passing the hot potato back to ICANN’s board.

But in a December 21 decision (pdf), the IRP panel denied Afilias’ request as “frivolous” in its entirely, writing:

The Panel has dismissed the [Afilias] Application in its entirety. In the opinion of the Panel, under the guise of seeking an additional decision, the Application is seeking reconsideration of core elements of the Final Decision. Likewise, under the guise of seeking interpretation, the Application is requesting additional declarations and advisory opinions on a number of questions, some of which had not been discussed in the proceedings leading to the Final Decision.

In such circumstances, the Panel cannot escape the conclusion that the Application is “frivolous” in the sense of it “having no sound basis (as in fact or law)”. This finding suffices to entitle the Respondent [ICANN] to the cost shifting decision it is seeking and obviates the necessity of determining whether the Application is also “abusive”.

The panel told Afilias to pay ICANN’s $236,884 legal fees and the panel’s costs of $140,335, leaving Afilias out of pocket and back to square one in terms of getting clarity on whether Verisign’s actions were kosher.

Afilias had basically accused the panel of shirking its duties and punting its decision on Verisign’s auction bid in much the same way as the panel decided that ICANN had shirked its duties and punted its decision on Verisign’s auction bid.

Nobody seems to want to make a call on whether the successful Verisign-NDC ploy to win the .web auction with a secretly bankrolled bid was legit.

On Sunday, the full ICANN board met to discuss the outcome of the IRP and — surprise surprise — it punted again, instructing a subcommittee to look more closely at the matter:

the Board asks the Board Accountability Mechanisms Committee (BAMC) to review, consider, and evaluate the IRP Panel’s Final Declaration and recommendation, and to provide the Board with its findings to consider and act upon before the organization takes any further action toward the processing of the .WEB application(s).

There’s not yet a publicly announced date for the next BAMC meeting. It tends to meet as and when needed, so we might not have too long to wait.

Once the committee has made a decision, it would be referred back to the full board for a final rubber stamp, and it seems that only after that would Afilias make its next move.

Ali, in an email sent to DI just a few hours before ICANN published its Sunday board resolution last night, said:

The [IRP] Panel also made it clear that the Board can’t just punt on the matter as it did previously, but must decide it, and that its decision is subject to review by a future IRP panel.

There’s nothing preventing Afilias filing another IRP to challenge the board’s ultimate decision, should it favor Verisign. Likewise, if it favors Afilias, Verisign could use IRP to appeal.

Verisign has been pursuing a counter-claim against Afilias, albeit so far only in the court of public opinion, accusing the company of breaking ICANN’s rules by trying to secretly “rig” the .web auction during a communications blackout period.

Ali calls this a “red herring”, among other things.

In my view, whichever way ICANN’s board goes, it’s going to wind up back in an IRP.

With IRP proceedings typically measured in years, and no indication that Afilias or Verisign are ready to back down, it seems the .web saga may still have some considerable time left on the clock.

If you’re desperate to register a .web domain, don’t hold your breath.

Note: most of Afilias was acquired by Donuts a year ago, but the .web application was not part of the deal. The IRP proceedings have continued to refer to “Afilias” interchangeably with “Altanovo”, and I’m doing the same in my coverage.

CentralNic grows revenue 70% in 2021

CentralNic saw its revenue grow by about 70% last year, a bit more than half of which was organic growth, the company said this morning.

The acquisitive company expects to report revenue of about $410 million and adjusted EBITDA of about $45 million when it reports its final numbers on February 28.

That represents year-on-year organic revenue growth of 37% and a 47% growth in EBITDA, the company said.

Acquisitions closed during the year include Safebrands, Wando and NameAction. Most of its recent growth has come from its newish domain monetization business.

XYZ bosses agree to pay $1.5 million to settle Fed’s loan scam claims

Some of XYZ’s top executives have agreed to pay $1.5 million to settle a US Federal Trade Commission lawsuit alleging they “deceptively” harvested vast amounts of personal data on millions of people and sold it “indiscriminately” to third parties including potential scammers and identity thieves.

The FTC says that the execs, through a network of interlinked companies, deceptively collected loan applications through at least 200 web sites, promising to connect the applicant with verified lenders, but instead sold the personal data willy-nilly to the highest bidder through a lead-generation marketplace.

The data was bought by companies that in the vast majority of cases were not in the business of providing loans, the FTC said. The buyers were not checked out by the XYZ execs and exposed consumers to identity theft and fraud, it added.

The allegations cover activities starting in 2012 and carrying on until recently, the FTC said.

“[They] tricked millions of people into giving up sensitive financial information and then sold it to companies that were not making loans,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection said in a press release. “The company’s extraction and misuse of this data broke the law in several ways.”

“The FTC’s allegations were wholly without merit,” the defendants’ lawyer, Derek Newman, told DI in an email. “But litigation against the FTC is expensive and resource draining. For that reason, my clients chose to settle the case and move on with their business.”

“In fact, the FTC did not require any changes to my clients’ business practices that they had not already implemented before the case was filed,” he added.

The suit (pdf) named as defendants XYZ.com CEO Daniel Negari, COO Michael Abrose, business development manager Jason Ramin, and general counsel Grant Carpenter. Two other named defendants, Anisha Hancock and Sione Kaufusi, do not appear at first glance to be connected to the domains business.

The settlement (pdf) sees the defendants pay $1.5 million and agree to certain restrictions on their collection and use of data, but they did not admit or deny any liability.

The lead generation business was carried out via at least 17 named companies, including XYZ LLC (which appears to be a different company to the .xyz registry, XYZ.com LLC), Team.xyz LLC and Dev.xyz LLC. The FTC complaint groups them together under the name ITMedia.

Some of the companies are successors to Cyber2Media, the FTC said, a company that in 2011 had to settle a massive typosquatting lawsuit filed by Facebook.

Despite the personnel crossover, nothing in the complaint relates directly to the .xyz domains business, and the only domains listed in the complaint are some pretty nice .coms, including badcreditloans.com, personalloans.com, badcredit.com, fastmoney.com and cashadvance.com.

The complaint alleged deceptive representations and unfair distribution of sensitive information as well as violations of the Fair Credit Reporting Act. It reads:

In numerous instances, Defendants, through ITMedia’s actions, have shared and sold sensitive personal and financial information from consumers’ loan forms — including consumers’ full names, addresses, email addresses, phone numbers, birthdates, Social Security numbers, bank routing and account numbers, driver’s license and state identification numbers, income, status and place of employment, military status, homeownership status, and approximate credit scores—without consumers’ knowledge or consent and without regard for whether the recipients are lenders or otherwise had a legitimate need for the information.

Essentially, the complaint alleged that the defendants bullshitted consumers into handing over personal info thinking they were applying for a legitimate loan, when in fact the info was just being harvested for resale to sometimes dodgy buyers.

The complaint reads:

ITMedia’s practice of broadly disseminating consumer information, including to entities that share information with others whose identities and use of the information are unknown to ITMedia, exposes consumers to the risk of substantial harm from identity theft, imposter scams, unauthorized billing, phantom debt collection, and other misuse of the consumers’ information. Some consumers have complained that, shortly after submitting loan applications to ITMedia, they have received communications using the names of ITMedia websites to present sham loan offers or demands for repayment of counterfeit debt.

The $1.5 million settlement will be paid by “Individual Defendants and Corporate Defendants, jointly and severally”, according to court documents.

UPDATE: This article was updated shortly after publication with a statement from XYZ’s lawyer.

New gTLD pioneer MMX to wind up

MMX, the new gTLD registry also known as Minds + Machines, has decided to close down and de-list.

The company said today that it plans to return its remaining cash to investors through a tender offer and then cancel its remaining shares, which are listed on London’s Alternative Investment Market.

The cancellation plan is subject to shareholder approval at a February 7 general meeting, but the tender does not require approval.

MMX will buy back shares to the tune of £19 million ($26 million) at 10.4 pence per share, a premium of 26.1% on yesterday’s closing price and 24.8% on the last month’s average price.

It follows an $80 million tender offer completed in October.

MMX sold off its major assets — 22 new gTLD registry contracts — to GoDaddy last year in a $120 million deal, and has wound down its legacy registrar businesses.

Now, all that remains is a transition services agreement with GoDaddy, which will soon end.

There had been talk of using the AIM listing as a reverse-takeover vehicle for an operating business seeking quick access to the public markets, but it appears that’s no longer on the table.

If everything goes according to plan, MMX will cease to exist as a public company on February 22. Shareholders have until January 28 to accept the tender offer.

It seems the remaining shareholders will be losing out — if the tender offer is fully subscribed, they’ll only get to sell one share for every 1.485 shares they currently own.

Monte Cahn revealed as third new gTLD buyer

Domain investor Monte Cahn has revealed himself as the third partner in the controversial acquisition of new gTLD .hiphop from UNR.

Cahn Enterprises named itself alongside already-reported consultant Jeff Neuman of JJN Solutions and publicly traded startup Digital Asset Monetary Network (DigitalAMN) as a partner in newly formed registry vehicle Dot Hip Hop LLC.

DHH bought .hiphop privately from Frank Schilling’s UNR last April at around the same time as UNR auctioned off the other 22 gTLDs in its portfolio, exiting the registry business.

Cahn founded the registrar Moniker, aftermarket pioneer SnapNames and gTLD auction coordinator RightOfTheDot.

RightOfTheDot’s Scott Pruitt has also joined DHH to lead marketing, Cahn’s press release revealed.

The new registry plans to lower the price of .hiphip domains, which currently retail for over $150 a year, as part of an effort to get broader adoption in the hip-hop cultural community.

The company is strongly pushing digital empowerment and “financial literacy” in an “underserved” community as a public benefit of its plans for the TLD.

The problem DHH continues to face is ICANN’s ongoing blocking of the transfer of .hiphop, and the other 22 UNR TLD contracts, due to confusion about the ownership status of matching TLDs on the Ethereum Name Service, a blockchain-based alt-root.

ICANN is fearful of alternative DNS roots which, if they ever gain broad appeal, in theory could break internet interoperability as well as eroding ICANN’s own uniquely powerful and uniquely lucrative authority over the DNS.

DHH’s Neuman recently accused ICANN of foot-dragging and retaliation over the delayed transfers, which is costing the DHH partners money while their legal status is in limbo and they are unable to sell any names.

ICANN’s top brass subsequently denied these accusations, saying the Org is merely following its established (and rather convoluted) appeals procedures.

While these procedures could delay approval of .hiphop’s transfer for another few months, forcing DHH to burn more capital, ICANN said it is “considering the potential impact on the requestor as we have been requested to do”, so it may cut DHH some slack.

“National security” cited as registry says you have to ask its CEO if you want to register more than TWO domains

India, a country with some 2.2 million ccTLD domains, has implemented perhaps the strangest and most Draconian restrictions on bulk registration of modern times.

The local registry, NIXI, informed its registrars all over the world in late December that they will have to seek formal written permission directly from the CEO if a customer wishes to register more than two .in domains.

Registrars breaking the rules face losing their accreditation, NIXI said.

A terse notice (pdf) published on the registry’s web site, signed by CEO Anil Kumar Jain, reads:

It is decided that a written approval of CEO, NIXI is required if an individual Registrant submit a request for registering more than two domains.

In case a registered accredited company try to book domains more than 100 than also a written approval of CEO, NIXI is required.

In case any Registrar is booking domains violating the above norms NIXI has right to disallow/disconnect the domains booking under that category. A process may be initiated for de-accreditation of such Registrar.

Approval will be given within 24 hours of a request, regardless of weekends or holidays, the notice reads.

Asked for clarification, Jain told DI in an email that the “new procedure is drawn after reviewing national security concerns” and that “NIXI registry is not stopping any domain registration.”

“An individual can book up to 2 domains and a company can book up to 100 domains without permissions,” he wrote. “Permission sought is given within 24 hrs.”

The new rule has registrars scratching their heads, with one describing it as “crazy”, “very vague” and very difficult to enforce.

NIXI uses GoDaddy Registry as its back-end, but GoDaddy does not appear to be playing a role in the implementation of the new policy. A spokesperson said in a statement:

At this time, the responsibilities are on the registrars and it’s a discussion between NIXI and them. As the back-end provider, we work closely with .in on any changes they would like to make at the registry level.