Google and other members of the New gTLD Applicant Group are happy to let ICANN put their applications on hold in response to security concerns raised by Verisign.
During the ICANN 46 Public Forum in Durban on Thursday, NTAG’s Alex Stamos — CTO of .secure applicant Artemis — said that agreement had been reached that about half a dozen applications could be delayed:
NTAG has consensus that we are willing to allow these small numbers of TLDs that have a significant real risk to be delayed until technical implementations can be put in place. There’s going to be no objection from the NTAG on that.
While he didn’t name the strings, he was referring to gTLDs such as .home and .corp, which were highlighted earlier in the week as having large amounts of error traffic at the DNS root.
There’s a worry, originally expressed by Verisign in April and independent consultant Interisle this week, that collisions between new gTLDs and widely-used internal network names will lead to data leakage and other security problems.
Google’s Jordyn Buchanan also took the mic at the Public Forum to say that Google will gladly put its uncontested application for .ads — which Interisle says gets over 5 million root queries a day — on hold until any security problems are mitigated.
Two members of the board described Stamos’ proposal as “reasonable”.
Both Stamos and ICANN CEO Fadi Chehade indirectly criticised Verisign for the PR campaign it has recently built around its new gTLD security concerns, which has led to somewhat one-sided articles in the tech press and mainstream media such as the Washington Post.
What we do object to is the use of the risk posed by a small, tiny, tiny fraction — my personal guess would be six, seven, eight possible name spaces that have any real impact — to then tar the entire project with a big brush. For contracted parties to go out to the Washington Post and plant stories about the 911 system not working because new TLDs are turned on is completely irresponsible and is clearly not about fixing the internet but is about undermining the internet and undermining new gTLDs.
Later, in response to comments on the same topic from the Association of National Advertisers, which suggested that emergency services could fail if new gTLDs go live, Chehade said:
Creating an unnecessary alarm is equally irresponsible… as publicly responsible members of one community, let’s measure how much alarm we raise. And in the trademark case, with all due respect it ended up, frankly, not looking good for anyone at the end.
That’s a reference to the ANA’s original campaign against new gTLDs, which wound up producing not much more than a lot of column inches about an utterly pointless Congressional hearing in late 2011.
Chehade and the ANA representative this time agreed publicly to work together on better terms.
ICANN has published its weekly run-down of new gTLD Initial Evaluation results and this week 90 applications have passed.
There have also been two withdrawals, both made by Uniregistry. It’s withdrawn its bids for .media and .country, leaving Tucows and Donuts duking it out for .media and Top Level Domain Holdings as the sole remaining applicant for .country.
TLDH and Uniregistry previously inked a deal that would see them go 50:50 on .country, the only question remaining was which applicant would drop out.
These are this week’s passing applications:
.ecom .doctor .cpa .forum .aco .mba .mom .sbs .frogans .rip .changiairport .tirol .homesense .swatch .hotel .ice .realty .web .fun .clubmed .ril .creditcard .datsun .netbank .jmp .ferrero .hockey .contact .avianca .gold .beauty .audi .cheap .bet .uconnect .map .cooking .pics .network .madrid .garden .zone .expert .cfa .trv .review .forum .pizza .dabur .pay .app .bingo .home .ryukyu .agency .tdk .xfinity .nokia .raid .hoteles .tube .school .win .gmbh .faith .show .radio .pizza .wtf .juniper .xerox .rehab .global .cloud .docs .life .fun .brother .intel .place .photo .christmas .wine .dupont .run .home .ping .boutique .mortgage .store
Intellectual property interests got a wake-up call at ICANN 47 in Durban this week, when it became clear that they can no longer rely upon the Governmental Advisory Committee as a natural ally.
The GAC’s decision to file a formal consensus objection against Amazon’s application for the .amazon gTLD prompted a line of IP lawyers to queue up at the Public Forum mic to rage against the GAC machine.
As we reported earlier in the week, the GAC found consensus to its objection to .amazon after the sole hold-out government, the United States, decided to keep quiet and allow other governments to agree.
This means that the ICANN board of directors will now be presented with a “strong presumption” that .amazon should be rejected.
With both previous consensus objections, against .africa and .gcc, the board has rejected the applications.
The objection was pushed for mainly by Brazil, with strong support from Peru, Venezuela and other Latin American countries that share the Amazon region, known locally as Amazonas.
During a GAC meeting on Tuesday, statements of support were also made by countries as diverse as Russia, Uganda and Trinidad and Tobago.
Brazil said Amazon is a “very important cultural, traditional, regional and geographical name”. Over 50 million Brazilians live in the region, he said.
The Brazilian Congress discussed the issue at length, he said.
The Brazilian Internet Steering Committee was also strongly against .amazon, he said, and there was a “huge reaction from civil society” including a petition signed by “thousands of people”.
All the countries in the region also signed the Montevideo Declaration (pdf), which resolves to oppose any attempts to register .amazon and .patagonia in any language, in April.
It doesn’t appear to be an arbitrary decision by one government, in other words. People were consulted.
The objection did not receive a GAC consensus three months ago in Beijing only because the US refused to agree, arguing that governments do not have sovereign rights over geographic names.
But prior to Durban, without changing its opinion, the US said that it would not stand in the way of consensus.
It seems that there may have been bigger-picture political concerns at play. The NTIA, which represents the US on the GAC, is said to have had its hands tied by its superiors in Washington DC.
Did the GAC move the goal posts?
With the decision to object to .amazon already on the public record before the GAC’s Durban communique was formally issued yesterday, Intellectual Property Constituency interests had plenty of time to get mad.
At the Public Forum yesterday, several took to the open mic to slam the GAC’s decision.
Common themes emerged, one of which was the claim that the GAC is retroactively changing the rules about what is and is not a “geographic” string for the purposes of the Applicant Guidebook.
Stacey King, senior corporate counsel with Amazon, said:
Prior to filing our applications Amazon carefully reviewed the Applicant Guidebook; we followed the rules. You are now being asked to significantly and retroactively modify these rules. That would undermine the hard-won international consensus to the detriment to all stakeholders. I repeat, we followed these rules.
It’s true that the string “amazon” is not on any of the International Standards Organization lists that ICANN’s Geographic Names Panel used to determine what’s “geographic”.
The local-language string “Amazonas” appears four times, representing a Brazilian state, a Colombian department, a Peruvian region and a Venezuelan state; Amazon isn’t there.
But Amazon is wrong about one thing.
By filing its objection, the GAC is not changing the rules about geographic names, it’s exercising its entirely separate but equally Guidebook-codified right to object to any application for any reason.
That’s part of the Applicant Guidebook too, and it’s a part that the IPC has never previously objected to.
Amazon was not alone making its claim about retroactive changes. IPC president Kristina Rosette, wearing her hat as counsel for former .patagonia applicant Patagonia Inc, said:
Patagonia is deeply disappointed by and concerned about the breakdown of the new gTLD process. Consistent with the recommendations and principles established in connection with that process, Patagonia fully expected its .patagonia application to be evaluated against transparent and predictable criteria, fully available to applicants prior to the initiation of the process.
Yet, its experience demonstrates the ease with which one stakeholder can jettison rules previously agreed upon after an extensive and thorough consultation.
That’s not consistent with the IPC’s position.
The IPC just last month warmly welcomed (pdf) the GAC’s Beijing advice, stating that the after-the-fact “safeguards” it demanded for all new gTLDs should be accepted.
Apparently, it’s okay for the GAC to move the goal posts for gTLD applicants when its advice is about Whois accuracy, but when it files an objection — perfectly compliant with the GAC Advice section of the Guidebook — that interferes with the business objectives of a big trademark owner, that’s suddenly not cool.
The IPC also did not challenge the GAC Advice process when it was first added to the Applicant Guidebook in the April 2011 draft.
At that time, the GAC had responded to intense lobbying by IP interests and was fighting their corner with the ICANN board, demanding stronger trademark protections in the new gTLD program.
If the IPC now finds itself arguing against the application of the GAC Advice rule, perhaps it should consider whether speaking up earlier might have been a good idea.
Rosette tried to substantiate her remarks by referring back to previous GAC advice, specifically a May 26, 2011 letter in which she said the GAC “formally accepted” the Guidebook’s definition of geographic strings.
However, that letter (pdf) has a massive caveat. It says:
Given ICANN’s clarifications on “Early Warning” and “GAC Advice” that allow the GAC to require governmental support/non-objection for strings it considers to be geographical names, the GAC accepts ICANN’s interpretation with regard to the definition of geographic names.
In other words, “The GAC is happy with your list, as long as we can add our own strings to it at will later”.
Rosette’s argument that the GAC has changed its mind, in other words, does not hold.
It wasn’t just IP interests that stood up against the .amazon decision, however. The IPC found an unlikely ally in the Registries Stakeholder Group, represented at the Public Forum by Verisign’s Keith Drazek.
Drazek sought to link the “retroactive changes” on geographic strings to the “retroactive changes” the GAC has proposed in relation to the so-called Category 1 strings — which would have the effect of demanding that hundreds of regular gTLD bids convert into de facto “Community” applications. He said:
While different stakeholders have different views about particular aspects of the GAC advice, we have a shared concern about the portions of that advice that constitute retroactive changes to the Applicant Guidebook around the issues of sovereign rights, undefined and unexplained geographic sensitivities, sensitive industry strings, regulated strings, etc.
This appears to be one of those rare instances where the interests of registries and the interests of IP owners are aligned. The registries, however, have at least been consistent, complaining about the GAC Advice process as soon as it was published in April 2011.
There’s also a big difference between the substance of the advice that they’re currently complaining about: the objection against .amazon followed the Guidebook rules on GAC Advice almost to the letter, whereas the Category 1 advice came completely out of the left field, with no Guidebook basis to cling to.
The GAC in the case of .amazon followed the rules. The rules are stupid, but the time to complain about that was before paying your $185,000 to apply.
If anyone is trying to change the rules after the fact, it’s Amazon and its supporters.
Is the GAC breaking the law?
Another recurring theme throughout yesterday’s Public Forum commentary was the idea that international trademark law does not support the GAC’s right to object to .amazon.
I’m going to preface my editorializing here with the usual I Am Not A Lawyer disclaimer, but it seems to be a pretty thin argument.
Claudio DiGangi, secretary of the IPC and external relations manager at the International Trademark Association, was first to comment on the .amazon objection. He said:
INTA strongly supports the recent views expressed by the United States. In particular, that it does not view sovereignty as a valid basis for objecting to the use of terms, and we have concerns about the effect of such claims on the integrity of the process.
J Scott Evans, head of domains at Yahoo, who left the IPC for the Business Constituency recently (apparently after some kind of disagreement) was next. He said:
There is no international recognition of country names as protection and they cannot trump trademark rights. So giving countries a block on a name violates international law. So you can’t do it.
There were similar comments along the same lines.
Heather Forrest, a senior lecturer at an Australian university and former AusRegistry employee, said she had conducted a doctoral thesis (available at Amazon!) on the rights of governments over geographic names, with particular reference to the Applicant Guidebook.
She told the Public Forum:
My study was comprehensive. I looked at international trade law, unfair competition law, intellectual property law, geographic indications, sovereign rights and human rights. As the board approved the Applicant Guidebook, I completed my study and found that there is not support in international law for priority or exclusive right of states in geographic names and found that there is support in international law for the right of non-state others in geographic names.
Kiran Malancharuvil, whose job until recently was to lobby the GAC for special protections for her client, the International Olympic Committee, now works for MarkMonitor. Calling for the ICANN board to reject the GAC’s advice on .amazon, she said at the Public Forum:
To date, governments in Latin America including the Amazonas community countries have granted Amazon over 130 trademark registrations that have been in continuous use by Amazon since 1994 without challenge. Additionally, Amazon has used their brand within domain names including some registered by MarkMonitor and including registrations in Amazonas community ccTLDs without objection.
Amazonas community countries and all other nations who have signed the TRIPS agreement have obligated themselves to maintain and protect these trademark registrations. Despite these granted rights, members of the community signed the Montevideo declaration and resolved to reject Amazon and Patagonia in any language as well as any other top-level domains referring to them. This declaration appears inconsistent with national and international law.
Having read TRIPS — the World Trade Organization’s Trade Related Aspects of Intellectual Property Rights treaty — this morning, I’m still none the wiser how it relates to .amazon.
It’s a treaty that sought to create some uniformity in how trademarks and other types of intellectual property are handled globally, and domain names are not mentioned once.
As far as I can tell, nobody is asking Amazon to change its name and nobody’s trying to take away its trademarks. Nobody’s even trying to take away its domain names.
If the international law argument is simply that the GAC and/or ICANN cannot prevent a company with a trademark from getting its mark as a TLD, as Yahoo’s Evans suggested, it seems to me that quite a lot of the new gTLD program would have to be rewritten.
We’re already seeing Legal Rights Objections in which an applicant with a trademark is losing against an applicant without a trademark.
Is that illegal too? Was it illegal for ICANN to create an LRO process that has allowed Donuts (no trademark) to beat Express LLC (with trademark) in a fight over .express?
What about other protections in the Guidebook?
ICANN already bans two-character gTLDs, on the basis that they could interfere with future ccTLDs — protecting the geographic rights of countries that do not even exist — which disenfranchises companies with two-letter trademarks, such as BT and HP.
What about 888, the poker company, and 3, the mobile phone operator? They have trademarks. Should ICANN be forced to allow them to have numeric gTLDs, despite the obvious risks?
The Guidebook already bans country names outright, and says thousands of other geographic terms need government support or will be rejected. Is this all illegal?
If the argument is that trademarks trump all, ICANN may as well throw out half the Guidebook.
Unlike .patagonia, which dropped out of the new gTLD program last week (we’ll soon discover whether that was wise), the objection to .amazon will now go to ICANN’s board of directors for consideration.
While the Guidebook calls for a “strong presumption” that the board will then reject the application, board member Chris Disspain said yesterday that outsiders should not assume that it will simply rubber-stamp the GAC’s advice.
In both previous cases, the outcome has been a rejection of the application, however, so it’s not looking great for Amazon.
New gTLDs could be in jeopardy following the results of a study into the security risks they may pose.
ICANN is likely to be told to put in place measures to mitigate the risk of new gTLDs causing problems, and chief security officer Jeff Moss said “deadlines will have to move” if global DNS resolution is put at risk.
His comments referred to the potential for clashes between applied-for new gTLD strings and non-existent TLDs that are nevertheless already widely used on internal networks.
That’s a problem that has been increasingly highlighted by Verisign in recent months. The difference here is that the study’s author does not have a .com monopoly to protect.
Interisle Consulting, which has been hired by ICANN to look into the problem, today released some of its preliminary findings during a session at the ICANN 47 meeting in Durban, South Africa.
The company looked at domain name look-up data collected from one of the DNS root servers over a 48-hour period, in an attempt to measure the potential scope of the clash problem.
Some of its findings are surprising:
- Of the 1,408 strings originally applied for in the current new gTLD round, only 14 do not currently have any root traffic.
- Three percent of all requests were for strings that have been applied for in the current round.
- A further 19% of requests were for strings that could potentially be applied for in future rounds (that is, the TLD was syntactically well-formed and not a banned string such as .local).
- .home, the most frequently requested invalid TLD, received over a billion queries over the 48-hour period. That’s compared to 8.5 billion for .com
Here’s a list of the top 17 invalid TLDs by traffic, taken from Interisle’s presentation (pdf) today.
If the list had been of the top 100 requested TLDs, 13 of them would have been strings that have been applied for in the current round, Interisle CEO Lyman Chapin said in the session.
Here’s the most-queried applied-for strings:
Chapin was quick to point out that big numbers do not necessarily equate to big security problems.
“Just occurrence doesn’t tell you a lot about whether that’s a good thing, a bad thing, a neutral thing, it just tells you how often the string appears,” he said.
“An event that occurs very frequently but has no negative side effects is one thing, an event that occurs very infrequently but has a really serious side effect, like a meteor strike — it’s always a product of those two factors that leads you to an assessment of risk,” he said.
For example, the reason .ice appears prominently on the list appears to be solely due to an electricity producer in Costa Rica, which “for some reason is blasting .ice requests out to the root”, Chapin said.
If the bad requests are only coming from a small number of sources, that’s a relatively simple problem to sort out — you just call up the guy responsible and tell him to sort out his network.
In cases like .home, where much of the traffic is believed to be coming from millions of residential DSL routers, that’s a much trickier problem.
The reverse is also true, however: a small number of requests doesn’t necessarily mean a low-impact risk.
There may be a relatively small number of requests for .hospital, for example, but if the impact is even a single life support machine blinking off… probably best not delegate that gTLD.
Chapin said that the full report, which ICANN said could be published in about two weeks, does contain data on the number of sources of requests for each invalid TLD. Today’s presentation did not, however.
As well as the source of the request, the second-level domains being requested is also an important factor, but it does not seem to have been addressed by this study.
For example, .home may be getting half a billion requests a day, but if all of those requests are for bthomehub.home — used today by the British ISP BT in its residential routers — the .home registry might be able to eliminate the risk of data leakage by simply giving BT that domain.
Likewise, while .hsbc appears on the list it’s actually been applied for by HSBC as a single-registrant gTLD, so the risk of delegating it to the DNS root may be minimal.
There was no data on second-level domains in today’s presentation and it does not appear that the full Interisle report contains it either. More study may be needed.
Donuts CEO Paul Stahura also took to the mic to asked Chapin whether he’d compared the invalid TLD requests to requests for invalid second-level domains in, say, .com. He had not.
One of Stahura’s arguments, which were expounded at length in the comment thread on this DI blog post, is that delegating TLDs with existing traffic is little different to allowing people to register .com domains with existing traffic.
So what are Interisle’s recommendations likely to be?
Judging by today’s presentation, the company is going to present a list of risk-mitigation options that are pretty similar to what Verisign has previously recommended.
For example, some strings could be permanently banned, or there could be a “trial run” — what Verisign called an “ephemeral delegation” — for each new gTLD to test for impact before full delegation.
It seems to me that if the second-level request data was available, more mitigation options would be opened up.
ICANN chief security officer Jeff Moss, who was on today’s panel, was asked what he would recommend to ICANN CEO Fadi Chehade today in light of the report’s conclusions.
“I am not going to recommend we do anything that has any substantial SSR impact,” said Moss. “If we find any show-stoppers, if we find anything that suggests impact for global DNS, we won’t do it. It’s not worth the risk.”
Without prompting, he addressed the risk of delay to the new gTLD program.
“People sometimes get hung up on the deadline, ‘How will you know before the deadline?’,” he said. “Well, deadlines can move. If there’s something we find that is a show-stopper, deadlines will have to move.”
The full report, expected to be published in two weeks, will be opened for public comment, ICANN confirmed.
Assuming the report is published on time and has a 30-day comment period, that brings us up to the beginning of September, coincidentally the same time ICANN expects the first new gTLD to be delegated.
ICANN certainly likes to play things close to the whistle.
Donuts has successfully fought off another Legal Rights Objection against one of its new gTLD applications.
This time the objector was The Limited, apparently the operator of a large chain of clothing stores in the US, and the applied-for gTLD was .limited, which is uncontested.
Key to the World Intellectual Property Organization panelist’s decision appears to be the fact that the brand and the trademark in question is “The Limited” rather than “Limited”.
The retailer failed to show that it was commonly known by the word “Limited” alone, whereas Donuts made the case that “limited” is a common generic word with multiple uses.
The panelist wrote:
The definite article “the” makes a difference in this case. If the string were <.thelimited>, Applicant’s professed plans for the String would be highly suspect. This is because limited liability businesses do not use the term “the limited” (or an abbreviation or derivation thereof) in their company name.
In the absence of the definite article “the” in the String, however, Applicant’s proposed use of the String is plausible and legitimate, and the likelihood of confusion between Objector’s mark and the String is greatly reduced. There is simply no viable evidence in the record to suggest that significant source confusion – among consumers or non-consumers who use the Internet – will ensue if Applicant carries out its plans.
It’s the sixth LRO to be decided and the sixth finding in favor of the new gTLD applicant.
Donuts also fought off an objection from another clothing retailer, Express, which it is fighting for the .express gTLD.