Domain Security Company CEO Mary Iqbal claims that NCC Group took many of her ideas for a high-security .secure top-level domain following unproductive investment talks.
Iqbal is also hinting at “potential future litigation” over the issue.
The surprising claims, made in emails to DI today, follow the announcement last week that a new NCC subsidiary, Artemis Internet, will also apply to ICANN for .secure.
“NCC Group has taken many of the security measures outlined in the Domain Security Company LLC security plan and incorporated them into the NCC Group’s proposed security measures,” Iqbal said.
Artemis chief technology officer Alex Stamos, a veteran security industry technologist, has dismissed the allegations as “completely ridiculous”.
“The only reason I know she is applying is because we did some Google searches when we were putting together our announcement,” he said.
Iqbal claims she was first contacted by NCC in January this year to talk about signing up for data escrow services – one of the technical services all new gTLD applicants need.
However, she says these talks escalated into discussions about a possible NCC investment in Domain Security Company, during which she shared the company’s security and business plans.
She said in an email:
These disclosures were made based on assurances from the NCC Group that the NCC Group was not then involved with any other applications for a secure Top Level Domain. Specific assurances were also given that the NCC Group was not involved with any other potential application for a .SECURE Top Level Domain.
But Stamos said that he’s been working on .secure at NCC since late last year, and he has no knowledge of any talks about investing in Iqbal’s company.
“All I know is that she talked to one of our salespeople about escrow,” he said. “I’ve never seen a business plan or security plan.”
Emails from an NCC executive sent to Iqbal in January and forwarded to DI by Iqbal today appear to be completely consistent with a sales call.
Iqbal said she has emails demonstrating that the talks went further, but she declined to provide them “since I may have to use it in any potential future litigation”.
Stamos pointed out that if NCC was in the habit with competing with its escrow clients, it would have applied for considerably more gTLDs than just .secure.
Artemis is proposing a significant technology development as part of its .secure bid, he said: the Domain Policy Framework, which he outlines on his personal blog here.
He added that Artemis is happy to compete with other .secure applicants – he evidently expects more to emerge – but on the merits of the application rather than “spurious claims”.
Domain Security Company “already has a very troubling history of using the legal process to overcome problems that should be based on merit”, he said.
That’s a reference to the company’s almost-successful attempt to secure US trademarks on .secure and .bank, in spite of the US trademark office’s rules against granting trademarks on TLDs.
Expect more stories like this to emerge about other gTLDs after ICANN’s Big Reveal of the applicant list next month.
Whether her claims have any merit or not, Iqbal’s not the first to claim that another applicant stole her idea, and she certainly won’t be the last.
International Olympic Committee lawyers have lodged an official appeal of ICANN’s latest decision to not grant it extra-extra special new gTLD protection.
The IOC last week filed a Reconsideration Request asking the ICANN board to rethink an April 10 decision that essentially ignored the latest batch of “.olympic” special pleading.
As previously reported, ICANN’s GNSO Council recently spent a harrowing couple of meetings trying to grant the Olympic and Red Cross trademarks even more protection than they already get.
Among other things, the recommendations would have protected strings confusingly similar to “.olympic” at the top level in the new gTLD program.
But a month ago the ICANN board of directors’ newly created, non-conflicted new gTLD program committee declined to approve the GNSO Council’s recommendations.
The committee pointed out in its rationale that the application window is pretty much closed, making changes to the Applicant Guidebook potentially problematic:
a change of this nature to the Applicant Guidebook nearly three months into the application window – and after the date allowed for registration in the system – could change the basis of the application decisions made by entities interested in the New gTLD Program
It also observed that there was still at that time an open public comment period into the proposed changes, which tended to persuade them to maintain the status quo.
The decision was merely the latest stage of an ongoing farce that I went into much more detail about here.
But apparently not the final stage.
With its Reconsideration Request (pdf), the IOC points out that changes to the Applicant Guidebook have always been predicted, even at this late stage. The Guidebook even has a disclaimer to that effect.
The standard for a Reconsideration Request, which is handled by a board committee, is that the adverse decision was made without full possession of the facts. I can’t see anything in this request that meets this standard.
The IOC reckons the lack of special protections “diverts resources away from the fulfillment of this unique, international humanitarian mission”, stating in its request:
The ICANN Board Committee’s failure to adopt the recommended protection at this time would subject the International Olympic Committee and its National Olympic Committees to costly and burdensome legal proceedings that, as a matter of law, they should not have to rely upon.
Forgive me if I call bullshit.
The Applicant Guidebook already protects the string “.olympic” in over a dozen languages – making it ineligible for delegation – which is more protection than any other organization gets.
But let’s assume for a second that a cybersquatter applies for .olympics (plural) which isn’t specially protected. I’m willing to bet that this isn’t going to happen, but let’s pretend it will.
Let’s also assume that the Governmental Advisory Committee didn’t object to the .olympics application, on the IOC’s behalf, for free. The GAC definitely would object, but let’s pretend it didn’t.
A “costly and burdensome” Legal Rights Objection – which the IOC would easily win – would cost the organization just $2,000, plus the cost of paying a lawyer to write a 20-page complaint.
It has already spent more than this lobbying for special protections that it does not need.
The law firm that has been representing the IOC at ICANN, Silverberg, Goldman & Bikoff, sent at least two lawyers to ICANN’s week-long meeting in Costa Rica this March.
Which client(s) paid for this trip? How much did it cost? Did the IOC bear any of the burden?
How much is the IOC paying Bikoff to pursue this Reconsideration Request? How much has it spent lobbying ICANN and national governments these last few years?
What’s the hourly rate for sitting on the GNSO team that spent weeks coming up with the extra special protections that the board rejected?
How much “humanitarian” cash has the IOC already pissed away lining the pockets of lawyers in its relentless pursuit of, at best, a Pyrrhic victory?
The proposed .secure generic top-level domain is now officially contested, after NCC Group, best known in the domain industry for its data escrow services, announced a bid.
Newly formed NCC subsidiary Artemis Internet Inc, based in San Francisco, is the official applicant.
According to Artemis chief technology officer Alex Stamos, who co-founded security testing firm iSEC Partners and sold it to NCC for $22.8 million two years ago, this is a hard security play.
The .secure gTLD would be all about enforcing strict security policies on registrants, he said.
“Right now there are a lot of interesting security technologies out there, but they’re generally not very effective because they’re optional,” he said.
As well as premium pricing and a manual registrant verification process expected to take about two weeks – complete with mailing address confirmation and two-factor authentication tokens – Artemis plans to force registrants to adhere to certain baseline security policies.
For example, all .secure web sites would have to be completely HTTPS, Stamos said. The only permissible use of a standard port 80 URL would be to redirect to the encrypted site.
The same would go for mail servers – they’d all have to use TLS to encrypt email as standard.
“When you go to bank.secure you’ll know that the software and servers at the other end are going to make the most secure decisions possible,” Stamos said.
Artemis would scan its registrants’ sites for compliance with these baseline rules, looking out for things such as botched SSL implementations.
But Artmeis wants to take it a step further. It is also proposing a new protocol, Domain Policy Framework, which would let registrants publish their security policies in the DNS.
Stamos said the company has set up a Domain Policy Working Group to develop the spec, which it plans to submit to the IETF for standardization before the end of the year.
The other members of the working group, which promise to include some “influential” names in financial services, software and social media, will be announced in July.
DPF would work alongside the existing DNSSEC and DANE protocols to enable registrants to specify, for example, which Certificate Authorities browsers should trust when accessing their .secure domain, preventing certain types of attacks, Stamos said.
Obviously, this system is not going to work without support from browser software, but Stamos said he’s hopeful that the big vendors will embrace the DPF spec.
“The most innovative and forward-leaning browsers will support it first,” he said.
Domains in .secure would still be accessible by non-compliant browsers, he said.
ARI Registry Services has been hired to manage the back-end registry, but Artemis is also building a secondary registry system for storing the DPF records, which it plans to offer to other TLD registries.
NCC plans to invest up to £6 million ($9.7 million) in Artmeis over the next 15 months, according to a press release.
Another firm, Domain Security Company, also plans to apply for .secure.
Go Daddy reportedly plans to apply for three new generic top-level domains, including the dot-brand .godaddy.
CEO Warren Adelman confirmed the bids to CNet’s Paul Sloan today.
The other two strings were not revealed, presumably because they could still be contested.
Yesterday, Demand Media, owner of Go Daddy’s primary registrar competitor eNom, revealed an $18 million investment in the new gTLD program, suggesting it has more ambitious plans.
Like Demand, Go Daddy subsidiaries have a history of adverse UDRP decisions, which could complicate the background checks ICANN plans to conduct on all applicants.
Despite sending out hundreds of notifications to new gTLD applicants today, it looks rather like ICANN’s analysis of the TLD Application System bug is not yet complete.
(MAY 10 UPDATE — in a statement today, ICANN provided significantly more information about the notification process, rendering much of the speculation originally in this post moot. Read it here.)