Latest news of the domain name industry

Recent Posts

Domain firms plan “Trusted Notifier” takedown rules

Kevin Murphy, June 23, 2021, Domain Policy

Domain name registries and registrars are working on a joint framework that could speed up the process of taking down domain names being used for behavior such as movie piracy.

Discussed last week at the ICANN 71 public meeting, the Framework on Trusted Notifiers is a joint effort of the Registrar Stakeholder Group and Registries Stakeholder Group — together the Contracted Parties House — and is in the early stages of discussion.

Trusted Notifiers are third parties who often need domain names taken down due to activity such as copyright infringement or the sale of counterfeit pharmaceuticals, and are considered trustworthy enough not to overreach and spam the CPH with spurious, cumbersome, overly vague complaints.

It’s not a new concept. Registries in the gTLD space, such as Donuts and Radix, have had relationships with the Motion Picture Association for over five years.

ccTLD operator Nominet has a similar relationship with UK regulators, acting on behalf of Big Copyright and Big Pharma, taking down thousands of .uk domains every year.

The joint RrSG-RySG effort doesn’t appear to have any published draft framework yet, and the discussions appear to be being held privately, but members said last week that it is expected to describe a set of “common expectations or common understandings”, establishing what a Trusted Notifier is and what kind of cooperation they can expect from domain firms.

It’s one of several things the industry is working on to address complaints about so-called “DNS Abuse”, which could lead to government regulations or further delays to the new gTLD program.

It obviously veers into content policing, which ICANN has disavowed. But it’s not an ICANN policy effort. Whatever framework emerges, it’s expected to be non-contractual and voluntary.

Trusted Notifier relationships would be bilateral, between registry and notifier, with no ICANN oversight.

Such deals are not without controversy, however. Notably, free speech advocates at the Electronic Frontier Foundation have been complaining about Trusted Notifier for years, calling it “content policing by the back door” and most recently using it as an argument against Ethos Capital’s acquisition of Donuts.

Locked-down .music could launch this year

One of the most heavily contested new gTLDs, .music, could launch this year after new registry DotMusic finally signed its Registry Agreement with ICANN.

The contract was signed over two years after DotMusic prevailed in an auction against Google, Amazon, Donuts, Radix, Far Further, Domain Venture Partners and MMX.

It seems the coronavirus pandemic, along with ICANN bureaucracy, was at least partly to blame for the long delay.

I speculated in April 2019 that .music could launch before year’s end, but this time DotMusic CEO Constantinos Roussos tells me a launch in 2021 is indeed a possibility.

The contract the company has signed with ICANN contains some of the most stringent restrictions, designed to protect intellectual property rights, of any I’ve seen.

First off, there’s going to be a Globally Protected Marks List, which reserves from registration the names of well-known music industry companies and organizations, and platinum-selling recording artists.

Second, registrants are going to have to apply for their domains, proving they are a member of one of the registry’s pre-approved “Music Community Member Organizations”, rather than simply enter their credit card and buy them.

DotMusic will verify both the email address and phone number of the registrant before approving applications.

There’s also going to be a unique dispute resolution process, a UDRP for copyright, administered by the National Arbitration Forum, called the .MUSIC Policy & Copyright Infringement Dispute Resolution Process (MPCIDRP).

Basically, any registrant found to be infringing .music’s content policies could be slung out.

The content policies cover intellectual property infringement as you’d expect, but they also appear to cover activities such as content scraping, a rule perhaps designed to capture those sites that aggregate links to infringing content without actually infringing themselves.

The registry is also going to ban second-level domains that have been used to infringe copyright in other TLDs, to prevent the kind of “TLD-hopping” outfits like The Pirate Bay have engaged in in the past.

In short, it’s going to be one of the least rock-n-roll TLDs out there.

Tightly controlled TLDs like this tend to be unpopular with registrars. Despite the incredibly strong string, my gut feeling is that .music is going to be quite a low-volume gTLD. There’s no word yet on pricing, but I’d err towards the higher end of the spectrum.

Pirate Bay founder says ICANN won’t let him be a registrar

Peter Sunde, co-founder of the controversial Pirate Bay file-sharing web service, says ICANN is unfairly refusing him a registrar accreditation and he’s not happy about it.

Sunde told DI at the weekend that his application for his new registrar, Sarek.fi, to obtain accreditation was recently denied after over 18 months on the grounds that he lied about his criminal convictions on his application form.

He denies this, saying that his crimes were not of the type ICANN vets for, and in any event they happened over a decade ago.

He thinks ICANN is scared about doing business with a disruptive and “annoying” “pain in the ass” with a history of criticizing the intellectual property industry.

Would-be registrars have to select “Yes” or “No” to the question of whether any officer or major shareholder of the company has:

within the past ten (10) years, has been convicted of a felony or of a misdemeanor related to financial activities, or has been judged by a court to have committed fraud or breach of fiduciary duty, or has been the subject of a judicial determination that is similar or related to any of these;

Sunde was convicted by a Swedish court of enabling copyright infringement via the Pirate Bay in 2009, and was sentenced to a year in prison — later reduced to eight months on appeal — and hundreds of thousands of dollars of fines.

The Pirate Bay was a web site that collected links to BitTorrent files, largely copyrighted movies and music.

Because he was not based in Sweden, Sunde avoided jail for several years despite an Interpol arrest warrant.

He eventually served five months of his sentence after being arrested in 2014.

He checked “No” on his registrar accreditation application form, on the basis that he had not been convicted of fraud or any of the other listed financial crimes, and certainly not within the last 10 years.

But ICANN took a broader interpretation, and refused him accreditation due to the Pirate Bay conviction and his Interpol status in 2014, he says.

Since then, the Org, including CEO Göran Marby (with whom he had a brief email exchange) have been ignoring his emails, he says.

Sarek.fi has already been accredited to sell ccTLD domains by the likes of Nominet, Verisign and Donuts, but ICANN’s rejection means the company won’t be able to sell gTLD names.

Sunde says he’s now faced with the likelihood of having to leave his own company in order to secure accrediation, though he’s not ruled out pursuing ICANN through its own appeals process.

He says he suspects ICANN just doesn’t want to do business with him due to his reputation as a disrupter. He’s attended ICANN meetings in the past but wants to get more involved in the policy process.

“it’s really a way for ICANN to make sure that an annoying person with media influence and with a dislike for centralised organisations and monopolies to be there to raise concerns — that they just proved valid,” he told DI in an email.

I take quite an offence to their denial. Not just on the basis of their interpretation of the law (copyright infringement is not fraud, i would have been convicted of fraud then…) Not just because it seems that it’s ok to be a murderer the past 10 years. Or a wife beater. Or a neonazi. These things that are a bit worse than being an internet activist, caring about the free and open internet. The biggest offence I take is to their obligation to the general public to have a broader membership than what they allow today.

Sarek.fi’s business model is to charge a flat fee above wholesale cost for every domain registered.

It’s Sunde’s second domain business. He launched Njalla, a Tucows reseller with a focus on protecting the privacy of registrants, in 2017.

Ethos promises to keep .org for many many many many years

Kevin Murphy, December 6, 2019, Domain Services

Ethos Capital doesn’t plan to flip .org manager Public Interest Registry any time soon, according to its CEO.

Erik Brooks said that private equity firm Ethos, which intends to buy PIR from the Internet Society for over a billion dollars, plans to keep hold of the company for “many, many, many, many years”.

He was talking last night during a public conference call organized by NTEN, which also included the CEOs of ISOC and PIR, as well as critics from the Electronic Frontier Foundation, the the National Council of Nonprofits and the Irish chapter of ISOC.

The call was set up because many believe .org’s transition back into for-profit hands, coupled with its recently gained ability to raise prices arbitrarily, means .org’s non-profit registrants are in for a hard time as Ethos profit-takes.

While Brooks and chief purpose officer Nora Abusitta made all the right noises to settle such concerns, promising to not unreasonably raise prices and to stick with PIR’s commitment to non-profits, some participants remained skeptical.

Brooks said that his vision for Ethos, which he founded earlier this year, is “fundamentally broader and more expansive than traditional investing” where “success is defined as success for all participants, success for customers, employees, vendors, the community impacted by the company”.

PIR CEO Jon Nevett said he was initially concerned about the deal — which was negotiated between ISOC and Ethos without PIR’s participation — he is now “convinced that they’re here to do the right thing”.

He said that rather than funneling all of PIR’s spare .org reg cash to ISOC as happens currently, it will now be able to invest some of it in improving .org instead.

Brooks said he understand the community concerns about price increase.

“We are absolutely committed to staying within the spirit of how PIR has operated with the price system they have operated with before,” he said. That means 10% a year on average, as Ethos has stated before.

He added that “working on some mechanisms and some ideas that will give registrants more assurance” that this is just not PR spin, and that these will be communicated publicly over the coming weeks.

The fact that ICANN lifted the previous 10% contractual price cap just a few months before the deal was sealed did not factor into Ethos’ thinking, he said.

While what Ethos is describing is all well and good, there’s no telling what a future owner of PIR would do, should Ethos sell it or float it on the public markets.

That looked like a possibility, especially given that some say that Ethos is under-paying by a considerable margin for the registry.

But Brooks, asked what Ethos’ exit runway for PIR looked like, said that the company was committed to owning the registry “for an extraordinarily long period of time… dramatically outside the normal window of somebody owning a business… many, many, many, many years”.

Ethos’ own backers — which apparently include investment vehicles linked to Mitt Romney and the late Ross Perot — are on board with this long-term plan, he said.

So, assuming Brooks is a man of his word, .org registrants only have to look forward to price increases of no more than 10% a year for some time to come, which is kinda the situation they were in at the start of the year.

But not everyone is as trusting/gullible as me.

The EFF’s Mitch Stoltz, who was on the call, later published a blog post that seemed to shift gears somewhat away from pricing concerns towards the potential for future censorship of .org domains.

“Ethos Capital has a financial incentive to engage in censorship—and, of course, in price increases,” he wrote.

He alluded to that PIR had briefly toyed with the idea of a “UDRP for copyright” a few years ago, but had backed down under community pressure, something that he doesn’t believe Ethos would necessarily do.

Asked about the censorship issue by Stotlz during the call, Brooks said he had not given the issue a great deal of consideration but that he expected PIR’s practices on this kind of thing to continue on as they are today.

Criminal .uk suspensions down this year

Kevin Murphy, November 26, 2019, Domain Registries

Nominet suspended fewer .uk domain names due to reports of criminality in the last 12 months that in did in the prior period.

The registry said last week that is suspended 28,937 domains in the year to the end of October, down from 32,813 in the 2018 period.

That’s 0.22% of all .uk names, Nominet said.

As usual, complaints about intellectual property infringement — filed by copyright owners to the IP cops and handed to Nominet — account for the vast majority of takedowns, some 28,606 in the period.

The rest were suspended due to complaints about fraud, trading standards, financial conduct and healthcare products.

Only 16 requests were denied by Nominet, down from 114 in the previous year, and only five false-positive suspensions were reversed.

The controversial ban on “rape” domains resulted in 1,600 new regs getting automatically flagged, but zero getting suspended.

There were no requests from the Internet Watch Foundation to take down child sexual abuse material.

Nominet’s newish automated anti-phishing system, which uses pattern recognition to flag potential phishing domains at point of registration, saw 2,668 domains suspended before going live, of which 274 were released after the registrant passed due diligence checks.

Three big changes could be coming to .uk

Kevin Murphy, October 9, 2019, Domain Registries

Nominet wants to know what you thinking about three significant policy changes that could be implemented in the next year or so.

The .uk registry today published a consultation document covering two security-related changes and one related to expired domains.

First, Nominet wants to know if it should be allowed to preemptively block resolution on newly registered domains where it has “identified a high risk the domain will be used for phishing”.

It looks like more of a cosmetic policy change, given that the company is already blocking suspected phishing domains where the registrant fails to adequately verify their identity.

About 1,500 domains were blocked like this in the 12 months ending July 2019, Nominet says, on the basis of its Domain Watch program, which combines technical and manual oversight to identify phishy-looking names.

Second, Nominet want to know if it should display an standard informational web page when it blocks a domain on the basis of fraud, copyright infringement, and counterfeiting.

Currently, the company takes down tens of thousands of names every year on this basis, but the names are simply removed from the zone file and refuse to resolve.

Nominet’s friends in law enforcement reckon that allowing the the domains to instead resolve to a standard web page instead could help victims of fraudulent sites help with police investigations, and Nominet wants to know if you agree.

A side-effect of this would be that the names would remain in the zone, so we’d be able to see for the first time which names get suspended for fraud.

Third, Nominet wants to know whether it should start openly publishing drop-lists, the list of domains that have expired registrations and are about to become available.

This appears to be bad news for those registrars currently “excessively” pinging the registry to compile their own lists and get the jump on competitors when it comes to drop-catching valuable names for resale.

Nominet seems to want to see fewer dropped domains winding up in the hands of domainers, saying currently “not all dropping domains are registered and actively used by the new registrant, reducing the vibrancy of .UK domains”.

It’s proposing to give drop-lists just to registrars, or to publish them openly.

All three questions are open for comment until December 15.

Nominet takes down 32,000 domains for IP infringement

Kevin Murphy, November 21, 2018, Domain Registries

The number of .uk domains suspended by Nominet has doubled over the last year, almost entirely due to takedown requests concerning intellectual property.

The .uk registry said this week that it suspended 32,813 domains in the 12 months to October 31, up from 16,632 in the year-ago period.

It’s the fourth year in a row that the number of suspensions has more than doubled. In 2014, it was a paltry 948.

While Nominet has trusted notifier relationships with 10 law enforcement agencies, it’s the Police Intellectual Property Crimes Unit that is responsible for almost all of the takedown requests, 32,669 this year.

No court order or judicial review is required. Nominet simply carries out unspecified “administrative checks” then suspends the domain.

Only 114 domains did not make the cut this year, Nominet said, but that’s up considerably from 32 last year.

There’s an appeals mechanism that can be used by registrants to restore their domains, for example if they’ve removed the infringing content. It was used successfully 16 times in the year, up by one on last year.

The registry also reported that no domains were suspended due to its ban on incitement-to-rape domains, down from two last year, but that staff had to manually review 2,717 new registrations containing suspect strings.

US and EU call for Whois to stay alive

Kevin Murphy, January 31, 2018, Domain Policy

Government officials from both sides of the Atlantic have this week called on ICANN to preserve Whois as it currently is, in the face of incoming EU privacy law, at least for a select few users.

The European Commission wrote to ICANN to ask for a “pragmatic and workable solution” to the apparent conflict between the General Data Protection Regulation and the desire of some folks to continue to access Whois as usual.

Three commissioners said in a letter (pdf) that special consideration should be given to “public interests” including “ensuring cybersecurity and the stability of the internet, preventing and fighting crime, protecting intellectual property and copyright, or enforcing consumer protection measures”.

David Redl, the new head of the US National Telecommunications and Information Administration, echoed these concerns in a speech at the State of the Net conference in Washington DC on Monday.

Redl said that the “preservation of the Whois service” is one of NTIA’s top two priorities at the moment. The other priority is pressing for US interests in the International Telecommunications Union, he said.

Calling Whois “a cornerstone of trust and accountability for the Internet”, Redl said the service “can, and should, retain its essential character while complying with national privacy laws, including the GDPR.”

“It is in the interests of all Internet stakeholders that it does,” he said. “And for anyone here in the US who may be persuaded by arguments calling for drastic change, please know that the US government expects this information to continue to be made easily available through the Whois service.”

He directly referred to the ability of regular internet users to access Whois for consumer protection purposes in his speech.

The European Commission appears to be looking at a more restrictive approach, but it did offer some concrete suggestions as to how GDPR compliance might be achieved.

For example, the commissioners’ letter appears to give tacit approval to the idea of “gated” access to Whois, but called for access by law enforcement to be streamlined and centralized.

It also suggests throttling as a mechanism to reduce abuse of Whois data, and makes it clear that registrants should always be clearly informed how their personal data will be used.

The deadline for GDPR compliance is May this year. That’s when the ability of EU countries to start to levy fines against non-compliant companies, which could run into millions of euros, kicks in.

While ICANN has been criticized by registries and registrars for moving too slowly to give them clarity on how to be GDPR-compliant while also sticking to the Whois provisions of their contracts, its pace has been picking up recently.

Two weeks ago it called for comments on three possible Whois models that could be used from May.

That comment period ended on Monday, and ICANN is expected to publish the model upon which further discussions will be based today.

Big changes at DomainTools as privacy law looms

Kevin Murphy, January 11, 2018, Domain Services

Regular users of DomainTools should expect significant changes to their service, possibly unwelcome, as the impact of incoming European Union privacy law begins to be felt.

Professional users such as domain investors are most likely to be impacted by the changes.

The company hopes to announce how its services will be rejiggered to comply with the General Data Protection Regulation in the next few weeks, probably in February, but CEO Tim Chen spoke to DI yesterday in general terms about the law’s possible impact.

“There will be changes to the levels of service we offer currently, especially to any users of DomainTools that are not enterprises,” Chen said.

GDPR governs how personal data on EU citizens is captured, shared and processed. It deals with issues such as customer consent, the length of time such data may be stored, and the purposes for which it may be processed.

Given that DomainTools’ entire business model is based on capturing domain registrants’ contact information without their explicit consent, then storing, processing and sharing that data indefinitely, it doesn’t take a genius to work out that the new law represents a possibly existential threat.

But while Chen says he’s “very concerned” about GDPR, he expects the use cases of his enterprise customers to be protected.

DomainTools no longer considers itself a Whois company, Chen said, it’s a security services company now. Only about 20% of its revenue now comes from the $99-a-month customers who pay to access services such as reverse Whois and historical Whois queries.

The rest comes from the 500-odd enterprise customers it has, which use the company’s data for purposes such as tracking down network abuse and intellectual property theft.

DomainTools is very much aligned here with the governments and IP lawyers that are pressing ICANN and European data protection authorities to come up with a way Whois data can still be made available for these “legitimate purposes”.

“We’re very focused on our most-important goal of making sure the cyber security and network security use cases for Whois data are represented in the final discussions on how this legislation is really going to land,” he said.

“There needs to be some level of access that is retained for uses that are very consistent with protecting the very constituents that this legislation is trying to protect from a privacy perspective,” he said.

The two big issues pressing on Chen’s mind from a GDPR perspective are the ability of the company to continue to aggregate Whois records from hundreds of TLDs and thousands of registrars, and its ability to continue to provide historical, archived Whois records — the company’s most-popular product after vanilla Whois..

These are both critical for customers responding to security issues or trying to hunt down serial cybersquatters and copyright infringers, Chen said.

“[Customers are] very concerned, because their ability to use this data as part of their incident response is critical, and the removal of the data from that process really does injure their ability to do their jobs,” he said.

How far these use cases will be protected under GDPR is still an open question, one largely to be determined by European DPAs, and DomainTools, like ICANN the rest of the domain industry, is still largely in discussion mode.

“Part of what we need to help DPAs understand is: how long is long enough?” Chen said. “Answering how long this data can be archived is very important.”

ICANN was recently advised by its lawyers to take its case for maintaining Whois in as recognizable form as possible to the DPAs and other European privacy bodies.

And governments, via the Governmental Advisory Committee, recently urged ICANN to continue to permit Whois access for “legitimate purposes”.

DomainTools is in a different position to most of the rest of the industry. In terms of its core service, it’s not a contracted party with ICANN, so perhaps will have to rely on hoping whatever the registries and registrars work out will also apply to its own offerings.

It’s also different in that it has no direct customer relationship with the registrants whose data it processes, nor does it have a contractual relationship with the companies that do have these customer relationships.

This could make the issue of consent — the right of registrant to have a say in how their data is processed and when it is deleted — tricky.

“We’re not in a position to get consent from domain owners to do what we do,” Chen said. “I think where we need to be more thoughtful is whether DomainTools needs to have a process where people can opt out of having their data processed.”

“When I think about consent, it’s not on the way in, because we just don’t have a way to do that, it’s allowing a way out… a mechanism where people can object to their data being processed,” he said.

How DomainTools’ non-enterprise customers and users will be affected should become clear when the company outlines its plans in the coming weeks.

But Chen suggested that most casual users should not see too much impact.

“The ability of anyone who has an interest in using Whois data, who needs it every now and then, for looking up a Whois record of a domain because they want to buy it as a domain investor for example, that should still be very possible after GDPR,” he said.

“I don’t think GDPR is aimed at individual, one-at-a-time use cases for data, I think it’s aimed at scalable abuse of the data for bad purposes,” he said.

“If you’re running a business in domain names and you need to get Whois at significant scale, and you need to evaluate that many domains for some reason, that’s where the impact may be,” he said.

Disclosure: I share a complimentary DomainTools account with several other domain industry bloggers.

EFF recommends against new gTLDs

Kevin Murphy, July 28, 2017, Domain Policy

The Electronic Frontier Foundation has recommended that domain registrants concerned about intellectual property “bullies” steer clear of new gTLDs.

The view is expressed in a new EFF report today that is particularly critical of policies in place at new gTLD portfolio registries Donuts and Radix.

The report (pdf) also expresses strong support for .onion, the pseudo-TLD available only to users of the Tor browser and routing network, which the EFF is a long-term supporter of.

The report makes TLD recommendations for “security against trademark bullies”, “security against identity theft and marketing”, “security against overseas speech regulators” and “security against copyright bullies”.

It notes that no one TLD is “best” on all counts, so presents a table explaining which TLD registries — a broad mix of the most popular gTLD and ccTLD registries — have which relevant policies.

For those afraid of trademark “bullies”, the EFF recommends against 2012-round new gTLDs on the basis that they all have the Uniform Rapid Suspension service. It singles out Donuts for special concern due to its Domain Protected Marks List, which adds an extra layer of protection for trademark owners.

On copyright, the report singles out Donuts and Radix for their respective “trusted notifier” schemes, which give the movie and music industries a hotline to report large-scale piracy web sites.

These are both well-known EFF positions that the organization has expressed in previous publications.

On the other two issues, the report recommends examining ccTLDs for those which don’t have to kowtow to local government speech regulations or publicly accessible Whois policies.

In each of the four areas of concern, the report suggests taking a look at .onion, while acknowledging that the pseudo-gTLD would be a poor choice if you actually want people to be able to easily access your web site.

While the opinions expressed in the report may not be surprising, the research that has gone into comparing the policies of 40-odd TLD registries covering hundreds of TLDs appears on the face of it to be solid and possibly the report’s biggest draw.

You can read it here (pdf).

  • Page 1 of 2
  • 1
  • 2
  • >