Latest news of the domain name industry

Recent Posts

ICANN 63, Day 0 — registrars bollock DI as Whois debate kicks off

Kevin Murphy, October 21, 2018, Domain Policy

Blameless, cherubic domain industry news blogger Kevin Murphy received a bollocking from registrars over recent coverage of Whois reform yesterday, as he attended the first day of ICANN 63, here in Barcelona.

Meanwhile, the community working group tasked with designing this reform put in a 10-hour shift of face-to-face talks, attempting to craft the language that will, they hope, bring ICANN’s Whois policy into line with European privacy law.

Talks within this Expedited Policy Development Process working group have not progressed a massive amount since I last reported on the state of affairs.

They’re still talking about “purposes”. Basically, trying to write succinct statements that summarize why entities in the domain name ecosystem collect personally identifiable information from registrants.

Knowing why you’re collecting data, and explaining why to your customers, is one of the things you have to do under the General Data Protection Regulation.

Yesterday, the EPDP spent pretty much the entire day arguing over what the “purposes” of ICANN — as opposed to registries, registrars, or anyone else — are.

The group spent the first half of the day trying to agree on language explaining ICANN’s role in coordinating DNS security, and how setting policies concerning third-party access to private Whois data might play a role in that.

The main sticking point was the extent to which these third parties get a mention in the language.

Too little, and the Intellectual Property Constituency complains that their “legitimate interests” are being overlooked; too much, and the Non-Commercial Stakeholders Group cries that ICANN is overstepping its mission by turning itself into a vehicle for trademark enforcement.

The second half of the day was spent dealing with language explaining why collecting personal data helps to establish ownership of domains, which is apparently more complicated than it sounds.

Part of this debate was over whether registrants have “rights” — such as the right to use a domain name they paid for.

GoDaddy policy VP James Bladel spent a while arguing against this legally charged word, again favoring “benefits”, but appeared to eventually back down.

It was also debated whether relatively straightforward stuff such as activating a domain in the DNS by publishing name servers can be classed as the disclosure of personal data.

The group made progress reaching consensus on both sets of purposes, but damn if it wasn’t slow, painful progress.

The EPDP group will present its current state of play at a “High Interest Topic” session on Monday afternoon, but don’t expect to see its Initial Report this week as originally planned. That’s been delayed until next month.

While the EPDP slogs away, there’s a fair bit of back-channel lobbying of ICANN board and management going on.

All the players with a significant vested interest in the outcome are writing letters, conducting surveys, and so on, in order to persuade ICANN that it either does or does not need to create a “unified access model” that would allow some parties to carry on accessing private Whois data more or less the same way as they always have.

One such effort is the one I blogged about on Thursday, shortly before heading off to Barcelona, AppDetex’s claims that registrars have ignored or not sufficiently responded to some 9,000 automated requests for Whois data that its clients (notably Facebook) has spammed them with recently.

Registrars online and in-person gave me a bollocking over the post, which they said was one-sided and not in keeping with DI’s world-renowned record of fairness, impartiality and all-round awesomeness (I’m paraphrasing).

But, yeah, they may have a point.

It turns out the registrars still have serious beef with AppDetex’s bulk Whois requests, even with recent changes that attempt to scale back the volume of data demanded and provide more clarity about the nature of the request.

They suspect that AppDetex is simply trawling through zone files for strings that partially match a handful of Facebook’s trademarks, then spamming out thousands of data requests that fail to specify which trademarks are being infringed and how they are being infringed.

They further claim that AppDetex and its clients do not respond to registrars’ replies, suggesting that perhaps the aim of the game here is to gather data not about the owner of domains but about registrars’ alleged non-compliance with policy, thereby propping up the urgent case for a unified access mechanism.

AppDetex, in its defence, has been telling registrars on their private mailing list that it wants to carry on working with them to refine its notices.

The IP crowd and registrars are not the only ones fighting in the corridors, though.

The NCSG also last week shot off a strongly worded missive to ICANN, alleging that the organization has thrown in with the IP lobby, making a unified Whois access service look like a fait accompli, regardless of the outcome of the EPDP. ICANN has denied this.

Meanwhile, cybersecurity interests have also shot ICANN the results of a survey, saying they believe internet security is suffering in the wake of ICANN’s response to GDPR.

I’m going to get to both of these sets of correspondence in later posts, so please don’t give me a corridor bollocking for giving them short shrift here.

UPDATE: Minutes after posting this article, I obtained a letter Tucows has sent to ICANN, ripping into AppDetex’s “outrageous” campaign.

Tucows complains that it is being asked, in effect, to act as quality control for AppDetex’s work-in-progress software, and says the volume of spurious requests being generated would be enough for it ban AppDetex as a “vexatious reporter”.

AppDetex’s system apparently thinks “grifflnstafford.com” infringes on Facebook’s “Insta” trademark.

UPDATE 2: Fellow registrar Blacknight has also written to ICANN today to denounce AppDetex’s strategy, saying the “automated” requests it has been sending out are “not sincere”.

Registrars still not responding to private Whois requests

Kevin Murphy, October 18, 2018, Domain Policy

Registrars are still largely ignoring requests for private Whois data, according to a brand protection company working for Facebook.

AppDetex wrote to ICANN (pdf) last week to say that only 3% of some 9,000 requests it has made recently have resulted in the delivery of full Whois records.

Almost 60% of these requests were completely ignored, the company claimed, and 0.4% resulted in a request for payment.

You may recall that AppDetex back in July filed 500 Whois requests with registrars on behalf of client Facebook, with which it has a close relationship.

Then, only one registrar complied to AppDetex’s satisfaction.

Company general counsel Ben Milam now tells ICANN that more of its customers (presumably, he means not just Facebook) are using its system for automatically generating Whois requests.

He also says that these requests now contain more information, such as a contact name and number, after criticism from registrars that its demands were far too vague.

AppDetex is also no longer demanding reverse-Whois data — a list of domains owned by the same registrant, something not even possible under the old Whois system — and is limiting each of its requests to a single domain, according to Milam’s letter.

Registrars are still refusing to hand over the information, he wrote, with 11.4% of requests creating responses demanding a legal subpoena or UDRP filing.

The company reckons this behavior is in violation of ICANN’s Whois Temporary Specification.

The Temp Spec says registrars “must provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party”.

The ICANN community has not yet come up with a sustainable solution for third-party access to private Whois. It’s likely to be the hottest topic at ICANN 63 in Barcelona, which kicks off this weekend.

Whois records for gTLD domains are of course, post-GDPR, redacted of all personally identifiable information, which irks big brand owners who feel they need it in order to chase cybersquatters.

Book review — “Domain Names: Strategies and Legal Aspects”

Kevin Murphy, October 18, 2018, Domain Policy

I’ve only ever read two books about the domain name industry.

The first one was Kieren McCarthy’s excellent Sex.com, the 2007 barely believable non-fictional tech-thriller that seemed to deliberately eschew inside-baseball policy talk in favor of a funny and rather gripping human narrative.

The second, Domain Names – Strategies and Legal Aspects, by Jeanette Soderlund Sause and Malin Edmar, is pretty much the diametrical opposite.

The book, published in its second edition in June, instead seems bent on explaining the complex intersection of domain names and intellectual property rights in as few words as it is able.

Coming in at a brisk 150 pages, it’s basically been engineered to funnel as much information into your brain as possible in as short a space of time as possible.

I blazed through my complimentary review copy during a three-hour train journey a couple months ago.

About half-way through, I realized I had done absolutely no background reading about the authors or publisher, and had no idea who the intended reader was.

The introduction, written for the 2014 first edition by a Swedish civil servant then on the GAC, gives the misleading impression that the book has something to say about multistakeholderism, DNS fragmentation, or new gTLD controversies.

It doesn’t. If the authors have any political opinions, you will not learn them from Domain Names.

What you will get is a competent reference work geared primarily towards IP lawyers and brand management folk who are newbies to the world of domain names.

The authors are both Swedish IP lawyers, though Soderland Sause is currently marketing VP for the .global gTLD registry.

The first half of their book deals with introducing and briefly explaining the high-level technical aspects of the DNS and the basic structure of the market, then discussing the difference between a trademark and a domain name.

An occasionally enlightening middle section of about 30 pages deals with strategies for selecting and obtaining domains, either as fresh registrations or from third parties such as cybersquatters, investors or competitors.

But the second half of the book — which deals with UDRP and related dispute resolution procedures — is evidently where the authors’, and presumably readers’, primary interest lies.

It goes into comparative depth on this topic, and I actually started to learn a few things during this section.

As a newcomer to the work, I cannot definitively say whether the new and updated content — which I infer covers developments in new gTLDs and such over the last four years — is worth the £120 upgrade for owners of the first edition.

It also seems to have gone to the printers before it was fully clear how ICANN was going to deal with GDPR; a third edition will likely be needed in a couple of years after the smoke clears.

I’d be lying if I said I had any fun reading Domain Names, but I don’t think I was supposed to.

I can see myself keeping it near my desk for occasional reference, which I think is what it’s mainly there for.

I can see IP lawyers or ICANN policy wonks also keeping copies by their desks, to be handed out to new employees as a primer on what they need to do to get their hands on the domains they want.

These juniors can then absorb the book over a weekend and keep it by their own desks for future reference, to be eventually passed on to the next n00b.

If that’s what it’s for, I think the authors have done a pretty good job of it.

Domain Names – Strategies and Legal Aspects, 2nd edition, by Jeanette Soderlund Sause and Malin Edmar, is published by Sweet & Maxwell.

Donuts says DPML now covers “millions” of trademark variants as price rockets again

Kevin Murphy, October 1, 2018, Domain Registrars

Donuts has added more than a third to the price of its Domain Protected Marks List service, as it adds a new feature it says vastly increases the number of domains trademark owners can block.

The company has added homograph attack protection to DPML, so trademark-owning worrywarts can block variations of their brand that contain confusing non-Latin characters in addition to all the domain variants DPML already takes out of the available pool.

An example of a homograph, offered by Donuts, would be the domain xn--ggle-0nda.com, which can display as “gοοgle.com” and which contains two Cyrillic o-looking characters but is pretty much indistinguishable from “google.com”.

Donuts reckons this could mean “millions” of domains could be blocked, potentially preventing all kinds of phishing attacks, but one suspects the actual number per customer rather depends on how many potentially confusable Latin characters appear in the brands they want to protect.

DPML is a block service that prevents others from registering domains matching or closely matching customers’ trademarks. Previous additions to the service have included typo protection.

The new feature supports Cyrillic and Greek scripts, the two that Donuts says most homograph attacks use.

The company explained it to its registrars like this:

The Donuts system will analyze the content of each SLD identified in a DPML subscription, breaking it down to its individual characters. Each character is then “spun” against Unicode’s list of confusable characters and replaced with all viable IDN “glyphs” supported by Donuts TLDs. This spinning results in potentially millions of IDN permutations of a brand’s trademark which may be considered easily confusable to an end user. Each permutation is then blocked (removed from generally available inventory) just like other DPML labels, meaning it can only be registered via an “Override” by a party holding a trademark on the same label.

While this feature comes at no additional cost, Donuts is increasing its prices from January 1, the second big increase since DPML went live five years ago.

Donuts declined to disclose its wholesale price when asked, but I’ve seen registrars today disclose new pricing of $6,000 to $6,600 for a five-year block.

That compares to retail pricing in the $2,500 to $3,000 range back in 2013.

Hexonet said it will now charge its top-flight resellers $6,426 per create, compared to the $4,400 it started charging when DPML prices last went up at the start of last year. OpenProvider has also added two grand to its prices.

Donuts said the price increase also reflects the growth of its portfolio of gTLDs over the last few years. It now has 241, 25% more than at the last price increase.

Cybersquatting cases up because of .com

Kevin Murphy, March 23, 2018, Domain Services

The World Intellectual Property Organization handled cybersquatting cases covering almost a thousand extra domain names in 2017 over the previous year, but almost all of the growth came from complaints about .com names, according to the latest WIPO stats.

There were 3,074 UDRP cases filed with WIPO in 2017, up about 1.2% from the 3,036 cases heard in 2016, WIPO said in its annual roundup last week.

That’s slower growth than 2016, which saw a 10% increase in cases over the previous year.

But the number domains complained about in UDRP was up more sharply — 6,370 domains versus 5,374 in 2016.

WIPO graph

WIPO said that 12% of its 2017 cases covered domains registered in new gTLDs, down from 16% in 2016.

If you drill into its numbers, you see that 3,997 .com domains were complained about in 2017, up by 862 domains or 27% from the 3,135 seen in 2016.

.com accounted for 66% of UDRP’d domains in 2016 and 70% in 2017. The top four domains in WIPO’s table are all legacy gTLDs.

As usual when looking at stats for basically anything in the domain business in the last few years, the tumescent rise and meteoric fall of .xyz and .top have a lot to say about the numbers.

In 2016, they accounted for 321 and 153 of WIPO’s UDRP domains respectively, but they were down to 66 and 24 domains in 2017.

Instead, three Radix TLDs — .store, .site and .online — took the honors as the most complained-about new gTLDs, with 98, 79, and 74 domains respectively. Each of those three TLDs saw dozens more complained-about domains in 2017 than in 2016.

As usual, interpreting WIPO’s annual numbers requires caution for a number of reasons, among them: WIPO is not the only dispute resolution provider to handle UDRP cases, rises and falls in UDRP filings do not necessarily equate to rises and falls in cybersquatting, and comparisons between .com and new gTLDs do not take into account that new gTLDs also have the URS as an alternative dispute mechanism.