Latest news of the domain name industry

Recent Posts

Floodgates, open! Trademark Clearinghouse now supports .com

Kevin Murphy, September 15, 2020, Domain Services

The Trademark Clearinghouse has added .com to the roster of TLDs supported by its infringement notification service.

The Deloitte-managed service recently announced the change to its Ongoing Notification Service, which came into effect late last month.

The update means TMCH subscribers will receive alerts whenever a .com domain is registered that contains their trademark, helping them to decide whether to pursue enforcement actions such as UDRP.

Unlike the ICANN-mandated 90-day Trademark Claims period that accompanies the launch of each new gTLD, the registrant herself does not receive an alert of possible infringement at point of registration.

The service, which is not regulated by ICANN, is still free to companies that have their marks registered in the TMCH, which charges an extra dollar for every variation of a mark the holder wishes to monitor.

Such services have been commercially available from the likes of MarkMonitor for 20 years or more. The TMCH has been offering it for new gTLDs since they started launching at the end of 2013.

With the .com-shaped gaping hole now plugged, two things could happen.

First, clients may find a steep increase in the number of alerts they receive — .com is still the biggest-selling and in volume terms the most-abused TLD.

Second, commercial providers of similar services now find themselves competing against a free rival with an ICANN-enabled captive audience.

The upgrade comes at the tail end of the current wave of the new gTLD program. With the .gay launch out of the way and other desirable open TLDs tied up in litigation, there won’t be much call for TMCH’s core services for the next few years.

It also comes just a couple months after the .com zone file started being published on ICANN’s Centralized Zone Data Service, but I expect that’s just a coincidence.

It’s a CONSPIRACY! Canadian registrant “sues” pretty much everybody

Kevin Murphy, August 20, 2020, Domain Policy

Canadian domain registrant and noted industry troll Graham Schreiber has sued, or at least claims to have sued, just about every notable figure in the ICANN community.

A document purporting to be a lawsuit is being circulated today among some of the dozens of named defendants, which include several people who’ve not been involved with ICANN for many years.

It names 27 volunteers from ICANN’s Intellectual Property Constituency, 21 current and former senior executives of registries and registrars, several members of the US and UK governments, an FBI agent, an unnamed “White House Conspirator”, as well as lawyers for LinkedIn, Facebook, Twitter, ICANN, Google and the UK Intellectual Property Office.

It’s my job to tell you in simple terms what the alleged lawsuit alleges, but I’m afraid I’m at an utter loss with this one. It reads like the fever dream of a conspiracy theorist that would make the average Qanon believer appear the model of reason and clarity.

Schreiber variously refers to his defendants as “Kingpins” involved in a “Cartel” or “Conspiracy”, the factual details of which he never quite gets to.

Here’s a representative sample paragraph, unedited:

If and when, the “Defensive Registrations” obliged by ICANN’s R[r]egistry & R[r]egistrar “Stakeholders” = “Kingpins” and specifically CentralNic [ weren’t purchased ] assailants would strike; and Infringe, Dilute, Blur and Pass-Off as our online business, individually with identical and confusingly similar domain name, faking to be appointed or an authorized agent of the primary Registrant, in a country’s entrepreneurs Intellectual Property may or may not have been protectable at Common Law Trademark, under Madrid Protocol Rules, as it / they fulfilled the obligations of local National laws, to become a Registered Trademark, as I secured in the USA with USPTO, after the CIPO did their work.

At one point, he admits to trolling the defendants on social media since 2012, and points to their failure to sue him as evidence of a conspiracy:

I’ve made statements via those Social Media resources which would, if they were untrue, subject me to a singular lawsuit or multiple lawsuits from the Defendants listed, for: Defamation, Slander and Libel.

As yet, these well taunted Defendants have all conspired together, in collective silence, anticipating that their grandeur and my insignificance would, maintain safe passage, for them to continue.

As the vast majority of the Defendants are well schooled, powerful U.S. Attorneys, it’s my expectation that the Court oblige them to address the charges here stated, or collectively for their defence, they must File a lawsuit with this Court, charging me for what could be [ but aren’t ] remarks constituting Defamation, Slander & Libel against them, which again, I’ve posted on some of the Defendants own clients, Social Media Platforms

Schreiber was once a regular fixture in DI’s comments section too. Thankfully, we’ve not heard from him in years.

The root cause of the “lawsuit” appears to be an old beef Schreiber has with CentralNic.

He says he owns what he calls a “common law trademark” on the term “Landcruise” and he once used the matching .com domain to operate a motor-home rental business.

At some point in 2011, he became aware that a British registrant had registered landcruise.co.uk and landcruise.uk.com.

At the time, CentralNic was primarily in the business of selling domains at the third level in pseudo-gTLDs such as uk.com, gb.com and us.com.

Schreiber tried and failed (twice) to get the .uk domain transferred under Nominet’s Dispute Resolution Service, and then he took his beef to the courts.

In 2012, he sued CentralNic, ICANN, Verisign, eNom, and Network Solutions in a complaint that barely made much more sense than the “lawsuit” being circulated today.

That case was thrown out of court in 2013.

I expect the same fate to befall the current lawsuit, if indeed it has even been filed in a court.

Schreiber wants $5 million from every defendant.

If you want to check whether you’re one of them, read the PDF “complaint” here.

ICANN throws out “Ugly Houses” UDRP appeal

Kevin Murphy, July 20, 2020, Domain Policy

ICANN has rejected an unprecedented attempt to get a UDRP decision overturned using the Reconsideration process.

The Board Accountability Mechanisms Committee late last week summarily dismissed a Request for Reconsideration filed by a group called the Emily Rose Trust.

Emily Rose had lost a UDRP case in May concerning the domain name uglyhousesri.com, which it had been using for the last couple of years to run a home renovation-and-resale service in Rhode Island.

The complainant was a company called HomeVestors, which has been running a near-identical service called We Buy Ugly Houses (a phrase it has trademarked) for substantially longer.

The National Arbitration Forum panelist had decided that the domain was confusingly similar to the mark, and that the similarity of the services constituted bad faith use.

In filing the rather poorly-written RfR, Emily Rose argued among other things that “Ugly Houses” is a generic term not protected by the mark.

But ICANN did not consider the merits of its request, instead rejecting the RfR for being outside the scope of the process.

The BAMC said that UDRP decisions do not involved the action or inaction of the ICANN board or staff, and are therefore not subject to board Reconsideration.

While UDRP decisions are often contested in court, this RfR makes it clear that ICANN is not an avenue for appeal in individual cases.

Facebook WILL sue more registrars for cybersquatting

Kevin Murphy, March 13, 2020, Domain Registrars

Facebook has already sued two domain name registrars for alleged cybersquatting and said yesterday that it will sue again.

Last week, Namecheap became the second registrar in Facebook’s legal crosshairs, sued in in its native Arizona after allegedly failing to take down or reveal contact info for 45 domains that very much seem to infringe on its Facebook, Instagram and WhatsApp trademarks.

In the complaint (pdf), which also names Namecheap’s Panama-based proxy service Whoisguard as a defendant, the social media juggernaut claims that Whoisguard and therefore Namecheap is the legal registrant for dozens of clear-cut cases of cybersquatting including facebo0k-login.com, facebok-securty.com, facebokloginpage.site and facebooksupport.email.

In a brief statement, Facebook said these domains “aim to deceive people by pretending to be affiliated with Facebook apps” and “can trick people into believing they are legitimate and are often used for phishing, fraud and scams”.

Namecheap was asked to reveal the true registrants behind these Whoisguard domains between October 2018 and February 2020 but decline to do so, according to Facebook.

The complaint is very similar to one filed against OnlineNIC (pdf) in October.

And, according to Margie Milam, IP enforcement and DNS policy lead at Facebook, it won’t be the last such lawsuit.

Speaking at the second public forum at ICANN 67 yesterday, she said:

This is the second in a series of lawsuits Facebook will file to protect people from the harm caused by DNS abuse… While Facebook will continue to file lawsuits to protect people from harm, lawsuits are not the answer. Our preference is instead to have ICANN enforce and fully implement new policies, such as the proxy policy, and establish better rules for Whois.

Make no mistake, this is an open threat to fence-sitting registrars to either play ball with Facebook’s regular, often voluminous requests for private Whois data, or get taken to court. All the major registrars will have heard her comments.

Namecheap responded to its lawsuit by characterizing it as “just another attack on privacy and due process in order to strong-arm companies that have services like WhoisGuard”, according to a statement from CEO Richard Kirkendall.

The registrar has not yet had time to file its formal reply to the legal complaint, but its position appears to be that the domains in question were investigated, found to not be engaging in nefarious activity, and were therefore vanilla cases of trademark infringement best dealt with using the UDRP anti-cybersquatting process. Kirkendall said:

We actively remove any evidence-based abuse of our services on a daily basis. Where there is no clear evidence of abuse, or when it is purely a trademark claim, Namecheap will direct complainants, such as Facebook, to follow industry-standard protocol. Outside of said protocol, a legal court order is always required to provide private user information.

UDRP complaints usually take several weeks to process, which is not much of a tool to be used against phishing attacks, which emerge quickly and usually wind down in a matter of a few days.

Facebook’s legal campaign comes in the context of an ongoing fight about access to Whois data. The company has been complaining about registrars failing to hand over customer data ever since Europe’s GDPR privacy regulation came into effect, closely followed by a new, temporary ICANN Whois policy, in May 2018.

Back then, its requests showed clear signs of over-reach, though the company claims to have scaled-back its requests in the meantime.

The lawsuits also come in the context of renewed attacks at ICANN 67 on ICANN and the domain industry for failing to tackle so-called “DNS abuse”, which I will get to in a follow-up article.

Verisign pays ICANN $20 million and gets to raise .com prices again

Kevin Murphy, January 3, 2020, Domain Registries

Verisign is to get the right to raise the price of .com domains by 7% per year, under a new contract with ICANN.

The deal, announced this hour, will also see Verisign pay ICANN $20 million over five years, starting in 2021, “to support ICANN’s initiatives to preserve and enhance the security, stability and resiliency of the DNS”.

According to ICANN, the pricing changes mean that the maximum price of a .com domain could go as high as $10.26 by October 2026.

Verisign getting the right to once more increase its fees — which is likely to be worth close to a billion dollars to the company’s top line over the life of the contract — was not unexpected.

Pricing has been stuck at $7.85 for years, due to a price freeze imposed by the Obama-era US National Telecommunications and Information Administration, but this policy was reversed by the Trump administration in late 2018.

The amendment to the .com registry agreement announced today essentially takes on the terms of the Trump appeasement, so Verisign gets to up .com prices by 7% in the last four years of the six-year duration of the contract.

ICANN said:

ICANN org is not a price regulator and will defer to the expertise of relevant competition authorities. As such, ICANN has long-deferred to the [US Department of Commerce] and the United States Department of Justice (DOJ) for the regulation of pricing for .COM registry services.

But ICANN will also financially benefit from the deal over and above what it receives from Verisign under the current .com contract.

First, the two parties have said they will sign a binding letter of intent (pdf) committing Verisign to give ICANN $4 million a year, starting one year from now, to help fund ICANN’s activities:

conducting, facilitating or supporting activities that preserve and enhance the security, stability and resiliency of the DNS, which may include, without limitation, active measures to promote and/or facilitate DNSSEC deployment, Security Threat mitigation, name collision mitigation, root server system governance and research into the operation of the DNS

That’s basically describing one of ICANN’s core missions, which is already funded to a great extent by .com fees, so quite why it’s being spun out into a separate agreement is a little bit of a mystery to me at this early stage.

Don’t be surprised if you hear the words “bung” or “quid pro quo” being slung around in the coming hours and days by ICANN critics.

The second financial benefit to ICANN comes from additional payments Verisign will have to make when it sells its ConsoliDate service.

This is the service that allows .com registrants, via their registrars, to synchronize the renewal dates of all of the domains in their portfolio, so they only have to worry about renewals on a single day of the year. It’s basically a partial-year renewal.

Under the amended .com contract, ICANN will get a piece of that action too. Verisign has agreed to pay ICANN a pro-rated fee, based on the $0.25 per-domain annual renewal fee, for the number of days any given registration is extended using ConsoliDate.

I’m afraid to say I don’t know how much money this could add to ICANN’s coffers, but another amendment to the contract means that Verisign will start to report ConsoliDate usage in its published monthly transaction reports, so we should get a pretty good idea of the $$$$ value in the second half of the year.

The amended contract — still in draft form (pdf) and open for public comment — also brings on a slew of new obligations for Verisign that bring .com more into line with other gTLDs.

There’s no Uniform Rapid Suspension policy, so domain investors and cybersquatters can breath a sigh of relief there.

But Verisign has also agreed to a new Registry-Registrar Agreement that contains substantial new provisions aimed at combating abuse, fraud and intellectual property infringement — including trademark infringement.

It has also agreed to a series of Public Interest Commitments, along the same lines as all the 2012-round new gTLDs, covering the same kinds of dodgy activities. The texts of the RRA addition and PICs are virtually identical, requiring:

a provision prohibiting the Registered Name Holder from distributing malware, abusively operating botnets, phishing, pharming, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law and providing (consistent with applicable law and any related procedures) consequences for such activities, including suspension of the registration of the Registered Name;

There are also many changes related to how Verisign handles data escrow, Whois/RDAP and zone file access. It looks rather like users of ICANN’s Centralized Zone Data Service, including yours truly, will soon have access to the humongous .com zone file on a daily basis. Yum.

The proposed amendments to the .com contract are now open for public comment here. You have until February 14. Off you go.

ICANN throws out second .org appeal, so URS stays

Kevin Murphy, December 18, 2019, Domain Registries

The Uniform Rapid Suspension process is to stay in .org, after the ICANN board of directors rejected an appeal from the Electronic Frontier Foundation.

The EFF had challenged the inclusion of URS in the recently renegotiated .org Registry Agreement, on the basis that the anti-cybersquatting system was designed for post-2012 new gTLDs and was never supposed to be deployed in legacy gTLDs such as .org.

In a Request for Reconsideration, the EFF had argued that ICANN had ignored the many commenters opposed to its inclusion in the contract, and that the board had shirked its duties by delegating the renegotiation to ICANN’s executive leadership.

But the board disagreed on both of these counts, saying in its resolution and accompanying 36-page analysis (pdf) that at no point had the organization broken its bylaws.

ICANN did not ignore the anti-URS comments, the board said, it simply decided that on balance the public interest was better served by having URS in the contract.

The Requestor has not demonstrated that ICANN Staff failed to seek or support broad participation, ascertain the global public interest, or act for the public benefit. To the contrary, ICANN org’s transparent processes reflect the Staff’s continuous efforts to ascertain and pursue the global public interest by migrating the legacy gTLDs to the Base RA.

Additionally, the board was well within its rights to delegate negotiation and approval of the RA to the CEO, the board decided. The fact that the EFF disagrees with that position does not amount to a basis of reconsideration, it found.

Since the EFF filed its RfR back in August, we’ve had the news of the $1.135 billion acquisition of .org manager Public Interest Registry by Ethos Capital, which will see it convert from a non-profit to a for-profit concern.

The EFF has since had the chance to put allegations to ICANN that its staff was aware of the deal before it was announced, and that the acquisition should have factored into its consideration of the RA renewal.

But ICANN flatly denies that it knew about the deal, which was announced four months after the renewal:

Since neither the Board nor ICANN Staff were aware of the PIR acquisition when the decision to renew the .ORG RA was made, there was no material information not considered, and therefore this is not a proper basis for reconsideration.

The Ethos Capital acquisition of PIR, which was announced more than four months after the execution of the .ORG Renewed RA, did not impact ICANN Staff’s determination that ICANN’s Mission and Core Values were best served by migrating the .ORG RA to the Base RA.

In conclusion, like almost all filers of RfRs, the EFF is SOL.

Another RfR, filed by the registrar NameCheap and related primary to .org pricing, was similarly rejected by ICANN’s board a few weeks ago.

ICANN is, however, currently quizzing Ethos and PIR seller ISOC for more details about the acquisition before it approves the change of contractor.

Porn-block retail prices revealed. Wow.

Kevin Murphy, August 20, 2019, Domain Registrars

The first retail prices for MMX’s porn-blocking AdultBlock services have been revealed, and they ain’t cheap.

The registrar 101domain yesterday announced that it has started offering AdultBlock and sister service AdultBlock+, and published its pricing.

Trademark owners wanting to block a single string across .sex, .porn, .adult and .xxx will pay $349 per year with the vanilla, renew-annually service.

If they want the AdultBlock+ service, which also blocks homographs, they’ll pay $799 a year or $7,495 for the maximum 10-year term.

Compare this to the Sunrise B offer that ICM Registry made to trademark owners in 2011, where a string in .xxx cost roughly $200 to $300 for a 10-year block.

The two services are not directly comparable, of course. AdultBlock covers three additional TLDs and the AdultBlock+ service covers confusingly similar variants.

But trademark owners are buying peace of mind that their brands won’t be registered as porn sites, and the cost of that peace of mind just increased tenfold.

AdultBlock domains don’t resolve, and are a lot cheaper than domain registrations.

Renewing a single string in all four gTLDs at 101domain prices would cost around $480 a year, so customers will pay about 27% less buying a block instead.

The cost of the first year for those four domains would be $360, just $11 more than the AdultBlock price, according to 101domain’s price list.

MMX, which acquired the gTLD portfolio from ICM last year, is offering a discount on the AdultBlock+ service for customers buying before the end of 2019.

101domain is offering 10 years of AdultBlock+ for $3,999, a saving of $3,500.

101domain is not known as a particularly expensive registrar, so prices elsewhere in the industry could go higher.

EFF becomes second to appeal new .org contract

Kevin Murphy, August 7, 2019, Domain Registries

The Electronic Frontier Foundation has appealed ICANN’s decision to add stronger trademark protection rules to .org.

The civil liberties organization has filed a Request for Reconsideration with ICANN, saying that the new .org contract should not oblige Public Interest Registry to implement the Uniform Rapid Suspension policy.

URS is a swifter, cheaper version of the anti-cybersquatting UDRP policy. It can lead to clear-cut cases of trademark-infringing domains being relatively quickly suspended, but not transferred.

But the EFF is worried that it could be abused to curtail free speech.

It said URS is “particularly dangerous for the many .org registrants who are engaged in an array of noncommercial work, including criticism of governments and corporations”.

URS was created via ICANN’s bottom-up, community-led policy-making process to apply to new gTLDs applied for in 2012, not legacy gTLDs such as .org, EFF argues,

Adding more rights protection to a legacy gTLD “should be initiated, if at all, through the multistakeholder policy development process, not in bilateral negotiations between a registry operator and ICANN staff”, the RfR states.

The EFF is also concerned that the new contract allows PIR to unilaterally create its own additional rights protection mechanisms.

I don’t think this is a new power, however. Remember when PIR proposed a “Copyright UDRP” a couple of years ago, evidently as a way to turf out The Pirate Bay? That plan was swiftly killed off after protests from, among others, the EFF.

The EFF’s reconsideration request (pdf) does not address the issue of price increase caps, which were removed in the new contract.

That more-controversial provision is already the subject of an RfR, filed by NameCheap last month.

Both RfRs will be dealt with by ICANN’s Board Accountability Mechanisms Committee before being passed to the full board.

Porn blocks could be worth millions to MMX

Minds + Machines could find itself making millions of dollars a year out of non-resolving defensive registrations in its recently acquired portfolio of porn-themed gTLDs.

The company recently announced the launch of AdultBlock and AdultBlock Plus, which will enable trademark owners to prevent anyone else registering their marks, and variants thereof, for up to 10 years.

Running the numbers, and taking into account MMX’s already substantial established client base for such services, AdultBlock could bring in as much as $11 million a year. But it’s almost certainly going to be much less than that.

The company won’t disclose it’s exact pricing for AdultBlock, or its revenue estimates, but it’s possible to do some back-of-the-envelope calculations and come to some ball-park guesses.

MMX has said that it’s pricing the service such that customers should be able to see a 35% saving compared to the cost of registering a single string across all four of its porn TLDs

The company acquired .xxx, .porn, .adult and .sex when it bought ICM Registry last year.

The wholesale fee for each of the four is believed to be about $68 a year. From this, we can calculate that the wholesale price of AdultBlock may well be around the $175-a-year mark.

There’s some room for error here, as MMX hasn’t revealed precisely how it came to its 35% number, but I think we can safely say we’re looking at $150 to $200 a year. For the purposes of this envelope, let’s split the difference and assume it’s $175.

It’s quite a high number, a bit like a recurring sunrise fee for a domain that you don’t even get to use.

But how many domains can MMX expect to be blocked?

A low-ball estimate could be modeled on the .porn/.adult/.sex sunrise periods.

.porn launched in 2015 and gathered 2,091 sunrise registrations, according to ICANN records, making it one of the largest new gTLD sunrise periods. The other two TLDs weren’t far behind.

If that’s a good guide for AdultBlock uptake, we’re talking about a piddling $360,000-a-year business.

But MMX has a secret weapon that it inherited from .xxx.

When .xxx launched back in 2011, it kicked off with two sunrise periods. Sunrise A was for trademark owners in the porn business who wanted to use their .xxx names. Sunrise B was for everyone else, who didn’t.

In Sunrise B, brand owners paid $162 (plus their registrar’s markup) to block their domains for a flat period of 10 years.

Customers couldn’t use their domains. They were registered to ICM and used specially designated ICM name servers to resolve to a standard, non-monetized placeholder page stating “This domain has been reserved from registration.”

There are over 80,000 domains using these name servers, but about 15,000 of those represent names of celebrities, cities, and religiously and culturally sensitive terms that ICM culled from Wikipedia and unilaterally reserved to help avoid a tabloid crucifixion if mileycyrus.xxx ever started bouncing children to something pornographic, such as one of her music videos.

(As an aside, I think it’s worth mentioning that the .xxx zone file only has 93,000 names in it. These means about nine out of 10 live .xxx domains are reserved by the registry.)

So we’ve got 65,000 trademarks that are currently blocked in .xxx, and they’re all going to expire in 2021 because ICM only sold blocks for the duration of its original 10-year ICANN contract.

If all 65,000 domains are upgraded to AdultBlock, the service would be worth over $11 million a year, to a company currently reporting annual revenue around $15 million.

But they won’t.

You don’t have to scroll too far down the .xxx zone file (and I didn’t) to discover some absolute garbage, no doubt the result of scaremongering around the 2011 .xxx launch.

I mean, seriously, look at some of this Sunrise B guff:

100percentwholewheatthatkidslovetoeat.xxx, 101waystoleaveagameshow.xxx, 1firstnationalmergersandacquisitions.xxx, 1stchoiceliquorsuperstore.xxx, 2bupushingalltherightbuttons.xxx, 247claimsservicethesupportyouneed30minutesguaranteed.xxx, 3pathpowerdeliverysystembypioneermagneticsinc.xxx

I think we’re going to be looking at a significant junk drop of blocked domains come 2021.

That said, I think MMX may have a psychological advantage here, when it comes to persuading Sunrise B users to “renew”.

Who hasn’t renewed a domain name they strongly suspect they will never use or sell, simply because they couldn’t bear the thought of somebody else owning “their” domain?

An additional consideration for brand owners is that these Sunrise B names are going to show up on drop-lists when they are eventually deleted from the .xxx zone file, perhaps giving inspiration to cybersquatters.

This is a fantastic opportunity for MMX and brand protection registrars to put the hard sell on its Sunrise B customers to “renew” their blocks by upgrading to the new and improved AdultBlock service, which could cost literally 10 times more than what they originally signed up for.

AdultBlock is of course more comprehensive than Sunrise B. It covers three additional TLDs, for starters, and customers can pay a little more for potentially thousands of potential homographs (non-Latin-script domains that look almost identical to the original) to also be blocked.

MMX isn’t waiting until 2021, however. It’s currently offering companies that buy a 10-year-block before the end of 2019 the AdultBlock+ service for the price of the vanilla, no-variants offering.

Existing Sunrise B customers have until the same deadline to purchase the new service without having to have their trademarks re-verified, which carries an additional fee.

For those that miss this early-bird offer, come December 2021, the holders of up 65,000 trademarks are going to face a stark choice: sign up to pay a couple hundred bucks a year, or risk their brands being snapped up by pornsquatters.

Cybersquatting cases down a bit in the UK

The number of cybersquatting complaints filed with Nominet declined slightly in 2018, according to the registry.

Nominet’s Dispute Resolution Service, which is a bit like the UDRP, handled 671 cases last year, compared to 712 in 2017.

The number of domains at issue was down from 783 to 763.

The slight decline appears to be because fewer complaints were filed against .org.uk, .me.uk and plain .uk domains.

The number of .co.uk registrations challenged was flat between 2017 and 2018 at 617 domains.

Only 49% of cases resulted in the disputed domain being transferred, according to the registry’s annual report (pdf).