Whois “killer” is a recipe for a clusterfuck

An ICANN working group has come up with a proposal to completely replace the current Whois system for all gTLDs.
Outlined in 180 recommendations spread over 166 pages (pdf), it’s designed to settle controversies over Whois that have raged for 15 years or more, in one fell swoop.
But it’s a sprawling, I’d say confusing, mess that could turn domain name registration and the process of figuring out who owns a domain name into an unnecessarily bureaucratic pain in the rear.
That’s if the proposal is ever accepted by the ICANN community, which, while it’s early days, seems like a challenge.
The Expert Working Group, which was controversially convened by ICANN president Fadi Chehade in December 2012, proposes a Registration Data Service that would ultimately replace Whois.
It’s a complex document, which basically proposes rebuilding Whois from the ground up based on ideas first explored by George Orwell, Franz Kafka and Douglas Adams.
Having read it, I’ll do my best in this post to explain what the proposed Registration Data Service seems to entail and why I think it seems like a lot of hard work for very little benefit.
I note in advance as a matter of disclosure that the RDS as proposed would very possibly disenfranchise me professionally, making it harder for me to do my job. I explain why later in this post.
I also apologize in advance for, and will correct if notified of, any errors. It’s taken me a week from its publication to read and digest the proposal and I’m still not sure it’s all sunk in.
Anyway, first:
What’s RDS?
RDS would be a centralized Whois database covering all domains in all gTLDs, new and old, operated by a single entity.
What’s in an RDS record?
Under the hood, RDS records wouldn’t look a heck of a lot different than Whois records look today, in terms of what data they store.
There would be some new optional elements, such as social media user names, but otherwise it’s pretty much the same data as we’re used to seeing in Whois records today.
The big difference is which of these elements would be visible by default to an anonymous internet user doing a regular Whois look-up somewhere.
Some fields would be “public” and some would be “gated” or hidden. Some fields would always be public and some could be toggled between public and gated by the registrant.
Gated fields would not be visible to people doing normal Whois look-ups. To see gated data, you’d need to be accredited to a certain role (cop, trademark owner, etc) and have an RDS account.
By default, much of the data about the “registrant” — including their name, physical address, country, and phone number — would be gated.
No, you’re not reading that wrong — the name of the registrant would be hidden from regular Whois users by default. Their email address, however, would be always be public.
There would also be up to six “Purpose Based Contacts” — an Admin Contact, a Legal Contact, a Technical Contact, an Abuse Contact, a Privacy/Proxy Contact and a Business Contact.
So, for example, a registrant could specify his registrar as his technical PBC and his lawyer as his legal PBC.
The admin, legal, technical and abuse contacts would be mandatory, and would default to the registrant’s own personal contact info.
A newly registered domain would not be activated in the DNS until the mandatory PBCs had been provided.
Each of these four mandatory PBCs would have different levels of disclosure for each data element.
For example, the Admin PBC would be able to hide their mailing address and phone number (both public by default) but not their name, email address or country.
The Legal PBC would not be able to opt out of having their mailing address disclosed, but the Technical and Abuse PBCs would be able to opt out of disclosing pretty much everything including their own name.
Those are just examples. Several tables starting on page 49 of the report (pdf) give all the details about which data fields would be disclosed and which could be hidden.
I think it’s expected by the EWG that most registrants would just accept the defaults and publish the same data in each PBC, in much the same way as they do today.
“This PBC approach preserves simplicity for Registrants with basic contact needs and offers additional granularity for Registrants with more extensive contact needs,” the EWG says.
Who gets the see the hidden stuff?
In order to see the hidden or “gated” elements, you’d have to be an accredited user of the centralized RDS system.
The level of access you got to the hidden data would depend on the role assigned to your RDS account.
The name of the registrant, for example, would be available to anyone with an RDS account.
If you wanted access to the registrant’s mailing address or phone number, you’d need an RDS account that accredited you for one or more of seven defined purposes:

• Domain Name Control (ie, the registrant herself)
• Domain Name Certification (ie SSL Certificate Authorities)
• Business Domain Name Purchase/Sale (anyone who says they might be interested in buying the domain in question)
• Academic/Public Interest DNS Research
• Legal Actions (eg lawyers investigating fraud or trademark infringement)
• Regulatory/Contractual Enforcement (could be ICANN-related, such as UDRP, or unrelated stuff like tax investigations)
• Criminal Investigation/DNS Abuse Mitigation

Hopefully this all makes sense so far, but it gets more complicated.
Beware of the leopard!
In today’s gTLD environment, Whois records are either stored with the registry or the registrar. You can do Whois lookups on the registrar/y’s site, or via a third-party commercial service.
As a registrant, you need only interact with your registrar. As a Whois user, you don’t need to sign up for an account anywhere, unless you want value-added services from a company such as DomainTools.
Under RDS, a whole lot of other entities start to come into play.
First, there’s RDS itself — a centralized Whois replacement.
It’s basically two databases. One contains contact details, each record containing a unique Contact ID identifier. The other database maps Contact IDs to the PBCs for each gTLD domain name.
It’s unclear who’d manage this service, but it looks like IBM is probably gunning for the contract.
Second, there would be Validators.
A Validator’s job would be to collect and validate contact information from registrants and PBCs.
While registrars and registries could also act as Validators — and the EWG envisages most registrars becoming Validators — this is essentially a new entity/role in the domain name ecosystem.
Third and Fourth, we’ve got newly created Accrediting Bodies and Accreditation Operators.
These entities would be responsible for accrediting users of the RDS system (that is, people who want to do a simple goddamn Whois lookup).
The EWG explains that an Accrediting Body “establishes membership rules, terms of service, and application and enforcement processes, etc., for a given RDS User community.”
An Accreditation Operator would “create and manage RDS User accounts, issue RDS access credentials, authenticate RDS access requests, and provide first-level abuse handling”.
Because it’s not complicated enough already, each industry (lawyers, academics, police, etc) would have their own different combination of Accrediting Bodies and Accreditation Operators.
Who benefits from all this?
The reason the EWG was set up in the first place was to try to resolve the conflict between those who think Whois accuracy should be more strictly enforced (generally law enforcement and IP owners) and those who think there should be greater registrant privacy (generally civil society types).
In the middle you’ve got the registries and registrars, who are generally resistant to anything that adds friction to their shopping carts or causes even moderate implementation costs.
The debate has been raging for years, and the EWG was told to:

1) define the purpose of collecting and maintaining gTLD registration data, and consider how to safeguard the data, and 2) provide a proposed model for managing gTLD directory services that addresses related data accuracy and access issues, while taking into account safeguards for protecting data.

So the EWG proposal could be seen as successful if a) privacy advocates are happy and b) trademark lawyers and the FBI are happy, c) registrars/ries are happy and d) Whois users are happy.
Are the privacy dudes happy?
No, they’re not.
The EWG only had one full-on privacy advocate: Stephanie Perrin, who’s a bit of a big deal when it comes to data privacy in Canada, having held senior privacy roles in public and private sectors there.
Perrin isn’t happy. Perrin thinks the RDS proposal as it stands won’t protect regular registrants’ privacy.
She wrote a Dissenting Report that seems to have been intended as an addendum to the EWG’s official report, but it was not published by the EWG or ICANN. The EWG report makes only a vague, fleeting reference, in a footnote, to the fact that the was any dissent at all.
Milton Mueller at the Internet Governance Project got his hands on it regardless and put it out there earlier this week.
Perrin disagrees with the recommendation (outlined above) that each domain name must have a Legal Contact (or Legal PBC) who is not permitted to hide their name and mailing address from public view.
She argues, quite reasonably I think, that regular registrants don’t have lawyers they can outsource this function to, which means their own name and mailing address will comprise their publicly visible Legal PBC.
This basically voids any privacy protection they’d get from having these details “gated” in the “registrant” record of the RDS. Perrin wrote:

the purpose of the gate is to screen out bad actors from harassing innocent registrants, deter identity theft, and ensure that only legitimate complaints arrive directly at the door of the registrants. It is also to protect the ability of registrants to express themselves anonymously. Placing all contact data outside the gate defeats certain aspects of having a gate in the first place.

The EWG report envisages the use of privacy/proxy services for people who don’t want their sensitive data published publicly.
But we already have privacy/proxy services today, so I’m unclear what benefit RDS brings to the table in terms of privacy protection.
It’s also worth noting that there are no circumstances under which a registrant’s email address is protected, not even from anonymous RDS queries. So there’s no question of RDS stopping Whois-based spam.
Are the trademark dudes going to be happy?
I don’t know. They do seem to be getting a better deal out of the recommendations than the other side (there were at least three intellectual property advocates on the EWG) but if you’re in the IP community the report still leaves much to be desired.
The RDS proposal would create a great big centralized repository of domain registrant information, which would probably be located in a friendly jurisdiction such as the US.
That would make tracking down miscreants a bit easier than in today’s distributed Whois environment.
RDS would also include a WhoWas service, so users can see who has historically owned domain names, and a Reverse Query service, so that users can pull up a list of all the other domains that share the same contact field(s).
Both services (commercially available via the likes of DomainTools already) would prove valuable when collating data for a UDRP complaint or cybersquatting lawsuit.
But it’s important to note that while the EWG report says all contact information should be validated, it stops short of saying that it should be authenticated.
That’s a big difference. Validation would reveal whether a mailing address actually exists, but not whether the registrant actually lives there.
You’d need authentication — something law enforcement and IP interests have been pushing for but do not seem to have received with the EWG proposal — for that.
The EWG suggests that giving registrants more control over which bits of their data are public will discourage them from providing phony contact information for Whois/RDS.
The RDS proposes a lot more carrot than stick on this count.
But if Perrin is correct that it’s a false comfort (given that your name and address will be published as Legal PBC anyway) then wouldn’t a registrant be just as motivated to call themselves Daffy Duck, or use a proxy/privacy service, as they are today?
Are the registrar dudes going to be happy?
If the EWG’s recommendations become a reality registrars could get increased friction in their sales path, depending on how disruptive it is to create a “Contact ID” and populate all the different PBCs.
I think it’s certainly going to increase demand on support channels, as customers try to figure out the new regime.
Remember, the simple requirement to click on a link in an email is causing registrants and registrars all kinds of bother, including suspended domains, under recently introduced rules.
And there’s obviously going to be a bunch of (potentially costly) up-front implementation work registrars will need to do to hook themselves into RDS and the other new entities the system relies on.
I doubt the registrars are going to wholeheartedly embrace the proposal en masse, in other words.
Is Kevin Murphy happy?
No, I’m not happy.
It bugs me, personally, that the EWG completely ignored the needs of the media in its report. It strikes me as a bit of a slap in the face.
The “media” and “bloggers” (I’m definitely in one of those categories) would be given the same rights to gated RDS data as the “general public”, under the EWG proposal.
In other words, no special privileges and no ability to access the registrant name and address fields of an RDS record.
RDS may well give somebody who owns a trademark (such as a reverse domain name hijacker or a sunrise gamer) more rights to Whois records than the New York Times or The Guardian.
That can’t be cool, can it?
Murphy, brah, why you gotta cuss in your headline?
Good question. I do use swearwords on DI occasionally, but only to annoy people who don’t like them, and usually only in posts dated April 1 or in stories that seem to deserve it.
This post is dated June 13.
I think I’ve established that the EWG’s proposal as it stands today is a pretty big overhaul of the current system and that it’s not immediately obvious how the benefits to all sides warrant the massive effort that will have to be undertaken to get RDS to replace Whois.
But the clusterfuckery is going to begin not with the implementation of the proposal, but with the attempt to pass it through the ICANN process.
The proposal has to pass through the ICANN community before becoming a reality.
The Expert Working Group has no power under the ICANN bylaws.
It was created by Chehade while he was still relatively new to the CEO’s job and did not yet appreciate how seriously community members take their established procedures for creating policy.
I think it was a pretty decent idea — getting a bunch of people in a room and persuading them to think outside the box, in an effort to find radical solutions to a a long-stagnant debate.
But that doesn’t change the fact that the EWG’s proposals don’t become law until they’ve been subject to the Generic Names Supporting Organization’s lengthy Policy Development Process.
Some GNSO members were not happy when the EWG was first announced — they thought their sovereignty was being usurped by the uppity new CEO — and they’re probably not going to be happy about some of the language the EWG has chosen to use in its final report.
The EWG said:

The proposed RDS, while not perfect, reflects carefully crafted and balanced compromises with interdependent elements that should not be separated.
…
The RDS should be adopted as a whole. Adopting some but not all of the design principles recommended herein undermines benefits for the entire ecosystem.

It’s actually quite an audacious turn of phrase for a working group with no actual authority under ICANN bylaws.
It sounds a bit like “take it or leave it”.
But there’s no chance whatsoever of the report being adopted wholesale.
It’s going into the GNSO process, where the same vested interests (IP, LEA, registry, registrar, civil society) that have kept the debate stagnant for the duration of ICANN’s existence will continue to try (and probably fail) to come to an agreement about how Whois should evolve.

How NetSol opts you in to cybersquatted .xyz names

Clear-cut cases of cybersquatting seem to be among those .xyz domain names that Network Solutions has registered to its customers without their explicit request.
Some of the domains I’ve found registered in .xyz, via NetSol to the registrants of the matching .com or .net names, include my-twitter.xyz, facebook-liker.xyz and googledia.xyz.
Domains including other brands, such as Rolex, Disney, iPhone, Amazon and Pepsi can also be found registered to third parties, via NetSol, in .xyz’s zone today.
They’re all registered via NetSol’s Whois privacy service, which lists the registrant’s “real” name in the Whois record, but substitutes mailing address, email and phone number with NetSol-operated proxies.
I think the chance of these names being paid for by the registrant is slim. It seems probable that many (if not all) of the squatty-looking names were registered via NetSol’s promotional program for .xyz.
As previously reported, NetSol has been giving away domain names in .xyz to owners of the matching .com names. Tens of thousands of .xyz names seem to have been registered this way in the last week.
The “registrants” did not have to explicitly accept the offer. Instead, NetSol gave them the option to “opt-out” of having the name registered on their behalf and placed into their accounts.
The effect of this has been to propel .xyz into the leading spot in the new gTLD league table. It had 82,236 names in today’s zone file. a clear 15,000 names ahead of second-place .club.
But it’s not clear how much, if any, support NetSol has received from the registry, XYZ.com. CEO Daniel Negari told Rick Schwartz, in a coy interview last week:

The Registry Operator is unable to “give away” free domain names. I never even saw the email that the registrar sent to its customers until I discovered it on the blogs.

The opt-out giveaway has also prompted speculation about NetSol’s right to register domains without the explicit consent of the registrant, both under the law and under ICANN contract.
Under the Registrar Accreditation Agreement, in order to register a domain name, registrars “shall require” the registrant “to enter into an electronic or paper registration agreement”.
That agreement requires the registrant to agree to, among many other things, the transfer or suspension of their domains if (for example) they lose a UDRP or URS case.
But that doesn’t seem to be happening with the opt-out names,
Barry Shein, president of The World, had shein.xyz registered on his behalf by NetSol on Saturday. He already owns shein.com, also registered with NetSol.
NetSol’s email informing him of the registration, which Shein forwarded to DI, reads as follows:

Dear Valued Network Solutions Customer,
Congratulations, your complimentary SHEIN.XYZ domain has arrived!
Your new .XYZ domain is now available in your Network Solutions account and ready to use. To go along with your new .XYZ domain, you have also received complimentary access to Professional Email and Private Registration for your .XYZ domain.
If you choose not to use this domain no action is needed and you will not be charged any fees in the future. Should you decide to keep the domain after your complementary first year, simply renew it like any other domain in your account.
We appreciate your business and look forward to serving you again.
Sincerely,
Network Solutions Customer Support
www.networksolutions.com
http://www.networksolutions.com/help/index.jsp

Importantly, a footnote goes on to describe how NetSol will take a refusal to opt out as “continued acceptance” of its registration agreement:

Please note that your use of this .XYZ domain name and/or your refusal to decline the domain shall indicate acceptance of the domain into your account, your continued acceptance of our Service Agreement located online at http://www.networksolutions.com/legal/static-service-agreement.jsp, and its application to the domain.

So, if you’re a NetSol customer who was picked to receive a free .xyz name but for whatever reason you don’t read every marketing email your registrar sends you (who does?) you’ve agreed to the registration agreement without your knowledge or explicit consent, at least according to NetSol.
I am not a lawyer, but I’ve studied enough law to know that this is a dubious way to make a contract. Lawyers I’ve shown this disclaimer to have laughed out loud.
Of course, because each registrant already owns a matching .com, they’ve already accepted NetSol’s registration agreement and terms of service at least once before.
This may allow NetSol to argue that the initial acceptance of the contract also applies to the new .xyz domains.
But there are differences between .com and .xyz.
Chiefly, as a new gTLD, .xyz registrants are subject to policies that do not apply to .com, such as the Uniform Rapid Suspension policy.
URS differs from UDRP in that there’s a “loser pays” model that applies to complaints involving over 15 domains.
So these .xyz registrants have been opted into a policy that could leave them out of pocket, without their explicit consent.
Of course, we’re talking about people who seem to be infringing famous trademarks in their existing .com names, so who gives a damn, right?
But it does raise some interesting questions.
Who’s the registrant here? Is it the person who owns the .com, or is it NetSol? NetSol is the proxy service, but the .com registrant’s name is listed in the Whois.
Who’s liable for cybersquatting here? Who would Twitter file a UDRP or URS against over my-twitter.xyz? Who would it sue, if it decided to opt for the courts instead?

How much are new gTLDs really costing trademark owners? We have some numbers.

If there’s one thing we’ve learned from the last six months of new gTLDs, it’s that predictions about massive levels of defensive registrations were way off the mark.
New gTLDs are not seeing anywhere near the same numbers of sales during sunrise periods as their predecessors.
I have managed to collate some data that I think gives a pretty accurate picture of how many sunrise registrations are being made and therefore how much new gTLDs are costing trademark owners.
About 128 gTLDs have finished their sunrise periods to date, and I have the sunrise sales figures for 101 of them. All of these numbers were provided by the respective registry operator.
The biggest sunrise, per these numbers, was for .clothing, which had 675 registrations. That’s 5.97% of the 11,301 overall names in the .clothing zone file today, over three months after launch.
At the other end of the scale is شبكة. (“.shabaka” or “.web” in Arabic), which sold just five names during its sunrise, the first of the program, which was restricted to Arabic trademarks.
The total number of sunrise sales across across all 101 gTLDs is 14,567, making for an average of 144.2 domains per new gTLD sunrise.
Sunrise currently accounts for 1.87% of all names in these 101 gTLDs, but that’s an artificially high number because some of the gTLDs I have sunrise numbers for are not yet in general availability.
But compare the real numbers to .co, which sold over 11,000 names at sunrise when it launched in summer 2010, or .xxx, which took 80,000 sunrise applications in late 2011.
Trademark owners are not defensively registering with anywhere near the same fervor as they once did.
If that 144.2 average names holds true for all 128 gTLDs that have completed sunrise, we can approximate that 18,461 names have been sold during sunrise periods to date.
I should point out that I’m assuming in these calculations that all sunrise registrations are “defensive” and that brand owners are not defensively registering during general availability.
Neither of those assumptions will be fully true.
Not all sunrise sales are made to genuine brand owners, of course. Some number of generic dictionary domains have been registered by people who obtained trademarks just in order to get the matching domain.
And only a psychic could know whether a GA registration is “defensive” or not at this stage.
But let’s assume that every sunrise reg went to a genuine brand owner. How much have they had to pay for these names?
It’s difficult to calculate a precise dollar value because each registry has a different pricing scheme and sometimes the price of a name can vary even within a specific given TLD.
I looked to the prices listed at 101domain, which has pretty exhaustive coverage of new gTLDs, for a guide.
The average first-year cost for a sunrise registration in the 75 or so new gTLDs currently being sold to trademark owners at 101domain is a little shy of $165.
Assuming that’s a good guide for pricing in sunrise periods that have already closed, we can calculate that 18,461 names at $165 a pop equals $3,046,089 out of the pockets of trademark owners in the first year.
But the sunrise fees are not the only costs, of course. In order to participate in a sunrise you must first register your mark in the Trademark Clearinghouse.
There are 30,251 marks registered in the TMCH, according to the TMCH itself. At $150 a pop — the minimum you can pay for a TMCH registration — that’s $4,537,650 spent on defensive measures.
Add in the cost of the sunrise registrations and a generous $100,000 to cover the cost of the 50 Uniform Rapid Suspension cases that have been filed to date and the total cost to brand owners so far over the first 128 new gTLDs comes to $7,683,739.
Whether this is “a lot” or not probably depends on your perspective.
It’s certainly not the billions of dollars that were being predicted by some as recently as last year.
In September the Better Business Bureau and the Coalition Against Domain Name Abuse speculated that 600 “open” new gTLDs could lead to $10 billion being spent on defensive registrations.
That statement was made in a press release calling for stronger cybersquatting legislation in the US.
But if 101 open gTLDs leads to $3,046,089 being spent, 600 such gTLDs should lead to a total cost of about $18 million, not including the fixed TMCH costs (which probably won’t grow very fast in future).
That’s not the same ballpark, not the same league, not even the same sport.

ICANN muddles through solution to IGO conflict

ICANN may have come up with a way to appease both the GNSO and the GAC, which are at conflict over the best way to protect the names and/or acronyms of intergovernmental organizations.
At the public forum of the ICANN 49 meeting in Singapore last Thursday, director Bruce Tonkin told the community that the ICANN board will consider the GNSO’s recommendations piecemeal instead of altogether.
It will also convene a meeting of the GNSO, GAC, IGOs, international nongovernmental organizations and the At-Large Advisory Committee to help reach a consensus.
The issue, you may recall from a DI post last week, is whether the names and acronyms of IGOs and INGOs should be blocked in all new gTLDs.
The GNSO is happy for the names to be protected, but draws the line at protecting acronyms, many of which are dictionary words or have multiple uses. The GAC wants protection for both.
Both organizations have gone through their respective processes to come to full consensus policy advice.
This left ICANN in the tricky situation of having to reject advice from one or the other; its bylaws did not make a compromise easy.
By splitting the GNSO’s 20 or so recommendations up and considering them individually, the ICANN board may be able to reconcile some with the GAC advice.
It would also be able to reject bits of GAC advice, specific GNSO recommendations, or both. Because the advice conflicts directly in some cases, rejection of something seems probable.
But ICANN might not have to reject anything, if the GAC, GNSO and others can come to an agreement during the special talks ICANN has in mind, which could happen as soon as the London meeting in June.
Even if those talks lead to nothing, this proposed solution does seem to be good news for ICANN perception-wise; it won’t have to blanket-reject either GNSO or GAC policy advice.
This piecemeal or ‘scorecard’ approach to dealing with advice hasn’t been used with GNSO recommendations before, but it is how the board has dealt with complex GAC advice for the last few years.
It’s also been used with input from non-GNSO bodies such as the Whois Review Team and Accountability and Transparency Review Team.
Judging by a small number of comments made by GNSO members at the public forum on Thursday, the solution the board has proposed seems to be acceptable.
ICANN may have dodged a bullet here.
The slides used by Tonkin during the meeting can be found here.

Dodgy domainer owns 40% of .ceo’s new names

What do Mark Zuckerberg, Oprah Winfrey, Donald Trump, Jeff Bezos and the Saudi royal family have in common?
Their .ceo domain names all belong to the same guy, a registrant from Trinidad and Tobago who as of last night was responsible for 40% of hand-registered .ceo domains.
Andrew Davis has registered roughly 100 of the roughly 250 .ceo names sold since the new gTLD went into general availability on March 28, spending at least $10,000 to do so.
I hesitate to call him a cyberquatter, but I have a feeling that multiple UDRP panels will soon be rather less hesitant.
Oh, what the hell: the dude’s a cyberquatter.
Here’s why I think so.
According to Whois records, Davis has registered dozens of common given and family names in .ceo — stuff like smith.ceo, patel.ceo, john.ceo, wang.ceo and wolfgang.ceo.
So far, that seems like fair game to me. There are enough CEOs with those names out there that to register matching domains in .ceo, or in any TLD, could easily be seen as honest speculation.
Then there are domains that start setting off alarm bells.
zuckerberg.ceo? zuck.ceo? oprah.ceo? trump.ceo? bezos.ceo?
Sure, those are names presumably shared by many people, but in the context of .ceo could they really refer to anyone other than Mark Zuckerberg, Oprah Winfrey, Donald Trump and Jeff Bezos?
I doubt it.
Then there are a class of names that seem to have been registered by Davis purely because they show up on lists of the world’s wealthiest families and individuals.
The domains slim.ceo, walton.ceo, and adelson.ceo match the last names of three of the top ten wealthiest people on the planet; arnault.ceo matches the name of France’s second-richest businessman.
getty.ceo, rockefeller.ceo, hearst.ceo, rothschild.ceo… all family names of American business royalty.
Then there’s the names of members of actual royalty, the magnificently wealthy Saudi royal family: alsaud.ceo, saud.ceo and alwaleed.ceo.
Still, if Davis had registered any single one of these names he could make a case that it was a good faith registration (if his name was Walton or Al Saud).
Collectively, the registration strategy looks very dodgy.
But where any chance of a good-faith defense falls apart is where Davis has registered the names of famous family-owned businesses where the name is also a well-defended trademark.
bacardi.ceo… prada.ceo… beretta.ceo… mars.ceo… sennheiser.ceo… shimano.ceo… swarovski.ceo… versace.ceo… ferrero.ceo… mahindra.ceo… olayan.ceo…
There’s very little chance of these surviving a UDRP if you ask me.
Overall, I estimate that at least half of Davis’ 100 registrations seem to deliberately target specific high net worth individuals or famous brands that are named after their company’s founder.
The remainder are generic enough that it’s difficult to guess what was going through his mind.
On his under construction web site at andrewdavis.ceo, Davis says:

I am the owner of Hundreds of the Best .CEO Domains available on the web.
My collection comprises of the Top Premium .CEO Domains (in my opinion).
My list of domains contains the First or Last names of well over 1 Billion people around the world.
I offer Email and Web Link Services on each of these sites, so that these Domains can be shared with many people around the world, particularly CEOs, Business Owners and Leaders, or those aspiring to become one.

On each of Davis’ .ceo sites, he offers to sell email addresses (eg contact@bacardi.ceo) for $10 a month and third-level domain names (eg blog.walton.ceo) for $5 a month.
A UDRP panelist is going to take this as evidence of bad faith, despite Davis’ disclaimer, which appears on each of his web sites. Here’s an example from bacardi.ceo:

This Website (Bacardi.CEO) is NOT Affiliated with, nor refers to, any Trademark or Company named “Bacardi”, that may or may not exist.
This Website does NOT refer to any Specific Individual Person(s) named “Bacardi”.
This Website aims to provide Services for ANY Person named “Bacardi”, particularly: CEOs, Business Owners and Leaders.
Bacardi.CEO is an Independent and Personal Project/Service of Andrew Davis.

I must admit I admire his entrepreneurship, but I fear he has stepped over the line into cybersquatting that a UDRP panelist will have no difficulty at all recognizing.
Davis has already been hit with a Uniform Rapid Suspension complaint on mittal.ceo, presumably filed on behalf of billionaire Indian steel magnate Lakshmi Mittal and/or his company ArcelorMittal.
It’s not clear from the name alone whether mittal.ceo is a losing domain under URS’ higher standard of evidence, but I reckon the pattern of registrations described in this blog post would help make for a pretty convincing case that would put it over the line.
I should add, in fairness to .ceo registry PeopleBrowsr, that the other 60% of its zone, judging by Whois records, looks pretty clean. Small, but clean.

Under global spotlight, ICANN forced to choose between GAC and the GNSO

ICANN has angered the Generic Names Supporting Organization and risks angering the Governmental Advisory Committee as it prevaricates over a controversial rights protection mechanism.
It looks like the ICANN board of directors is going to have decide whether to reject either a hard-won unanimous consensus GNSO policy recommendation or a piece of conflicting GAC advice.
ICANN is “stuck in a bind”, according to chairman Steve Crocker, and it’s a bind that comes at a time when the bottom-up multi-stakeholder process is under the global microscope.
The issue putting pressure on the board this week at the ICANN 49 public meeting here in Singapore is the protection of the names and acronyms of intergovernmental organizations.
IGOs pressured the GAC a few years ago into demanding protection in new gTLDs. They want every IGO name and acronym — hundreds of strings — blocked from registration by default.
For example, the Economic Cooperation Organization would have “economiccooperationorganization” and “eco” blocked at the second level in all new gTLDs, in much the same way as country names are reserved.
Other IGO acronyms include potentially useful dictionary-word strings like “who” and “idea”. As I’ve said before, protecting the useful acronyms of obscure IGOs that never get cybersquatted anyway is just silly.
But when ICANN approved the new gTLD program in 2011, for expediency it placed a temporary block on some of these strings and asked the GNSO to run a formal Policy Development Process to figure out a permanent fix.
In November 2012 it added hundreds more IGO names and acronyms to the list, while the GNSO continued its work.
The GNSO concluded its PDP last year with a set of strong consensus recommendations. The GNSO Council then approved them in a unanimous vote at the Buenos Aires meeting last November.
Those recommendations would remove the IGO acronyms from the temporary reserved names list, but would enable IGOs to enter those strings into the Trademark Clearinghouse instead.
Once in the TMCH, the acronyms would be eligible for the standard 90-day Trademark Claims mechanism, which alerts brand owners when somebody registers a name matching their mark.
The IGOs would not, however, be eligible for sunrise periods, so they wouldn’t have the special right to register their names before new gTLDs go into general availability.
The PDP did not make a recommendation that would allow IGOs to use the Uniform Rapid Suspension service or UDRP.
Unfortunately for ICANN, the GNSO recommendations conflict with the GAC’s current advice.
The GAC wants (pdf) the IGOs to be eligible for Trademark Claims on a “permanent” basis, as opposed to the 90-day minimum that trademark owners get. It also wants IGOs — which don’t generally enjoy trademark protection — to be made eligible for the URS, UDRP or some similar dispute resolution process.
Since Buenos Aires, the ICANN board’s New gTLD Program Committee has been talking to the GAC and IGOs about a compromise. That compromise has not yet been formally approved, but some initial thinking has been circulated by Crocker to the GAC and GNSO Council.
ICANN proposes to give IGOs the permanent Trademark Claims service that the GAC has asked for, as well as access to the URS. Both policies would have to be modified to allow this.
It would also create an entirely new arbitration process to act as a substitute for UDRP for IGOs, which are apparently legally unable to submit to the jurisdiction of national courts.
The compromise, while certainly overkill for a bunch of organizations that could hardly be seen as ripe cybersquatting targets, may seem like a pragmatic way for the board to reconcile the GNSO recommendations with the GAC advice without pissing anyone off too much.
But members of the GNSO are angry that the board appears to be on the verge of fabricating new policy out of whole cloth, ignoring its hard-won PDP consensus recommendations.
That’s top-down policy-making, something which is frowned upon within ICANN circles.
Under the ICANN bylaws, the board is allowed to reject a GNSO consensus recommendation, if it is found to be “not in the best interests of the ICANN community or ICANN”. A two-thirds majority is needed.
“That’s not what happened here,” Neustar’s vice president of registry services Jeff Neuman told the board during a meeting here in Singapore on Tuesday.
“Instead, the board on its own developed policy,” he said. “It did not accept, it did not reject, it developed policy. But there is no room in the ICANN bylaws for the board to do this with respect to a PDP.”
He said that the GNSO working group had already considered elements of ICANN’s compromise proposal and specifically rejected them during the PDP. Apparently speaking for the Registries Stakeholder Group, Neuman said the compromise should be taken out of consideration.
Bret Fausett of Uniregistry added: “The process here is as important to us as the substance. We think procedure wasn’t followed here and we detect a lack of understanding at the board level that process wasn’t followed.”
The GNSO Council seems to agree that the ICANN board can either accept or reject its recommendations, but what it can’t do is just write its own policies for the sake of a quiet life with the GAC.
To fully accept the GNSO’s recommendations would, however, necessitate rejecting the GAC’s advice. That’s also possible under the bylaws, but it’s a lengthy process.
Director Chris Disspain told the GNSO Council on Sunday that the board estimates it would take at least six months to reject the GAC’s advice, during which time the temporary reservations of IGO acronyms would remain active.
He further denied that the board is trying to develop policy from the top.
“It is not top-down, it’s not intended to be top-down, I can’t really emphasis that enough,” he told the Council.
He described the bylaws ability to reject the GNSO recommendations as a “sledgehammer”.
“It would be nice to be able to not have to use the sledgehammer,” he said. “But if we did have to use the sledgehammer we should only be using it because we’ve all agreed that’s what we have to do.”
Chair Steve Crocker summed up the board’s predicament during the Sunday meeting.
“We always do not want to be in the position of trying to craft our own policy decision,” he said. “So we’re stuck in this bind where we’re getting contrary advice from sources that feel very strongly that they’ve gone through their processes and have spoken and so that’s the end of it from that perspective.”
The bind is especially tricky because it’s coming at a time when ICANN is suddenly becoming the focus of a renewed global interest in internet governance issues.
The US government has said that it’s willing to walk away from its direct oversight of ICANN, but only if what replaces it is a “multi-stakeholder” rather than “intergovernmental” mechanism
If ICANN were to reject the proceeds of a two-year, multi-stakeholder, bottom-up, consensus policy, what message would that send to the world about multistakeholderism?
On the other hand, if ICANN rejects the advice of the GAC, what message would it send about governments’ ability to effectively participate as a stakeholder in the process?
Clearly, something is broken when the procedures outlined in ICANN’s bylaws make compromise impossible.
Until that is fixed — perhaps by getting the GAC involved in GNSO policy-making, something that has been talked about to no end for years — ICANN will have to continue to make these kinds of hard choices.
Fielding a softball question during a meeting with the GNSO Council on Saturday, ICANN CEO Fadi Chehade said that “to value the process as much as I value the result” is the best piece of advice he’s received.
“Policies get made here,” Chehade told the Council, “they should not be made at the board level, especially when a consensus policy was made by the GNSO. Akram [Atallah, Generic Domains Division president] today was arguing very hard at the board meeting that even if we don’t think it’s the right thing, but it is the consensus policy of the GNSO, we should stick with it.”
Will the board stick with it? Director Bruce Tonkin told the registries on Monday that the board would try to address their concerns by today, so we may not have to wait long for an answer.

Panel doesn’t consider TLD in the first-ever new gTLD UDRP case

The first new gTLD domain name has been lost to a UDRP complaint.
The famous German bike maker Canyon Bicycles won canyon.bike from a registrant who said he’d bought the name — and others — in order to protect the company from cybersquatters.
The panelist in the case, WIPO’s Andrew Lothian, declined to consider the fact that the TLD was related to Canyon’s business in making his decision. Finding confusing similarity, he wrote:

The Panel finds that, given the advent of multiple new gTLD domain names, panels may determine that it is appropriate to include consideration of the top-level suffix of a domain name for the purpose of the assessment of identity or similarity in a given case, and indeed that there is nothing in the wording of the Policy that would preclude such an approach. However, the Panel considers that it is not necessary to do so in the present case.

Canyon had argued that the fact that it’s a .bike domain reinforced the similarity between the domain and the mark, but it’s longstanding WIPO policy that the TLD is irrelevant when determining confusing similarity.
The domain was registered under Whois privacy but, when it was lifted, Canyon looked the registrant up on social media and discovered he was very familiar with the world of bikes.
The registrant told WIPO that he’s registered Canyon’s mark “with the best of intentions”.
Apparently, he’s registered more than one famous brand in a new gTLD in the belief that the existence of the program was not wildly known, in order to transfer the domains to the mark holders.
He claimed “that many companies have been content with his actions” according to the decision.
But the fact that he’d asked for money from Canyon was — of course — enough for Lothan to find bad faith.
He also chose to use the fact that the registrant had made no attempt to remove the default Go Daddy parking page — which the registrar monetizes with PPC — as further evidence of bad faith.
The domain is to be transferred.

Common first name lost to URS complaint

The first controversial Uniform Rapid Suspension decision? Probably not.
An self-described “entrepreneur” from Texas has lost control of the domain dana.holdings after a URS complaint filed by Dana Holding, a vehicle component supplier. The domain has been suspended.
It’s the first URS case where the second-level string, in this case “dana”, has a hypothetical multitude of uses not related to the trademark holder’s brand.
The respondent, one Farris Nawas, said in his URS response:

Dana is a common Middle Eastern female name. My family is of Middle Eastern descent. My intention is to establish a holding company in my native country and not in the United States. Upon my registration of the domain name www.Dana.Holdings, I discovered that Dana Holdings is nationally registered in the United states. Out of Courtesy, I approached Dana Limited corporation myself to let them know that I have registered the domain name with the intention of starting my own holding company.

The National Arbitration Forum URS examiner, Darryl Wilson, didn’t buy it
While Nawas was not wrong about Dana being a common first name, I feel I’m on pretty safe ground saying the excuse about starting his own holding company was utter nonsense.
Nawas owns over 200 domains, most of which were registered during the first days of new gTLDs general availability and many of which appear to be cut-and-dried cases of outright cybersquatting.
He was called out by Forbes for registering tommyhilfiger.clothing. I’ve discovered he also owns such as names 4san.ventures and akfen.holdings, among others, which also seem to match company names.
Evidence of a pattern of cybersquatting can be used by URS panels to find bad faith, but that doesn’t seem to have happened in this case.
Rather, Wilson seems to have taken Nawas’ offer to sell the domain to Dana for “an unspecified amount” as evidence that he’s a wrong ‘un. Wilson found his explanation “dubious at best”.

Will .exposed see a big sunrise?

Donuts’ new gTLD .exposed goes into sunrise today, but will it put the fear into trademark owners?
It’s arguably the first “ransom” TLD to go live in the current round and the first since .xxx, which scared mark holders into blocking over 80,000 domains back in late 2011.
Most new gTLD sunrise periods to date — most of which have been focused on vertical niches — have had sunrise registrations measured in tens or hundreds rather than thousands.
But .exposed, I would say, is in the same free speech zone as yet-to-launch .sucks and .gripe, which lend themselves well to having a company, product or personal name at the second level.
Brand protection registrars are encouraging their clients to pay special attention to this type of gTLD.
Will this cause a spike in sunrise sales for Donuts over the next 60 days?
It might be difficult to tell, given that Donuts also offers brand owners a blocking mechanism via the Domain Protected Marks List service, so the domains don’t show up in the zone files.
But DPML blocks can be overturned by others with matching trademarks, so some trademark owners may decide to register the name instead for an overabundance of caution.

Go Daddy risking Oscars wrath with .buzz premium domains?

The new gTLD registry Dot Strategy included many famous brands on its list of premium .buzz names, including two that could get its partner, Go Daddy-owned Afternic, in hot water.
Until a couple of hours ago, nic.buzz carried what appeared to be thousands of premium listings, organized by category and carrying prices of $1,000 and up, some of which seemed to target brands.
The names of several sports teams, such as 49ers.buzz and blackhawks.buzz, were listed for sale in the sports category (hat tip: Valideus‘ Brian Beckham).
I also spotted listings for domains such as photoshop.buzz (an Adobe software brand) in the technology category and hobbit.buzz (believe it or not, “Hobbit” is a trademark) in an entertainment category.
But the ones that really caught my attention were academyaward.buzz and academyawards.buzz, which carried prices of $1,900 each.

That’s surprising because if you try to buy these domains you’ll be instructed to contact Afternic, which is handling the premium process. And as of September, Go Daddy owns Afternic.
The Academy of Motion Picture Arts and Sciences, which hands out the Oscars and owns “Academy Award” and “Academy Awards” trademarks, has been locked in litigation with Go Daddy for the last four years.
The Academy claims that Go Daddy is cybersquatting due to its practice of making money parking its customers’ domains, including domains containing Academy trademarks such as academyawardz.com.
Most recently, Go Daddy tried to get the appointed judge in the case kicked out, alleging that she’s in the Academy’s pocket.
While the lawsuit is certainly controversial, attempting to sell $3,800 worth of domain names matching the Academy’s marks probably wouldn’t help Go Daddy look less cybersquatty to its opponent.
It could be argued that many of the premium names that match brands are also generic — Black Hawks could be helicopters and I’m sure there are plenty of academies in the world that hand out awards.
A legitimate registrant could buy many of these trademark-matching listed names and fight off a UDRP, I reckon.
But when somebody lists the name for sale in a category appropriate to the class of trademark, I’d say that makes the name look a lot less generic.
Bieber is a surname presumably shared by many people, but when you list bieber.buzz for sale in a category related to entertainment it can only really refer to one person.
Somebody yanked the premium listings section from the nic.buzz web site after I requested comments from Dot Strategy and Go Daddy a few hours ago. This post will be updated should I receive said comments.
.buzz is currently in its sunrise period and is due to go to general availability in mid-April. As I’ve said before, it’s one of my favorite new gTLD strings and I wouldn’t be surprised if sells quite well.
UPDATE: Go Daddy said: “Afternic is working with dotStrategy, Co. (the .BUZZ registry) to review the list and revise as appropriate.”