Latest news of the domain name industry

Recent Posts

Kevin Spacey among first .sucks buyers

Kevin Spacey, Google, Apple and Microsoft are among the first to buy .sucks domains in apparent attempts to protect their reputations.

Vox Populi Registry, which took .sucks to its sunrise period on Monday, has started publishing the names of sunrise registrants on its web site.

Names scrolling past on a ticker stream this morning include kevinspacey.sucks, gmail.sucks, siri.sucks and windowsphone.sucks.

Other brands to register so far include Instagram, WordPress, Bank of America, Wells Fargo and Wal-Mart.

The dominant registrars on the ticker are MarkMonitor, CSC and LexSynergy, which all specialize in brand protection.

It’s notable that some of the registered strings are secondary brands covering products and services, rather than merely the company’s name.

That could suggest that trademark owners are being somewhat aggressive in their defensive registrations in .sucks.

Actor Kevin Spacey, the only celebrity I spotted on the ticker, has a track record of protecting his personal brand online.

In 2002, he won a cybersquatting complaint over kevinspacey.com, which is now his official web site.

Spacey… well, let’s just say he has been the subject of many speculative media reports over the years. We have mutual acquaintances and from what I hear I can see why he wouldn’t want his brand in third-party hands.

UPDATE: Taylor Swift’s people, who made headelines a few weeks ago by buying taylorswift.porn, have also acquired taylorswift.sucks via MarkMonitor.

Will Vox Populi eat its own .sucks dog food?

Kevin Murphy, March 30, 2015, Domain Registries

Vox Populi has yet to decide whether it will put its mouth where its money is and open up its own brand for the .sucks treatment.

In a radio interview with the Canadian Broadcasting Corporation’s Day 6 show broadcast on Friday, registry CEO John Berard was asked whether the company would register voxpopuli.sucks and allow it to be used as a third-party criticism site.

Vox Populi is positioning .sucks as a space where big brands and others register names in order to solicit useful commentary, criticism and conversation from their customers.

So the correct answer to the question would have been: “Yes, of course we will do that.”

But Berard was more ambiguous in his response:

HOST: What will you do with the voxpopuli.sucks web site? Will you put it up or will you hold it?

BERARD: My instinct would be to put it up.

HOST: But there’s a possibility that you won’t?

BERARD: It’s a business decision we’ll have to make and I think it’s probably the smarter business decision to put it up.

In my view, the company would be mad to sit on voxpopuli.sucks and related names.

By eating its own dog food, it would send the message that it actually believes its own marketing line.

I’m frankly surprised that Vox Pop has not already enthusiastically confirmed it will open itself up to the same kind of treatment as its sunrise period customers.

The full 15-minute CBC piece, which includes four minutes of yours truly busting his radio cherry and five of domain investor Rick Schwartz bitching about how “corrupt” ICANN is, can be streamed here.

The .sucks sunrise period begins today, with a controversial recommended retail price of $2,500 per year.

Chehade tries to explain domain “hogging” comments

Kevin Murphy, March 30, 2015, Gossip

ICANN CEO Fadi Chehade has distanced himself from comments in which he seemed to equate domain investing with “cybersquatting”.

In January, Chehade said in a Huffington Post interview that new gTLDs would help prevent domain “hogging”, which was widely interpreted as his taking a dim view of domaining.

When asked about his remarks last month, he did not backtrack.

Now he has backtracked, responding to an angry letter from the Internet Commerce Association, which represents many of the largest domainers.

In March 24 letter (pdf) published over the weekend, Chehade said that he interpreted the HuffPo interviewer’s question to refer to the practice of registries holding back premium domains, rather than secondary market activity:

I regret that the ICA interpreted some of my comments in the interview as expressing a “disdainful view” of domain investing. As you might have gathered from the reporter’s questions, some people have asked whether the new gTLD program might have created an opportunity for “land grabb[ing]” by industry insiders. It was not my impression that the question being asked referred to established practices in the secondary market; rather, I believe the reporter was inquiring about some of the very practices by registries you cited in your letter. My response — that alternatives are available in different gTLDs — was intended to try to allay the concern that the program was creating artificial scarcity of domains, not to criticize participants in the marketplace.

Was this a fair interpretation of the interviewer’s question? Is this just a misunderstanding?

Watch the two-minute video above to make up your own mind.

Addressing the ICA’s concerns that he had equated domain investing with cyberquatting, Chehade wrote:

We are in complete agreement that there is a very important legal distinction between registering generically-termed domain names and cybersquatting.

“Halt perverted .sucks shakedown now!” demands IPC

Kevin Murphy, March 27, 2015, Domain Registries

Intellectual property interests have asked ICANN to put an immediate stop to the roll-out of the .sucks new gTLD.

A letter to Global Domains Division president Akram Atallah, sent by the Intellectual Property Constituency this evening and seen by DI, calls the registry’s plans, which include an “exorbitant” $2,500 sunrise fee, a “shakedown scheme”.

It’s also emerged that Vox Populi, the .sucks registry, has agreed to pay ICANN up to a million dollars in mysterious fees that apply to no other new gTLD registry.

The IPC letter states.

the Intellectual Property Constituency is formally asking ICANN to halt the rollout of the .SUCKS new gTLD operated by Vox Populi Registry Inc. (“Vox Populi”), so that the community can examine the validity of Vox Populi’s recently announced plans to: (1) to categorize TMCH-registered marks as “premium names,” (2) charge exorbitant sums to brand owners who seek to secure a registration in .SUCKS, and (3) conspire with an (alleged) third party to “subsidize” a complaint site should brand owners fail to cooperate in Vox Populi’s shakedown scheme.

Vox Populi intends to take .sucks to sunrise on Monday, so the IPC wants ICANN to take immediate action.

The high price of registration, the IPC believes, will discourage trademark owners from using the sunrise period to defensively register their marks.

Meanwhile, the registry’s plan to make the domains available for $10 under a “Consumer Advocate Subsidy”, will encourage cybersquatting, the IPC says.

by discouraging trademark owners from using a key RPM, we believe that the registry operator’s actions in establishing this predatory scheme are complicit in, and encourage bad faith registrations by third parties at the second level of the .SUCKS gTLD, and thus drastically increase the likelihood of trademark infringement, all for commercial gain

The letter goes on to say that Vox Populi may be in violation of its registry contract and the Post-Delegation Dispute Resolution Policy, which was created to prevent registries turning a blind eye to mass cybersquatting.

There’s also a vague threat of legal action for contributory trademark infringement.

The IPC has particular beef with the registry’s Sunrise Premium program. This is a list of strings — mostly trademarks — that have been defensively registered in earlier sunrise periods.

Sunrise Premium names will always cost $2,500, even after sunrise, when registered by the trademark owner.

The IPC says:

Vox Populi is targeting and punishing brand owners who have availed themselves of the RPMs or shown that they are susceptible to purchasing defensive registrations… This will have a chilling effect on TMCH registrations and consequently discredit all of the New gTLD Program RPMs in the eyes of brand owners, whose buy-in and adoption of new gTLDs is widely acknowledged to be critical to the success of the new gTLD program.

Finally, and perhaps more disturbingly, the IPC has discovered that the .sucks registry agreement calls for Vox Populi to pay ICANN up to a million dollars in extra fees.

As well as the usual $25,000-a-year fee and $0.25 per-transaction fee, .sucks has already paid ICANN a $100,000 “registry access fee” and has promised to pay a $1 “registry administration fee” per transaction on its first 900,000 domains.

Its contract states:

Registry Operator shall also pay ICANN (i) a one-time fixed registry access fee of US$100,000 as of the Effective Date of this Agreement, and (ii) a registry administration fee of US$1.00 for each of the first 900,000 Transactions. For the avoidance of doubt, the registry administration fee shall not be subject to the limitations of the Transaction Threshold.

This makes ICANN look absolutely terrible.

What the hell is a “registry access fee”? What’s a “registry administration fee”?

One guess would be that it’s ICANN stocking up its legal defense fund, suspecting the kerfuffle .sucks is going to cause.

But by taking the Vox Pop shilling, ICANN has opened itself up to accusations that it’s complicit in the “shakedown”.

If it does not block .sucks (which was probably the most likely outcome even without mysterious fees) the IPC and other .sucks critics will be able to point to the $1 million as a “bribe”.

The behavior is not without precedent, however.

There’s a reason ICM Registry pays ICANN a $2 fee for every .xxx registration, rather than the much lower fees charged to other gTLD registries.

Read the IPC letter here.

Could you survive a .sucks UDRP?

Kevin Murphy, March 17, 2015, Domain Policy

If you register a .sucks domain matching a brand, could you survive a subsequent UDRP complaint? Opinion is mixed.

In my view, how UDRP treats .sucks registrants will be a crucial test of Vox Populi Registry’s business model.

Vox Populi Registry clearly envisages — and is actively encouraging with its policies — genuine critics, commentators and consumer advocates to register .sucks domains that match famous trademarks.

I really like this idea. Power to the people and all that.

But will UDRP panelists agree with me and Vox Pop? Cybersquatting case law under UDRP says, very firmly: “It depends.”

Statistics generally favor mark owners

To date, there have been exactly 100 resolved UDRP complaints against domains that end in “sucks.com”.

Of those, 47 cases ended up with a full transfer of the domain to the trademark owner. Only 30 resulted in a the complaint being denied.

Another 19 cases were withdrawn or terminated; the remainder were split decisions.

So it seems, based on historical “sucks” cases, that the odds favor trademark owners.

But each case is, theoretically at least, judged on its merits. So it does not necessarily hold that most .sucks UDRP complaints will be successful.

What does WIPO say?

The World Intellectual Property Association, which administers most UDRP cases, published a set of guidelines for its panelists.

Some guidelines specifically addresses “sucks” sites, but the advice is not always clear-cut.

There are three elements to UDRP. First, the complainant must show that the domain name in question is identical or confusingly similar to its trademark.

According to WIPO, it’s the “consensus view” of UDRP panelists that adding “sucks” to a trademark at the second level does NOT stop a domain being confusiningly similar. WIPO says:

Generally, a domain name consisting of a trademark and a negative or pejorative term (such as [trademark]sucks.com) would be considered confusingly similar to the complainant’s trademark for the purpose of satisfying the standing requirement under the first element of the UDRP (with the merits of such cases typically falling to be decided under subsequent elements). Panels have recognized that inclusion of a subsidiary word to the dominant feature of a mark at issue typically does not serve to obviate confusion for purposes of the UDRP’s first element threshold requirement, and/or that there may be a particular risk of confusion among Internet users whose first language is not the language of the domain name

Some panels have disagreed with this prevailing view, however.

It remains to be seen whether moving the string “sucks” to the right of the dot would affect the outcome, but it’s established UDRP case law that the dot in a domain can be pretty much ignored when testing for similarity.

The TLD a domain uses can be taken into account if it’s relevant or disregarded if it is not, according to precedent.

The second test under UDRP is whether the registrant of the domain has legitimate rights or interests.

Panelists disagree on this point. WIPO says:

The right to criticize does not necessarily extend to registering and using a domain name that is identical or confusingly similar to the complainant’s trademark. That is especially the case if the respondent is using the trademark alone as the domain name (i.e., [trademark.tld]) as that may be understood by Internet users as impersonating the trademark owner.

That view would seem to apply specifically to the use cases Vox Pop has in mind — the registry wants critics to own [trademark].sucks domains in order to criticize the trademark owner.

In the 2003 case of natwestbanksucks.com, the WIPO panel drew on earlier precedent to find that the registrant had no rights to the domain.

Respondents’ can very well achieve their objective of criticism by adopting a domain name that is not identical or substantially similar to Complainants’ marks. Given the free nature of the media which is the Internet and the chaotic spamming that has become epidemic, it does not appear that one can be at full liberty to use someone else’s trade name or trademark by simply claiming the right to exercise a right to freedom of expression”.

In other words: you may have a right to free speech on the internet, but you do not have the right to exercise it simply by adding “sucks” to a famous trademark.

But other UDRP panelists have disagreed. WIPO says that some panelists have found:

Irrespective of whether the domain name as such connotes criticism, the respondent has a legitimate interest in using the trademark as part of the domain name of a criticism site if such use is fair and noncommercial.

The third element of UDRP is bad faith. Complainants have to show that the registrant is up to something dodgy.

Some panelists have a pretty low threshold for what constitutes bad faith. Merely having the page parked — even if you did not park it yourself — can point to bad faith, especially in “sucks” cases.

WIPO says that “tarnishment” of a trademark — such as posting porn, which is banned under Vox Pop’s AUP anyway — can be bad faith, but legitimate criticism would not usually:

While it would not normally extend to the mere posting of information about a complainant, or to the posting of genuine, non-commercial criticism regarding the trademark holder, it may extend to commercially motivated criticism by (or likely on behalf of) a competitor of such trademark holder.

So, with all that in mind, here are some tips for improving your odds of surviving a .sucks UDRP.

How to beat a .sucks UDRP

Poring over dozens of “sucks.com” decisions, it quickly becomes clear that there are certain things you should definitely do and not do if you want to keep a hold of your brand-match .sucks domain.

Given the volume of precedent, you’ll have a hard time showing that your domain is not identical or confusingly similar to the trademark in question — strike one — but there are ways to show legitimate interests and rebut claims of bad faith.

1. Respond

To show you lack legitimate interests, the complainant only needs to make a face-value argument that you do not. Then the burden of proof to show rights switches to you.

If you don’t respond to the UDRP, the panel will find you lack rights. Panelists rarely try to fight the corner of a registrant who has not responded.

That’s strike two.

2. Don’t allow your domain to be parked

If a domain is parked, UDRP panelists in “sucks.com” cases invariably find that the registrant lacks legitimate interests and has shown bad faith.

Parking is considered a commercial activity, so you won’t be able to argue convincingly that you’re exercising your right to non-commercial free speech if your domain is splashed with links to the trademark owner’s competitors.

This holds true even if the domain was automatically parked by your registrar.

Dozens (hundreds?) of UDRP cases have been lost because Go Daddy parked the newly registered domain automatically, enabling the complainant to show commercial use.

Panelists are usually happy to overlook the lack of direct bad faith action by the registrant in such cases.

Parking will usually lead to strikes two and three.

In the case of .sucks, parking is actually banned by Vox Populi’s acceptable use policies (pdf).

But the registry will only enforce this policy if it receives a complaint. I don’t know if the Registry-Registrar Agreement, which isn’t public, prohibits registrars auto-parking new domains.

3. Develop a site as soon as possible

In some “sucks.com” cases, respondents have argued that they had intended to put up a criticism site, but could not provide evidence to back up the claims.

If you register a .sucks matching a trademark, you’ll want to put up some kind of site ASAP.

In the case of kohlersucks.com, the registrant had merely framed a Better Business Bureau web page, which was found to show non-commercial criticism use.

4. Don’t offer to sell the domain

It should go without saying that offering to sell the domain to the trademark owner shows bad faith; it looks like extortion.

Panelists regularly also find that registrants give up their legitimate rights to a domain as soon as they make it available to buy.

5. Don’t make any money whatsoever

The second you start making money from a domain that matches a trademark, you’re venturing into the territory of commercial use and are much more likely to fail the WIPO test of “genuine, non-commercial criticism”.

6. Be American

Depressingly, you stand a better chance of fighting off a UDRP on free speech grounds if both the case involves US-based parties and a US-based panelist.

Panelists are more likely to draw on the US Constitution’s First Amendment and associated non-UDRP case law when determining rights or legitimate interests, when the registrant is American.

Merely registering with a US-based registrar is not enough to confer First Amendment rights to a registrant living outside of the US, according to UDRP panels.

Even though freedom of speech is a right in most of the world, in the universe of UDRP it seems the rest of us are second-class citizens compared to the yanks.

Chehade declines to backtrack on domain “hogging” comments

Kevin Murphy, February 10, 2015, Domain Policy

ICANN CEO Fadi Chehade responded yesterday to anger from domain investors over recent comments in which he talked about “hogging” domain names and implied a link to cybersquatting.

But he did not, at least as far as I understood his explanation, backtrack on his original remarks.

Chehade was cheekily asked his current thoughts on domain “hoggers” by blogger David Goldstein during a press conference at the ICANN 52 meeting in Singapore yesterday.

This is the entirety of his reply:

I think the statement I made to a different media outlet about that was conflated to signify I was including in this all those who are in the domain name business. And that’s not true. There are those that do this as a business and do it very well and actually enhance the market and there are those that do it and make the business and the market less attractive and less desirable. So I think any insinuation that that statement engulfs everyone that is in this business is not true. As you know very well I’ve a very big supporter of the industry groups and was one of the people who was frankly very happy when the Domain Name Association was created and I attended their first formation meeting. This is where we stand and we continue to feel good about how this market is evolving and how these players are making this a good market that serves the public interest.

Having listened to it a few times, I wonder whether Chehade deliberately didn’t backtrack on his original remarks, or whether he doesn’t quite understand why they caused offense in the first place.

A couple of weeks back, Chehade was talking to the Huffington Post about new gTLDs during an interview at the World Economic Forum in Davos.

The interviewer asked about “concerns about a land-grab going on” among domain speculators.

It was a bit of a silly question, if you ask me. A speculative land-grab is pretty low down the list of concerns held by critics of the new gTLD program. Regardless, Chehade replied:

The reality is, the more there are names, the less people will actually be hogging names in order to charge a lot for them. Because if somebody took your name on dot X, you can go get another name on dot Y now.

I’d personally agree with that characterization of the program. It’s meant to make finding a good name at a cheap price easier. “Hogging” was probably a poor choice of words, but Chehade was talking off the cuff so I could give him a pass.

But later in the same reply, he used the term “cybersquatting” in such a way as to make it easy to infer he was conflating domain investing with cybersquatting. That’s a loaded term that is usually reserved for trademark infringement, at least when used inside the industry.

Obviously this was guaranteed to get investors’ hackles up.

First up with the hackles was Mike Berkens, who called Chehade out on The Domains, saying he “throws large domain investors under the bus and then backs up the bus and rolls over them again”.

Berkens pointed out, quite reasonably I thought, that ICANN is funded to a great extent by domain investors. He estimates that he alone pays ICANN about $15,000 a year in the fees that are collected at the point of registration and renewal.

By some estimates, which may even be conservative, about a third of new gTLD registrations to date have been made to speculators.

Berkens made the even better point that many of the people who have pumped hundreds of millions of dollars into the new gTLD program — Uniregistry’s Frank Schilling, XYZ.com’s Daniel Negari and multiple Donuts executives, for example — made their fortunes investing in second-level domains.

He concluded:

All and all some pretty ignorant statements in our opinion made by the CEO of ICANN and an insult to those domain investors that are some of the biggest buyer’s of new gTLD’s domain names who have paid ICANN a small fortune over the years allowing them to travel the world, pay millions a year in salary and other benefits.

Phil Corwin Jeremiah Johnston of the Internet Commerce Association followed up a few days ago with an open letter to Chehade which explained the outrage in slightly more formal and lawyerly way, with all the apostrophes in the right places. He wrote:

The ICA objects to your statement as it expresses a disdainful view towards the legitimate activity of domain investing, a hostile view of domain investors who are significant ICANN stakeholders who are deeply affected by its policies, a lack of awareness of the market realities of domains as an asset class, and an unwarranted promotion of new gTLD domains over those at legacy gTLDs.

Domain investors are not “hogs” and they most certainly are not deliberate trademark infringers, or “cybersquatters”. It is not clear what you intended by your reference to “cybersquatting”, though it is concerning that you used this pejorative term just after making disparaging remarks about domain investors.

With all these criticisms in mind, let’s go back and parse what Chehade said in Singapore yesterday.

First, he said his remarks had been wrongly “conflated to signify I was including in this all those who are in the domain name business”.

I’m not sure that’s what happened. I’m pretty certain Berkens and his commenters, and then Corwin Johnston, got the hump purely because Chehade dismissed domain investing as “hogging” and then implied a link between investing and trademark infringement.

Who is Chehade talking about when he draws a distinction between those who “enhance the market” and those who “make the business and the market less attractive”?

Is the line drawn between the trademark infringers and the legitimate investors, or its it drawn somewhere else?

Why did Chehade go on to express his support for the DNA, a sell-side trade group funded largely by registries and registrars? Was he drawing the line between regular second-level domainers (hogging) and those that in many cases are essentially just top-level domainers (enhancing)?

Chehade was given the opportunity to backtrack and he didn’t take it.

I’m not a domainer, but if I were I don’t think I’d be particularly satisfied about that.

.xyz press release yanked for “encouraging cybersquatting”

Kevin Murphy, January 13, 2015, Domain Registries

XYZ.com has withdrawn a month-old press release following allegations that it encouraged cybersquatting in .xyz.

The December 3 release concerned the release of 18,000 .xyz domains that were previously blocked due to ICANN’s policy on name collisions.

The release highlighted “trademarked names such as Nike, Hulu, Netflix, Skype, Pepsi, Audi and Deloitte” that were becoming available, according to World Trademark Review, which reported the story yesterday.

Five of the seven brands highlighted have since been registered by apparent cybersquatters, WTR reported.

The .xyz press release has since been withdrawn from the web sites on which it appeared, and registry production manager Shayan Rostam told WTR that the intention was to encourage brand owners to register, rather than cybersquatters.

“Cybersquatting has a negative effect on our business and we would never take any action to encourage cybersquatting,” he reportedly said.

Read the WTR article here.

“Cyberflight” rules coming to UDRP next July

Kevin Murphy, November 18, 2014, Domain Policy

It will soon be much harder for cybersquatters to take flight to another registrar when they’re hit with a UDRP complaint.

From July 31 next year, all ICANN-accredited registrars will be contractually obliged to lock domain names that are subject to a UDRP and trademark owners will no longer have to tip off the registrant they’re targeting.

Many major registrars lock domain names under UDRP review already, but there’s no uniformity across the industry, either in terms of what a lock entails or when it is implemented. Under the amended UDRP policy, a “lock” is now defined as:

a set of measures that a registrar applies to a domain name, which prevents at a minimum any modification to the registrant and registrar information by the Respondent, but does not affect the resolution of the domain name or the renewal of the domain name.

Registrars will have two business days from the time they’re notified about the UDRP to put the lock in place.

Before the lock is active, the registrants themselves will not be aware they’ve been targeted by a complaint — registrars are banned from telling them and complainants no longer have to send them a copy of the complaint.

If the complaint is dismissed or withdrawn, registrars have one business day to remove the lock.

Because these change reduce the 20-day response window, registrants will be able to request an additional four calendar days (to account for weekends, I assume) to file their responses and the request will be automatically granted by the UDRP provider.

The new policy was brought in to stop “cyberflight”, a relatively rare tactic whereby cybersquatters transfer their domains to a new registrar to avoid losing their domains.

The policy was approved by the Generic Names Supporting Organization in August last year and approved by the ICANN board a month later. Since then, ICANN staff has been working on implementation.

The time from the first GNSO preliminary issue report (May 27, 2011) to full implementation of the policy (July 31, 2015) will be 1,526 days.

You can read a redlined version of the UDRP rules here (pdf).

Former pop star is .uk’s 10,000th cybersquatting case

Kevin Murphy, October 27, 2014, Domain Registries

Nominet has processed its 10,000th cybersquatting dispute, according to the company.

Conveniently for the .uk registry’s public relations department, the complainant in the case was Aston Merrygold, a well-known former member of the pop group JLS.

He won astonmerrygold.co.uk, which was registered to London-based Martyn O’Brien, using Nominet’s 12-year-old Dispute Resolution Service.

Merrygold does not have a trademark covering his name, but the DRS panelist found that he had rights anyway, due to his relative fame and numerous TV appearances.

O’Brien registered the name in 2008, along with the names of Merrygold’s band-mates, after JLS appeared in the final of TV talent show The X Factor.

JLS had a brief but successful pop career before breaking up last year. Merrygold currently intends to go solo, which presumably inspired the DRS complaint.

Nominet also announced today that Tony Willoughby, who has been chair of the DRS panel since 2002, has stepped aside and will be replaced by DRS appeals panelist Nick Gardner.

Whois “killer” is a recipe for a clusterfuck

Kevin Murphy, June 13, 2014, Domain Policy

An ICANN working group has come up with a proposal to completely replace the current Whois system for all gTLDs.

Outlined in 180 recommendations spread over 166 pages (pdf), it’s designed to settle controversies over Whois that have raged for 15 years or more, in one fell swoop.

But it’s a sprawling, I’d say confusing, mess that could turn domain name registration and the process of figuring out who owns a domain name into an unnecessarily bureaucratic pain in the rear.

That’s if the proposal is ever accepted by the ICANN community, which, while it’s early days, seems like a challenge.

The Expert Working Group, which was controversially convened by ICANN president Fadi Chehade in December 2012, proposes a Registration Data Service that would ultimately replace Whois.

It’s a complex document, which basically proposes rebuilding Whois from the ground up based on ideas first explored by George Orwell, Franz Kafka and Douglas Adams.

Having read it, I’ll do my best in this post to explain what the proposed Registration Data Service seems to entail and why I think it seems like a lot of hard work for very little benefit.

I note in advance as a matter of disclosure that the RDS as proposed would very possibly disenfranchise me professionally, making it harder for me to do my job. I explain why later in this post.

I also apologize in advance for, and will correct if notified of, any errors. It’s taken me a week from its publication to read and digest the proposal and I’m still not sure it’s all sunk in.

Anyway, first:

What’s RDS?

RDS would be a centralized Whois database covering all domains in all gTLDs, new and old, operated by a single entity.

What’s in an RDS record?

Under the hood, RDS records wouldn’t look a heck of a lot different than Whois records look today, in terms of what data they store.

There would be some new optional elements, such as social media user names, but otherwise it’s pretty much the same data as we’re used to seeing in Whois records today.

The big difference is which of these elements would be visible by default to an anonymous internet user doing a regular Whois look-up somewhere.

Some fields would be “public” and some would be “gated” or hidden. Some fields would always be public and some could be toggled between public and gated by the registrant.

Gated fields would not be visible to people doing normal Whois look-ups. To see gated data, you’d need to be accredited to a certain role (cop, trademark owner, etc) and have an RDS account.

By default, much of the data about the “registrant” — including their name, physical address, country, and phone number — would be gated.

No, you’re not reading that wrong — the name of the registrant would be hidden from regular Whois users by default. Their email address, however, would be always be public.

There would also be up to six “Purpose Based Contacts” — an Admin Contact, a Legal Contact, a Technical Contact, an Abuse Contact, a Privacy/Proxy Contact and a Business Contact.

So, for example, a registrant could specify his registrar as his technical PBC and his lawyer as his legal PBC.

The admin, legal, technical and abuse contacts would be mandatory, and would default to the registrant’s own personal contact info.

A newly registered domain would not be activated in the DNS until the mandatory PBCs had been provided.

Each of these four mandatory PBCs would have different levels of disclosure for each data element.

For example, the Admin PBC would be able to hide their mailing address and phone number (both public by default) but not their name, email address or country.

The Legal PBC would not be able to opt out of having their mailing address disclosed, but the Technical and Abuse PBCs would be able to opt out of disclosing pretty much everything including their own name.

Those are just examples. Several tables starting on page 49 of the report (pdf) give all the details about which data fields would be disclosed and which could be hidden.

I think it’s expected by the EWG that most registrants would just accept the defaults and publish the same data in each PBC, in much the same way as they do today.

“This PBC approach preserves simplicity for Registrants with basic contact needs and offers additional granularity for Registrants with more extensive contact needs,” the EWG says.

Who gets the see the hidden stuff?

In order to see the hidden or “gated” elements, you’d have to be an accredited user of the centralized RDS system.

The level of access you got to the hidden data would depend on the role assigned to your RDS account.

The name of the registrant, for example, would be available to anyone with an RDS account.

If you wanted access to the registrant’s mailing address or phone number, you’d need an RDS account that accredited you for one or more of seven defined purposes:

  • Domain Name Control (ie, the registrant herself)
  • Domain Name Certification (ie SSL Certificate Authorities)
  • Business Domain Name Purchase/Sale (anyone who says they might be interested in buying the domain in question)
  • Academic/Public Interest DNS Research
  • Legal Actions (eg lawyers investigating fraud or trademark infringement)
  • Regulatory/Contractual Enforcement (could be ICANN-related, such as UDRP, or unrelated stuff like tax investigations)
  • Criminal Investigation/DNS Abuse Mitigation

Hopefully this all makes sense so far, but it gets more complicated.

Beware of the leopard!

In today’s gTLD environment, Whois records are either stored with the registry or the registrar. You can do Whois lookups on the registrar/y’s site, or via a third-party commercial service.

As a registrant, you need only interact with your registrar. As a Whois user, you don’t need to sign up for an account anywhere, unless you want value-added services from a company such as DomainTools.

Under RDS, a whole lot of other entities start to come into play.

First, there’s RDS itself — a centralized Whois replacement.

It’s basically two databases. One contains contact details, each record containing a unique Contact ID identifier. The other database maps Contact IDs to the PBCs for each gTLD domain name.

It’s unclear who’d manage this service, but it looks like IBM is probably gunning for the contract.

Second, there would be Validators.

A Validator’s job would be to collect and validate contact information from registrants and PBCs.

While registrars and registries could also act as Validators — and the EWG envisages most registrars becoming Validators — this is essentially a new entity/role in the domain name ecosystem.

Third and Fourth, we’ve got newly created Accrediting Bodies and Accreditation Operators.

These entities would be responsible for accrediting users of the RDS system (that is, people who want to do a simple goddamn Whois lookup).

The EWG explains that an Accrediting Body “establishes membership rules, terms of service, and application and enforcement processes, etc., for a given RDS User community.”

An Accreditation Operator would “create and manage RDS User accounts, issue RDS access credentials, authenticate RDS access requests, and provide first-level abuse handling”.

Because it’s not complicated enough already, each industry (lawyers, academics, police, etc) would have their own different combination of Accrediting Bodies and Accreditation Operators.

Who benefits from all this?

The reason the EWG was set up in the first place was to try to resolve the conflict between those who think Whois accuracy should be more strictly enforced (generally law enforcement and IP owners) and those who think there should be greater registrant privacy (generally civil society types).

In the middle you’ve got the registries and registrars, who are generally resistant to anything that adds friction to their shopping carts or causes even moderate implementation costs.

The debate has been raging for years, and the EWG was told to:

1) define the purpose of collecting and maintaining gTLD registration data, and consider how to safeguard the data, and 2) provide a proposed model for managing gTLD directory services that addresses related data accuracy and access issues, while taking into account safeguards for protecting data.

So the EWG proposal could be seen as successful if a) privacy advocates are happy and b) trademark lawyers and the FBI are happy, c) registrars/ries are happy and d) Whois users are happy.

Are the privacy dudes happy?

No, they’re not.

The EWG only had one full-on privacy advocate: Stephanie Perrin, who’s a bit of a big deal when it comes to data privacy in Canada, having held senior privacy roles in public and private sectors there.

Perrin isn’t happy. Perrin thinks the RDS proposal as it stands won’t protect regular registrants’ privacy.

She wrote a Dissenting Report that seems to have been intended as an addendum to the EWG’s official report, but it was not published by the EWG or ICANN. The EWG report makes only a vague, fleeting reference, in a footnote, to the fact that the was any dissent at all.

Milton Mueller at the Internet Governance Project got his hands on it regardless and put it out there earlier this week.

Perrin disagrees with the recommendation (outlined above) that each domain name must have a Legal Contact (or Legal PBC) who is not permitted to hide their name and mailing address from public view.

She argues, quite reasonably I think, that regular registrants don’t have lawyers they can outsource this function to, which means their own name and mailing address will comprise their publicly visible Legal PBC.

This basically voids any privacy protection they’d get from having these details “gated” in the “registrant” record of the RDS. Perrin wrote:

the purpose of the gate is to screen out bad actors from harassing innocent registrants, deter identity theft, and ensure that only legitimate complaints arrive directly at the door of the registrants. It is also to protect the ability of registrants to express themselves anonymously. Placing all contact data outside the gate defeats certain aspects of having a gate in the first place.

The EWG report envisages the use of privacy/proxy services for people who don’t want their sensitive data published publicly.

But we already have privacy/proxy services today, so I’m unclear what benefit RDS brings to the table in terms of privacy protection.

It’s also worth noting that there are no circumstances under which a registrant’s email address is protected, not even from anonymous RDS queries. So there’s no question of RDS stopping Whois-based spam.

Are the trademark dudes going to be happy?

I don’t know. They do seem to be getting a better deal out of the recommendations than the other side (there were at least three intellectual property advocates on the EWG) but if you’re in the IP community the report still leaves much to be desired.

The RDS proposal would create a great big centralized repository of domain registrant information, which would probably be located in a friendly jurisdiction such as the US.

That would make tracking down miscreants a bit easier than in today’s distributed Whois environment.

RDS would also include a WhoWas service, so users can see who has historically owned domain names, and a Reverse Query service, so that users can pull up a list of all the other domains that share the same contact field(s).

Both services (commercially available via the likes of DomainTools already) would prove valuable when collating data for a UDRP complaint or cybersquatting lawsuit.

But it’s important to note that while the EWG report says all contact information should be validated, it stops short of saying that it should be authenticated.

That’s a big difference. Validation would reveal whether a mailing address actually exists, but not whether the registrant actually lives there.

You’d need authentication — something law enforcement and IP interests have been pushing for but do not seem to have received with the EWG proposal — for that.

The EWG suggests that giving registrants more control over which bits of their data are public will discourage them from providing phony contact information for Whois/RDS.

The RDS proposes a lot more carrot than stick on this count.

But if Perrin is correct that it’s a false comfort (given that your name and address will be published as Legal PBC anyway) then wouldn’t a registrant be just as motivated to call themselves Daffy Duck, or use a proxy/privacy service, as they are today?

Are the registrar dudes going to be happy?

If the EWG’s recommendations become a reality registrars could get increased friction in their sales path, depending on how disruptive it is to create a “Contact ID” and populate all the different PBCs.

I think it’s certainly going to increase demand on support channels, as customers try to figure out the new regime.

Remember, the simple requirement to click on a link in an email is causing registrants and registrars all kinds of bother, including suspended domains, under recently introduced rules.

And there’s obviously going to be a bunch of (potentially costly) up-front implementation work registrars will need to do to hook themselves into RDS and the other new entities the system relies on.

I doubt the registrars are going to wholeheartedly embrace the proposal en masse, in other words.

Is Kevin Murphy happy?

No, I’m not happy.

It bugs me, personally, that the EWG completely ignored the needs of the media in its report. It strikes me as a bit of a slap in the face.

The “media” and “bloggers” (I’m definitely in one of those categories) would be given the same rights to gated RDS data as the “general public”, under the EWG proposal.

In other words, no special privileges and no ability to access the registrant name and address fields of an RDS record.

RDS may well give somebody who owns a trademark (such as a reverse domain name hijacker or a sunrise gamer) more rights to Whois records than the New York Times or The Guardian.

That can’t be cool, can it?

Murphy, brah, why you gotta cuss in your headline?

Good question. I do use swearwords on DI occasionally, but only to annoy people who don’t like them, and usually only in posts dated April 1 or in stories that seem to deserve it.

This post is dated June 13.

I think I’ve established that the EWG’s proposal as it stands today is a pretty big overhaul of the current system and that it’s not immediately obvious how the benefits to all sides warrant the massive effort that will have to be undertaken to get RDS to replace Whois.

But the clusterfuckery is going to begin not with the implementation of the proposal, but with the attempt to pass it through the ICANN process.

The proposal has to pass through the ICANN community before becoming a reality.

The Expert Working Group has no power under the ICANN bylaws.

It was created by Chehade while he was still relatively new to the CEO’s job and did not yet appreciate how seriously community members take their established procedures for creating policy.

I think it was a pretty decent idea — getting a bunch of people in a room and persuading them to think outside the box, in an effort to find radical solutions to a a long-stagnant debate.

But that doesn’t change the fact that the EWG’s proposals don’t become law until they’ve been subject to the Generic Names Supporting Organization’s lengthy Policy Development Process.

Some GNSO members were not happy when the EWG was first announced — they thought their sovereignty was being usurped by the uppity new CEO — and they’re probably not going to be happy about some of the language the EWG has chosen to use in its final report.

The EWG said:

The proposed RDS, while not perfect, reflects carefully crafted and balanced compromises with interdependent elements that should not be separated.

The RDS should be adopted as a whole. Adopting some but not all of the design principles recommended herein undermines benefits for the entire ecosystem.

It’s actually quite an audacious turn of phrase for a working group with no actual authority under ICANN bylaws.

It sounds a bit like “take it or leave it”.

But there’s no chance whatsoever of the report being adopted wholesale.

It’s going into the GNSO process, where the same vested interests (IP, LEA, registry, registrar, civil society) that have kept the debate stagnant for the duration of ICANN’s existence will continue to try (and probably fail) to come to an agreement about how Whois should evolve.