Twelve more new gTLD applicants have been found to have exploited a glitch in ICANN’s new gTLD portal to view fellow applicants’ data.
ICANN said last night that it has determined that all 12 access incidents were “inadvertent” and did not disclose personally identifiable information.
The revelation follows an investigation that started in April this year.
ICANN said in a statement:
in addition to the previous disclosures, 12 user credentials were used to access contact information from eight registry operators. Based on the information collected during the investigation it appears that contact information for registry operators was accessed inadvertently. ICANN also concluded that the exposed registry contact information does not appear to contain sensitive personally identifiable information. Each of the affected parties has been notified of the data exposure.
The glitch in question was a misconfiguration of a portal used by gTLD applicants to file and view their documents.
It was possible to use the portal’s search function to view attachments belonging to other applicants, including competing applicants for the same string.
Donuts said in June that the prices it was willing to pay at auction for gTLD strings could have been inferred from the compromised data.
ICANN told compromised users in May that the only incidents of non-accidental data access could be traced to the account of Dirk Krischenowski, CEO of dotBerlin.
Krischenowski has denied any wrongdoing.
ICANN said last night that its investigation is now over.
Verisign has admitted it “sponsors” an analyst who has written more than a dozen articles singing the praises of .com and questioning the value of new gTLDs over the last few years.
Zeus Kerravala is the founder and principal analyst at ZK Research. He writes a regular column for Network World called Network Intelligence.
Last week, domain industry eyebrows were raised by the latest in a series of pro-.com articles — all of which seem to have been removed by Network World in the last 24 hours — to appear in the column.
The latest article was entitled “Why more companies are ditching new domain names and reverting to .com”.
Kerravala basically mined domain industry blogs, including this one, for examples of companies preferring .com over ccTLDs and new gTLDs, to support a view that .com is awesome and other TLDs are not.
He could quite easily have used the same method to reach the opposite conclusion, in my view.
The Halloween-themed article concluded:
The good news is that .com will be here now and into the future, just like it has been for the past 30 years to provide treats to businesses after they have been “tricked” by other TLDs.
The article, and 12 more before it dating back to August 2012, looked to some like Verisign spin.
Other headlines include “Why .com is still the domain of choice for businesses” and “New generic top-level domain names do more harm than good” and “Companies are movin’ on up to .com domain names”.
They’re all basically opinion pieces with a strongly pro-.com slant.
The opinion that .com is better than the alternatives is not uncommon, especially among domainers who have lots of money tied up in .com investments.
The fact that Kerravala, who doesn’t usually touch the domain industry in his column, has written a dozen stories saying essentially the same thing about .com over the last couple of years looked a bit odd to some in the domain industry.
And it turns out that he is actually on the Verisign payroll.
A Verisign spokesperson told DI: “ZK Research is a sponsored industry analyst and blogger.”
The company declined to answer a follow-up question asking whether this meant he was paid to blog.
Kerravala told DI that Verisign is one of his clients, but denied blogging on its behalf. He said in an email:
they are a client like many of the other large technology firms. Although I blog, like many analysts, I am first and foremost an analyst. I have paid relationships with tech vendors, service providers, end user firms, resellers and the financial community.
Verisign pays me for inquiry time and to have access to my research. Verisign has many relationships like this with many analyst firms and I have this type of relationship with many other technology firms.
In no way do vendors pay me to write blogs nor do they influence my research or my opinions. Sometimes, I may choose to interview a vendor on a certain topic and include them in the article.
Kerravala had not disclosed in his Network World articles or boilerplate biography that Verisign is one of his clients.
A January 2014 article published on SeekingAlpha, “New Generic Top Level Domain Names Pose No Threat To VeriSign”, contains a disclosure that reads in part “I have no business relationship with any company whose stock is mentioned in this article.”
Kerravala said in an email that although his relationship with Verisign started in 2013, the company was not a client at the time the SeekingAlpha article appeared.
The relationship came to light after new gTLD registry Donuts emailed Kerravala via a third party — and Kerravala says under false pretenses — claiming to have liked his most recent article and asking for a contact name at Verisign.
He would have responded honestly to just being asked directly by Donuts, he said.
In a telephone conversation yesterday, he said that his articles about .com represent his genuinely held beliefs which, as we agree, are not particularly unusual.
He observed that DI has a generally pro-TLD-competition point of view, and that many of my advertisers are drawn from the new gTLD industry, and said that his relationship with Verisign is not dissimilar to DI’s relationship to its advertisers.
The upcoming auction for the .shop and .shopping new gTLDs is weird, but in a different way from what I reported on Friday.
The actual rules, which are pretty complicated, mean that one applicant could win a gTLD auction without spending a single penny.
The nine applicants for .shop and the two applicants for .shopping are not necessarily all fighting it out to be a single victor, which is what I originally reported.
Rather, it seems to be certain that both .shop and .shopping will wind up being delegated.
The ICANN rules about indirect contention are not well-documented, as far as I can tell.
When I originally reported on the rules exactly two years ago today, I thought an animated GIF of a man’s head exploding was an appropriate way to end the story.
In the .shop/.shopping case, it seems that all 11 applications — nine for .shop and two for .shopping — will be lumped into the same auction.
Which applicant drops out first will determine whether both strings get delegated or only one.
Uniregistry and Donuts have applied for .shopping, but only Donuts’ application is in contention with Commercial Connect’s .shop application (due to a String Confusion Objection).
As Donuts has applied for both .shop and .shopping, it will be submitting separate bids for each application during the auction.
The auction could play out in one of three general ways.
Commercial Connect drops out. If Commercial Connect finds the .shop auction getting too rich for it and drops out, the .shopping contention set will immediately become an entirely separate auction between Uniregistry and Donuts. In this scenario, both .shop and .shopping get to become real gTLDs.
Donuts drops its .shopping bid. If Donuts drops its bid for .shopping, Uniregistry is no longer in indirect contention with Commercial Connect’s .shop application, so it gets .shopping for free.
Commercial Connect wins .shop. If Commercial Connect prevails in .shop, that means Donuts has withdrawn from the .shopping auction and Uniregistry wins.
It’s complicated, and doesn’t make a lot of logical sense, but it seems them’s the rules.
It could have been even more complex. Until recently, Amazon’s application for .通販 was also in indirect contention with .shop.
Thanks to Rubens Kuhl of Nic.br for pointing out the error.
The new gTLDs .shop, .shopping, .cam and .phone are all set to go to auction after their various delays and objections were cleared up.
It seems that the .shop and .shopping contention sets remain merged, so only one string from one applicant will emerge victorious.
That’s due to a completely mad String Confusion Objection decision that ruled the two words are too confusingly similar to coexist in the DNS.
That SCO ruling was made by the same guy who held up both sets of applications when he ruled that .shop and .通販 (“.onlineshopping”) were also too confusingly similar.
The two rulings combined linked the contention sets for all three strings.
.通販 applicant Amazon appealed its SCO loss using a special process that ICANN created especially for the occasion, and won.
But .shop and .shopping applicants were not given the same right to appeal, meaning the auction will take place between nine .shop applicants and .shopping applicants Uniregistry and Donuts.
Donuts is an applicant for .shop and .shopping, meaning it will have to make its mind up which string it prefers, if it intends to win the auction. If it’s a private auction, Donuts would presumably qualify for a share of its own winning bid. Weird.
(UPDATE: That was incorrect).
The other contention set held up by an inconsistent SCO decision was .cam, which was originally ruled too similar to .com.
Rightside won its appeal too, meaning it will be fought at auction between Famous Four, Rightside and AC Webconnecting.
.phone had been held up for different reasons.
It’s a two-way fight between Donuts and Dish DBS, a TV company that wanted to run .phone as a closed generic. Like almost all closed generic applicants, Dish has since changed its plans.
CentralNic’s registry back-end business may have got a big boost from last week’s news that Google has adopted a .xyz domain for its new parent, but it is not yet the biggest back-end provider.
That honor still belongs to Rightside, which currently leads CentralNic by a few hundred thousand names, according to zone files.
When Google started using abc.xyz as the primary domain for its new company last Monday, it caused a sharp spike in .xyz’s daily zone file growth.
The volume-leading new gTLD’s zone had been netting about 3,000 domains per day over the previous week, but that number has risen to almost 8,000 on average since the Google announcement.
While undoubtedly good news for XYZ.com and CentralNic, the growth has not been enough to propel CentralNic into the top spot just yet.
CentralNic said in a press release today that it currently has 1,444,210 domains, making it the “number one registry backend”.
But according to DI’s numbers, Rightside has at least 1,701,316 domains in new gTLDs running on its back-end.
The CentralNic press release, as well as an earlier piece on The Domains, both cite ntldstats.com as their source.
That site had been listing Donuts as the top new gTLD back-end provider for over a year, with CentralNic in second place.
The problem is that Donuts is not a back-end provider. Never has been.
The portfolio registry disclosed right from the start that it was using Rightside (then Demand Media).
A Donuts spokesperson confirmed to DI today that it still uses Rightside.
The company runs its 190 delegated new gTLDs on Rightside’s back-end. Rightside manages another 39 of its own on the same infrastructure.
Combined, these gTLDs make up 1,701,316 second-level domains, making Rightside the largest back-end registry provider.