Latest news of the domain name industry

Empty Whois a threat to the US elections?

Kevin Murphy, September 5, 2018, Domain Policy

Could a lack of Whois records thwart the fight against attempts to interfere in this year’s US elections?
That’s the threat raised by DomainTools CEO Tim Chen in a blog post, and others, this week.
Chen points to recent research by Facebook, based on an investigation by security company FireEye, that linked a large network of bogus news sites and social media accounts to the Iranian state media.
FireEye’s investigation used “historical Whois records”, presumably provided by DomainTools, to connect the dots between various domains and registrants associated with “Liberty Front Press”, a purportedly independent media organization and prolific social media user.
Facebook subsequently found 652 accounts, pages and groups associated with the network, and removed them from its platform.
The accounts and sites in question were several years old but had been focusing primarily on politics in the UK and US since last year, Facebook said.
Based on screenshots shared by Facebook, the accounts had been used to spread political messages bashing US president Donald Trump and supporting the UK’s staunchly pro-Palestinian opposition leader Jeremy Corbyn.
Google’s research, also inspired by FireEye’s findings and Whois data, linked the network to the state-run Islamic Republic of Iran Broadcasting.
The actions by Google and Facebook come as part of their crackdown on fake news ahead of the US mid-term Congressional elections, this November, which are largely being seen as a referendum on the Trump presidency.
Because the domains in question predate the General Data Protection Regulation and ICANN’s response to it, DomainTools was able to capture Whois records before they went dark in May.
While the records often use bogus data, registrant email addresses common to multiple domains could be used to establish common ownership.
Historical Whois data for domains registered after May 2018 is not available, which will likely degrade the utility of DomainTools’ service over time.
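The pivot described above, as an added illustration that is not code from DomainTools, FireEye or the original post: domains are clustered when any historical Whois snapshot shares a registrant email, even if the registrant name differs. All domains, addresses and the privacy-proxy list are constructed assumptions.

```python
from collections import defaultdict

# Constructed historical Whois snapshots:
# (domain, capture date, registrant name, registrant email).
SNAPSHOTS = [
    ("example-news.test", "2016-03-01", "John Doe", "Editor@Mail.test"),
    ("example-news.test", "2017-09-12", "J. Smith", "ops@mail.test"),
    ("daily-report.test", "2017-01-20", "Jane Roe", "editor@mail.test"),
    ("world-brief.test", "2018-02-02", "A. Nother", "ops@mail.test"),
    ("unrelated.test", "2017-05-05", "Bob", "bob@other.test"),
    ("hidden-a.test", "2018-06-01", "REDACTED", "redacted@privacy-proxy.test"),
    ("hidden-b.test", "2018-06-03", "REDACTED", "redacted@privacy-proxy.test"),
]

# Assumption: an address handed out by a privacy/proxy service is shared by
# unrelated customers, so it must never be used as evidence of common ownership.
SHARED_PROXY_DOMAINS = {"privacy-proxy.test"}


def normalize_email(raw):
    """Lower-case and trim an address; return None if it is unusable as a pivot."""
    email = (raw or "").strip().lower()
    if "@" not in email:
        return None
    if email.rsplit("@", 1)[1] in SHARED_PROXY_DOMAINS:
        return None
    return email


class DisjointSet:
    """Minimal union-find so links are followed transitively across snapshots."""

    def __init__(self):
        self.parent = {}

    def find(self, item):
        self.parent.setdefault(item, item)
        while self.parent[item] != item:
            self.parent[item] = self.parent[self.parent[item]]  # path halving
            item = self.parent[item]
        return item

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a


def cluster_domains(snapshots):
    """Group domains that ever shared a usable registrant email."""
    sets = DisjointSet()
    first_domain_for_email = {}
    emails_by_domain = defaultdict(set)

    for domain, _captured, _name, raw_email in snapshots:
        domain = domain.lower()
        sets.find(domain)  # register the domain even if its email is unusable
        email = normalize_email(raw_email)
        if email is None:
            continue
        emails_by_domain[domain].add(email)
        if email in first_domain_for_email:
            sets.union(first_domain_for_email[email], domain)
        else:
            first_domain_for_email[email] = domain

    groups = defaultdict(set)
    for domain in list(sets.parent):
        groups[sets.find(domain)].add(domain)

    clusters = []
    for members in groups.values():
        if len(members) < 2:
            continue  # a single domain is not a network
        emails = set().union(*(emails_by_domain[d] for d in members))
        clusters.append({"domains": sorted(members), "emails": sorted(emails)})
    return sorted(clusters, key=lambda c: c["domains"])


if __name__ == "__main__":
    for cluster in cluster_domains(SNAPSHOTS):
        print(cluster["domains"], "linked by", cluster["emails"])
```

The two proxy-registered domains stay unlinked, which is the situation for any record captured only in redacted form.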
Chen concluded his blog post, which appeared to be written partly in response to data suggesting that GDPR has not led to a growth in spam, with this:

Domain name Whois data isn’t going to solve the world’s cyberattack problems all on its own, but these investigations, centering on an issue of global importance that threatens our very democracy, likely get severely impaired without it. And this is just the tip of the iceberg, a few uniquely important investigations among the hundreds of thousands of cyberattacks going on all day every day all over the globe by people and organizations that can now hide behind the anonymity inherent in today’s internet. It’s reasonable that domain names used for certain commercial or functional purposes should require transparent registration information. Whois is not a crime.

DomainTools is one of the founders of the new Coalition for a Secure and Transparent Internet, a lobby group devoted to encouraging legislatures to keep Whois open.
Representatives of Facebook and Iran’s government are among the members of the Expedited Policy Development Process on Whois, an emergency ICANN working group that is currently trying to write a permanent GDPR-compliant Whois policy for ICANN.

Facebook clashes with registrars after massive private data request

Kevin Murphy, July 26, 2018, Domain Policy

Facebook is on the warpath, testing the limits of personal data disclosure in the post-GDPR world.
Via an intermediary called AppDetex, the company recently filed 500 requests for non-public Whois contact information with various registrars, covering potentially thousands of domains, and is now complaining to ICANN that almost all of the replies it received were “non-responsive”.
DI has learned that Facebook is not only asking registrars for Whois data on specific domains it believes infringe its trademarks, however. It’s also asking them to provide complete lists of domains owned by the same registrant, along with the Whois data for those domains, something registrars have never been obliged to provide, even pre-GDPR.
It’s now pissed that almost all of its requests were blown off, with registrars giving various reasons they could not provide the data.
AppDetex is a brand protection services firm and ICANN-accredited registrar. It’s built an automated system for generating Whois disclosure requests and sending them to registrars.
Ben Milam, its general counsel, wrote to ICANN last week to urge the organization to come up with, and more importantly enforce, a framework for brand owners to request private Whois data.
The company has stopped short of filing formal complaints against the registrars with ICANN’s compliance division, but Milam said it will in future:

we do plan to file complaints in the future, but not until ICANN has (i) established proper disclosure guidelines for non-public WHOIS requests for the registrar base to follow, and (ii) implemented an enforcement process that will ensure that brand holder requests are being satisfied.

The letter says that only one registrar responded adequately, to three of its disclosure requests. That was FBS Inc, which I believe is Turkey’s largest registrar. Turkey is not in the EU.
One registrar on Facebook’s naughty list is Ireland-based Blacknight Solutions, which received three disclosure requests but did not provide AppDetex with the information it wanted.
Blacknight CEO Michele Neylon shared a copy of one of these requests, which he said was received via email July 2, with DI.
In my view, the request is clearly automated, giving the registrar a deadline to respond 48 hours in the future accurate to the second. It cites five Facebook trademarks — Facebook, FB, Instagram, Oculus and WhatsApp.
At Blacknight’s request, I won’t disclose the domain here, but it begins with the string “insta”. At first glance it’s not a clear-cut case of cybersquatting the Instagram trademark. It’s currently parked, displaying ad links unrelated to Instagram.
The email asks the registrar to turn over the full non-public Whois contact information for the registrant, technical contact and administrative contact, but it goes on to also ask for:

4. All other domain names registered under this registrant’s account or email address
5. All information in requests 1, 2, and 3 for all domains provided in response to request 4

This would increase the volume of Whois records requested by Facebook from 500 to, very probably, thousands.
This reverse-Whois data was not previously available via vanilla registrar-provided Whois, though it may be under successor protocol RDAP. Brand owners would have to use a commercial third-party service such as DomainTools in order to connect a registrant to the rest of his portfolio.
It’s debatable whether registrars will be obliged to provide this reverse-Whois capability on non-public data to brand owners even after RDAP becomes the norm.
The request says Facebook needs the data in order “to investigate and prevent intellectual property infringement and contact infringing parties and relevant service providers” and “to facilitate legal action against the registrant”.
Facebook says it’s entitled to the data under Article 6(1)(f) of the GDPR as it’s “necessary for the purposes of our legitimate interests, namely (1) identifying the registered holder of a domain name and their contact information to investigate and respond to potential trademark infringement and (2) enforcing legal claims.”
Currently, registrars are governed by ICANN’s Temporary Specification for Whois, a GDPR-related Band-Aid designed to last until the ICANN community can create a formal policy.
Access to non-public Whois data is governed by section 4 of the Temp Spec, which reads in part:

Registrar and Registry Operator MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject pursuant to Article 6(1)(f) GDPR.

In the absence of a formal ICANN policy, legal precedent, or specific guidance from data protection authorities, it’s not abundantly clear how registrars are supposed to comply with this clause of the spec, which may explain why Facebook is getting different responses from different registrars.
Neylon said that Blacknight responded to the disclosure requests by asking Facebook to produce an Irish court order.
He said the requests were overly broad, did not provide any contact information for the requester, did not provide a specific complaint against the registrants, and did not specify what privacy safeguards Facebook planned to subject the data to once it was handed over.
It seems Blacknight was not alone. According to AppDetex’s letter to ICANN, at least six other registrars replied denying the requests and saying:

complainant (Facebook) must utilize legal process of a subpoena or court order; complainant must file a UDRP action; complainant must file an action with WIPO; complainant must contact WIPO; and/or complainant’s request has been forwarded to the domain owner.

Milam said (pdf) that he expects the volume of requests to increase and that registrars’ responses will be forwarded to ICANN Compliance to help create a normalized framework for dealing with such requests.

Tech giants gunning for AlpNames over new gTLD “abuse”

A small group of large technology companies including Microsoft and Facebook have demanded that ICANN Compliance take a closer look at AlpNames, the budget registrar regularly singled out as a spammers’ favorite.
The ad hoc coalition, calling itself the Independent Compliance Working Party, wrote to ICANN last week to ask why the organization is not making better use of statistical data to bring compliance actions against the small number of companies that see the most abuse.
AlpNames, the Gibraltar-based registrar under common ownership with new gTLD portfolio registry Famous Four Media, is specifically singled out in the group’s letter.
The letter, sourcing the August 2017 Statistical Analysis of DNS Abuse in gTLDs (pdf), says there “is a clear problem with one particular contracted party”.
AlpNames was the registrar behind over half of the new gTLD domains blacklisted by SpamHaus over the study period, for example, the letter states.
The tiny territory of Gibraltar also frequently ranks unusually highly on abuse lists due to AlpNames’ presence there, the letter and report say.
The ICWP letter also says that the four gTLDs .win, .loan, .top, and .link were used by over three quarters of abusive domains over the SADAG study period.
The letter calls the abuse rates “troublesome” and says:

We are alarmed at the levels of DNS abuse among a few contracted parties, and would appreciate further information about how ICANN Compliance is using available data to proactively address the abusive activity amongst this subset of contracted parties in order to improve the situation before it further deteriorates.

It goes on to wonder whether high levels of unaddressed abuse could amount to violations of new gTLD Registry Agreements and Registrar Accreditation Agreements, and to ask whether there are any barriers to ICANN Compliance pursuing breach claims against such potential violations.
The ICWP comprises Adobe, DomainTools, eBay, Facebook, Microsoft and Time Warner. It’s represented by Fabricio Vayra of Perkins Coie.
Other than the letter (pdf), the Independent Compliance Working Party does not appear to have any web presence, and a spokesperson has not yet responded to DI’s request for more information.
The SADAG report also singled out Chinese registrar Nanjing Imperiosus Technology Co, aka DomainersChoice.com, as having particularly egregious levels of abuse, but noted that this abuse disappeared after ICANN terminated its RAA last year.
AlpNames has not to date had any public breach notices issued against it, but this is certainly not the first time it’s been singled out for public censure.
In November last year, ICANN’s Competition, Consumer Trust, and Consumer Choice Review Team (CCT) named it in a report that claimed: “Certain registries and registrars appear to either positively encourage or at the very least willfully ignore DNS abuse.”
AlpNames seems to have been used often by abusers due to its bargain-basement, often sub-$1 prices — making disposable domains more cost effective — and its tool that allowed up to 2,000 domains to be registered simultaneously.
If not actively soliciting abusive behavior, these factors certainly don’t make abuse any more difficult.
But will ICANN Compliance take action in response to the criticism leveled by CCT and now ICWP?
The main problem with the ICWP letter, and the SADAG report it is based upon, is that the data it uses is now rather old.
The SADAG report sourced abuse databases only up to January 2017, a time when AlpNames’ total gTLD domains under management was at its peak of around three million names.
Since then, the company has been hemorrhaging DUM, losing hundreds of thousands of domains every month. At the end of November 2017, the most recent data compiled by DI shows that it was down to around 838,000 domains.
It’s quite possible that AlpNames’ customer base is no longer the den of abuse it once was, whether due to natural attrition or a proactive purge of bad actors.
A month ago, in a press release connected with a $5.4 million buy-out of a co-founder, AlpNames chairman Iain Roache said he has a “10-year strategic plan” to turn AlpNames into a “Tier-1” registrar and “bring the competition to the incumbents”.

MarkMonitor tells .feedback to take a hike after “breach” claim

Kevin Murphy, April 25, 2017, Domain Registrars

MarkMonitor is to voluntarily terminate its registrar relationship with Top Level Spectrum after the .feedback registry hit it with a breach of contract notice.
Troy Fuhriman, director of domain management at the registrar, told DI today that the company has just sent TLS a letter stating that it no longer wishes to sell .feedback names.
TLS earlier this month accused MarkMonitor of breaking the terms of its Registry-Registrar Agreements by leaking details of that agreement to media outlets including yours truly.
While TLS CEO Jay Westerdal told DI that an apology from MarkMonitor would be enough to make the termination threat go away, MarkMonitor has clearly decided against that route.
“We’re going to terminate all accreditation agreements for .feedback,” he said. “In part it’s a response to ICANN’s finding that Top Level Spectrum violated its Public Interest Commitments, and what we believe is a retaliatory breach notification from them.”
MarkMonitor and a small posse of high-profile clients including Facebook recently won a Public Interest Commitment Dispute Resolution Policy complaint against .feedback, related to the transparency of its launch policies and pricing.
It was in that complaint that MarkMonitor released details contained in the RRA that TLS deemed to be confidential.
Terminating the agreement means that MarkMonitor will no longer be able to sell .feedback names as a registrar and will have to transfer its existing registrations to a different registrar.
Not many clients are affected. MarkMonitor had only 45 .feedback domains under management at the last count (which was still enough to make it the fourth-largest independent .feedback registrar).
Most of these domains will be moved to 101domain, which with fewer than 200 domains is still the leading .feedback registrar.
UPDATE: Westerdal says that MarkMonitor was in fact terminated on Monday. Neither party claims that MarkMonitor made any effort to comply with the breach notice by apologizing.

.feedback threatens to shut off MarkMonitor

Top Level Spectrum, the controversial .feedback gTLD registry, has threatened to de-accredit MarkMonitor unless it apologizes for “breaching” its registrar contract.
The move is evidently retaliation for the MarkMonitor-coordinated complaint about .feedback’s launch policies, which last month led to TLS being found in breach of its own ICANN contract.
De-accreditation would mean MarkMonitor would not be able to sell .feedback domains any more, and its .feedback names would be transferred to another registrar.
In a letter to MarkMonitor (pdf) yesterday, TLS informs the registrar that it breached its Registry-Registrar Agreement by releasing said RRA to “the press” as part of the exhibits to its Public Interest Commitments Dispute Resolution Policy complaint.

The problem we take issue with is that your exhibit should have redacted the “Confidential RRA Agreement” prior to being handed over to “the press” and it should have been marked in an appropriate way so ICANN would not publicly disclose it. As we can tell no precautions were taken and as a party to the action we find that you violated the confidentiality of the agreement.

I understand “the press” in this case includes DI and others. We published the document last October. We were not asked to keep anything confidential.
The RRA section of the document is marked as “private and confidential” and contains terms forbidding the disclosure of such information, but the name of the registrar is redacted.
TLS believes the undisclosed registrar is actually Facebook, a MarkMonitor client and one of the several parties to the PICDRP complaint against .feedback.
While Facebook may not have actually signed the RRA, MarkMonitor certainly did and therefore should not have released the document, TLS says.
The letter concludes that the “breach… seems incurable” and says: “Please let us know what actions you will take to cure this breach with us or we will have no other option but to de-accredited your Registrars.”
Despite this, TLS CEO Jay Westerdal tells us that an apology will be enough to cure the alleged breach.
The threat is reminiscent of a move pulled by Vox Populi, the .sucks registry, last year. Vox deaccredited MarkMonitor rival Com Laude in June for allegedly leaking a confidential document to DI (I was never able to locate or identify the allegedly leaked document, and had not published any document marked as confidential).
TLS was found in breach of the Public Interest Commitments in its ICANN contract last month by a PICDRP panel. It was the first registry to suffer such a loss.
The PICDRP panel found that .feedback’s launch had not been conducted in a transparent way, but it stopped short of addressing MarkMonitor’s complaints about “fraudulent” behavior.

Facebook, under Chinese court threat, transfers Instagram.com to its new registrar

Kevin Murphy, April 19, 2016, Domain Registrars

It’s not quite cyberflight, but Facebook has transferred threatened domain name instagram.com to its newly acquired in-house registrar.
Whois records show that the domain, used for the popular photo-sharing social network, was moved from MarkMonitor to RegistrarSEC yesterday.
It emerged on Friday that Facebook had recently acquired RegistrarSEC.
So why the transfer?
It does not appear that the move is part of a wholesale transfer of domains — facebook.com, whatsapp.com, fb.com and all the other Facebook domains I checked are still with MarkMonitor.
Instead, I would speculate that it’s related to the lawsuit in China in which the family of a deceased cybersquatter are fighting for the return of the domain to their ownership.
Instagram acquired the name for $100,000 from the Guangdong-based Zhou family in January 2011, just a couple of months after Zhou Weiming, the now deceased patriarch, bought it from an American domainer.
According to a lawsuit (pdf) filed against the family in California by Instagram this January, Zhou’s widow and two daughters are suing the third daughter in a Chinese court for selling the domain without the proper authority.
They want the domain returned to them.
By transferring instagram.com to a registrar completely controlled by Facebook, the company has removed one huge risk factor from the Chinese lawsuit.
If MarkMonitor were to be served with a Chinese court order ordering the transfer of the domain to the Zhous, and it were to comply, the Instagram service used by millions could be held hostage by a group of known cybersquatters.
Now that the domain is at RegistrarSEC, Facebook gets the ability to refuse to comply with any such order.
This all begs the question of whether the deep-pocketed social network would go to the trouble of acquiring a registrar (with only 11 names to its accreditation) purely to provide a layer of insurance.
A fresh ICANN accreditation would be cheaper, but would take longer, and transferring to a different third-party registrar wouldn’t really solve the problem.
Instagram is predicted by one analyst to provide Facebook with $5.8 billion in annual revenue by the end of the decade.

Facebook bought a registrar

Kevin Murphy, April 14, 2016, Domain Services

Facebook has acquired a domain name registrar, according to its point person in ICANN.
Facebook domain manager Susan Kawaguchi said on tonight’s GNSO Council teleconference, as a matter of disclosure, that Facebook recently acquired a registrar.
Multiple sources say the registrar is RegistrarSEC LLC.
DI records show that RegistrarSEC took over the ICANN registrar accreditation of Focus IP Inc, doing business as AppDetex, on March 26.
RegistrarSEC is led by one of the long-gone founders of brand protection registrar MarkMonitor, Faisal Shah, and Chris Bura, founder of Alldomains.com.
Facebook is one of MarkMonitor’s most prominent clients.
RegistrarSEC is not a conventional registrar. It had just 11 registrations under its IANA ID at the end of 2015.
But its parent was founded in 2013 as primarily a provider of brand protection services focused on the mobile app space.
My guess is that Facebook is interested in RegistrarSEC’s parent’s intellectual property, rather than its registrar.

Instagram paid Chinese cybersquatter $100,000 for instagram.com, Facebook lawsuit reveals

Kevin Murphy, January 20, 2016, Domain Sales

Facebook has sued a Chinese cybersquatter for trying to renege on a five-year-old deal that saw it buy the domain instagram.com for $100,000.
The lawsuit, filed in California last week, claims that a family of known cybersquatters, based in Guangdong, is trying to have the purchase invalidated by a Chinese court.
The company, which acquired Instagram for $1 billion in 2012, wants the court to rule that the domain deal was legal, preventing the cybersquatters retaking control of the domain.
Photo-sharing app Instagram launched in October 2010 using the domain instagr.am.
At that time, instagram.com was owned by a US-based domain investor, but it was bought by Zhou Weiming about a month later.
Zhou, Facebook says, was the now-dead father of three of the people it is suing, and the husband of the fourth.
When Zhou purchased the domain, Instagram had become wildly popular, well on the way to hitting the million-user mark in December 2010.
Instagram had applied for the US trademark on its name in September 2010, less than a month before its launch.
The company made the decision to pay $100,000 for the domain in January 2011.
The Whois information for instagram.com changed from Zhou Weiming to Zhou Murong, apparently his daughter, around about the same time, though the registrant email address did not change.
The purchase was processed by Sedo, according to a copy of the deal filed as evidence (pdf).
Now, Murong’s mother and sisters are suing her and Instagram in China, claiming she did not have the authority to sell the domain, according to Facebook’s complaint.
Facebook claims the Chinese suit is a “sham” and that the whole Zhou family is acting in concert.
The company wants the California court to declare that the sale was valid, and that registrar MarkMonitor should not be forced to transfer the domain back to the Zhous.
Facebook in 2014 won a 22-domain UDRP case against Murong Zhou, related to typos of its Instagram trademark.
Read the full California complaint as a PDF here.

Are new gTLD registries ripping off brands with unfair sunrise fees?

Forget .sucks — several less controversial new gTLD registries have come under fire from the likes of Google, Facebook and Adobe for charging sunrise fees as high as $17,000 for domains matching famous trademarks.
According to figures supplied to DI by ICANN’s Business Constituency, the domain instagram.love carries a $17,610 “Premium Name Fee” during the current sunrise period.
Instagram is of course the photo sharing service belonging to Facebook, and to the best of my knowledge not a dictionary word.
The domain facebook.love has a $8,930 fee, these figures show, while google.love costs $6,610, both in addition to sunrise fees of $350 and annual fees of $60.
The regular sunrise fee for .love comes in at $265 at some registrars.
The new gTLDs .design, .video, .wang, .wein, .rich and .top also seem to carry very high fees for brands such as Facebook, according to the BC’s numbers.
Google recently filed a public comment with ICANN which warned:

some registry operators are taking advantage of rights owners during Sunrise by charging exorbitant and extortionate Sunrise registration fees. Although such pricing policies are not strictly within the ICANN compliance mandate, they contravene the spirit of the RPMs [rights protection mechanisms], damage ICANN’s reputation, harm consumers in contravention of ICANN’s mandate to promote the public interest, and create disincentives for rights owners to take advantage of the Sunrise period

Similar comments were sent by the Intellectual Property Constituency, BC, and others.
The issue of registries charging super-high “premium” fees for trademarked names has been on the radar of the BC and the IPC since at least 2013.
It seems that in at least some cases, trademark owners are being hit with the higher fees because their marks are dictionary words that the registry has identified as premium due to their regular meaning.
For example, adobe.design is on the list of names provided by the BC, carrying a $1,175 registration fee.
But Andrew Merriam, director of business development at .design registry Top Level Design, denied that the software company is being targeted. Instead, he said “adobe” refers to the material used in architecture — its dictionary meaning.
He said: “Stucco.design, concrete.design, wood.design, granite.design (and many other materials and building styles) are all on the premium list, at varying prices. In fact, adobe.design is priced on the lower end of all these materials.”
Merriam said the registry’s premium fee for adobe.design is actually $250 and speculated that $1,175 could be the price quoted by Adobe’s brand protection registrar post-markup. It was $349 at Go Daddy, he said.
In other cases, trademarks may have found their way on to premium lists due to a lack of manual vetting by the registry, rather than nefarious targeting.
In the case of instagram.love, Evatt Merchant of .love registry Merchant Law Group told DI that Facebook can buy the name for the normal sunrise fee if it wants.
He told DI that trademark owners should contact the registry if they believe their marks have been wrongly given premium prices. He said:

While it is possible that some brand terms that are frequently googled have ended up on the premium list, valued based on their Google search frequency, there is a simple solution. During the sunrise period, brands seeking non-dictionary trademarked domain names can contact the registry so that a review of individual sunrise pricing can occur. As has already occurred, such requests will often result in the .LOVE TLD voluntarily offering to reduce their sunrise application cost to the base sunrise price and that would certainly be the case for Instagram.

ICANN does not regulate pricing in new gTLDs, but nevertheless the IPC and BC and their members have asked ICANN to include premium pricing of trademarked names in its upcoming review of rights protection mechanisms.

Wildly popular Facebook scam attack hits .ninja

Rightside’s .ninja appears to be the victim of a broad, highly effective affiliate marketing scam that targets Indians and exploits Facebook’s trademark.
Today, 11 of the top 12 most-visited .ninja domains are linked to the same attack. Each has an Alexa ranking of under 15,000. They’re all in the top 40 new gTLD domain names by traffic, according to Alexa.
The domains are com-news.ninja, com-finance-news.ninja, com-important-finance-update.ninja, com-important-finance-news.ninja, com-important-update.ninja, com-important-news.ninja, com-important-news-update.ninja, com-finance-now.ninja, com-finance.ninja, com-news-now.ninja and com-personal-finance.ninja.
The domains do not directly infringe any trademarks and appear innocuous enough when visited — they merely redirect to the genuine facebook.com.
However, adding “facebook” at the third level leads users to pages such as this one, which contains a “work at home” scam.
Indian visitors are told that Facebook will pay them the rupee equivalent of about $250 per day just for posting links to Facebook, under some kind of deal between Bill Gates and Mark Zuckerberg.
It’s all nonsense of course. The page is filled with faked social media quotes and borrowed stock photos.
Not only that, but it uses Facebook’s logo and look-and-feel to make it appear, vaguely, like it’s a genuine Facebook site.
The links in the page all lead to an affiliate marketing campaign that appears, right now, to be misconfigured.
Infringing trademarks at the third level in order to spoof brands is not a new tactic — it’s commonly used in phishing attacks — but this is the first time I’ve seen it deployed so successfully in the new gTLD space.
It would be tricky, maybe impossible, for Facebook to seize the domains using UDRP or have them suspended using URS, given that the second-level domains are clean.
But it seems very probable that the domains are in violation of more than one element of Rightside’s anti-abuse policy, which among other things forbids trademark infringement and impersonation.
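A detection sketch for the pattern described in this post, added here and not taken from the original article or from Rightside: it scans resolver log lines for names where a protected brand sits at the third level in front of a second-level label such as "com-news", and groups hits by the registrable domain an abuse report would name. The brand list, the TLD list, the log format, the sample lines and the single-label-TLD assumption are all constructed for illustration.

```python
from collections import defaultdict

# Assumptions: brands the defender monitors, and TLD strings that make a
# hyphenated second-level label read like the end of a well-known domain.
PROTECTED_BRANDS = {"facebook", "instagram"}
BAIT_TLDS = {"com", "net", "org"}

# Constructed resolver log lines: "<timestamp> <client> <queried name>".
SAMPLE_LOG = """\
2015-06-01T09:14:02Z 10.0.0.21 facebook.com-news.ninja.
2015-06-01T09:14:07Z 10.0.0.21 www.facebook.com.
2015-06-01T09:15:40Z 10.0.0.34 Facebook.com-important-finance-update.ninja.
2015-06-01T09:16:11Z 10.0.0.34 com-news.ninja.
2015-06-01T09:17:55Z 10.0.0.48 m.facebook.com-news.ninja.
2015-06-01T09:18:03Z 10.0.0.52 shop.example.org.
"""


def classify(qname, brands=PROTECTED_BRANDS):
    """Return a finding if qname reads as '<brand>.<tld>' but is registered elsewhere.

    Assumes a single-label public suffix (true for .ninja); a production check
    would use the Public Suffix List to find the registrable domain.
    """
    labels = [part for part in qname.strip().lower().rstrip(".").split(".") if part]
    if len(labels) < 3:
        return None  # no third level, so nothing sits in front of the SLD
    tld, sld = labels[-1], labels[-2]
    bait, hyphen, _rest = sld.partition("-")
    if not hyphen or bait not in BAIT_TLDS:
        return None  # second-level label does not start with "com-" etc.
    brand = labels[-3]  # the label that visually precedes ".com-..."
    if brand not in brands:
        return None
    return {
        "brand": brand,
        "registrable": f"{sld}.{tld}",  # what the registry/registrar can act on
        "reads_as": f"{brand}.{bait}",  # what the user thinks they are visiting
    }


def scan_log(text):
    """Aggregate findings per registrable domain across all log lines."""
    hits = defaultdict(lambda: {"brands": set(), "clients": set(), "queries": 0})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing at fields
        _timestamp, client, qname = parts
        finding = classify(qname)
        if finding is None:
            continue
        entry = hits[finding["registrable"]]
        entry["brands"].add(finding["brand"])
        entry["clients"].add(client)
        entry["queries"] += 1
    return {
        domain: {
            "brands": sorted(entry["brands"]),
            "clients": sorted(entry["clients"]),
            "queries": entry["queries"],
        }
        for domain, entry in hits.items()
    }


if __name__ == "__main__":
    for domain, summary in sorted(scan_log(SAMPLE_LOG).items()):
        print(domain, summary)
```

The bare second-level name and the genuine www.facebook.com are not flagged, matching the post's observation that the second-level domains themselves are clean.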