ICANN chair Steve Crocker is among a packed line-up of speakers for an event on Tuesday that will address the potential security risks of name collisions in the new gTLD program.
It’s the second of the TLD Security Forums, which are organized by new gTLD applicants unhappy with ICANN’s proposal to delay hundreds of “uncalculated risk” applied-for gTLDs.
The first event, held in August, was notable for statements from the likes of Google and Digicert playing down the risk.
While Crocker is scheduled to speak on Tuesday, anyone expecting insight into the ICANN board’s thinking on name collisions is likely to be disappointed.
The title of his talk is “The Current State of DNSSEC Deployment”, which isn’t directly relevant to the issue.
Crocker, due to conflict-of-interest protections, is also not a member of ICANN’s New gTLD Program Committee, which is tasked with making decisions about the collision problem.
While Crocker’s views may wind up remaining private, we can’t say the same for Amy Mushahwar and Dan Jaffe, representing the Association of National Advertisers, both of whom are also speaking.
The ANA is firmly in the Verisign camp on this issue, claiming that gTLD name collisions create unacceptable security risks for organizations on the internet.
Also on the line-up for Tuesday are Laureen Kapin of the US Federal Trade Commission and Gabriel Rottman of the American Civil Liberties Union, both of whom could bring new perspectives to the debate.
The TLD Security Forum begins at 9am at the Washington Hilton and Heights Meeting Center in Washington, DC. It’s free to attend and will be webcast for those unable to show up in person.
The US Federal Trade Commission is still “looking at” ICANN’s new gTLD program amid concerns that most of the applicants applied defensively, it has emerged.
FTC chairman Jon Leibowitz also said today that he thinks new gTLDs will cause consumer confusion and lead to an increase in fraud.
“We have been very, very concerned about ICANN and their dramatic expansion of the domain names, which we think will cause consumer confusion and even worse lead to more areas where malefactors can hide from the law while defrauding consumers,” Leibowitz said.
“A lot of companies that have plunked down $185,000 per domain name — and there have been hundreds of companies that have done it — have mostly done it for defensive purposes,” he added.
Most new gTLDs are not dot-brands, so Leibowitz probably misspoke when he said that “most” applications are defensive. Within the subset of bids that are dot-brands, he may be on firmer ground.
His comments came during a press conference to discuss the FTC’s settlement of its competition probe of Google, which has itself applied for almost 100 new gTLDs.
The settlement agreement relates to Google’s search practices and not its gTLD applications.
Leibowitz said that the FTC is “not looking at that issue [new gTLDs] with respect to Google, we’re looking at that issue with respect to ICANN”.
The FTC’s concerns about the program are not new, but it has not publicly expressed them recently.
In December 2011 the agency said the program could “magnify both the abuse of the domain name system and the corresponding challenges we encounter in tracking down Internet fraudsters.”
No more Donald Duck in the Whois?
Registrars could be obliged to verify their customers’ identities when they sell domain names under new rules proposed for later this year, according to ICANN president Rod Beckstrom.
He told National Telecommunications and Information Administration boss Larry Strickling today that the new provisions could make it into the new Registrar Accreditation Agreement by March.
ICANN expects that the RAA will incorporate – for the first time – Registrar commitments to verify WHOIS data. ICANN is actively considering incentives for Registrars to adopt the anticipated amendments to the RAA prior to the rollout of the first TLD in 2013.
The RAA is currently being renegotiated by ICANN and the registrar community, following governmental outrage about the RAA at its meeting in Dakar last October.
If new Whois rules are added to the RAA, it will be up to registrars to decide whether to implement them immediately or wait until their existing ICANN contracts expire — hence the need for “incentives”.
Documents ICANN has been posting following its RAA meetings have been less than illuminating, so the letter to Strickling today is the first public insight into what the new contract may contain.
Whois verification, which is often found at the top of the wish-lists of intellectual property and law enforcement communities, is of course hugely controversial.
Civil rights advocates believe that checking registrant identities will infringe on rights to privacy and free speech, while not helping to prevent crime. Actual criminals will of course not hand over their true identities when registering domain names.
The process of verifying Whois data may also wind up making domain names more expensive, due to the costs registrars will incur implementing or subscribing to automated verification systems.
Nevertheless, the anti-new-gTLDs campaign in Washington DC led by the Association of National Advertisers recently led to Whois – a separate issue – being placed firmly on the new gTLDs agenda.
Both the chairman of the Federal Trade Commission and Strickling wrote to ICANN to express concern about the lack of progress on strengthening Whois over the last few years.
ICANN has not completely ruled out the possibility that its new generic top-level domains program will be delayed, according to senior vice president Kurt Pritz.
Pritz was asked during a meeting of the GNSO Council last week whether the recent Congressional hearings into new gTLDs could lead to a delay of the January 12 launch.
“I think the risk is above zero,” Pritz said.
An “above zero” risk of delay could still mean a very small risk, of course.
He went on to point out that “the reputation of the multi-stakeholder model is wrapped up in this too”, and that to delay would be a disservice to all the people who have worked on the program.
He noted that National Telecommunications and Information Administration assistant secretary Larry Strickling has come out in strong support of the multi-stakeholder model.
While the NTIA does not plan to enforce a delay, ICANN itself could make the decision under political pressure from elsewhere in the US, such as from Congress or the Federal Trade Commission.
Pritz faced a rough ride during a House Energy and Commerce Committee hearing last week, during which a number of Congressmen said they believed delay was appropriate.
The committee was largely concerned about the possible costs to trademark holders and implications for law enforcement agencies.
The hearing was called following lobbying by the Association of National Advertisers and the Coalition for Responsible Internet Domain Oversight.
The US Federal Trade Commission has come out swinging against ICANN’s new generic top-level domains program, saying it will increase online fraud and should be scaled back.
In an open letter to ICANN’s top brass yesterday, the FTC’s four commissioners claimed that “the dramatic introduction of new gTLDs poses significant risks to consumers”.
Saying that more gTLDs will make it easier for scammers to acquire domain names confusingly similar to existing brands, the commissioners said the program should be rolled out as a limited pilot.
The FTC commissioners wrote (pdf):
A rapid, exponential expansion of gTLDs has the potential to magnify both the abuse of the domain name system and the corresponding challenges we encounter in tracking down Internet fraudsters. In particular, the proliferation of existing scams, such as phishing, is likely to become a serious challenge given the infinite opportunities that scam artists will now have at their fingertips. Fraudsters will be able to register misspellings of businesses, including financial institutions, in each of the new gTLDs, create copycat websites, and obtain sensitive consumer data with relative ease before shutting down the site and launching a new one.
The letter demands better Whois accuracy enforcement, better ICANN compliance programs, and a cap on approved new gTLDs in the first round, perhaps as low as a couple dozen.
The FTC’s claims that new gTLDs will increase phishing may not be supported by reality, however.
The latest data (pdf) from the Anti-Phishing Working Group shows that in the first half of the year only 18% of domain names used in phishing attacks were registered by the attacker.
That was down from 28% in the second half of 2010. Phishers are much more likely to compromise a domain belonging to somebody else – by hacking a web server, for example.
Of the 14,650 maliciously registered domains, 10,444 (70%) were used to phish Chinese targets, “overwhelmingly” the e-commerce site Taobao.com, the APWG found.
Furthermore, only 2% of these domains – just 1,816 over six months – were judged to have been registered due to their confusing similarity with the brands they target.
The APWG said (emphasis in the original):
These are the lowest numbers we have observed in the past four years, and show that using domain names containing brand strings has fallen further out of favor among phishers.
the domain name itself usually does not matter to phishers, and a domain name of any meaning, or no meaning at all, in any TLD, will usually do. Instead, phishers almost always place brand names in subdomains or subdirectories
The APWG found only one gTLD that ICANN has introduced – .info, with 4.5% – in its top ten phishing TLDs. The .com space accounts for 48.9% of all phishing domains.
Will the increase in the number of gTLDs reverse these trends? The FTC seems to think so, but the claims in its letter appear to be based largely on guesswork and fear rather than data.
I suspect that the FTC’s letter is more concerned with ICANN’s ongoing bilateral talks with registrars over law enforcement-demanded amendments to the Registrar Accreditation Agreement.
These talks are completely separate and distinct from the new gTLDs program policies, but in the last few weeks we’ve seen them being repeatedly conflated by US lawmakers, and now the FTC.
This may be ignorance, but it could just as well be an attempt to apply political pressure on ICANN to make sure the RAA talks produce the results law enforcement agencies want to see.
ICANN does not want to be forced into an embarrassing retreat on its hard-fought gTLD expansion. By producing a strong RAA, it could deflect some of the concerns about the program.