Latest news of the domain name industry

Recent Posts

Governments kill off Patagonia’s dot-brand bid

Kevin Murphy, July 11, 2013, Domain Policy

The clothing retailer Patagonia has withdrawn its application for .patagonia after it became clear that ICANN’s Governmental Advisory Committee was unlikely to allow it.

Controversial from the outset, Patagonia’s dot-brand came under fire from governments including Argentina and Chile because the company is named after a large region of Latin America.

The GAC couldn’t find a consensus for a full-on objection to the bid, however, because the US government refused to agree that governments should have rights over such geographic terms.

However the US said last week that it would stand neutral on .patagonia and other geographic-flavored applications at next week’s ICANN meeting in Durban, smoothing the path to GAC consensus.

A GAC consensus objection would have spelled certain death to the application.

Amazon’s .amazon application is in exactly the same position as .patagonia was. Unless the company can come to some kind of arrangement with Brazil and over governments it may suffer the same fate.

Plural gTLDs not confusing, says ICANN (and two gotchas proving it wrong)

Dozens of new gTLD applicants will be breathing a sigh of relief this morning as ICANN said it will allow single and plural versions of the same gTLD to co-exist after all.

The decision, made Tuesday by ICANN’s New gTLD Program Committee, affects at least 98 applications. It said:

NGPC has determined that no changes are needed to the existing mechanisms in the Applicant Guidebook to address potential consumer confusion resulting from allowing singular and plural versions of the same string.

It was in response to the Governmental Advisory Committee, which had advised ICANN to “reconsider its decision to allow singular and plural versions of the same strings.”

Because of the wording of the advice, ICANN is able to disagree with the the GAC’s opinion that “singular and plural versions of the string as a TLD could lead to potential consumer confusion” without triggering its bylaws provision that forces it into time-consuming GAC negotiations.

By “reconsidering” plural/singular coexistence and not doing anything, it has stuck to the letter of the advice.

In its reconsideration it reconsiderated whether it should overturn the findings of its independent String Similarity Panel, which did not believe any plural/singular pairs were confusingly visually similar.

It also used the coexistence of second-level plural and singular domains, registered to different people, as evidence that users would not find similar coexistence at the top level confusing.

The decision has potentially far-reaching consequences on the new gTLD program.

First, it could mean that some plural/singular pairs will be allowed to exist while others will not.

There are a handful of formal String Confusion Objections filed by applicants for gTLDs that have singular or plural competitors in the current round.

These string pairs are not currently in contention sets, but if the objectors prevail only one of the strings will survive to delegation.

Other string pairs have no objections and will be allowed to coexist. This may be fair in a sense, but it’s not uniform nor predictable.

(One wonders if the String Confusion Objection arbitration panels will use ICANN’s ruling this week in their own decision-making process, which could open a can of worms.)

Second, I think the decision might encourage bad business practices by registries.

My beef with coexistence

I don’t think coexistence is a wholly terrible idea, but I do think it will have some negative effects, as I’ve expressed in the past.

First, I think it’s going to lead to millions of unnecessary defensive registrations.

And by “defensive” I’m not talking about companies protecting their trademarks. Whether you think they’re adequate or not, trademark owners already have protections in new gTLDs.

I’m talking about regular domain registrants, small businesses, entrepreneurs and so on. These people are going to find themselves buying two domains when they only need one.

Let’s say you’re Mad John’s Autos, and you’re registering madjohn.auto. You get to the checkout and Go Daddy offers you the matching .autos domain. Assuming similar pricing, you’d definitely register it, right?

You’ve always got to assume a certain subset of users will get confused and either wind up at a dead URL or a competitor’s site. It’s simpler just to defensively register both.

What if one was priced a little higher than the other? Maybe you’d still register it. How big would the price differential have to be before you decided not to buy the plural duplicate?

Buying two domains instead of one may not be a huge financial burden to individual registrants, but it’s going to lead to situations where gTLDs exist in symbiotic — or parasitic — pairs.

If you run the .auto registry, you may find that your plural competitor is spending so much on marketing .autos that you don’t need to lift a finger in order to sell millions of domain names.

Just make sure you’re partnered with the same registrars and bingo: you’re up-sell.

Attractive business plan, right? You may disagree, but when ICANN opens the floodgates for the second round of new gTLD applications in a couple years, we’ll find out for sure.

Two gotchas

Defenses of plural/singular gTLD coexistence often come from, unsurprisingly, the portfolio applicants that have applied for them and, presumably, may apply for them in future rounds.

“Singulars and plurals live together now on the [second-level domain] side,” Uniregistry said. “They create healthy competition and do not unduly confuse consumers to the point of annoyance.”

I wouldn’t disagree with that statement. Plural/singular coexistence may not confuse internet users to the point of danger or annoyance. But, I would argue, they do make people buy more domain names than they need to.

If you were buying autos.com today you’d definitely definitely buy auto.com as well and redirect it to autos.com. You’d be an idiot not too.

When I put this to Uniregistry execs privately several weeks ago, they disagreed with me. Nobody would bother with such duplicative/defensive domains, they said.

In response, I asked, cheekily: so why do you own uniregistries.com, redirecting it to uniregistry.com?

Another portfolio applicant, Donuts, also didn’t like the idea of plurals and singulars being mutually exclusive, according to this CircleID article. It doesn’t think they’re confusingly similar.

Yet a press release put out by the company last month accidentally said it planned to put its application for .apartment to auction.

The problem is that Donuts hasn’t applied for .apartment, it has applied for .apartments.

I feel rotten for highlighting a simple typo by a fellow media professional (I make enough of those) but isn’t that what we’re often talking about when discussing confusing similarity? Typos?

If the registry can get confused by its own applied-for strings, doesn’t that mean internet users will as well?

Oh, I’m a cybersquatter

Interestingly, ICANN’s belief that plurals are not confusing appears to be institutional.

At least, I discovered this morning that icanns.org, the plural of its primary domain, was available for registration.

So I bought it.

Let’s see how much traffic it gets.

If I get hit by a UDRP, that could be interesting too.

ICANN freezes “closed generic” gTLD bids

ICANN has temporarily banned “closed generic” gTLDs in response to Governmental Advisory Committee demands.

The ban, which may be lifted, affects at least 73 applications (probably dozens more) for dictionary-word strings that had been put forward with “single registrant” business models.

ICANN’s New gTLD Program Committee on Tuesday voted to prevent any applicant for a closed generic gTLD from signing a registry contract, pending further talks with the GAC.

In order to sign a registry agreement, applicants will have to agree to the following Public Interest Commitments:

1. Registry Operator will operate the TLD in a transparent manner consistent with general principles of openness and non-discrimination by establishing, publishing and adhering to clear registration policies.

2. Registry Operator of a “Generic String” TLD may not impose eligibility criteria for registering names in the TLD that limit registrations exclusively to a single person or entity and/or that person’s or entity’s “Affiliates” (as defined in Section 2.9(c) of the Registry Agreement). “Generic String” means a string consisting of a word or term that denominates or describes a general class of goods, services, groups, organizations or things, as opposed to distinguishing a specific brand of goods, services, groups, organizations or things from those of others.

The effect of this is that applications for closed generics are on hold until ICANN has figured out what exactly the GAC is trying to achieve with its advice, which emerged in its Beijing communique (pdf).

Closed generics have not to date been a specific category of gTLD. They’re basically bids like Symantec’s .antivirus, L’Oreal’s .beauty and Amazon’s .cloud, where the gTLD is not a “dot-brand” but every second-level domain would belong to the registry anyway.

The two main reasons the new gTLD program has allowed them so far are a) ICANN decided that coming up with definitions for categories of gTLD was too hard and prone to abuse, and b) ICANN didn’t want to overly restrict registries’ business models.

Apparently all it needed was a nudge from the GAC and a change of senior management to change its mind.

ICANN now has a definition of “generic”, which I believe is a first. To reiterate, it’s:

a string consisting of a word or term that denominates or describes a general class of goods, services, groups, organizations or things, as opposed to distinguishing a specific brand of goods, services, groups, organizations or things from those of others

If the proposed PIC stands after ICANN’s talks with the GAC, nobody will be able to operate a generic string as a single-registrant gTLD.

But there may be one massive loophole.

Let’s say Volkswagen had applied for .golf (it didn’t) as a single-registrant dot-brand gTLD.

In that context, “golf” is a word used to label one model of car, “distinguishing a specific brand of goods, services, groups, organizations or things from those of others”.

But the word “golf” is also indisputably “a word or term that denominates or describes a general class of goods, services, groups, organizations or things”.

So which use case would trump the other? Would Volkswagen be banned from using .golf as a dot-brand?

It’s not just hypothetical. There are live examples in the current round of single-registrant applications that are both generic terms in one industry and brands in others.

Apple’s application for .apple is the obvious one. While it’s hard to imagine apple farmers wanting a gTLD, we don’t yet know how crazy the gTLD landrush is going to get in future rounds.

What of Bond University’s application for .bond? It’s a brand in terms of further education, but a generic term for debt instruments in finance.

Boots’ application for .boots? A brand in the high street pharmacy game, a generic if you sell shoes. Google’s application for .chrome is a brand in browsers but a generic in metallurgy.

None of the examples given here (and there are many more) are on the GAC’s list of problematic closed generics, but as far as I can see they would all be affected by ICANN’s proposed PIC.

The affected applications are not dead yet, of course. ICANN could change its view and drop the new PIC requirement a few months from now after talking to the GAC.

But the applications do appear to be in limbo for now.

ICANN offers to split the cost of GAC “safeguards” with new gTLD registries

Kevin Murphy, June 28, 2013, Domain Policy

All new gTLD applicants will have to abide by stricter rules on security and Whois accuracy under government-mandated changes to their contracts approved by the ICANN board.

At least one of the new obligations is likely to laden new gTLDs registries with additional ongoing costs. In another case, ICANN appears ready to shoulder the financial burden instead.

The changes are coming as a result of ICANN’s New gTLD Program Committee, which on on Tuesday voted to adopt six more pieces of the Governmental Advisory Committee’s advice from March.

This chunk of advice, which deals exclusively with security-related issues, was found in the GAC’s Beijing communique (pdf) under the heading “Safeguards Applicable to all New gTLDs”.

Here’s what ICANN has decided to do about it.

Mandatory Whois checks

The GAC wanted all registries to conduct mandatory checks of Whois data at least twice a year, notifying registrars about any “inaccurate or incomplete records” found.

Many new gTLD applicants already offered to do something similar in their applications.

But ICANN, in response to the GAC advice, has volunteered to do these checks itself. The NGPC said:

ICANN is concluding its development of a WHOIS tool that gives it the ability to check false, incomplete or inaccurate WHOIS data

Given these ongoing activities, ICANN (instead of Registry Operators) is well positioned to implement the GAC’s advice that checks identifying registrations in a gTLD with deliberately false, inaccurate or incomplete WHOIS data be conducted at least twice a year. To achieve this, ICANN will perform a periodic sampling of WHOIS data across registries in an effort to identify potentially inaccurate records.

While the resolution is light on detail, it appears that new gTLD registries may well be taken out of the loop completely, with ICANN notifying their registrars instead about inaccurate Whois records.

It’s not the first time ICANN has offered to shoulder potentially costly burdens that would otherwise encumber registry operators. It doesn’t get nearly enough credit from new gTLD applicants for this.

Contractually banning abuse

The GAC wanted new gTLD registrants contractually forbidden from doing bad stuff like phishing, pharming, operating botnets, distributing malware and from infringing intellectual property rights.

These obligations should be passed to the registrants by the registries via their contracts with registrars, the GAC said.

ICANN’s NGPC has agreed with this bit of advice entirely. The base new gTLD Registry Agreement is therefore going to be amended to include a new mandatory Public Interest Commitment reading:

Registry Operator will include a provision in its Registry-Registrar Agreement that requires Registrars to include in their Registration Agreements a provision prohibiting Registered Name Holders from distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law, and providing (consistent with applicable law and any related procedures) consequences for such activities including suspension of the domain name.

The decision to include it as a Public Interest Commitment, rather than building it into the contract proper, is noteworthy.

PICs will be subject to a Public Interest Commitment Dispute Resolution Process (PICDRP) which allows basically anyone to file a complaint about a registry suspected of breaking its commitments.

ICANN would act as the enforcer of the ruling, rather than the complainant. Registries that lose PICDRP cases face consequences up to an including the termination of their contracts.

In theory, by including the GAC’s advice as a PIC, ICANN is handing a loaded gun to anyone who might want to shoot down a new gTLD registry in future.

However, the proposed PIC language seems to be worded in such a way that the registry would only have to include the anti-abuse provisions in its contract in order to be in compliance.

Right now, the way the PIC is worded, I can’t see a registry getting terminated or otherwise sanctioned due to a dispute about an instance of copyright infringement by a registrant, for example.

I don’t think there’s much else to get excited about here. Every registry or registrar worth a damn already prohibits its customers from doing bad stuff, if only to cover their own asses legally and keep their networks clean; ICANN merely wants to formalize these provisions in its chain of contracts.

Actually fighting abuse

The third through sixth pieces of GAC advice approved by ICANN this week are the ones that will almost certainly add to the cost of running a new gTLD registry.

The GAC wants registries to “periodically conduct a technical analysis to assess whether domains in its gTLD are being used to perpetrate security threats such as pharming, phishing, malware, and botnets.”

It also wants registries to keep records of what they find in these analyses, to maintain a complaints mechanism, and to shut down any domains found to be perpetrating abusive behavior.

ICANN has again gone the route of adding a new mandatory PIC to the base Registry Agreement. It reads:

Registry Operator will periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets. Registry Operator will maintain statistical reports on the number of security threats identified and the actions taken as a result of the periodic security checks. Registry Operator will maintain these reports for the term of the Agreement unless a shorter period is required by law or approved by ICANN, and will provide them to ICANN upon request.

You’ll notice that the language is purposefully vague on how registries should carry out these checks.

ICANN said it will convene a task force or GNSO policy development process to figure out the precise details, enabling new gTLD applicants to enter into contracts as soon as possible.

It means, of course, that applicants could wind up signing contracts without being fully apprised of the cost implications. Fighting abuse costs money.

There are dozens of ways to scan TLDs for abusive behavior, but the most comprehensive ones are commercial services.

ICM Registry, for example, decided to pay Intel/McAfee millions of dollars — a dollar or two per domain, I believe — for it to run daily malware scans of the entire .xxx zone.

More recently, Directi’s .PW Registry chose to sign up to Architelos’ NameSentry service to monitor abuse in its newly relaunched ccTLD.

There’s going to be a fight about the implementation details, but one way or the other the PIC would make registries scan their zones for abuse.

What the PIC does not state, and where it may face queries from the GAC as a result, is what registries must do when they find abusive behavior in their gTLDs. There’s no mention of mandatory domain name suspension, for example.

But in an annex to Tuesday’s resolution, ICANN’s NGPC said the “consequences” part of the GAC advice would be addressed as part of the same future technical implementation discussions.

In summary, the NGPC wants registries to be contractually obliged to contractually oblige their registrars to contractually oblige their registrants to not do bad stuff, but there are not yet any obligations relating to the consequences, to registrants, of ignoring these rules.

This week’s resolutions are the second big batch of decisions ICANN has taken regarding the GAC’s Beijing communique.

Earlier this month, it accepted some of the GAC’s direct advice related to certain specific gTLDs it has a problem with, the RAA and intergovernmental organizations and pretended to accept other advice related to community objections.

The NGPC has yet to address the egregiously incompetent “Category 1” GAC advice, which was the subject of a public comment period.

Verisign says people might die if new gTLDs are delegated

Kevin Murphy, June 2, 2013, Domain Policy

If there was any doubt in your mind that Verisign is trying to delay the launch of new gTLDs, its latest letter to ICANN and the Governmental Advisory Committee advice should settle it.

The company has ramped up its anti-expansion rhetoric, calling on the GAC to support its view that launching new gTLDs now will put the security and stability of the internet at risk.

People might die if some strings are delegated, Verisign says.

Among other things, Verisign is now asking for:

  • Each new gTLD to be individually vetted for its possible security impact, with particular reference to TLDs that clash with widely-used internal network domains (eg, .corp).
  • A procedure put in place to throttle the addition of new gTLDs, should a security problem arise.
  • A trial period for each string ICANN adds to the root, so that new gTLDs can be tested for security impact before launching properly.
  • A new process for removing delegated gTLDs from the root if they cause problems.

In short, the company is asking for much more than it has to date — and much more that is likely to frenzy its rivals — in its ongoing security-based campaign against new gTLDs.

The demands came in Verisign’s response to the GAC’s Beijing communique, which detailed government concerns about hundreds of applied-for gTLDs and provided frustratingly vague remediation advice.

Verisign has provided one of the most detailed responses to the GAC advice of any ICANN has received to date, discussing how each item could be resolved and/or clarified.

In general, it seems to support the view that the advice should be implemented, but that work is needed to figure out the details.

In many cases, it’s proposing ICANN community working groups. In others, it says each affected registry should negotiate individual contract terms with ICANN.

But much of the 12-page letter talks about the security problems that Verisign suddenly found itself massively concerned about in March, a week after ICANN started publishing Initial Evaluation results.

The letter reiterates the potential problem that when a gTLD is delegated that is already widely used on internal networks, security problems such as spoofing could arise.

Verisign says there needs to be an “in-depth study” at the DNS root to figure out which strings are risky, even if the volume of traffic they receive today is quite low.

It also says each string should be phased in with an “ephemeral root delegation” — basically a test-bed period for each new gTLD — and that already-delegated strings should be removed if they cause problems:

A policy framework is needed in order to codify a method for braking or throttling new delegations (if and when these issues occur) either in the DNS or in dependent systems that provides some considerations as to when removing an impacting string from the root will occur.

While it’s well-known that strings such as .home and .corp may cause issues due to internal name clashes and their already high volume of root traffic, Verisign seems to want every string to be treated with the same degree of caution.

Lives may be on the line, Verisign said:

The problem is not just with obvious strings like .corp, but strings that have even small query volumes at the root may be problematic, such as those discussed in SAC045. These “outlier” strings with very low query rates may actually pose the most risks because they could support critical devices including emergency communication systems or other such life-supporting networked devices.

We believe the GAC, and its member governments, would undoubtedly share our fundamental concern.

The impact of pretty much every recommendation made in the letter would be to delay or prevent the delegation of new gTLDs.

A not unreasonable interpretation of this is that Verisign is merely trying to protect its $800 million .com business by keeping competitors out of the market for as long as possible.

Remember, Verisign adds roughly 2.5 million new .com domains every month, at $7.85 a pop.

New gTLDs may well put a big dent in that growth, and Verisign doesn’t have anything to replace it yet. It can’t raise prices any more, and the patent licensing program it has discussed has yet to bear fruit.

But because the company also operates the primary DNS root server, it has a plausible smokescreen for shutting down competition under the guise of security and stability.

If that is what is happening, one could easily make the argument that it is abusing its position.

If, on the other hand, Verisign’s concerns are legitimate, ICANN would be foolhardy to ignore its advice.

ICANN CEO Fadi Chehade has made it clear publicly, several times, that new gTLDs will not be delegated if there’s a good reason to believe they will destabilize the internet.

The chair of the SSAC has stated that the internal name problem is largely dealt with, at least as far as SSL certificates go.

The question now for ICANN — the organization and the community — is whether Verisign is talking nonsense or not.