Latest news of the domain name industry

Could .cpa be the most successful new gTLD sunrise yet?

Kevin Murphy, September 25, 2020, Domain Registries

The registry for the new .cpa gTLD reckons it has received “thousands” of applications for domains during its current launch period, potentially making it the most successful gTLD sunrise since 2012.

The American Institute of Certified Public Accountants, which manages the TLD, said today:

Well over half of the 100 biggest U.S. firms — as well as an equally large percentage of the next 400 — have begun advancing their applications as part of the early phase of the .cpa registration process, which launched on Sept. 1.

Assuming “thousands” means at least 2,000, this would make .cpa a top three or four sunrise, judging by figures collected by ICANN showing Google’s .app the current volume leader at 2,908.

But we can’t assume that all the .cpa domains boasted of are trademark-verified sunrise period applications under ICANN’s rules.

AICPA is running a simultaneous Limited Registration Period during which any CPA firm can apply for domains that are “most consistent with their current digital branding” — ie, no trademark required.

Both of these periods end October 31, after which the registry will dole out domains in a batch, presumably giving preference to the sunrise applicants.

We have to assume the amount of purely defensive registrations will be relatively low, due to AICPA’s policies.

Not only are registrants limited to licensed CPA companies and individuals, but registrants have to commit to redirect their .cpa domain to their existing web site within a month and deploy a full web site within a year.

.cpa domains sell for $225 a year, according to the registry. General availability is scheduled for January 15.

ICANN 69 returning to YouTube

Kevin Murphy, September 25, 2020, Domain Policy

ICANN is to make its annual general meeting next month available as a stream on YouTube, the org has announced.

That’s in addition to the Zoom rooms that have been used exclusively for meetings since the coronavirus pandemic hit at the start of the year.

The YouTube streams will be listen/view only and will have up to 30 seconds delay compared to the live Zoom rooms, which will of course continue to have interactivity.

The move will be a welcome return for those of us who need to listen in to sessions and not necessarily engage.

Unfortunately, only five “high-interest” sessions will be available, and there won’t be any live interpretation for the non-English speakers.

For the Zoom rooms, there’ll be mandatory registration before you can even view the meeting schedule. The links will be hidden behind a login screen.

This is largely due to repeated incidents of “Zoom-bombing”, where trolls interrupt proceedings with inflammatory off-topic material.

Whois plan approved, but it may be a waste of money

Kevin Murphy, September 24, 2020, Domain Policy

ICANN’s GNSO Council has approved a plan to overhaul Whois and sent it to the ICANN board for the royal assent, alongside a warning that it may be a huge waste of money.

All seven members of the Contracted Parties House voted in favor of the plan, created by the so-called EPDP working group, which would create a centralized System for Standardized Access/Disclosure for Whois records.

In the Non-Contracted Parties House, only the two members of the Intellectual Property Constituency and the two members of the Business Constituency voted against the headline resolution, with the remaining nine voting in favor.

This was sufficient to count as a supermajority, which was the threshold required.

But the board will be receiving the SSAD recommendations alongside a request for a consultation on “whether a further cost-benefit analysis should be conducted”:

Noting some of the questions surrounding the financial sustainability of SSAD and some of the concerns expressed within the different minority statements, the GNSO Council requests a consultation with the ICANN Board as part of the delivery of the GNSO Council Recommendations Report to the ICANN Board to discuss these issues, including whether a further cost-benefit analysis should be conducted before the ICANN Board considers all SSAD-related recommendations for adoption.

The cost of SSAD is currently estimated by ICANN loosely at $9 million to build and $8.9 million a year to run. Under the approved recommendations, it would be paid for by accreditation fees paid by end-user data requestors.

And the benefits?

Well, to listen to the IPC, BC, governments and security experts — collectively the expected customers of SSAD — the system will be a bit rubbish and maybe not even worth using.

They complain that SSAD still leaves ultimate responsibility for deciding whether to grant access to Whois records to trained humans at individual registries and registrars. They’d prefer a centralized structure, with much more automation, more closely resembling the pre-GDPR universe.

Contracted parties counter that if GDPR is going to hold them legally responsible for disclosures, they can’t risk offloading decision-making to a third party.

But this could prove a deterrent to adoption, and if fewer companies want to use SSAD, that could mean less revenue to fund it, which in turn could lead to even higher prices or the need for subsidies out of ICANN’s budget.

The IPC called the recommendations “an outcome that will not meet the needs of, and therefore will not be used by, stakeholders”.

It’s a tricky balancing act for ICANN, and it could further extend the runway to implementation.

The most likely first chance the ICANN board will get to vote on the recommendations would be the AGM, October 22, but if the GNSO consultation concludes another cost/benefit analysis is due, that would likely push the vote out into 2021.

There’s the additional wrinkle that three of ICANN’s four advisory committees, including the governments, have expressed their displeasure with the EPDP outcome, which is likely to add complexity and delay to the roadmap.

And the GNSO’s work on Whois is not even over yet.

Also during today’s meeting, the Council started early talks on whether to reopen the EPDP to address the issues of data accuracy, whether registrars should be obliged to distinguish between legal and natural persons, and whether it’s feasible to have a uniform system of anonymized email addresses in Whois records.

Should YOU have to pay when lawyers access your private Whois info?

Kevin Murphy, September 23, 2020, Domain Policy

The question of who should shoulder the costs of ICANN’s proposed Whois overhaul is being raised, with governments and others suggesting that the burden should fall on registrants themselves.

In separate statements to ICANN recently, the Governmental Advisory Committee and Security and Stability Advisory Committee both put forward the view that registrants, rather than the trademark lawyers behind most requests for private Whois data, should fund the system.

ICANN currently expects the so-called System for Standardized Access/Disclosure (SSAD), proposed after two years of talks in an ICANN community working group, to cost $9 million to build and another $9 million a year to operate.

The working group, known as the EPDP, has recommended in its final report that registrants “MUST NOT bear the costs for having data disclosed to third parties”.

Instead, it recommended that requestors themselves should pay for the system, probably via an annual accreditation fee.

But now the GAC and SSAC have issued minority statements calling that conclusion into question.

The GAC told ICANN (pdf):

While the GAC recognizes the appeal of not charging registrants when others wish to access their data, the GAC also notes that registrants assume the costs of domain registration services as a whole when they register a domain name.

While the SSAC said (pdf):

Data requestors should not primarily bear the costs of maintaining the system. Requestors should certainly pay the cost of getting accredited and maintaining their access to the system. But the current language of [EPDP Recommendation] 14.2 makes victims and defenders cover the costs of the system’s operation, which is unfair and is potentially dangerous for Internet security…

No previous PDP has protected registrants from having the costs associated with “core” registration services or the implementation of consensus policies being passed on to them. No previous PDP has tried to manipulate the functioning of market forces as is proposed in Recommendation 14.

SSAC suggested instead that registrars should be allowed to pass on the costs of SSAD to their customers, and/or that ICANN should subsidize the system.

Spread over 210 million gTLD domain names, $9 million a year would work out to less than five cents per domain, but one could argue there’s a principle at stake here.

Should registrants have to pay for the likes of Facebook (probably the biggest requestor of private Whois data) to access their private contact information?

The current proposed system would see the estimated $9 million spread out over a far smaller number of requestors, making the fee something like $450 per year.

EPDP member Milton Mueller did the math and concluded that any company willing to pay its lawyers hundreds of thousands of dollars to fight for greater Whois access in ICANN could certainly swallow a measly few hundred bucks a year.

But the minority objections from the GAC, SSAC and Intellectual Property Constituency do not focus wholly on the costs. They’re also bothered that SSAD doesn’t go nearly far enough to actually provide access to Whois data.

Under the current, temporary, post-GDPR system, registries and registrars basically use their own employees’ discretion when deciding whether to approve a Whois data request.

That wouldn’t change significantly under SSAD, but there would be a huge, multi-tiered system of accreditation and request-forwarding that’s been described as a “glorified, overly complex and very expensive ticketing system”.

The GAC wants something much more automated, or for the policy to naturally allow increased automation over time. It also wants increased centralization, taking much of the human decision-making at registrars out of the equation.

The response from the industry has basically been that if GDPR makes them legally liable for their customers’ data, then it’s the registries and registrars that should make the disclosure decisions.

The GAC has a great deal of power over ICANN, so there’s likely to be a bit of a fight about the EPDP’s outcomes and the future of SSAD.

The recommendations are due to be voted on by the GNSO Council at its meeting tomorrow, and as I’ve noted before, it could be tight.

Council chair Keith Drazek seems to be anticipating some lively debate, and he’s already warned fellow members that he’s not minded to approve any request for a delay on the vote, noting that the final report has been available for review for several weeks.

By convention, the Council will defer a vote on the request of any of its constituency groups, but this is sometimes exploited.

Should the Council approve the resolution approving the final report — which contains a request for further financial review of SSAD — then it will be forwarded to the ICANN board of directors for final discussion and approval.

But with the GAC on its case, with its special advisory powers, getting SSAD past the board could prove tricky.

Donuts to launch .contact next week

Kevin Murphy, September 23, 2020, Domain Registries

Almost a year and a half after buying it, Donuts is ready to launch its newest gTLD, .contact.

According to ICANN records, the sunrise period for the domain will run from September 29 to November 28.

Registrars report that general availability will begin December 9. Retail pricing is expected to be competitive with .com.

Donuts will also run its traditional Early Access Period, from December 2, a week during which prices start very high and decline day by day.

It will be an unrestricted space, as is Donuts’ wont, and I imagine the suggested use case is something similar to the .tel model — the publication of contact information.

Donuts acquired .contact from Top Level Spectrum for an undisclosed amount in April 2019.

Is India’s largest registrar about to go titsup? And where the hell is ICANN?

Kevin Murphy, September 21, 2020, Domain Registrars

India’s largest independent domain name registrar appears to be “doing an AlpNames”, with many customers complaining about domains going dark, transfer codes not being issued, and customer support being unavailable for weeks.

Net 4 India, which claims to have 400,000 customers, has been in insolvency proceedings for over two years, but it’s only in the last couple months that the complaints have started piling up by the scores from disgruntled customers.

A major complaint is that renewals are not processed even after they are paid for, that transfer authcodes never arrive, that customer support never picks up the phone or replies to emails, and (occasionally) that the Net4 web site itself is down.

As we saw with AlpNames last year and RegisterFly back in the mists of time, these are all the warning signs of a registrar in trouble.

On its web site, Net4 prominently warns customers that its call centers are operating on a skeleton staff due to India’s coronavirus lockdown measures, which may account for the lack of support.

But there are reports that customers have visited the company’s offices in person to find them closed.

There’s been radio silence from the registrar. Even its Twitter account is private.

Many local commentators are pointing to the fact that Net4 is in protracted insolvency proceedings as the true underlying issue.

There have been calls for government intervention, action by .in registry NIXI, ICANN enforcement, and even the Indian equivalent of a class action lawsuit. This local cyber law blogger is all over it.

But what is ICANN doing about it?

Net4 was taken to a quasi-judicial insolvency court in 2017 by a debt-recovery company called Edelweiss over the rupee equivalent of about $28 million of unpaid loans from the State Bank of India.

ICANN has been aware of this fact since at least April 2019, when it started calling the registrar for an explanation.

Under the standard Registrar Accreditation Agreement, being in insolvency for over 30 days is grounds for unilateral termination by ICANN.

ICANN could terminate the agreement and transfer all of Net4’s gTLD domain names to a different registrar pretty much at will — all the registrant data is in escrow. This would not protect Net4’s many thousands of .in registrants of course.

ICANN suspended Net4’s RAA in June last year, but Net4 somehow managed to talk its way out of it. ICANN later rescinded the suspension on the proviso that the registrar provide monthly updates regarding its insolvency.

Net4’s cure period has been extended three times by ICANN. The latest expired July 31 this year.

At least one ICANN staffer is on the case, however. ICANN’s head of India Samiran Gupta has recently been reaching out to customers on Twitter, offering his email address and assistance getting in contact with Net4 staff, apparently with some success.

But Net4 had 95,000 gTLD names under management at the last count (though it’s been hemorrhaging thousands per month) so this individual approach won’t go very far.

No ICANN meetings until 2021

Kevin Murphy, September 16, 2020, Domain Policy

Community members itching to be able to suck up to (or berate) ICANN staffers in person rather than over the phone or videoconferencing will have to wait a little longer.

The Org announced today that all face-to-face meetings have been cancelled until the end of the year due to the ongoing coronavirus pandemic.

It doesn’t affect any of the big public meetings — the AGM in October was relocated from Hamburg to Zoom a few months ago — but regular business travel and intersessional meetings are hit.

It also means ICANN staffers will continue to work from home until January at the earliest, ICANN said.

The health and safety of our community and staff are always our top concern, and we believe it is not prudent to travel or encourage gatherings until at least the end of 2020. The ongoing and long-term health impact of COVID-19 on our community and staff is a risk that we are not willing to take. In addition, the travel landscape has not yet stabilized, which makes any travel complicated and risky.

Call me a pessimist, but I’d be very surprised if this is the last time the travel ban is extended.

Floodgates, open! Trademark Clearinghouse now supports .com

Kevin Murphy, September 15, 2020, Domain Services

The Trademark Clearinghouse has added .com to the roster of TLDs supported by its infringement notification service.

The Deloitte-managed service recently announced the change to its Ongoing Notification Service, which came into effect late last month.

The update means TMCH subscribers will receive alerts whenever a .com domain is registered that contains their trademark, helping them to decide whether to pursue enforcement actions such as UDRP.

Unlike the ICANN-mandated 90-day Trademark Claims period that accompanies the launch of each new gTLD, the registrant herself does not receive an alert of possible infringement at point of registration.

The service, which is not regulated by ICANN, is still free to companies that have their marks registered in the TMCH, which charges an extra dollar for every variation of a mark the holder wishes to monitor.

Such services have been commercially available from the likes of MarkMonitor for 20 years or more. The TMCH has been offering it for new gTLDs since they started launching at the end of 2013.

With the .com-shaped gaping hole now plugged, two things could happen.

First, clients may find a steep increase in the number of alerts they receive — .com is still the biggest-selling and in volume terms the most-abused TLD.

Second, commercial providers of similar services now find themselves competing against a free rival with an ICANN-enabled captive audience.

The upgrade comes at the tail end of the current wave of the new gTLD program. With the .gay launch out of the way and other desirable open TLDs tied up in litigation, there won’t be much call for TMCH’s core services for the next few years.

It also comes just a couple months after the .com zone file started being published on ICANN’s Centralized Zone Data Service, but I expect that’s just a coincidence.

GoDaddy could lose control of .co this week

Kevin Murphy, September 8, 2020, Domain Registries

It looks like GoDaddy’s recently acquired .co registry could lose formal control of the ccTLD this week.

ICANN’s board of directors has “Transfer of the .CO (Colombia) top-level domain to the Ministry of Information and Communications Technologies” on its agenda for its meeting this Thursday.

Since 2009, the IANA record for .co has shown the Colombian company .CO Internet as the sponsor, admin contact and tech contact.

.CO Internet was acquired by Neustar for $109 million in 2014. Neustar’s registry business, including the .co contract, was acquired by GoDaddy earlier this year. Most of .CO Internet’s original staff are still with the company.

GoDaddy now has the contract to run .co for the next five years, but as a service provider rather than having full administrative control of the TLD.

A redelegation to the Colombian ministry will not affect that contract, and in fact seems to have been envisaged by it.

Back in April when the renewal was announced, MinTIC said it would in future “be in charge of its [.co’s] administration through a group dedicated to Internet governance with technical personnel with knowledge and ability to manage and administer the domain”.

The new deal also sees Colombia receive 81% of the profits from .co, compared to the 6-7% it received under the old deal.

Assuming the ICANN board gives the redelegation the nod this week, it usually only takes IANA a day or two to make the appropriate updates to its registry.

ICANN ordered to freeze .hotel after “serious questions” about trade secrets “theft”

Kevin Murphy, September 3, 2020, Domain Policy

ICANN has been instructed to place the proposed .hotel gTLD in limbo after four applicants for the string raised “sufficiently serious questions” that ICANN may have whitewashed the “theft” of trade secrets.

The order was handed down last month by the emergency panelist in the Independent Review Process case against ICANN by claimants Fegistry, MMX, Radix and Domain Ventures Partners.

Christopher Gibson told ICANN to “maintain the status quo” with regard to the .hotel contention set, meaning currently winning applicant Hotel Top Level Domain, which is now owned by Afilias, won’t get contracted or delegated until the IRP is resolved.

At the core of the decision (pdf) is Gibson’s view that the claimants raised “sufficiently serious questions related to the merits” in allegations that ICANN mishandled and acted less than transparently in its investigation into a series of data breaches several years ago.

You may recall that ICANN seriously screwed up its new gTLD application portal, configuring it in such a way that any applicant was able to search for and view the confidential data, including financial information such as revenue projections, of any other competing applicant.

Basically, ICANN was accidentally publishing applicants’ trade secrets on its web site for years.

ICANN discovered the glitch in 2015 and conducted an audit, which initially fingered Dirk Krischenowski — who at the time was the half-owner of a company that owned almost half of HTLD as well as a lead consultant on the bid — as the person who appeared to have accessed the vast majority of the confidential data in March and April 2014.

ICANN did not initially go public with his identity, but it did inform the affected applicants and I managed to get a copy of the email, which said he’d downloaded about 200 records he shouldn’t have been able to access.

It later came to light that Krischenowski was not the only HTLD employee to use the misconfiguration to access data — according to ICANN, then-CEO of HTLD Katrin Ohlmer and lawyer Oliver Süme had too.

HTLD execs have always denied any wrongdoing, and as far as I know there’s never been any action against them in the proper courts. Krischenowski has maintained that he had no idea the portal was glitched, and he was using it in good faith.

Also, neither Ohlmer nor Krischenowski is still involved with HTLD, having been bought out by Afilias after the hacking claims emerged.

These claims of trade secret “theft” are being raised again now because the losing .hotel applicants think ICANN screwed up its probe and basically tried to make it go away out of embarrassment.

Back in August 2016, the ICANN board decided that demands to cancel the HTLD application were “not warranted”. Ohlmer barely gets a mention in the resolution’s rationale.

The losing applicants challenged this decision in a Request for Reconsideration in 2016, known as Request 16-11 (pdf). In that request, they argued that the ICANN board had basically ignored Ohlmer’s role.

Request 16-11 was finally rejected by the ICANN board in January last year, with the board saying it had in fact considered Ohlmer when making its decision.

But the IRP claimants now point to a baffling part of ICANN’s rationale for doing so: that it found “no evidence that any of the confidential information that Ms. Ohlmer (or Mr. Krischenowski) improperly accessed was provided to HTLD”.

In other words, ICANN said that the CEO of the company did not provide the information that she had obtained to the company of which she was CEO. Clear?

Another reason for brushing off the hacking claims has been that HTLD could have seen no benefit during the application process by having access to its rivals’ confidential data.

HTLD won the contention set, avoiding the need for an auction, in a Community Priority Evaluation. ICANN says the CPE was wholly based on information provided in its 2012 application, so any data obtained in 2014 would have been worthless.

But the losing applicants say that doesn’t matter, as HTLD/Afilias still have access to their trade secrets, which could make the company a more effective competitor should .hotel be delegated.

This all seems to have been important to Gibson’s determination. He wrote in his emergency ruling (pdf) last month:

The Emergency Panelist determines that Claimants have raised “sufficiently serious questions related to the merits” in relation to the Board’s denial of Request 16-11, with respect to the allegations concerning the Portal Configuration issues in Request 16-11. This conclusion is made on the basis of all of the above information, and in view of Claimants’ IRP Request claim that ICANN subverted the investigation into HTLD’s alleged theft of trade secrets. In particular, Claimants claim that ICANN refused to produce key information underlying its reported conclusions in the investigation; that it violated the duty of transparency by withholding that information; that the Board’s action to ignore relevant facts and law was a violation of Bylaws; and further, to the extent the BAMC and/or Board failed to have such information before deciding to disregard HTLD’s alleged breach, that violated their duty of due diligence upon reasonable investigation, and duty of independent judgment.

The Emergency Panelist echoes concerns that were raised initially by the Despegar IRP Panel regarding the Portal Configuration issues, where that Panel found that “serious allegations” had been made and referenced Article III(1) of ICANN’s Bylaws in effect at that time, but declined to make a finding on those issues, indicating “that it should remain open to be considered at a future IRP should one be commenced in respect of this issue.” Since that time, ICANN conducted an internal investigation of the Portal Configuration issues, as noted above; however, the alleged lack of disclosure, as well as certain inconsistencies in the decisions of the BAMC and the Board regarding the persons to whom the confidential information was disclosed and their relationship to, or position with HTLD, as well as ICANN’s decision to ultimately rely on a “no harm no foul” rationale when deciding to permit the HTLD application to proceed, all raise sufficiently serious questions related to the merits of whether the Board breached ICANN’s Article, Bylaws or other policies and commitments.

It’s important to note that this is not a final ruling that ICANN did anything wrong; it’s basically the ICANN equivalent of a ruling on a preliminary injunction, and Gibson is saying the claimants’ allegations are worthy of further inquiry.

And the ruling did not go entirely the way of the claimants. Gibson in fact ruled against them on most of their demands.

For example, he said there was insufficient evidence to revisit claims that a review of the CPE process carried out by FTI Consulting was a whitewash, and he refused to order ICANN to preserve documentation relating to the case (though ICANN has said it will do so anyway).

He also ruled against the claimants on a few procedural issues, such as their demands for an Ombudsman review and for IRP administrator the International Center for Dispute Resolution to recuse itself.

Some of their claims were also time-barred under ICANN’s equivalent of the statute of limitations.

But ICANN will be prevented from contracting with HTLD/Afilias for now, which is a key strategic win.

ICANN reckons the claimants are just using the IRP to try to force deep-pocketed Afilias into a private auction they can be paid to lose, and I don’t doubt there’s more than a grain of truth in that claim.

But if it exposes another ICANN cover-up in the process, I for one can live with that.

The case continues…