Latest news of the domain name industry

Congress to put .sucks on trial

Kevin Murphy, May 6, 2015, Domain Policy

The US Congress is to hold a hearing to look into the .sucks gTLD and ICANN accountability.
A hearing entitled “Stakeholder Perspectives on ICANN: The .sucks Domain and Essential Steps to Guarantee Trust and Accountability in the Internet’s Operation” has been scheduled by the House Subcommittee on Courts, Intellectual Property, and the Internet.
It will take place in Washington DC next Wednesday, May 13.
The list of witnesses does not yet appear to have been published.
I would guess we’d be looking at, at the very least, somebody senior from ICANN, somebody senior from .sucks registry Vox Populi, and an intellectual property lawyer.
It was ICANN’s Intellectual Property Constituency that complained about .sucks’ sunrise policies and fees, causing ICANN to refer the matter to US and Canadian trade regulators.
The title of the House hearing suggests that the .sucks controversy will be inextricably tied to the broader issue of ICANN accountability, which is currently undergoing a significant review as ICANN seeks to split permanently from US government oversight.
That’s not great optics for ICANN; I’m sure the organization would rather not have its performance judged on what is quite an unusual edge case emerging from the new gTLD program.

Whois privacy reforms incoming

Kevin Murphy, May 6, 2015, Domain Policy

Whois privacy services will become regulated by ICANN under proposals published today, but there’s a big disagreement about whether all companies should be allowed to use them.
A working group has released the first draft of its recommendations covering privacy and proxy services, which mask the identity and contact details of domain registrants.
The report says that P/P services should be accredited by ICANN much like registrars are today.
Registrars should be obliged to disclose which such services they operate or are affiliated with, presumably at the risk of their Registrar Accreditation Agreement if they do not comply, the report recommends.
A highlight of the paper is a set of proposed rules governing the release of private Whois data when it is requested by intellectual property interests.
Under the proposed rules, privacy services would not be allowed to reject such requests purely because the alleged infringement deals with the content of a web site rather than just the domain.
So the identity of a private registrant of a non-infringing domain would be vulnerable to disclosure if, for example, the domain hosted bootleg content.
Registrars would be able to charge IP owners a nominal “cost recovery” fee in order to process requests and would be able to ignore spammy automated requests that did not appear to have been manually vetted.
There’d be a new arbitration process that would kick in to resolve disputes between IP interests and P/P service providers.
The 98 pages of recommendations (pdf) were drafted by the Generic Names Supporting Organization’s Privacy & Proxy Services Accreditation Issues Working Group (PPSAI) and opened for public comment today.
There are a lot of gaps in the report. Work, it seems, still needs to be done.
For example, it acknowledges that the working group didn’t reach any conclusions about what should happen when law enforcement agencies ask for private data.
The group was dominated by registrars and IP interests. There was only one LEA representative and only one governmental representative, and they participated in a very small number of teleconferences.
There was also a sharp division on the issue of who should be able to use privacy services, with two dissenting opinions attached to the report.
One faction, led by MarkMonitor and including Facebook, Domain Tools and fake pharmacy watchdog LegitScript, said that any company that engages in e-commerce transactions should be ineligible for privacy, saying: “Transparent information helps prevent malicious activity”.
Another group, comprising a handful of non-commercial stakeholders, said that no kind of activity should prevent you from registering a domain privately, pointing to the example of persecuted political groups using web sites to raise funds.
There was a general consensus, however, that merely being a commercial entity should not alone exclude you from using a P/P service.
Currently, registrar signatories to the 2013 RAA are bound by a temporary P/P policy that is set to expire January 2017 or whenever the P/P accreditation process starts.
There are a lot of recommendations in the report, and I’ve only touched on a handful here. The public comment period closes July 7.

Most ICANN new gTLD breaches were over a year ago

Almost three quarters of the security breaches logged against ICANN’s new gTLD portal occurred over a three-month period in early 2014, DI can reveal.
Almost every incident of a new gTLD applicant coming across data they weren’t supposed to see — 322 of the 330 total — happened before the end of October last year, ICANN told DI.
Most — 244 of the 330 — happened before April 30 last year.
The first breach, discovered by an independent audit of the portal, was January 22 2014.
ICANN says it was first notified of there being a problem on February 27, 2015.
The improper data disclosures were announced by ICANN last week.
As we reported, a simple configuration error by ICANN in third-party software allowed users of the Global Domains Division portal — all new gTLD applicants — to view confidential data belonging to other applicants.
Documents revealed could have included sensitive financial projections and registry technical details.
My first assumption was that the majority of the incidents — which have been deliberate or accidental — were relatively recent, but that turns out not to be the case.
In fact, if anyone did download data they weren’t supposed to see, most of them did it over a year ago.
ICANN has been notifying applicants and registries about whether their own data was compromised and expects to have told each affected applicant which other applicants could have seen their data before May 27.
Ninety-six applicants and 21 registries were affected.

Dumb ICANN bug revealed secret financial data to new gTLD applicants

Kevin Murphy, April 30, 2015, Domain Registries

Secret financial projections were among 330 pieces of confidential data revealed by an ICANN security bug.
Over the last two years, a total of 19 new gTLD applicants used the bug to access data belonging to 96 applicants and 21 registry operators.
That’s according to ICANN, which released the results of a third-party audit this afternoon.
Ashwin Rangan, ICANN’s new chief information and innovation officer, confirmed to DI this afternoon that the data revealed to unauthorized users included private financial and technical documents that gTLD applicants attached to their applications.
It would have included, for example, documents that dot-brand applicants reluctantly submitted to demonstrate their financial health.
But Rangan said it was not clear whether the glitch had been exploited deliberately or accidentally.
While saying the situation was “very deeply regrettable”, he added that applicant data deemed confidential when it was submitted back in 2012 may not be considered as such today.
The vulnerability was in ICANN’s Global Domains Division Portal, which was taken offline for three days at the end of February and early March after the bug was reported by a user.
Two outside consulting firms were brought in to scan access logs going back to the launch of the new gTLD portal back in April 2013.
What they found was that any user of the portal could access any attachment to any application, whether it belonged to them or a third-party applicant, simply by checking a radio button in the advanced search feature.
It was a misconfiguration by ICANN of the Salesforce.com software used by GDD, rather than a coding error, Rangan said.
“The public/private data sharing setting can be On or Off and here it was set to On,” he said.
On 330 occasions, starting “in earliest part of when the portal first became available” two years ago, these 19 users would have been exposed to data they were not supposed to be able to see.
The audit has been unable to determine whether the users actually downloaded confidential data on those occasions.
What’s confirmed is that only new gTLD applicants were able to use the glitch. No third-party hackers were involved.
The 19 users who, whether they meant to or not, exploited this vulnerability are now going to be sent letters asking them to explain themselves. They’ll also be asked to delete anything they downloaded and to not share it with third parties.
Before May 27, ICANN will also contact those applicants whose secret data was exposed, telling them which rival applicants could have seen it.
Rangan said that there have been almost 600,000 GDD sessions in the last two years, and that only 36 of them revealed data to unauthorized users.
“It’s a small fraction,” he said. “The question is whether they just stumbled across something they were not even aware of… Looking at the log files it is not clear what is the case.”
ICANN seems to be giving the 19 users the benefit of the doubt so far, but still wants them to explain their actions.
As CIO, Rangan was not able to comment on whether the breach exposes ICANN or applicants to any kind of legal liability.
It’s not the first time sensitive applicant data has been exposed. Back in 2012, DI discovered that the home addresses of the directors of applicants had been published, despite promises that they would remain private.
At the time of the original GDD portal misconfiguration, ICANN had noted security expert Jeff “The Dark Tangent” Moss as its chief security officer.
Earlier this week, ICANN’s board of directors authorized expenses of over $500,000 to carry out security audits of ICANN’s code.

New gTLD zones top five million names

Kevin Murphy, April 22, 2015, Domain Registries

There are now more than five million new gTLD domain names live in the DNS.
That’s according to zone files collated by ICANN, which I’m told show 5,002,252 names across the 597 new gTLD registries providing data.
That works out to a mean of 8,378 domains per TLD, a median of 1,254.
The largest zone file is .xyz, with 877,450 names. There’s at least 100 new gTLDs with only one domain in their zones.
Due to the way ICANN’s Centralized Zone Data Service works (or doesn’t work) with access rights expiring on a pretty much daily basis, it’s virtually impossible for a third party such as DI to count up zone file numbers across every new gTLD with 100% daily accuracy.
Today, DI PRO reports a count of 4,999,024 names.
The total number of zone file domains in this post was provided by ICANN, which does not have the same CZDS restrictions as the rest of us.

As .stream is won, ICANN’s auction list empties

Kevin Murphy, April 22, 2015, Domain Registries

.stream has become the latest new gTLD contention set to be settled prior to its ICANN auction, leaving ICANN’s auction schedule looking barren.
Famous Four Media beat Hughes Satellite Systems to the string, which was due to auction May 27.
The four strings scheduled for bidding April 29 — .living, .fun, .map and .search — were also recently settled.
All that remains on ICANN’s schedule is the controversial .game/.games contention set, which will employ a unique process designed for contention sets created by inconsistent singular/plural string confusion rulings.
The five .game applicants and one .games applicant (Donuts) are still due to hit the block May 20.
A couple dozen other gTLDs are still pending ICANN auction but do not have set dates due to various challenges and disputes.

Dirty tricks claimed in .music fight

Kevin Murphy, April 22, 2015, Domain Registries

A .music hopeful has tried to add over 300 pages of documents to its new gTLD application, apparently in an effort to leapfrog competitors, and its rival community applicant is far from happy.
DotMusic Limited submitted the change request (pdf) in order to add some Public Interest Commitments to its .music bid.
Rival .Music LLC now claims that it is “outrageous and unfair for ICANN to allow this applicant to abuse the PIC process in this way” and has filed a Request for Reconsideration.
Of the eight .music bidders, these two companies are the only formal “community” applicants.
Under the rules of the new gTLD program, community applicants can avoid having to fight an auction if they win a strict Community Priority Evaluation.
To avoid confusion: DotMusic Limited is the applicant led by Constantine Roussos; .Music LLC (aka Far Further) is led by John Styll.
Far Further fought a CPE last year but lost in spectacular fashion, scoring just 3 out of the 16 available points, a long way shy of the 14 points required for a pass.
The Roussos applicant has now submitted eight new proposed Public Interest Commitments — things it promises to do to protect registrants and rights holders — as an addendum to its application.
That’s pretty standard stuff.
What’s unusual are the 308 pages of additional “clarifications” that seek to explain how the proposed PICs relate to its original application.
They’re not changes to the application, technically speaking, but they are a way to get hundreds of extra pages of content into the public record ahead of DotMusic’s own CPE.
According to Styll, this latest gambit is nothing more than an attempt to score more CPE points. He told ICANN:

the 308 additional pages of “clarifications” contain wording that clearly utilizes learnings from previous CPE results (including our own), in violation of ICANN policy

Complicating matters, it turns out that Far Further tried to make some substantive changes to its application back in May 2014, but had the request declined by ICANN “in order to be fair to other applicants”.
That was prior to ICANN’s publication of guidelines governing change requests, Styll says.
Because of this alleged discrepancy between how the two competing change requests were handled, Far Further wants a second crack at the CPE for its own application.
Its RfR (pdf) asks ICANN to reverse its May 2014 decision, allow its change request, throw out the original results of its CPE and refer the CPE to a new Economist Intelligence Unit panel for a full reevaluation.
Failing that, it wants ICANN to throw out the 308 pages of “clarifications” submitted by DotMusic.
Both applicants have the written support of dozens of music industry groups.
There’s some crossover, but Far Further’s backers appear to me to be a little more “establishment” than DotMusic’s, including the likes of the Recording Industry Association of America.
The other, non-community applicants are Amazon, Google, Donuts, Radix, Famous Four Media and Entertainment Names.
With Google and Amazon in the mix, if it goes to auction, .music could easily be an eight-figure auction along the lines of .app, which sold to Google for $25 million.
In my view, winning a CPE is the only way DotMusic has a chance of getting its hands on .music, short of combining with another applicant.

Warren Buffett party firm beats Google to .fun

Kevin Murphy, April 20, 2015, Domain Registries

An 80-year-old seller of party supplies, owned by Warren Buffett, has won the rights to the new gTLD .fun, after the other two applicants withdrew.
Oriental Trading Company plans to operate the gTLD as a “restricted” space where only the company and its partners can register, according to its application.
Quite why this isn’t on hold as a “closed generic”, I don’t know.
The application states .fun will be:

an authoritative Internet space for OTC, its affiliates and partners where OTC can develop an unlimited number of domain names dedicated and relevant to “fun” and to provide Internet users with content, services and products they need, while being assured of brand authenticity.

The other two applicants were Google and Dot Strategy. Both applications have now been withdrawn.
OTC sells balloons, party hats, banners and such. It was acquired by Buffett’s Berkshire Hathaway in 2012 after filing for bankruptcy protection.
In other withdrawal news, games maker Konami today became the latest company to dump its plans for a dot-brand, in this case .konami.

ICANN in “fact-finding” mode over potential .sucks breach

Kevin Murphy, April 13, 2015, Domain Registries

ICANN is playing its cards close to its chest when pressed on what it thinks Vox Populi may have done wrong with its .sucks launch pricing and policies.
The organization told DI in a statement that it is currently “fact-finding”, and will not speculate on what parts of the Registry Agreement may have been breached.
ICANN on Thursday reported Vox Pop to the US and Canadian trade regulators, asking them to judge whether the registry’s $2,000 sunrise fee broke any laws.
Its Intellectual Property Constituency reckons the launch, which also places thousands of trademarks on a permanent, high-priced “Sunrise Premium” list, amounts to nothing more than a “shakedown” of brand owners.
Vox Pop CEO John Berard told DI last week that the referral to the US Federal Trade Commission, despite the fact that the company and its owners are Canadian, amounted to “appeasement” of the IPC.
In response, ICANN told DI in a statement:

The registry is offering domain name registrations to registrants located in jurisdictions around the world. It’s possible that a registry’s activities could violate the law in the registry’s own jurisdiction; it is also possible that a registry’s activities could violate the law in the jurisdiction of a registrar or registrant where the registry offers domain name registrations. In this case, the IPC letter was signed by an attorney based in New York City, and ICANN thought it appropriate to ask both U.S. and Canadian authorities to consider the IPC allegations.

ICANN seems to be saying on the one hand that registries are beholden to the laws of wherever their registrants are based and on the other hand that the jurisdiction of the IPC’s current president, Greg Shatan, somehow has a bearing on what laws gTLD registries are obliged to obey.
I await correction from more knowledgeable readers, but I don’t think either of those statements is accurate.
If the latter is true, then perhaps the IPC should in future elect its leaders from only the countries with the most trademark-friendly regimes.
In ICANN’s letters to the FTC and IPC, the organization said it was “evaluating other remedies”. From the context, it seems that ICANN is thinking it could initiate some kind of compliance action against .sucks regardless of what governmental regulators say.
Asked to explain this, ICANN told DI:

We’re currently doing some fact-finding and analysis to assess whether there has been any breach by the registry of its obligations, and, based on the results of that analysis, we will try to determine what remedies, if any, may be available. Obviously, it will depend on all the facts and circumstances. Beyond that, since we haven’t finished that evaluation process it would be inappropriate to speculate about possible remedies.

That’s not saying much, but it leaves the door open for ICANN Compliance to do something even if the FTC and Office of Consumer Affairs deem that no laws have been broken.
One possible “breach” that has been floated relates to the differential pricing created by the Sunrise Premium list. However, my take on this is that, under the new gTLD contracts, it’s not massively different to other kinds of premium pricing program.
Differential pricing protections only apply to renewal fees. If the registrant is told at the point of sale that their renewal fees will be high, that enables registries to put different fees on different domains.
There have also been theories put forward about ICANN’s motivation for referring .sucks to regulators.
The idea that ICANN can defer to the FTC and others on legal matters is not entirely new. In cases where registries intend to merge, ICANN is allowed under its contracts to refer the deals to regulators before approving them.
But this is the first time ICANN has referred new gTLD pricing to competition authorities.
Is it a case of ICANN ass-covering?
ICANN is taking unique fees worth up to $1 million extra from Vox Populi and, as I wrote two weeks ago, the optics of this are bad for ICANN, which could look like it is profiteering from .sucks.
ICANN has explained that the extra fees related to entities that were owned by Vox Pop parent Momentous, the Canadian registrar that had many subsidiaries go out of business owing ICANN a tonne of cash.
By punting the IPC’s complaint to regulators, ICANN could deflect criticism that it is not doing enough to protect rights holders and registrants while avoiding having to make a tricky decision itself.
Regardless, the FTC referral and the fact that ICANN is charging Vox Pop special fees sends a strong message that ICANN does not trust the registry one bit.

Three registrars suspended by ICANN

ICANN has enforced the 2013 Registrar Accreditation Agreement against three more registrars, suspending their ability to sell gTLD domain names.
Canadian registrar Namevault, along with Signdomains and Times Internet of India, cannot sell domains or accept inbound transfers from April 21 to July 20, according to ICANN compliance notices.
Namevault’s suspension came after it got its third compliance strike in a year, this time relating to its failure to provide records about domain stronglikebull.com, which was at Namevault from 2008 but is now at Go Daddy.
Times Internet has failed to implement a Whois service, despite being first warned about its failings last September, ICANN says.
Signdomains was originally issued a breach notice due to its failure to pay over $3,000 in accreditation fees. It also does not display pricing information on its web site, according to ICANN. Neither breach has been rectified.
The three registrars have not many more than 10,000 names under management between them, according to latest registry reports.
They’re the first three registrars to have their RAAs suspended in 2015. Three other registrars have been terminated since the beginning of the year.