Latest news of the domain name industry

Recent Posts

.com and NameSilo fingered as “most-abused” after numbers rocket

SpamHaus has revealed the most-abused TLDs and registrars in its second-quarter report on botnets.

The data shows huge growth in abuse at Verisign’s .com and the fast-growing NameSilo, which overtook Namecheap to top the registrar list for the first time.

Botnet command-and-control domains using .com grew by 166%, from 1,549 to 4,113, during the quarter, SpamHaus said.

At number two, .xyz saw 739 C&C domains, up 114%.

In the registrar league table, NameSilo topped the list for the first time, unseating Namecheap for the first time in years.

NameSilo had 1,797 C&C domains on its books, an “enormous” 594% increase. Namecheap’s number was 955 domains, up 52%.

Botnets are one type of “DNS abuse” that even registrars agree should be acted on at the registrar level.

The most-abused lists and lots of other botnet-related data can be found here.

Price caps on .org could return, panel rules

Kevin Murphy, April 27, 2021, Domain Policy

ICANN could be forced to reimpose price caps on .org, .biz and .info domains, an Independent Review Process panel has ruled.

The panel handling the IRP case filed by Namecheap against ICANN in February 2020 has decided to allow the registrar to continue to pursue its claims that ICANN broke its own bylaws by removing price controls from the three gTLD contracts.

Conversely, in a win for ICANN, the panel also threw out Namecheap’s demand that the IRP scrutinize ICANN’s conduct during the attempted takeover of .org’s Public Interest Registry by Ethos Capital in 2019.

The split ruling (pdf) on ICANN’s motion to dismiss Namecheap’s case came March 10 and was revealed in documents recently published by ICANN. The case will now proceed on the pricing issue alone.

The three-person panel decided that the fact that ICANN ultimately decided to block Ethos’ acquisition of PIR meant that Namecheap lacked sufficient standing to pursue that element of its case.

Namecheap had argued that ICANN’s opaque processing of PIR’s change of control request created uncertainty that harmed its business, because ICANN may approve such a request in future.

But the panel said it would not prejudge such an eventuality, saying that if another change of control is approved by ICANN in future, Namecheap is welcome to file another IRP complaint at that time.

“Harm or injury flowing from possible future violations by the ICANN Board regarding change of control requests that are not presently pending and that may never occur does not confer standing,” the panel wrote.

On the pricing issue, the panel disagreed with ICANN’s argument that Namecheap has not yet been harmed by a lack of .org price caps because PIR has not yet raised its .org prices.

It said that increased prices in future are a “natural and expected consequence” of the lack of price controls, and that to force Namecheap to wait for such increases to occur before filing an IRP would leave it open to falling foul of the 12-month statute of limitations following ICANN decision-making baked into the IRP rules.

As such, it’s letting those claims go ahead. The panel wrote:

This matter will proceed to consideration of Namecheap’s request for a declaration that ICANN must annul the decision that removed price caps in the .org, .info and .biz registry agreements. The Panel will also consider Namecheap’s request for a declaration that ICANN must ensure that price caps from legacy gTLDs can only be removed following policy development process that takes due account of the interests of the Internet user and with the involvement of different stakeholders. The Panel will consider Namecheap’s request for a declaration that “registry fees… remain as low as feasible consistet with the maintenance of good quality service” within the context of removal of price caps (not in the context of regulating changes of control).

In other words, if Namecheap prevails, future price caps for pre-2012 gTLDs could be decided by the ICANN community, with an assumption that they should remain as low as possible.

That would be bad news for PIR, as well as .info registry Donuts and .biz registry GoDaddy.

But it’s important to note that the IRP panel has not ruled that ICANN has done anything wrong, nor that Namecheap is likely to win its case — the March 10 ruling purely assesses Namecheap’s standing to pursue the IRP.

The panel has also significantly extended the proposed timeline for the case being resolved. There now won’t be a final decision until 2022 at the earliest.

The panel last week delayed its final hearing in the case from August this year to January next year, according to a document published this week.

Other deadlines in the case have also been pushed backed weeks or months.

Facebook gunning for Web.com in latest $27 million-plus cybersquatting lawsuit

Kevin Murphy, April 16, 2021, Domain Registrars

Facebook has sued what it believes is a Web.com subsidiary, claiming the company has been engaged in wholesale cybersquatting for well over a decade.

The complaint, filed in a Pennsylvania District Court, alleges that New Venture Services Corp current owns 74 domains, and has previously owned 204 more, that infringe its Facebook, Instagram and WhatsApp trademarks.

While no other named defendants are listed, the complaint makes it abundantly clear that it believes NVSC is a subsidiary of Web.com and a sister of Network Solutions, Register.com, SnapNames and Perfect Privacy.

Facebook is suing partly under the Anti-Cybersquatting Consumer Protection Act, allowing it to claim $100,000 damages per infringing domain, so we’re looking at a floor of $27.8 million of potential damages should the lawsuit be successful.

But it’s also looking for NVSC to hand over any profits it’s made from the domains in question, which are generally parked with ads and listed for sale via the SnapNames network for premium fees.

While NVSC is registered in the British Virgin Islands and uses a Pennsylvania post office box as its mailing address, there’s a wealth of evidence going back to 2007 that it’s been affiliated first with NetSol and then Web.com.

Web.com’s last regulatory filing before it went private in 2017 lists NVSC as a subsidiary, which is probably the most compelling piece of evidence establishing ownership.

It appears that NVSC is a shell company that Web.com uses to hold potentially valuable or traffic-rich domains that its customers have allowed to expire. The names are then parked and put up for resale.

Example domains listed in the complaint include httpinstagram.com, faceebbok.com, facebooc.net, instagram-login.com, and installwhatsapps.com.

One would have to assume these names were captured using a fully automated process; even a cursory human review would clock that they’re useful only to bad actors.

The lawsuit is the latest in Facebook’s crusade against mainstream registrars it believes are profiting by infringing its trademarks, which has already ensnared Namecheap a year ago and OnlineNIC in October 2019.

Namecheap recently filed a counterclaim in which it tries to get some of Facebook’s trademarks cancelled.

Facebook has all but admitted that putting legal pressure on registrars is part of its strategy when it comes to getting the policies it wants out of ICANN on privacy and Whois access, where there’s currently an impasse.

Here’s the complaint (pdf).

Nominet members wail as ousted director made CEO

Nominet has been accused of being “tone deaf” to its members’ criticisms after it appointed two staffers to its board of directors and named a recently ousted director as interim CEO.

The .uk registry told members last week that Eleanor Bradley will occupy the corner office “for approximately 6 months” while a permanent replacement for Russel Haworth is sought.

Haworth quit last month rather than face the wrath of members at an Extraordinary General Meeting that shortly thereafter voted to remove Bradley and three other directors from the board.

Bradley has been with the company for many years and was head of registry at Nominet, and seems like an obvious pick for an internal appointment, but members took to social media to express their displeasure.

The EGM was held after a campaign to round up the votes at PublicBenefit.uk, organized by Simon Blackler of Krystal Hosting. Members had hoped to install Sir Michael Lyons and Axel Pawlik on the board as chair and deputy chair.

But Nominet said that its bylaws would not allow directors to be selected this way, and there was no vote on that motion.

Instead, after the vote, relatively new director Rob Binns has taken the acting chair’s job and CIO Adam Leach and company secretary Rory Kelly joined the board from staff.

Binns informed the members of the appointments in a letter March 31 (pdf), which also said that Pawlik has been offered a consulting gig but had declined.

While eating a generous slice of humble pie, assuring members that the EGM was “an opportunity to reset and begin rebuilding the relationship between membership and Nominet”, the plan for the company he outlined was not a million miles away from the plan Nominet had put forward to address members’ concerns under its previous management.

Crucially, Nominet is still backing its non-core security business, which many members believe is an unnecessary diversification that diverted focus from the registry and profits from public benefit causes.

Binns said: “We believe those capabilities are integral to the public benefit we provide, so we want to develop a refreshed structure that protects that capability while addressing members’ desire for Nominet to focus more on its core activities.”

He also backed plans for a Registry Advisory Council, which would have seats for members, and said Nominet will bring back its web-based member discussion forum, which was closed down last year.

His letter contains no mention of reducing prices, one of the five big asks the PublicBenefit.uk campaign made.

Most of the social media reaction to Binns’ letter was negative. Notably, Richard Kirkendall, CEO of Namecheap, one of the largest registrars to publicly expressed its support for the campaign, tweeted:

Others had similar points of view, and some speculated that a second EGM may be required to set Nominet on the path the majority of its members appear to want.

One year on, Namecheap still fighting aborted .org takeover and may target GoDaddy and Donuts next

Kevin Murphy, February 5, 2021, Domain Registrars

Even though Ethos Capital’s proposed takeover of Public Interest Registry was rejected last May, registrar Namecheap is still doggedly pursuing legal action against ICANN’s handling of the deal, regardless.

The Independent Review Process complaint filed last February is still active, with Namecheap currently fighting a recent ICANN motion to dismiss the case.

The company is also demanding access to information about GoDaddy’s acquisition of Neustar and Donuts’ acquisition of Afilias, and is threatening to file separate actions related to both those deals.

Namecheap has essentially two beefs with ICANN. First, that it should not have lifted price caps in its .org, .biz and .info registry contracts. Second, that its review of Ethos’ bid for PIR lacked the required level of transparency.

ICANN’s trying to get the IRP complaint thrown out on two fairly simple grounds. First, that Namecheap lacks standing because it’s failed to show a lack of price caps have harmed it. Second, that it rejected the PIR acquisition, so Namecheap’s claims are moot.

In its motion to dismiss (pdf), its lawyers wrote:

Namecheap’s entire theory of harm, however, is predicated on the risk of speculative future harm. In fact, nearly every explanation of Namecheap’s purported harm includes the words “may” or “potential.” Namecheap has not identified a single actual, concrete harm it has suffered.

Namecheap’s claims related to the Change of Control Request should be dismissed because ICANN’s decision not to consent to the request renders these claims moot
and, separately, Namecheap cannot demonstrate any harm resulting from this decision.

In December, Namecheap had submitted as evidence two analyses of its business prospects in the event of registry price increases, one compiled by its own staff, the other prepared by a pair of outside expert economists.

While neither shows Namecheap has suffered any directly quantifiable harm, such as a loss of revenue or customers, Namecheap argues that that doesn’t matter and that the likelihood of future harm is in fact a current harm.

A mere expectation of an increase in registry prices is sufficient to show harm. This is because such expectation reduces Namecheap’s expected profits and its net present value.

It further argues that if Namecheap was found to not have standing, it would give ICANN the ability to evade future IRP accountability by simply adding a 12-month delay to the implementation of controversial decisions, pushing potential complainants outside the window in which they’re able to file for IRP.

On the PIR change of control requests, Namecheap says it’s irrelevant that ICANN ultimately blocked the Ethos acquisition. The real problem is that ICANN failed in its transparency requirements related to the deal, the company claims.

The fact that ICANN withheld its consent is no excuse for refusing to provide full transparency with respect to the actions surrounding the proposed acquisition and ICANN’s approval process. Namecheap’s claims relate to the non-transparent process; not the outcomes of such process. Irrespective of the outcome, lack of transparency increases the level of systemic risk in Namecheap’s business environment.

How did ICANN come to its decision? Was an imminent request for a change of control known to ICANN, when it took the decision to remove the price control provisions? What was discussed in over 30 hours of secret meetings between ICANN org and the Board? What discussions took place between ICANN, PIR and other entities involved? All these questions remain unanswered

Namecheap refers to two incidents last year in which ICANN hid its deliberations about industry acquisitions by conducting off-the-books board discussions.

The first related to the PIR deal. I called out ICANN for avoiding its obligation to provide board meeting minutes in a post last May.

The second relates to the board’s consideration of Donuts’ proposed (and ultimately approved) acquisition of Afilias last December. Again, ICANN’s board discussed the deal secretly prior to its official, minuted December 17 meeting, thereby avoiding its transparency requirements.

In my opinion, this kind of bullshit has to stop.

Namecheap is also now threatening to bring the Afilias deal and GoDaddy’s acquisition of Neustar’s registry business last April into the current IRP, or to file separate complaints related to them, writing in its response to ICANN’s motion (pdf):

Namecheap seeks leave to have ICANN’s actions and inactions regarding its consideration of the Neustar and Afilias changes of control reviewed by this IRP Panel. If, per impossibile such leave is not granted, Namecheap reserves all rights to initiate separate proceedings on these issues.

The deals are similar because both involve the change of control of legacy gTLD contractors with millions of domains under management that have recently had their price caps lifted — Afilias ran .info and Neustar ran .biz.

ICANN grants Verisign its price increases, of course

Kevin Murphy, March 30, 2020, Domain Registries

ICANN has given Verisign its ability to increase .com prices by up to 7% a year, despite thousands of complaints from domain owners.

The amendments give Verisign the right to raise prices in each of the last four years of its six-year duration. The current price is $7.85 a year.

Because the contract came into effect in late 2018, the first of those four years begins October 26 this year, but Verisign last week said that it has frozen the prices of all of its TLDs until 2021, due to coronavirus.

Not accounting for discounts, .com is already already worth $1.14 billion in revenue to Verisign every year, based on its end-of-2019 domains under management.

In 2019, Verisign had revenue of $1.23 billion, of which about half was pure, bottom-line, net-income profit.

In defending this shameless money-grab, ICANN played up the purported security benefits of the deal, while offering a critique of the domainers and registrars that had lobbied against it.

Göran Marby, ICANN’s CEO, said in a blog post.

I believe this decision is in the best interest of the continued security, stability, and resiliency of the Internet.

Overall, the decision to execute the .COM Registry Agreement amendment and the proposed binding Letter of Intent is of benefit to the Internet community.

The decision was explained in more detail in a eight-page analysis document (pdf) published late last week.

I’ll summarize this paper in three bullet points (my words, not ICANN’s):

  • Domainers are hypocrites.
  • The deal is good for DNS security.
  • Our hands were tied anyway.

First, while ICANN received over 9,000 comments about the proposed amendment, almost all negative, it said that publicity campaigns from domainer group the Internet Commerce Association and domainer registrar Namecheap were behind many of them.

the Internet Commerce Association (ICA) and Namecheap, are active players in the so called “aftermarket” for domain names, where domain name speculators attempt to profit by “buying low and selling high” on domain names, forcing end users to pay higher than retail prices for desirable domain names

It goes on to cite data from NameBio, which compiles lists of secondary market domain sales, to show that the average price of a resold domain is somewhere like $1,600 (median) to $2,400 (mean).

Both Namecheap and ICA supporter GoDaddy, which sells more .coms than any other registrar, have announced steep increases in their .com retail renewal fees in recent years — 20% in the case of GoDaddy — the ICANN document notes.

This apparent hypocrisy appears to be reason ICANN felt quite comfortable in disregarding many of the negative public comments it received.

Second, ICANN reckons other changes to the .com contract will benefit internet security.

Under a side deal (pdf) Verisign’s going to start giving ICANN $4 million a year, starting next January and running for five years, for what Marby calls “ICANN’s initiatives to preserve and enhance the security, stability, and resiliency of the DNS.” These include:

activities related to root server system governance, mitigation of DNS security threats, promotion and/or facilitation of Domain Name System Security Extensions (DNSSEC) deployment, the mitigation of name collisions, and research into the operation of the DNS.

Note that these are without exception all areas in which ICANN already performs functions, usually paid for out of its regular operating budget.

Because it looks like to all intents and purposes like a quid pro quo, to grease the wheels of getting the contract amendments approved, Marby promised that ICANN will commit to “full transparency” as to how its new windfall will be used.

The new contract also has various new provisions that standardize technical standardization and reporting in various ways, that arguably could provide some minor streamlining benefits to internet security and stability.

But ICANN is playing up new language that requires Verisign to require its registrars to forbid their .com registrants from doing stuff like distributing malware and operating botnets. Verisign’s registrar partners will now have to include in their customer agreements:

a provision prohibiting the Registered Name Holder from distributing malware, abusively operating botnets, phishing, pharming, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law and providing (consistent with applicable law and any related procedures) consequences for such activities, including suspension of the registration of the Registered Name;

Don’t expect this to do much to fight abuse.

It’s already a provision that applies to hundreds of other TLDs, including almost all gTLDs, and registrars typically incorporate it into their registration agreements by way of a link to the anti-abuse policy on the relevant registry’s web site.

Neither Verisign nor its registrars have any obligation to actually do anything about abusive domains under the amendments. As long as Verisign does a scan once a month and keeps a record of the total amount of abuse in .com — and this is data ICANN already has — it’s perfectly within the terms of its new contract.

Third and finally, ICANN reckons its hands were pretty much tied when it comes to the price increases. ICANN wrote:

ICANN org is not a competition authority or price regulator and ICANN has neither the remit nor expertise to serve as one. Rather, as enshrined in ICANN’s Bylaws, which were
developed through a bottom up, multistakeholder process, ICANN’s mission is to ensure the security and stability of the Internet’s unique identifier systems. Accordingly, ICANN must defer to relevant competition authorities and/or regulators, and let them determine if any conduct or behavior raises anticompetition concerns and, if so, to address such concerns, whether it be through price regulation or otherwise. As such, ICANN org has long-deferred to the DOC and the United States Department of Justice (DOJ) for the regulation of wholesale pricing for .COM registry services.

It was of course the DoC, under the Obama administration, that froze Verisign’s ability to raise prices and, under the Trump administration, thawed that ability in November 2018.

If you’re pissed off that the carrying cost of your portfolio is about to go up, you can blame Trump, in other words.

Namecheap and others banning coronavirus domains

Kevin Murphy, March 26, 2020, Domain Registrars

Anyone wanting to buy a coronavirus-related domain for scamming purposes won’t be able to do it via Namecheap, which has preemptively banned keyword domains on its storefront.

For the last several days, the registrar has rejiggered its web site to prevent customers adding domains containing certain keywords — such as “coronavirus” or “covid” or “vaccine” — to their shopping carts.

The company said today that customers wishing to register such domains for legitimate purposes can continue to do so by calling up Namecheap customer service and having the name registered manually.

CEO Richard Kirkendall said in an email to customers that Namecheap is also “actively working with authorities to both proactively prevent, and take down, any fraudulent or abusive domains or websites related to COVID19”.

A GoDaddy spokesperson told DI this week that it has also taken down domains when alerted to their usage as coronavirus scams.

Meanwhile, .uk registry Nominet said that it has added keywords such as “coronavirus” and “covid” to its Domain Watch initiative, the same semi-automated system it uses to flag and suspend phishing and “rape” domains preemptively at point of registration. Nominet said:

Those that look suspicious — based on our algorithm and then a manual check — are suspended until we see evidence of good intentions from the registrants.

So far, we have suspended over 180 domains while we conduct this extra due diligence. A small proportion responded to our satisfaction and had their domain names reactivated. It’s highly likely that those who did not respond were intending to use their domains to manipulate a public in need of information.

Another domain company taking action is aftermarket site Dan.com, which today said on Twitter that it will remove all coronavirus related domains from its marketplace.

Namecheap is also offering some customers payment flexibility when it comes to some products — largely non-domain products such as hosting — if they can convince customer service reps of their coronavirus-related financial hardship.

“I urge you not to abuse this offer, please allow it to be used by those who need it most, who are otherwise unable to pay,” Kirkendall wrote.

Verisign, the .com registry, yesterday hinted that it will be offering its registrars some similar flexibility, which one assumes could be passed on to registrants.

US officials gunning for coronavirus domains

Kevin Murphy, March 24, 2020, Domain Registrars

US state and federal law enforcement are pursuing domain names being used to push bogus products and misinformation related to coronavirus Covid-19.

In separate actions, the US Department of Justice forced Namecheap to take down a scam site that was allegedly using fear of coronivirus to hoodwink visitors out of their cash, while the New York Attorney General has written to registrars to demand they take action against similar domains.

The DoJ filed suit (pdf) against the anonymous “John Doe” registrant of coronavirusmedicalkit.com on Saturday and on Sunday obtained a temporary restraining order obliging Namecheap to remove the DNS from the domain and lock it down, which Namecheap seems to have done.

Namecheap is not named as a defendant, but the complaint notes that the DoJ had requested the domain be taken down on March 19 and no action had been taken by the evening of March 21.

The web site in question allegedly informed visitors that the World Health Organization was giving away free coronavirus vaccines to anyone prepared to pay a $4.95 shipping fee by handing over their credit card details.

This is an identity theft scam and wire fraud, the complaint says.

Meanwhile, NYAG Letitia James has sent letters, signed by IT chief Kim Berger, to several large US registrar groups — including GoDaddy, Dynadot, Name.com, Namecheap, Register.com, and Endurance — to ask them to “stop the registration and use of internet domain names by individuals trying to unlawfully and fraudulently profit off consumers’ fears around the coronavirus disease”.

In the letter to GoDaddy (pdf), Berger asks for a “dialogue” on the following preventative measures:

  • The use of automated and human review of domain name registration and traffic patterns to identify fraud;
  • Human review of complaints from the public and law enforcement about fraudulent or illegal use of coronavirus domains, including creating special channels for such complaints;
  • Revising your terms of service to reserve aggressive enforcement for the illegal use of coronavirus domains; and
  • De-registration of the domains cited in the articles identified above that were registered at GoDaddy, and any holds in place on registering new domains related to coronavirus, or similar blockers that prevent rapid registration of coronavirus-related domains.

In other words: try to stop these domains being registered, and take them down if they are.

No specific malicious sites are listed in the letter. Rather, Berger cites a study by Check Point Software that estimates that something like 3% of the more than 4,000 coronavirus-related domains registered between January and March 5 are “malicious” in nature.

Facebook WILL sue more registrars for cybersquatting

Kevin Murphy, March 13, 2020, Domain Registrars

Facebook has already sued two domain name registrars for alleged cybersquatting and said yesterday that it will sue again.

Last week, Namecheap became the second registrar in Facebook’s legal crosshairs, sued in in its native Arizona after allegedly failing to take down or reveal contact info for 45 domains that very much seem to infringe on its Facebook, Instagram and WhatsApp trademarks.

In the complaint (pdf), which also names Namecheap’s Panama-based proxy service Whoisguard as a defendant, the social media juggernaut claims that Whoisguard and therefore Namecheap is the legal registrant for dozens of clear-cut cases of cybersquatting including facebo0k-login.com, facebok-securty.com, facebokloginpage.site and facebooksupport.email.

In a brief statement, Facebook said these domains “aim to deceive people by pretending to be affiliated with Facebook apps” and “can trick people into believing they are legitimate and are often used for phishing, fraud and scams”.

Namecheap was asked to reveal the true registrants behind these Whoisguard domains between October 2018 and February 2020 but decline to do so, according to Facebook.

The complaint is very similar to one filed against OnlineNIC (pdf) in October.

And, according to Margie Milam, IP enforcement and DNS policy lead at Facebook, it won’t be the last such lawsuit.

Speaking at the second public forum at ICANN 67 yesterday, she said:

This is the second in a series of lawsuits Facebook will file to protect people from the harm caused by DNS abuse… While Facebook will continue to file lawsuits to protect people from harm, lawsuits are not the answer. Our preference is instead to have ICANN enforce and fully implement new policies, such as the proxy policy, and establish better rules for Whois.

Make no mistake, this is an open threat to fence-sitting registrars to either play ball with Facebook’s regular, often voluminous requests for private Whois data, or get taken to court. All the major registrars will have heard her comments.

Namecheap responded to its lawsuit by characterizing it as “just another attack on privacy and due process in order to strong-arm companies that have services like WhoisGuard”, according to a statement from CEO Richard Kirkendall.

The registrar has not yet had time to file its formal reply to the legal complaint, but its position appears to be that the domains in question were investigated, found to not be engaging in nefarious activity, and were therefore vanilla cases of trademark infringement best dealt with using the UDRP anti-cybersquatting process. Kirkendall said:

We actively remove any evidence-based abuse of our services on a daily basis. Where there is no clear evidence of abuse, or when it is purely a trademark claim, Namecheap will direct complainants, such as Facebook, to follow industry-standard protocol. Outside of said protocol, a legal court order is always required to provide private user information.

UDRP complaints usually take several weeks to process, which is not much of a tool to be used against phishing attacks, which emerge quickly and usually wind down in a matter of a few days.

Facebook’s legal campaign comes in the context of an ongoing fight about access to Whois data. The company has been complaining about registrars failing to hand over customer data ever since Europe’s GDPR privacy regulation came into effect, closely followed by a new, temporary ICANN Whois policy, in May 2018.

Back then, its requests showed clear signs of over-reach, though the company claims to have scaled-back its requests in the meantime.

The lawsuits also come in the context of renewed attacks at ICANN 67 on ICANN and the domain industry for failing to tackle so-called “DNS abuse”, which I will get to in a follow-up article.

Four big developments in the .org pricing scandal

Kevin Murphy, November 26, 2019, Domain Registries

The renewal of Public Interest Registry’s .org contract and its subsequent acquisition by Ethos Capital is the gift that keeps on giving in terms of newsworthy developments, so I thought I’d bundle up the most important into a single article.

First, ICANN has thrown out the appeal filed by Namecheap and provided a (kinda) explanation of how the recent contract renewal came about.

The board of directors voted to reject Namecheap’s Request for Reconsideration on Thursday, as I reported last week, but the decision was not published until last night.

Namecheap had demanded ICANN reverse its decision to remove the 10%-a-year cap on price increases previously in the .org contract, enabling PIR to unilaterally raise its prices by however much it wants.

It said that ICANN had “ignored” the more then 3,000 people and organizations that had submitted comments opposing the lifting of caps.

But the board said:

ICANN org’s Core Values do not require it to accede to each request or demand made in public comments or otherwise asserted through ICANN’s various communication channels. ICANN org ultimately determined that ICANN’s Mission was best served by replacing price caps in the .ORG/.INFO Renewed RAs with other pricing protections to promote competition in the registration of domain names, afford the same “protections to existing registrants” that are afforded to registrants of other TLDs, and treat registry operators equitably.

The board also decided to describe, in a roundabout kinda way, how it conducts renewal talks with pre-2012 legacy gTLDs, explaining that ICANN “prefers” to move these registries to the 2012 contract, but that it cannot force them over. The resolution states:

All registry agreements include a presumptive right of renewal clause. This clause provides a registry operator the right to renew the agreement at its expiration provided the registry operator is in good standing (e.g., the registry operator does not have any uncured breaches), and subject to the terms of their presumptive renewal clauses.

In the course of engaging with a legacy registry operator on renewing its agreement, ICANN org prefers to and proposes that the registry operator adopts the new form of registry agreement that is used by new gTLDs as the starting point for the negotiations. This new form includes several enhancements that benefit the domain name ecosystem such as better safeguards in dealing with domain name infrastructure abuse, emergency backend support, as well as adoption of new bilaterally negotiated provisions that ICANN org and the gTLD Registries Stakeholder Group conduct from time to time for updates to the form agreement, and adoption of new services (e.g., RDAP) and procedures.

Although ICANN org proposes the new form of registry agreement as a starting place for the renewal, because of the registry operator’s presumptive right of renewal ICANN org is not in a position to mandate the new form as a condition of renewal. If a registry operator states a strong preference for maintaining its existing legacy agreement form, ICANN org would accommodate such a position, and has done so in at least one such instance.

I believe the gTLD referred to in the last sentence is Verisign’s .net, which renewed in 2017 without substantially transitioning to the 2012-round contract.

On the acquisition, the board notes:

the Board acknowledges (and the Requestor points out in its Rebuttal) the recently announced acquisition of PIR, the current .ORG registry operator, and the results of that transaction is something that ICANN organization will be evaluating as part of its normal process in such circumstances.

That appears to be a nod to the fact that ICANN has the power to reject changes of control under exceptional circumstances, per the .org contract.

Despite the wholly predictable rejection of Namecheap’s RfR, appeals against the contract’s new terms may not be over.

For some reason I have yet to ascertain, the very similar RfR filed around the same time by the Electronic Frontier Foundation was not considered, despite being on the agenda for last Thursday’s board meeting.

Additionally, I hear Namecheap has applied for Cooperative Engagement Process status, meaning it is contemplating filing an Independent Review Process appeal.

Second, Ethos Capital, PIR’s new owner, launched a web site in which it attempts to calm many of the concerns, criticisms and conspiracy theories leveled its way since the acquisition was announced.

Found at keypointsabout.org, the site tries to clarify the timing and motivation of the deal.

On timing, Ethos says:

Ethos Capital first approached the Internet Society in September 2019, well after PIR’s contract renewal with ICANN had finished… PIR was not for sale at the time the price caps were lifted on .ORG. The removal of .ORG’s price restrictions earlier this year was not unique to .ORG and was in no way motivated by a desire to sell PIR.

The .org contract was signed at the end of July, so while Ethos may well have been lusting after PIR before the renewal, it apparently did not run towards it with its trousers around its ankles until at least a month later.

On its pricing intentions, Ethos says:

The current price of a .ORG domain name is approximately $10 per year. Our plan is to live within the spirit of historic practice when it comes to pricing, which means, potentially, annual price increases of up to 10 percent on average — which today would equate to approximately $1 per year.

This sounds rather specific, but it’s vague enough to give PIR leeway to, say, introduce a 100% increase immediately and then freeze prices until it averages out at 10% per year. I don’t think the company will do something so extreme, but it would technically be possible the way it’s described here.

On the connections to Abry Partners and former ICANN CEO Fadi Chehade, Ethos says that while founder and CEO Erik Brooks is a 20-year veteran of Abry (which also owns Donuts) “Abry Partners is not involved in this transaction.”

It adds, however, that Chehade’s company, Chehade & Company, where Ethos chief purpose officer Nora Abusitta-Ouri has worked “is an adviser to Ethos”.

What this means, at the very least, is that the new owner of .org allowed an outside contractor to register the domain matching its name in the very gTLD it runs, which most domain veterans will recognize as a rookie mistake.

Ethos goes on to list VidMob Inc, Whistle Sports Inc, Adhark Inc and LiquidX Inc as other companies Ethos has invested in, perhaps rubbishing the hypothesis (which I, admittedly, have publicly floated) that Ethos was a vehicle created by Abry purely to buy up PIR.

Third, Ethos may be funded by “billionaire Republicans”.

.eco registry founder Jacob Malthouse, who’s trying to rouse up support for the #SaveDotOrg campaign, dug up an email apparently sent by ISOC CEO Andrew Sullivan to a members mailing list in the wake of the acquisition announcement, which names some of the backers of the deal.

They are: Perot Holdings, FMR LLC and Solamere Capital.

What they have in common is that they’re all — at least according to Malthouse’s since-amended original post — founded/owned/affiliated with prominent billionaire US Republicans. I’m not sure I’d fully agree with that characterization.

Perot was founded by Ross Perot, who stood for US president as an independent a few times but spent the last couple of decades of his life (which ended in July) as a Republican. I’d say his political affiliation died with him.

FMR, or Fidelity Investments, is run by Abigail Johnson, who inherited the role from her father and grandfather. While she’s made donations to Republicans including local senator, Mitt Romney, she also gave Hillary Clinton a tonne of cash to support her 2016 presidential election run, so I’m not sure I’d necessarily characterize her as die-hard GOP.

Romney himself was involved in the founding of Solamere Capital, the third apparent Ethos investor, but according to its web site he stepped down at the start of this year, long before Ethos was even founded, in order to re-join the US Senate.

I’m not sure what the big deal about these connections is anyway, unless you’re of the (often not unreasonable) belief that you don’t get to be a billionaire Republican without being just a little bit Evil.

Fourth, a bunch of non-profits are campaigning to get the deal scrapped.

The #SaveDotOrg campaign now has its matching .org address and web site, savedotorg.org.

It appears to have been set up by the EFF, but its supporters also include the non-profits American Alliance of Museums, American Society of Association Executives, Aspiration, Association of Junior Leagues International, Inc., Creative Commons, Crisis Text Line, Demand Progress Education Fund, DoSomething.org, European Climate Foundation, Free Software Foundation, Girl Scouts of the USA, Independent Sector, Internet Archive, Meals on Wheels America, National Council of Nonprofits, National Human Services Assembly, NTEN, Palante Technology Cooperative, Public Knowledge, R Street Institute, TechSoup, VolunteerMatch, Volunteers of America, Wikimedia Foundation, YMCA of the USA and YWCA USA.

The letter (pdf) states:

Non-governmental organizations all over the world rely on the .ORG top-level domain. Decisions affecting .ORG must be made with the consultation of the NGO community, overseen by a trusted community leader. If the Internet Society (ISOC) can no longer be that leader, it should work with the NGO community and the Internet Corporation for Assigned Names and Numbers (ICANN) to find an appropriate replacement.

It claims that the new .org contract gives PIR powers to “do significant harm” to non-profits, should they be abused.

The campaign has had a little traction on social media and so far has over 8,000 signatures.