Latest news of the domain name industry

Recent Posts

Fight as ICANN “backtracks” on piracy policing

Kevin Murphy, July 1, 2016, Domain Policy

ICANN has clarified that it will not terminate new gTLD registries that have piracy web sites in their zones, potentially inflaming an ongoing fight between domain companies and intellectual property interests.

This week’s ICANN 56 policy meeting in Helsinki saw registries and the Intellectual Property Constituency clash over whether an ICANN rule means that registries breach their contract if they don’t suspend piracy domains.

Both sides have different interpretation of the rule, found in the so-called “Public Interest Commitments” or PICs that can be found in Specification 11 of every new gTLD Registry Agreement.

But ICANN chair Steve Crocker, in a letter to the IPC last night, seemed to side strongly with the registries’ interpretation.

Spec 11 states, among other things, that:

Registry Operator will include a provision in its Registry-Registrar Agreement that requires Registrars to include in their Registration Agreements a provision prohibiting Registered Name Holders from distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law, and providing (consistent with applicable law and any related procedures) consequences for such activities including suspension of the domain name.

A literal reading of this, and the reading favored by registries, is that all registries have to do to be in compliance is to include the piracy prohibitions in their Registry-Registrar Agreement, essentially passing off responsibility for piracy to registrars (which in turn pass of responsibility to registrants).

Registries believe that the phrase “consistent with applicable law and related procedures” means they only have to suspend a domain name when they receive a court order.

Members of the IPC, on the other hand, say this reading is ridiculous.

“We don’t know what this clause means,” Marc Trachtenberg of the IPC said during a session in Helsinki on Tuesday. “It’s got to mean something. It can’t just mean you have to put a provision into a contract, that’s pointless.”

“To put a provision into a contract that you’re not going to enforce, has no meaning,” he added. “And to have a clause that a registry operator or registrar has to comply with a court order, that’s meaningless also. Clearly a registry operator has to comply with a court order.”

Some IPC members think ICANN has “backtracked” by introducing the PICs concept then failing to enforce it.

IPC members in general believe that registries are supposed to not only require their registrars to ban piracy sites, but also to suspend piracy domains when they’re told about them.

Registries including Donuts have started doing this recently on a voluntary basis with partners such as the Motion Picture Association of America, but believe that ICANN should not be in the business of content policing.

“[Spec 11] doesn’t say what some members of the IPC think it says,” Donuts VP Jon Nevett said during the Helsinki session. “To say we’re in blatant violation of that PIC and that ICANN is not enforcing that PIC is problematic.”

The fight kicked off face-to-face in Helsinki, but it has been happening behind the scenes for several months.

The IPC got mad back in February when Crocker, responding to Governmental Advisory Committee concerns about intellectual property abuse, said the issue “appears to be outside of our mandate” (pdf).

That’s a reference to ICANN’s strengthening resolve that it is not and should not be the internet’s “content police”.

In April (pdf) and June (pdf) letters, IPC president Greg Shatan and the Coalition for Online Accountability’s Steve Metalitz called on Crocker to clarify this statement.

Last night, he did, and the clarification is unlikely to make the IPC happy.

Crocker wrote (pdf):

ICANN will bring enforcement actions against Registries that fail to include the required prohibitions and reservations in its end-user agreements and against Registrars that fail to main the required abuse point of contact…

This does not mean, however, that ICANN is required or qualified to make factual and legal determinations as to whether a Registered Name Holder or website operator is violating applicable laws and governmental regulations, and to assess what would constitute an appropriate remedy in any particular situation.

This seems pretty clear — new gTLD registries are not going to be held accountable for domains used for content piracy.

The debate may not be over however.

During Helsinki there was a smaller, semi-private (recorded but not webcast live) meeting of the some registries, IPC and GAC members, hosted by ICANN board member Bruce Tonkin, which evidently concluded that more discussion is needed to reach a common understanding of just what the hell these PICs mean.

Radix joins the Hollywood content police

Radix has become the second major gTLD registry to announce a content policing deal with the movie industry.

It today said it has signed an agreement with the Motion Picture Association of America similar to the one Donuts announced in February.

Like Donuts, Radix will treat the MPAA as a “trusted notifier” for the purposes of taking down “large-scale pirate websites”.

Radix said the deal “imposes strict standards for such referrals, including that they be accompanied by evidence of clear and pervasive copyright infringement, and a representation that the MPAA has first attempted to contact the registrar and hosting provider for resolution.”

Donuts described its notifier program in this document (pdf). Radix said its arrangement is “similar”.

The Donuts-MPAA deal proved somewhat controversial.

The Electronic Frontier Foundation invoked the slippery slope argument, saying of it:

The danger in agreements like this is that they could become a blanket policy that Internet users cannot avoid. If what’s past is prologue, expect to see MPAA and other groups of powerful media companies touting the Donuts agreement as a new norm, and using it to push ICANN and governments towards making all domain name registries disable access to an entire website on a mere accusation of infringement.

The EFF said these kinds of deals could ultimately lead to legal freedom of speech being curtailed online.

We’re not quite there yet — right now we have two gTLD registries (albeit covering over 200 gTLDs) and one trusted notifier — but I expect more similar deals in future, branching out into different industries such as music and pharamaceuticals.

The deals stem in part from the Domain Name Association’s Healthy Domains Initiative, which aims to avoid ICANN/government regulation by creating voluntary best practices for the industry.

The advantage of a voluntary arrangement is that there’s no risk of a terminal sanction — such as losing your registry contract — if you fail to live up to its terms.

Radix’s portfolio includes .website, .space, .online and .tech. It’s also a .music and .web applicant.

Rape ban results in just one .uk takedown, but piracy suspensions soar

Kevin Murphy, February 19, 2016, Domain Registries

Nominet’s controversial policy of suspending domain names that appear to condone rape resulted in one .uk domain being taken down last year.

That’s according to a summary of take-downs published by Nominet yesterday.

The report (pdf) reveals that 3,889 .uk names were taken down in the 12 months to October 31, 2015.

That’s up on the the 948 domains suspended in the six months to October 31, 2014.

The vast majority — 3,610 — were as a result of complaints from the Police Intellectual Property Crime Unit. In the October 2014 period, that unit was responsible for 839 suspensions.

Unlike these types of suspensions, which deal with the allegedly illegal content of web sites, the “offensive names” ban deals purely with the words in the domain names.

Nominet’s systems automatically flagged 2,407 names as potentially in breach of the policy — most likely because they contained the string “rape” or similar — in the 12 months.

But only one of those was judged, upon human perusal, in breach.

In the previous 12 months period, 11 domains were suspended based on this policy, but nine of those had been registered prior to the implementation of the policy early in 2014.

The policy, which bans domains that “promote or incite serious sexual violence”, was put in place following an independent review by Lord Macdonald.

He was recruited for advice due to government pressure following a couple of lazy anti-porn articles, both based on questionable research by a single anti-porn campaigner, in the right-wing press.

Assuming it takes a Nominet employee five minutes to manually review a .uk domain for breach, it seems the company is paying for 200 person-hours per year, or 25 working days, to take down one or two domain names that probably wouldn’t have caused any actual harm anyway.

Great policy.

Donuts makes Hollywood content policing deal

Kevin Murphy, February 9, 2016, Domain Registries

Donuts has made a deal with the American movie industry that will make it easier to take down piracy domains.

The Motion Picture Association of America has been given a “Trusted Notifier” status, and the two companies have agreed upon a domain take-down framework.

The agreement targets “large-scale pirate websites”, Donuts said.

It’s the first such deal Donuts has made, executive VP Jon Nevett told DI, but it’s likely to be extended into other industries, possibility including music, pharmaceuticals and child abuse prevention.

“This could be a model for not just content-related issues,” he said.

Nevett did not want to get into much detail about the specifics of the take-down process by discussing the definition of “large scale” or timing, but he did say that the MPAA has an obligation to do manual research into each domain it wants suspending.

After it receives a report from the MPAA, Donuts will reach out to the registrar and registrant to ask for an explanation of the alleged piracy.

A decision to suspend the domain or leave it alone would be made “solely in our discretion”, Nevett said.

Donuts already has this in its acceptable use policy, which reads in part:

Donuts reserves the right, at its sole discretion and at any time and without limitation, to deny, suspend, cancel, redirect, or transfer any registration or transaction, or place any domain name(s) on registry lock, hold, or similar status as it determines necessary for any of the following reasons:

domain name use is abusive or violates this AUP, or a third party’s rights or acceptable use policies, including but not limited to the infringement of any copyright or trademark;

While Donuts is the registry for .movie and .theater, the MPAA agreement applies to all of its almost 200 gTLDs.

The announcement comes the day before the Domain Name Association meets to discuss its Healthy Domains Initiative.

Nevett said that DNA members will meet tomorrow with law enforcement, IP owners, and abuse prevention and security folk to seek input on the question “What are tenets of healthy domain ecosystem?”

That input will be discussed at a subsequent DNA meeting, likely to coincide with the ICANN meeting in Marrakech this April.

The eventual goal is to come up with a set of voluntary best practices for registries and registrars.

Nevett stressed that the MPAA deal, and whatever the DNA comes up with, are voluntary agreements made outside the auspices of ICANN’s contracts.

Despite this, the “Trusted Notifier” concept does put me in mind of section 3.18 of the Registrar Accreditation Agreement, where governmental or affiliated entities are given special powers to have dodgy domains investigated and suspended.

Pirates lose privacy rights under new ICANN rules

Kevin Murphy, January 22, 2016, Domain Registrars

People operating piracy web sites would have a harder time keeping their personal information private under new ICANN rules.

ICANN’s GNSO Council last night approved a set of recommendations that lay down the rules of engagement for when trademark and copyright owners try to unmask Whois privacy users.

Among other things, the new rules would make it clear that privacy services are not permitted to reject requests to reveal a domain’s true owner just because the IP-based request relates to the content of a web site rather than just its domain name.

The recommendations also contain safeguards that would allow registrants to retain their privacy if, for example, their safety would be at risk if their identities were revealed.

The 93-page document (pdf) approved unanimously by the Council carries a “Illustrative Disclosure Framework” appendix that lays out the procedures in some depth.

The framework only covers requests from IP owners to proxy/privacy services. The GNSO was unable to come up with a similar framework for dealing with, for example, requests from law enforcement agencies.

It states flatly:

Disclosure [of the registrant’s true Whois details] cannot be refused solely for lack of any of the following: (i) a court order; (ii) a subpoena; (iii) a pending civil action; or (iv) a UDRP or URS proceeding; nor can refusal to disclose be solely based on the fact that the Request is founded on alleged intellectual property infringement in content on a website associated with the domain name.

This fairly explicitly prevents privacy services (which in most cases are registrars) using the “we don’t regulate content” argument to shoot down disclosure requests from IP owners.

Some registrars were not happy about this paragraph in early drafts, yet it remains.

Count that as a win for the IP lobby.

However, the new recommendations spend a lot more time giving IP owners a quite strict set of guidelines for how to file such requests in the first place.

If they persistently spam the registrar with automated disclosure requests, the registrar is free to ignore them. They can even share details of spammy IP owners with other registrars.

The registrar is also free to ignore requests that, for example, don’t give the exact or representative URL of an alleged copyright infringement, or if the requester has not first attempted to contact the registrant via an email relay service, should one be in place.

The registrant also gets a 15-day warning that somebody has requested their private details, during which, if they value their privacy more than their web site, they’re able to relinquish their domain and remain anonymous.

If the registrant instead uses that time to provide a good reason why they’re not infringing the requester’s rights, and the privacy service agrees, the request can also be denied.

The guidelines would make it easier for privacy service operators to understand what their obligations are. By formalizing the request format, it should make it easier to separate legit requests from the spurious requests.

They’re even allowed to charge IP owners a nominal fee to streamline the processing of their requests.

While these recommendations have been approved by the GNSO Council, they need to be approved by the ICANN board before becoming the law of the ‘net.

They also need to pass through an implementation process (conducted by ICANN staff and GNSO members) that turns the recommendations into written procedures and contracts which, due to their complexity, I have a hunch will take some time.

The idea is that the rules will form part of an accreditation program for privacy/proxy services, administered by ICANN.

Registrars would only be able to use P/P services that agree to follow these rules and that have been accredited by ICANN.

It seems to me that the new rules may be quite effective at cracking down on rogue, “bulletproof” registrars that automatically dismiss piracy-based disclosure requests by saying they’re not qualified to adjudicate copyright disputes.