Latest news of the domain name industry

Recent Posts

That .sucks weirdness? Worse than I thought

Kevin Murphy, October 16, 2020, Domain Registries

A business plan to turn .sucks into a massive Wikipedia-style gripe site, described by trademark lawyers five years ago as a “shakedown”, has reared it ugly head again.

You may recall that earlier this week I reported how somebody had registered many hundreds of .sucks domain names and listed them for sale on secondary market web sites at cost price. It looked weird, almost as if the registry or an affiliate was the registrant, which the registry denied.

It turns out I only told you half the story, for which I can only apologize.

At the time, the domains in question were not resolving for me, probably due to my terrible, block-happy ISP. But now they are resolving, and they reveal the return of Everything.sucks, a plan first floated by the .sucks registry in 2015.

It’s a network of hundreds of .sucks micro gripe-sites, each targeted to a specific brand and each each populated with content scraped, usually without citation, from Wikipedia, social media, and consumer-review aggregator web sites.

Here’s where jackdaniels.sucks takes you, for example (click to enlarge).

Jack Daniels sucks

The description of the company is taken from Wikipedia. The customer comments below are taken from reviews of an apparently unrelated company called The Whisky Exchange published by TrustPilot, and the social media posts have been pulled from Instagram users deploying the hashtag #jackdanielssucks.

Other pages on the site seem to scrape content from GlassDoor, a site where employees review their employers.

While there’s nothing wrong with gripe sites, automating their creation over hundreds or even thousands of brands that you don’t genuinely have gripes with seems, charitably, churlish.

And these gripe sites are — or at least were — being monetized.

You’ll see a banner ad in the top-right corner of the above screen-grab, offering jackdaniels.sucks for sale. The link took you to a page on Sedo that offers the domain for sale with a buy-now price of $199 (the same as the registry’s wholesale fee).

Banners on other pages led to landers on GoDaddy-owned Uniregistry.com with prices of $599.

These banners, which appeared on every brand’s page that I checked, seem to have disappeared at some point over the last two days. I’m sure the change is unrelated to the fact that I started asking .sucks registry Vox Populi and parent Momentous difficult questions about these trademark-match domains on Wednesday.

While UDRP panels have disagreed over the years, there’s precedent dating back two decades that “trademarksucks.tld” domains with sites that contain genuine, non-commercial criticism can confer legitimate rights to the registrant and are therefore NOT cybersquatting.

I doubt a site that actively tries to sell the domain name in question for above out-of-pocket costs could be considered non-commercial.

Still, it looks like those banners are gone now, and I can’t find any other examples of obvious monetization.

I use jackdaniels.sucks as an example here as it’s the site I took a screenshot of before the changes, but there are many hundreds of similar trademark-match domains being used to feed traffic to Everything.sucks.

I note that unitedinternet.sucks, named after the parent company of Sedo, is for sale for $199 on Sedo and leads to a gripe site on Everything.sucks containing less-than-complimentary remarks. It’s for sale at $599 on Uniregistry.

But who is Everything.sucks?

The concept itself originates with the .sucks registry itself. Before the TLD launched in 2015, it floated the idea to a tsunami of criticism from trademark owners.

The plan back then was to sell .sucks domains for .com prices — a discount of a couple hundred dollars — but only to registrants unaffiliated with the trademark owner. These registrants would have had to forward their domains to an Everything.sucks-branded discussion forum.

Back then, Vox Pop said it planned to work with a non-for-profit third party on this initiative.

That third party never materialized, and later in 2015 appeared to mutate into a system called This.sucks, operated by a company called This.sucks Ltd, which took over the Everything.sucks domain name.

This.sucks sold .sucks domains for $12 a year, with the domains pointing to a forum/blogging platform that the company hoped to monetize.

Both This.sucks and Vox Pop denied there was any link between the two companies, but I later uncovered a lot of compelling circumstantial evidence linking the two companies, including the fact that Rob Hall, CEO of Vox Pop parent Momentous, paid for This.sucks’ web site design.

This.sucks appears to have fizzled out in the intervening years, but now Everything.sucks is back with a mystery registrant snapping up thousands of domains, at a cost of at least half a million bucks, under the Everything.sucks brand.

Public Whois is useless nowadays, of course.

But the front page of Everything.sucks describes it as “a non-profit organization and communications forum for social activism”.

Many of the domains that redirect to its site appear to be registered to a Turks and Caicos company called Honey Salt Ltd, a name that does not naturally suggest a non-profit entity.

Others use Momentous’ domain privacy service. All appear to be registered via Momentous-owned registrar Rebel, which sells .sucks domains at cost and is therefore one of the cheapest registrars on the market.

Back in 2015, intellectual property interests expressed doubt that the proposed Everything.sucks third party and the This.sucks third party were not in fact just smokescreens, fronts for the registry itself.

Vox Pop CEO John Berard on Wednesday denied to DI that the company had any involvement in the recent spurt of trademark-match registrations being used by Everything.sucks and expressed a lack of knowledge about the registrant’s intent.

I’ve not yet received comment from Momentous, but I’d be very surprised if the company does not know who is behind Everything.sucks.

At the very least, Vox Pop and Rebel are both privy to the unexpurgated Whois and/or customer records for whoever is running Everything.sucks and whoever it is that has grown the .sucks zone file by about 50% since June.

Could .cpa be the most successful new gTLD sunrise yet?

Kevin Murphy, September 25, 2020, Domain Registries

The registry for the new .cpa gTLD reckons it has received “thousands” of applications for domains during its current launch period, potentially making it the most successful gTLD sunrise since 2012.

The American Institute of Certified Public Accountants, which manages the TLD, said today:

Well over half of the 100 biggest U.S. firms — as well as an equally large percentage of the next 400 — have begun advancing their applications as part of the early phase of the .cpa registration process, which launched on Sept. 1.

Assuming “thousands” means at least 2,000, this would make .cpa a top three or four sunrise, judging by figures collected by ICANN showing Google’s .app the current volume leader at 2,908.

But we can’t assume that all the .cpa domains boasted of are trademark-verified sunrise period applications under ICANN’s rules.

AICPA is running a simultaneous Limited Registration Period during which any CPA firm can apply for domains that are “most consistent with their current digital branding” — ie, no trademark required.

Both of these periods end October 31, after which the registry will dole out domains in a batch, presumably giving preference to the sunrise applicants.

We have to assume the amount of purely defensive registrations will be relatively low, due to AICPA’s policies.

Not only are registrants limited to licensed CPA companies and individuals, but registrants have to commit to redirect their .cpa domain to their existing web site within a month and deploy a full web site within a year.

.cpa domains sell for $225 a year, according to the registry. General availability is scheduled for January 15.

Floodgates, open! Trademark Clearinghouse now supports .com

Kevin Murphy, September 15, 2020, Domain Services

The Trademark Clearinghouse has added .com to the roster of TLDs supported by its infringement notification service.

The Deloitte-managed service recently announced the change to its Ongoing Notification Service, which came into effect late last month.

The update means TMCH subscribers will receive alerts whenever a .com domain is registered that contains their trademark, helping them to decide whether to pursue enforcement actions such as UDRP.

Unlike the ICANN-mandated 90-day Trademark Claims period that accompanies the launch of each new gTLD, the registrant herself does not receive an alert of possible infringement at point of registration.

The service, which is not regulated by ICANN, is still free to companies that have their marks registered in the TMCH, which charges an extra dollar for every variation of a mark the holder wishes to monitor.

Such services have been commercially available from the likes of MarkMonitor for 20 years or more. The TMCH has been offering it for new gTLDs since they started launching at the end of 2013.

With the .com-shaped gaping hole now plugged, two things could happen.

First, clients may find a steep increase in the number of alerts they receive — .com is still the biggest-selling and in volume terms the most-abused TLD.

Second, commercial providers of similar services now find themselves competing against a free rival with an ICANN-enabled captive audience.

The upgrade comes at the tail end of the current wave of the new gTLD program. With the .gay launch out of the way and other desirable open TLDs tied up in litigation, there won’t be much call for TMCH’s core services for the next few years.

It also comes just a couple months after the .com zone file started being published on ICANN’s Centralized Zone Data Service, but I expect that’s just a coincidence.

No .sex please, we’re infected!

MMX saw poorer-than-expected sales of porn-related defensive registrations in the first half of the year, the only blip in what was otherwise a strong period for the company.

The registry updated the market today to say that its domain name base grew by 31% year over year during the half, ending June with 2.38 million names under management. It only grew by 19% in the same period last year.

Billings for H1 were up 7% at $7.9 million, MMX said.

But because the mix shifted away from one-off brokered sales, which are registered on the earnings report as a lump sum, and towards regular automated registrations, which are recognized over the lifetime of the reg, MMX expects to report revenue 5% down on last year.

While that’s all fair enough, the company said that it didn’t sell as many defensive blocks in .xxx, .sex, .porn and .adult as it had expected, which it blamed on coronavirus:

Management also notes that expected H1 channel sales from the Company’s brand protection activity were held back due to the impact of COVID-19, but anticipates those brand protection initiatives that were delayed in Q2 will resume in H2.

It’s a reference to the AdultBlock and AdultBlock Plus services launched last year, which enable trademark owners to block (and not use) their marks in all four adult TLDs for about $350 to $800 a year.

$11 billion dot-brand blames coronavirus as it self-euthanizes

Another new gTLD you’ve never heard of and don’t care about has asked ICANN to terminate its registry contract, but it has a rather peculiar reason for doing so.

The registry is Shriram Capital, the financial services arm of a very rich Indian conglomerate, and the gTLD is .shriram.

In its termination notice, Shriram said: “Due to unprecedented Covid-19 effect on the business, we have no other option but to terminate the registry agreement with effect from 3lst March 2020.”

Weird because the letter was sent in May, and weird because Shriram Group reportedly had revenue of $11 billion in 2017. The carrying cost of a dot-brand isn’t that much.

Registries don’t actually need an excuse to terminate their contracts, so the spin from Shriram is a bit of a mystery.

Shriram had actually been using .shriram, with a handful of domains either redirecting to .com sites or actually hosting sites of their own.

It’s the 79th dot-brand to self-terminate. ICANN expects to lose 62 in the fiscal year that started three weeks ago.

Donuts rolls out free phishing attack protection for all registrants

Donuts is offering registrants of domains in its suite of new gTLDs free protection from homograph-based phishing attacks.

These are the attacks where a a bad guy registers a domain name visually similar or identical to an existing domain, with one or more characters replaced with an identical character in a different script.

An example would be xn--ggle-0nda.com, which can display in browser address bars as “gοοgle.com”, despite having two Cyrillic characters that look like the letter O.

These domains are then used in phishing attacks, with bad actors attempting to farm passwords from unsuspecting victims.

Under Donuts’ new service, called TrueNames, such homographs would be blocked at the registry level at point of sale at no extra cost.

Donuts said earlier this year that it intended to apply this technology to all current and future registrations across its 250-odd TLDs.

The company has been testing the system at its registrar, Name.com, and reckons the TrueNames branding in the shopping cart can lead to increased conversions and bigger sales of add-on services.

It now wants other registrars to sign up to the offering.

It’s not Donuts’ first foray into this space. Its trademark-protection service, Domain Protected Marks List, which has about 3,500 brands in it, has had homograph protection for a few years.

But now it appears it will be free for all customers, not just deep-pocketed defensive registrants.

Amazon finally gets its dot-brands despite last-minute government plea

Amazon’s three long-sought dot-brand gTLDs were added to the DNS root last night, despite an eleventh-hour attempt by South American governments to drag the company back to the negotiating table.

.amazon, along with the Japanese and Chinese translations — .アマゾン (.xn--cckwcxetd) and .亚马逊 (.xn--jlq480n2rg) — and its NIC sites have already gone live.

Visiting nic.amazon today will present you with a brief corporate blurb and a link to Amazon’s saccharine social-responsibility blog. As a dot-brand, only Amazon will be allowed to use .amazon domains.

The delegations come despite a last-minute plea to ICANN by the eight-government Amazon Cooperation Treaty Organization, which unsuccessfully tried to insert itself into the role of “joint manager” of the gTLDs.

ACTO believes its historical cultural right to the string outweighs the e-commerce giant’s trademark, and that its should have a more or less equal role in the gTLD’s management.

This position was untenable to Amazon, which countered with a collection of safeguards protecting culturally sensitive strings and various other baubles.

Talks fell through last year and ICANN approved the gTLDs over ACTO’s objections.

ACTO’s secretary-general, Alexandra Moreira, wrote to ICANN (pdf) May 21 to take one last stab at getting Amazon back in talks, telling CEO Göran Marby:

the name “Amazon” pertains to a geographical region constituting an integral part of the heritage of its countries. Therefore, we Amazonians have the right to participate in the governance of the “.amazon” TLD.

Our side is ready to resume negotiations on the TLD’s governance with the Amazon Corporation., from the point where their side interrupted it, with a view to arriving at a satisfactory agreement.

Her letter came in response to an earlier Marby missive (pdf) that extensively set out ICANN’s case that talks fell apart due to ACTO repeatedly postponing and cancelling scheduled meetings.

Despite the fact that Amazon’s basically got what it wanted, seven years after filing its gTLD applications, ACTO’s members didn’t get nothing.

The contracts Amazon signed with ICANN back in December have Public Interest Commitments in them that allow the governments to reserve up to 1,500 culturally sensitive strings from registration, as well as giving each nation its own .amazon domain.

World’s youngest country launches its Nazi-risk TLD next week

South Sudan is gearing up to launch its controversial top-level domain, .ss, on Monday.

It’s being run by the National Communication Authority for the country, which was founded in 2011 after its split from Sudan and is the world’s youngest nation.

As I noted back then, while SS was the natural and obvious choice of ISO country code, it’s potentially controversial due to the risk of it being used by modern-day Nazis in honor of Hitler’s Schutzstaffel.

Arguably, the risk nine years later is even greater due to the rise of the populist, nationalist right around the world.

So some readers may be pleased to hear that the registry is playing its launch by the book, starting with a sunrise period from June 1 to July 15. Trademark owners will have to show proof of ownership.

I’m sure Hugo Boss already has an intern with a checkbook, trademark certificate and sleeping bag outside the registry’s HQ, to be sure to be first in line on Monday.

Sunrise will be followed by a landrush period from July 17 to August 17, during which names can be acquired for a premium fee.

Immediately after that there’ll be an early access period, from August 19 to August 29, with more premium fees. General availability will begin September 1.

Perhaps surprisingly, given the direction other ccTLDs have been taking over the last decade, South Sudan has opted for a three-level structure, with registrations possible under .com.ss, .net.ss, .biz.ss, .org.ss, .gov.ss, .edu.ss, .sch.ss and .me.ss.

The com/net/biz/me versions are open to all. The others require some proof that the registrant belongs to the specific category.

The registry says it plans to make direct second-level regs available “at a later date”.

Getting your hands on a .ss domain may prove difficult.

Trademark owners won’t be able to use their regular corporate registrar (at least not directly) as NCA is only currently accredited South Sudan-based registrars. So far, only two have been accredited. Neither are also ICANN-accredited.

One is rather unfortunately called JuHub. It’s apparently using a free domain from Freenom’s .ml (Mali) and is listed as having its email at Gmail, which may not inspire confidence. Its web site does not resolve for me.

The other is NamesForUs, which is already taking pre-registration requests. No pricing is available.

The registry’s web site has also been down for most of today, and appears to have been hacked by a CBD splogger at some point, neither of which bodes well.

Irony alert! Data protection agency complains it can’t get access to private Whois data

Kevin Murphy, May 26, 2020, Domain Policy

A European data protection authority has complained to ICANN after a registrar refused to hand over one of its customers’ private Whois records, citing the GDPR data protection regulation, according to ICANN.

Compounding the irony, the DPA wanted the data as part of its probe into an alleged GDPR violation at the domain in question.

This is the frankly hilarious scenario outlined in a letter (pdf) from ICANN boss Göran Marby to Andrea Jelinek, chair of the European Data Protection Board, last week.

Since May 2018, registrars and registries have been obliged under ICANN rules to redact all personally identifiable information from public Whois records, because of the EU’s General Data Protection regulation.

This has irked the likes of law enforcement and intellectual property owners, who have found it increasingly difficult to discover the identities of suspected bad actors such as fraudsters and cybersquatters.

Registrars are still obliged to hand over data upon request in certain circumstances, but the rules are vague, requiring a judgement call:

Registry and Registrar MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject pursuant to Article 6(1)(f) GDPR.

While an ICANN working group has been attempting to come up with a clearer-cut set of guidelines, administered by a central body, this so-called SSAD (System for Standardized Access/Disclosure) has yet to come to fruition.

So when an unidentified European DPA recently asked a similarly unidentified non-EU registrar for the Whois data of somebody they suspected of GDPR violations, the registrar told it to get stuffed.

It told the DPA it would “not act against a domain name without any clear and unambiguous evidence for the fraudulent behavior” and said it would respond to legal requests in its own jurisdiction, according to ICANN.

The DPA complained to ICANN, and now ICANN is using that complaint to shame the EDPB into getting off the fence and providing some much-needed clarity about when registrars can declassify Whois data without breaking the law.

Marby wrote that registrars are having to apply their “subjective judgment and discretion” and will most often come down on the side of registrants in order to reduce their GDPR risk. He wrote:

ICANN org would respectfully suggest to the EDPB that a more explicit recognition of the importance of certain legitimate interests, including the relevance of public interests, combined with clearer guidelines on balancing, could address these problems.

ICANN org would respectfully suggest to the EDPB to consider issuing additional specific guidance on this topic to ensure that entities with a legitimate interest in obtaining access to non-public gTLD registration data are able to do so. Guidance would in particular be appreciated on how to balance legitimate interests in access to data with the interests of the data subject concerned

ICANN and the EDPB have been communicating about this issue for a couple of years now, with ICANN looking for some clarity on this largely untested area of law, but the EDPB’s responses to data have been pretty vague and unhelpful, almost as if it doesn’t know what the hell it’s doing either.

Will this latest example of the unintended consequences of GDPR give the Board the kick up the bum it needs to start talking in specifics? We’ll have to wait and see.

CSC removes reference to “retiring” new gTLD domain after retiring new gTLD domain

The corporate registrar and new gTLD management consultant CSC Global has ditched a new gTLD domain in favor of a .com, but edited its announcement after the poor optics became clear.

In a brief blog post this week, the company wrote:

We’re retiring cscdigitalbrand.services to give you a more user-friendly interface at cscdbs.com.

From the trusted provider of choice for Forbes Global 2000 companies, this more user-friendly site is filled with information you need to secure and protect your brand. You’ll experience a brand new look and feel, at-a-glance facts and figures, learn about the latest digital threats, access our trusted resources, and see what our customers are saying.

Visit the site to learn more about our core solutions: domain management, domain security, and brand and fraud protection.

But the current version of the post expunges the first paragraph, referring to the retirement of its .services domain, entirely.

I’m going to guess this happened after OnlineDomain reported the move.

But the original text is still in the blog’s cached RSS feed at Feedly.

CSC blog post

It’s perhaps not surprising that CSC would not want to draw attention to the fact that it’s withdrawn to a .com from a .services, the gTLD managed by Donuts.

After all, CSC manages dozens of new gTLDs for clients including Apple, Yahoo and Home Depot, and releases quarterly reports tracking and encouraging activation of dot-brands.

Interestingly, and I’m veering a little off-topic here, there is a .csc new gTLD but CSC does not own it. It was delegated to a company called Computer Sciences Corporation (ironically through an application managed by CSC rival MarkMonitor) which also owns csc.com.

Computer Sciences Corporation never really got around to using .csc, and in 2017 merged with a unit of HP to form DXC Technology.

If you visit nic.csc today, you’ll be redirected to dxc.technology/nic, which bears a notice that it’s the “registry for the .dxc top-level domain”.

Given that the .dxc top-level domain doesn’t actually exist, I think this might make DXC the first company to openly declare its intent to go after a dot-brand in the next round of new gTLDs.