Latest news of the domain name industry

Recent Posts

Brandsight starts beta with “large corporations”

Kevin Murphy, February 20, 2018, Domain Registrars

New brand management registrar Brandsight says it has started a beta test of its initial service.

Head of marketing Elisa Cooper tells DI the service is being tested by prospective clients at unspecified “large corporations”.

Brandsight Domain Name Management is a portfolio management system for large corporate domain controllers.

The company reckons its service is more streamlined than the competition, leveraging “big data” and modern user interface techniques to make brand managers’ lives easier.

Features include the ability to make sure domains are forwarding to where they’re supposed to. There’s also an industry news feed, according to a press release.

Brandsight was formed last year and staffed by former senior staffers from Fairwinds and MarkMonitor who thought they’d spotted a gap in the market.

ICANN chief to lead talks over blocked .amazon gTLD

Kevin Murphy, February 14, 2018, Domain Policy

ICANN CEO Goran Marby has been asked to help Amazon come to terms with several South American governments over its controversial bid for the .amazon gTLD.

The organization’s board of directors passed a resolution last week accepting the suggestion, which came from the Governmental Advisory Committee. The board said:

The ICANN Board accepts the GAC advice and has asked the ICANN org President and CEO to facilitate negotiations between the Amazon Cooperation Treaty Organization’s (ACTO) member states and the Amazon corporation

Governments, prominently Peru and Brazil, have strongly objected to .amazon on the grounds that the “Amazon” river and rain-forest region, known locally as “Amazonas” should be a protected geographic term.

Amazon’s applications for .amazon and two Asian-script translations were rejected a few years ago after the GAC sided with its South American members and filed advice objecting to the gTLDs.

A subsequent Independent Review Process panel last year found that ICANN had given far too much deference to the GAC advice, which came with little to no evidence-based justification.

The panel told ICANN to “promptly” take another look at the applications and “make an objective and independent judgment regarding whether there are, in fact, well-founded, merits-based public policy reasons for denying Amazon’s applications”.

Despite this, the .amazon application is still classified as “Will Not Proceed” on ICANN’s web site. That’s basically another way of saying “rejected” or “denied”.

Amazon the company has promised to protect key domains, such as “rainforest.amazon”, if it gets to run the gTLDs. Governments would get to help create a list of reserved, sensitive domains.

It’s also promised to actively support any future bids for .amazonas supported by the governments concerned.

.amazon would be a dot-brand, so only Amazon would be able to register names there.

US and EU call for Whois to stay alive

Kevin Murphy, January 31, 2018, Domain Policy

Government officials from both sides of the Atlantic have this week called on ICANN to preserve Whois as it currently is, in the face of incoming EU privacy law, at least for a select few users.

The European Commission wrote to ICANN to ask for a “pragmatic and workable solution” to the apparent conflict between the General Data Protection Regulation and the desire of some folks to continue to access Whois as usual.

Three commissioners said in a letter (pdf) that special consideration should be given to “public interests” including “ensuring cybersecurity and the stability of the internet, preventing and fighting crime, protecting intellectual property and copyright, or enforcing consumer protection measures”.

David Redl, the new head of the US National Telecommunications and Information Administration, echoed these concerns in a speech at the State of the Net conference in Washington DC on Monday.

Redl said that the “preservation of the Whois service” is one of NTIA’s top two priorities at the moment. The other priority is pressing for US interests in the International Telecommunications Union, he said.

Calling Whois “a cornerstone of trust and accountability for the Internet”, Redl said the service “can, and should, retain its essential character while complying with national privacy laws, including the GDPR.”

“It is in the interests of all Internet stakeholders that it does,” he said. “And for anyone here in the US who may be persuaded by arguments calling for drastic change, please know that the US government expects this information to continue to be made easily available through the Whois service.”

He directly referred to the ability of regular internet users to access Whois for consumer protection purposes in his speech.

The European Commission appears to be looking at a more restrictive approach, but it did offer some concrete suggestions as to how GDPR compliance might be achieved.

For example, the commissioners’ letter appears to give tacit approval to the idea of “gated” access to Whois, but called for access by law enforcement to be streamlined and centralized.

It also suggests throttling as a mechanism to reduce abuse of Whois data, and makes it clear that registrants should always be clearly informed how their personal data will be used.

The deadline for GDPR compliance is May this year. That’s when the ability of EU countries to start to levy fines against non-compliant companies, which could run into millions of euros, kicks in.

While ICANN has been criticized by registries and registrars for moving too slowly to give them clarity on how to be GDPR-compliant while also sticking to the Whois provisions of their contracts, its pace has been picking up recently.

Two weeks ago it called for comments on three possible Whois models that could be used from May.

That comment period ended on Monday, and ICANN is expected to publish the model upon which further discussions will be based today.

Research finds homograph attacks on big brands rife

Kevin Murphy, January 22, 2018, Domain Tech

Apparent domain name homograph attacks against major brands are a “significant” problem, according to research from Farsight Security.

The company said last week that it scanned for such attacks against 125 well-known brands over the three months to January 10 and found 116,113 domains — almost 1,000 per brand.

Homographs are domains that look like other domains, often indistinguishable from the original. They’re usually used to phish for passwords to bank accounts, retailers, cryptocurrency exchanges, and so on.

They most often use internationalized domain names, mixing together ASCII and non-ASCII characters when displayed in browsers.

To the naked eye, they can look very similar to the original ASCII-only domains, but under the hood they’re actually encoded with Punycode with the xn-- prefix.

Examples highlighted by Farsight include baŋkofamerica.com, amazoṇ.com and fàcebook.com

Displayed as ASCII, those domains are actually xn--bakofamerica-qfc.com, xn--amazo-7l1b.com and xn--fcebook-8va.com.

Farsight gave examples including and excluding the www. subdomain in a blog post last week, but I’m not sure if it double-counted to get to its 116,113-domain total.

As you might imagine, almost all of this abuse is concentrated in .com and other TLDs that were around before 2012, judging by Farsight’s examples. That’s because the big brands are not using new gTLDs for their primary sites yet.

Farsight gave a caveat that it had not generally investigated the ownership of the homograph domains it found. It’s possible some of them are defensive registrations by brands that are already fully aware of the security risk they could present.

Big changes at DomainTools as privacy law looms

Kevin Murphy, January 11, 2018, Domain Services

Regular users of DomainTools should expect significant changes to their service, possibly unwelcome, as the impact of incoming European Union privacy law begins to be felt.

Professional users such as domain investors are most likely to be impacted by the changes.

The company hopes to announce how its services will be rejiggered to comply with the General Data Protection Regulation in the next few weeks, probably in February, but CEO Tim Chen spoke to DI yesterday in general terms about the law’s possible impact.

“There will be changes to the levels of service we offer currently, especially to any users of DomainTools that are not enterprises,” Chen said.

GDPR governs how personal data on EU citizens is captured, shared and processed. It deals with issues such as customer consent, the length of time such data may be stored, and the purposes for which it may be processed.

Given that DomainTools’ entire business model is based on capturing domain registrants’ contact information without their explicit consent, then storing, processing and sharing that data indefinitely, it doesn’t take a genius to work out that the new law represents a possibly existential threat.

But while Chen says he’s “very concerned” about GDPR, he expects the use cases of his enterprise customers to be protected.

DomainTools no longer considers itself a Whois company, Chen said, it’s a security services company now. Only about 20% of its revenue now comes from the $99-a-month customers who pay to access services such as reverse Whois and historical Whois queries.

The rest comes from the 500-odd enterprise customers it has, which use the company’s data for purposes such as tracking down network abuse and intellectual property theft.

DomainTools is very much aligned here with the governments and IP lawyers that are pressing ICANN and European data protection authorities to come up with a way Whois data can still be made available for these “legitimate purposes”.

“We’re very focused on our most-important goal of making sure the cyber security and network security use cases for Whois data are represented in the final discussions on how this legislation is really going to land,” he said.

“There needs to be some level of access that is retained for uses that are very consistent with protecting the very constituents that this legislation is trying to protect from a privacy perspective,” he said.

The two big issues pressing on Chen’s mind from a GDPR perspective are the ability of the company to continue to aggregate Whois records from hundreds of TLDs and thousands of registrars, and its ability to continue to provide historical, archived Whois records — the company’s most-popular product after vanilla Whois..

These are both critical for customers responding to security issues or trying to hunt down serial cybersquatters and copyright infringers, Chen said.

“[Customers are] very concerned, because their ability to use this data as part of their incident response is critical, and the removal of the data from that process really does injure their ability to do their jobs,” he said.

How far these use cases will be protected under GDPR is still an open question, one largely to be determined by European DPAs, and DomainTools, like ICANN the rest of the domain industry, is still largely in discussion mode.

“Part of what we need to help DPAs understand is: how long is long enough?” Chen said. “Answering how long this data can be archived is very important.”

ICANN was recently advised by its lawyers to take its case for maintaining Whois in as recognizable form as possible to the DPAs and other European privacy bodies.

And governments, via the Governmental Advisory Committee, recently urged ICANN to continue to permit Whois access for “legitimate purposes”.

DomainTools is in a different position to most of the rest of the industry. In terms of its core service, it’s not a contracted party with ICANN, so perhaps will have to rely on hoping whatever the registries and registrars work out will also apply to its own offerings.

It’s also different in that it has no direct customer relationship with the registrants whose data it processes, nor does it have a contractual relationship with the companies that do have these customer relationships.

This could make the issue of consent — the right of registrant to have a say in how their data is processed and when it is deleted — tricky.

“We’re not in a position to get consent from domain owners to do what we do,” Chen said. “I think where we need to be more thoughtful is whether DomainTools needs to have a process where people can opt out of having their data processed.”

“When I think about consent, it’s not on the way in, because we just don’t have a way to do that, it’s allowing a way out… a mechanism where people can object to their data being processed,” he said.

How DomainTools’ non-enterprise customers and users will be affected should become clear when the company outlines its plans in the coming weeks.

But Chen suggested that most casual users should not see too much impact.

“The ability of anyone who has an interest in using Whois data, who needs it every now and then, for looking up a Whois record of a domain because they want to buy it as a domain investor for example, that should still be very possible after GDPR,” he said.

“I don’t think GDPR is aimed at individual, one-at-a-time use cases for data, I think it’s aimed at scalable abuse of the data for bad purposes,” he said.

“If you’re running a business in domain names and you need to get Whois at significant scale, and you need to evaluate that many domains for some reason, that’s where the impact may be,” he said.

Disclosure: I share a complimentary DomainTools account with several other domain industry bloggers.

XYZ relaunches .storage with $2,200 price tag

Kevin Murphy, November 8, 2017, Domain Registries

XYZ.com has reopened .storage to registrations with a new, much higher price tag.

A confusingly named “Trademark Holder Landrush” started yesterday and will run for three weeks.

It’s not a sunrise period — .storage already had its ICANN-mandated sunrise under its previous management — and it appears that it’s not actually restricted to trademark holders.

The .storage web site states that “neither registrars nor XYZ will validate trademarks during this period”. The registry says that all strings, including generic words, are available.

It basically appears to be just a way to squeeze a little extra cash out of larger companies and anyone else desperate for a good name.

There are not many registrars carrying the TLD right now, just five brand protection registrars and 101domain.

101domain prices the names at $699.99 with a $1,500 application fee during the trademark landrush.

XYZ says that the regular suggested retail price for .storage will be $79.99 per month which seems to be a roundabout way of saying $948 per year. There’s no option to register for less than a year.

.storage is designed for companies in the data storage and physical storage industries, so adopting a high-price, low-volume business model is probably a smart move by the registry.

It’s a similar model to that XYZ employs in its car-related gTLDs operated in partnership with Uniregistry.

XYZ does not appear to be relying entirely on defensive registrations to make its coin, however.

It’s offering a “complimentary” web site migration service, usually priced at $10,000, that it says can help early registrants switch to .storage in as little as 72 hours with no loss of search engine juice.

.storage was originally owned by Extra Storage Space, a physical storage company, but XYZ acquired the contract for an undisclosed sum in May.

The trademark landrush will be immediately followed by an Early Access Period, during which there will also be a sliding-scale fee (day one will be a whopping $55,000 at 101domain!), before general available starts a month from now.

Former MarkMonitor execs join new brand protection registrar

Kevin Murphy, August 30, 2017, Domain Registrars

Two former MarkMonitor executives have teamed up with a Fairwinds co-founder to launch a new “next generation” brand protection registrar.

The new company is Brandsight. It was set up by CEO Phil Lodico, who left brand consultancy Fairwinds about a year ago, and was accredited by ICANN earlier this month.

The first two hires are Matt Serlin, who until a couple months ago was VP of client services at MarkMonitor, and Elisa Cooper, who joins after being VP of marketing at the intellectual property management company Lecorpio.

Cooper, who also worked for MarkMonitor in the same position until a couple of years ago, will be Brandsight’s head of marketing and policy. Serlin will head up operations and client services.

The two told me yesterday that Brandsight will attempt to differentiate itself from its alma maters through a combination of better technology, expertise and use of data.

Both have many years experience in the domain industry and ICANN and, one imagines, thick contacts books of potential clients.

The Brandsight site, which went live today, will feature improved workflow via a streamlined user interface, they said.

The company also hopes “better leverage big data to help companies make better decisions and streamline processes around domain management”, Cooper said.

“Legacy registrars haven’t been focused on building new technology, some for almost 10 years,” she said.

It looks like it’s going to be a boutique operation at first — I believe Lodico, Serlin and Cooper are the only three employees right now — but Cooper said the plan is to staff up over the remainder of the year in areas such as sales.

The idea is to be a company that is purely focused on corporate domain services as its core competency, as opposed to what they called the “legacy” larger registrars that have domains as just one service among many, Cooper and Serlin said.

Brandsight is based in New York state and funded by private investors.

.storage to have pricey second sunrise

The .storage gTLD is to get a second sunrise period after being acquired and repurposed by XYZ.com.

The registry will operate a “Trademark Landrush Period” for three weeks from November 7 as the first stage of .storage’s reboot as an open-to-all gTLD.

It’s not technically a “sunrise” period under ICANN rules — that phase was already completed under previous owner Extra Space Storage — nor is it restricted to trademark owners.

Basically anyone with the money will be able to buy a .storage domain during the period, but at a price.

One registrar is reporting that registrants will have to pay a $1,500 application fee on top of the soon-to-be-standard higher $699-per-year registration fee.

That’s considerably more than most new gTLDs charge during their regular sunrise phases.

There’s no need to own a matching trademark, so neither the registry, registrars or Trademark Clearinghouse have any trademark verification costs to bear.

But that also means anyone can pick up any generic, dictionary .storage domain they want without the need for paperwork. XYZ has previously said that all domains will be available at the same price, regardless of their previous “premium” status.

I can see some intellectual property interests being uneasy with how this relaunch is handling trademarks.

Under its former management, .storage was set to be tightly restricted to the physical and data storage industries, reducing the chance of cybersquatting, so some brands may have avoided the sunrise period.

After the relaunch — general availability starts December 5 — there will be no such restrictions. However, the high price of standard registrations is likely to deter all but the richest or dumbest cybersquatters.

XYZ.com acquired .storage for an undisclosed sum in May. There are currently about 800 domains in the .storage zone file.

EFF recommends against new gTLDs

Kevin Murphy, July 28, 2017, Domain Policy

The Electronic Frontier Foundation has recommended that domain registrants concerned about intellectual property “bullies” steer clear of new gTLDs.

The view is expressed in a new EFF report today that is particularly critical of policies in place at new gTLD portfolio registries Donuts and Radix.

The report (pdf) also expresses strong support for .onion, the pseudo-TLD available only to users of the Tor browser and routing network, which the EFF is a long-term supporter of.

The report makes TLD recommendations for “security against trademark bullies”, “security against identity theft and marketing”, “security against overseas speech regulators” and “security against copyright bullies”.

It notes that no one TLD is “best” on all counts, so presents a table explaining which TLD registries — a broad mix of the most popular gTLD and ccTLD registries — have which relevant policies.

For those afraid of trademark “bullies”, the EFF recommends against 2012-round new gTLDs on the basis that they all have the Uniform Rapid Suspension service. It singles out Donuts for special concern due to its Domain Protected Marks List, which adds an extra layer of protection for trademark owners.

On copyright, the report singles out Donuts and Radix for their respective “trusted notifier” schemes, which give the movie and music industries a hotline to report large-scale piracy web sites.

These are both well-known EFF positions that the organization has expressed in previous publications.

On the other two issues, the report recommends examining ccTLDs for those which don’t have to kowtow to local government speech regulations or publicly accessible Whois policies.

In each of the four areas of concern, the report suggests taking a look at .onion, while acknowledging that the pseudo-gTLD would be a poor choice if you actually want people to be able to easily access your web site.

While the opinions expressed in the report may not be surprising, the research that has gone into comparing the policies of 40-odd TLD registries covering hundreds of TLDs appears on the face of it to be solid and possibly the report’s biggest draw.

You can read it here (pdf).

GNSO faces off with governments over IGO cybersquatting

Kevin Murphy, January 27, 2017, Domain Policy

A defiant ICANN working group looking at cybersquatting rules for intergovernmental organizations is sticking to its guns in an ongoing face-off with the Governmental Advisory Committee.

In a report published for public comment this week, the GNSO working group recommended that IGOs should be given the right to use the UDRP and URS rights protection mechanisms, despite not being trademark owners.

But the recommendations conflict with the advice of the GAC, which wants ICANN to create entirely new mechanisms to deal with IGO rights.

I explored a lot of the back story of this argument in two posts a few months ago, which I will not rehash here.

The latest development is the publication of the proposed initial report of the GNSO IGO-INGO Access to Curative Rights Protection Mechanisms Initial Report (pdf) for comment.

The WG was tasked with deciding whether changes should be made to UDRP and URS to help protect the names and acronyms of IGOs and INGOs (international non-governmental organizations).

For INGOs, including the special cases of the International Olympic Committee and the Red Cross/Red Crescent, it decided no changes and no new mechanisms are required, concluding:

Many INGOs already have, and do, enforce their trademark rights. There is no perceivable barrier to other INGOs obtaining trademark rights in their names and/or acronyms and subsequently utilizing those rights as the basis for standing in the existing dispute resolution procedures (DRPs) created and offered by ICANN as a faster and lower cost alternative to litigation. For UDRP and URS purposes they have the same standing as any other private party.

The case with IGOs is different, because using UDRP and URS requires complainants to agree that the panel’s decisions can be challenge in court, and IGOs by their nature have a special legal status that allows them to claim jurisdictional immunity.

The WG recommends that these groups should be allowed access to UDRP and URS if they have protection under Article 6ter of the Paris Convention, a longstanding international intellectual property treaty.

This rule would actually extend UDRP and URS to hundreds more IGO names and acronyms than the GAC has requested protection for, which is just a few hundred. WIPO’s 6ter database by contrast currently lists 925 names and 399 abbreviations.

To deal with the jurisdictional immunity problem, the WG report recommends that IGOs should be allowed to file cybersquatting complaints via a third-party “assignee, agent or licensee”.

It further recommends that if an IGO manages to persuade a court it has special jurisdictional immunity, having been sued by a UDRP-losing registrant, that the UDRP decision be either disregarded or sent back to the arbitration for another decision.

The recommendations with regard IGOs are in conflict with the recommendations (pdf) of the so-called “small group” — a collection of governments, IGOs, INGOs and ICANN directors that worked quietly and controversially in parallel with the WG to come up with alternative solutions.

The small group wants ICANN to create separate but “functionally equivalent” copies of the UDRP and URS to deal with cybersquatting on IGO name and acronyms.

These copied processes would be free for IGOs to use and, to account for the immunity issue, would not be founded in trademark law.

The WG recommendations are now open for public comment and are expected to be the subject of some debate at the March ICANN meeting in Copenhagen.