Government forces Nominet into ludicrous porn review

Should Nominet ban dirty words from the .uk namespace?
Obviously not, but that’s nevertheless the subject of a formal policy review announced by Nominet today, forced by pressure from the British government and the Murdoch press.
Nominet said it has hired Ken MacDonald, former director of public prosecutions, to carry out the review.
He’s tasked with recommending whether certain “offensive” words and phrases should be banned from the .uk zone.
According to Nominet, MacDonald’s qualifications include his role as a trustee of the pro-free-speech Index on Censorship and a human rights audit he carried out for the Internet Watch Foundation, the UK’s child abuse material watchdog.
Nominet said:

Lord Macdonald will work with Nominet’s policy team to conduct a series of meetings with key stakeholders, and to review and assess wider contributions from the internet community, which should be received by 4 November 2013. The goal is to deliver a report to Nominet’s board in December of this year, which will be published shortly thereafter.

You can contribute here.
The review was promised by Nominet in early August following an article in the Sunday Times, subsequently cribbed quite shamelessly by the Daily Mail, which highlighted the fact that Nominet’s policies do not ban strings suggesting extreme or illegal pornography.
You may recall a rant-and-a-half DI published at the time.
While my rant was written without the benefit of any input from Nominet — I didn’t speak to anyone there before publishing it — it appears that Nominet already had exactly the same concerns as me.
The company has published a set of lightly redacted correspondence (pdf) between itself and the Department of Culture, Media and Sport which makes for extremely illuminating reading.
In a July 23 letter to DCMS minister Ed Vaizey, Nominet CEO Lesley Cowley uses many of the same arguments — even giving the same examples — as I did a week later. She was much more polite, of course.
She points out that as a matter of principle it probably should not be left to a private company such as Nominet to determine what is and isn’t acceptable content, and that it’s difficult to tell what the content of a site will be at the point the domain is registered anyway.

In relation to the questions of practicality, the permutations of offensive words and phrases that can be created in the 63 characters of a domain name are almost limitless, so the creation of some kind of exclusion list would ultimately not prevent offensive phrases being registered as domain names. Were we to have a set of words or phrases that could not be registered, we would likely end up restricting many legitimate registrations. A good example is Scunthorpe.co.uk, which contains an offensive term within the domain name, or therapist.co.uk which could be read in more than one way.

She also points out that domains such as “childabuse.co.uk”, which may on the face of it cause concern, actually just redirect to the NSPCC, the UK’s main child abuse prevention charity.
The real eye-opening correspondence discusses the Sunday Times article that first compelled Vaizey to lean on Nominet.
As I discussed in my rant, it was based on the musings of just one guy, a purported expert in internet safety called John Carr, who once worked for the IWF and now apparently advises the government.
The examples of “offensive” domains he had supplied the Sunday Times with, I discovered, were either unregistered or contained no illegal content whatsoever.
Nominet’s correspondence contains several more .uk domains that Carr had given the newspaper, and they’re even less “offensive” than the “rape”-oriented ones it eventually published.
The domains are teens‐adult‐sex‐chat.co.uk, teendirtychat.co.uk, teens.demandadult.co.uk, teenfuckbook.co.uk and ukteencamgirls.co.uk, all of which Nominet found contained legal over-18s pornography.
One of them is even owned by Playboy.
Carr, it seems, didn’t even provide the Sunday Times or Nominet privately with any domains that suggest illegal content in the string and actually contain it in the site.
Judging by the emails between Nominet’s PR people (which, admittedly, may not be the best place to obtain an objective viewpoint) the Sunday Times reporter was “not interested in the complexity of the issue” and:

has taken a very hostile stance and is broadly of the view that the internet industry is not doing enough to stop offensive (legal) content.

The Sunday Times’ downmarket sister publication, The Sun, is famous primarily for printing topless photographs of 18-year-old women (in the 1980s it was 16-year-old girls) on Page 3 every day.
The Sun, the UK’s best-selling daily, is currently resisting a valiant effort by British feminists, which I wholeheartedly support, to have Page 3 scrapped.
In other words, the level of media hypocrisy, government idiocy and registry cowardice that came together to create the MacDonald review is quite outstanding.
Still, Nominet in recent years has proven itself pretty good at making sure its independent reviews turn out the way it wants them to, so it’s looking fairly promising that this one is likely to conclude that banning rude words would be impractical and pointless.

Famous Four says that Demand Media’s .cam should be rejected

Demand Media’s application for .cam should be rejected because it lost a String Confusion Objection filed by .com registry Verisign, according to rival applicant Famous Four Media.
“The process in the applicant guidebook is now clear: AC Webconnecting and dot Agency Limited proceed to resolve the contention set, and United TLD’s application cannot proceed,” chief legal officer Peter Young told DI.
dot Agency is Famous Four’s applicant for .cam, which along with AC Webconnecting survived identical challenges filed by Verisign. United TLD is the applicant subsidiary of Demand Media.
Serious questions were raised about the SCO process after two International Centre for Dispute Resolution panelists reached opposition conclusions in the three .cam/.com cases last month.
Demand Media subsequently called for an ICANN investigation into the process, with vice president Statton Hammock writing:

String confusion objections are meant to be applicant agnostic and have nothing to do with the registration or use of the new gTLD.

However, Famous Four thinks it has found a gotcha in a letter (pdf) written by a lawyer representing Demand which opposed consolidation of the three .cam cases, which stated:

Consolidation has the potential to prejudice the Applicants if all Applicants’ arguments are evaluated collectively, without regard to each Applicant’s unique plan for the .cam gTLD and their arguments articulating why such plans would not cause confusion.

In other words, Demand argued that the proposed usage of the TLD should be taken into account before the ICDR panel ruled against it, and now it saying usage should not have been taken into account.
Famous Four’s Young said:

Whether or not one ascribes to the view that usage should not be taken into account, and we believe that it should (otherwise we would not have argued it), the fact is that United TLD were very explicit prior to the publication that usage should indeed be taken into account.

The SCO debate expanded yesterday when the GNSO Council spent some time discussing .cam and other SCO discrepancies during its regular monthly meeting.
Concerns are such that the Council intends to inform the ICANN board of directors and its New gTLD Program Committee that it is looking into the issue.
The NGPC, has “Update on String Similarity” on its agenda for a meeting on Tuesday, which will no doubt try to figure out what, if anything, needs to be done.

No, ICANN isn’t moving to Switzerland

There’s a rumor going around this morning that ICANN is planning to up sticks from its US base in California and become subject to Swiss jurisdiction instead.
While this would be a huge change for ICANN, which has been tethered to the US government since its formation in 1998, it’s almost certainly not what’s happening.
The rumor emerged following CEO Fadi Chehade’s speech at the Asia Pacific Regional Internet Governance Forum in Korea yesterday, during which he talked about setting up a “legal structure” in Switzerland.
Addressing long-standing criticisms that ICANN is too US-centric, he discussed the recent creation of “hub” offices in Istanbul and Singapore, then said:

You heard me announce recently in Durban that ICANN, for the first time, is setting up a legal structure in Switzerland. That means that ICANN is going to seek to become an international organization that is serving the world, not just as a private corporation in California. These are important fundamental steps that we are exploring in order for ICANN to take a new global posture.

That ICANN wants a Swiss presence is not news. At the Durban meeting in July Chehade said publicly that ICANN had opened an “engagement center” in Geneva, headed by his senior adviser Tarek Kamel.
But the version of the Chehade quote doing the rounds on mailing lists today capitalizes “International Organization”, which arguably changes the meaning and makes his remarks seem more profound.
A capitalized “International Organization” can mean one of two legal structures: either an International Non-Governmental Organization or an Intergovernmental Organization.
That would, indeed, imply a change of jurisdiction. ICANN is currently, legally, a California non-profit corporation.
However, if Chehade just said “international organization” with no implied upper-case letters, it just means it’s an organization with offices and legal entities internationally.
I think this is closer to the truth, and so do People In A Position To Know whom I’ve run this by this morning.
It’s important to note that ICANN’s Affirmation of Commitments with the US government forces it to stay headquartered in the US:

ICANN affirms its commitments to: … remain a not for profit corporation, headquartered in the United States of America with offices around the world to meet the needs of a global community;

While Chehade has expansionist plans on a scale beyond any of his predecessors, it seems unlikely that these include breaking the AoC, incurring the wrath of the US government.
UPDATE: ICANN has provided DI with the following statement:

ICANN is not currently planning to set up a headquarters office in Switzerland. We will have an engagement center in Geneva, along with others scattered around the world but our three main hubs, as Fadi has previously announced, will be in L.A., Istanbul and Singapore.

Economist replaces de La Chapelle on ICANN board

ICANN’s board of directors is to see one new member in November, with economist Bruno Lanvin replacing former French civil servant Bertrand de La Chapelle.
The changes were among several appointments announced by ICANN’s Nominating Committee yesterday.
NomCom has decided to keep previous appointees Cherine Chalaby, who’s head of the New gTLD Program Committee, and Erika Mann, the former MEP who now runs Facebook’s Brussels office.
Lanvin is currently executive director of the European Competitiveness Initiative and the Global Indices projects at INSEAD, a business school, but he spent 20 years of his career with the United Nations.
Outgoing director de La Chapelle was France’s Governmental Advisory Committee representative before his appointment to the board in 2010. He, Mann and Chalaby have initial three-year terms ending in November.
It’s not known if de La Chapelle, one of ICANN’s most vocal and active directors, had nominated himself for a second term.

String confusion in disarray as Demand’s .cam loses against Verisign’s .com

Demand Media is demanding an ICANN review of its objections policy, after its applied-for new gTLD .cam was beaten in a String Confusion Objection by .com registry Verisign.
A International Centre for Dispute Resolution panelist has ruled (pdf) that .cam and .com are too confusingly similar to coexist, meaning Demand’s bid for .cam must be rejected by ICANN.
But the ruling by Urs Laeuchli conflicts with two other ICDR panel decisions on .cam, which both found that the string is NOT confusingly similar to .com and therefore can be delegated.
So while Demand’s .cam bid, under a strict reading of the rules, is now supposed to be rejected, applications for identical strings filed by AC Webhosting and dotAgency can go ahead.
ICANN has been thrown a curve ball it is not yet fully prepared to deal with.
As Akram Atallah, president of ICANN’s Generic Domains Division, told DI last week, it’s possible that the policy or the implementation of that policy may need to be revisited by ICANN and the community.
United TLD, the Demand Media subsidiary that applied for .cam, is now calling for precisely that, with vice president of business and legal affairs Statton Hammock writing today:

String confusion objections are meant to be applicant agnostic and have nothing to do with the registration or use of the new gTLD. What matters in string confusion objections is whether a string is visually, aurally or, according to ICANN’s Applicant Guidebook, otherwise “so nearly resembles another that it is likely to deceive or cause confusion.” Individuals may disagree on whether .CAM and .COM are similarly confusing, but there can be no mistake that United TLD’s .CAM string, AC Webhosting’s .CAM string, and dotAgency Limited’s .CAM string are all identical. Either all three applications should move forward or none should move forward.

The .cam cases are not alone in presenting ICANN with SCO problems.
Last week, Donuts’ bid for .pets was ruled confusingly similar to Google’s .pet, despite previous ICDR cases finding that plurals and singulars are not too confusing to coexist.
Where the .cam panelists disagreed
While there were three .cam cases, two of them were decided by the same panelist. It seems that both panelists were provided with very similar sets of evidence in all three cases.
It’s relevant to note that neither panelist — unlike some of their colleagues in other cases — thought it was appropriate to apply trademark law such as the DuPont factors in their decisions.
They did, however, consider the expected use cases of .cam.
All three applicants take .cam as short for “webcam” or “camera” and would target registrants interested in those fields (a lot of the use will likely be pornographic — AC Webconnecting is a porn firm after all).
But all three applicants also want to run “open” gTLDs, with no registration restrictions.
ICDR panelist Murray Smith was in charge of both the AC Webconnecting and dotAgency cases. He addressed expected usage explicitly in dotAgency, and explained why:

It is not just the visual, phonetic and conceptual similarity between the words that must be taken into account. In my view the greater emphasis should be focused on the use of the disputed extensions in the context of modern Internet usage. It is this context that compels the conclusion that an average Internet user would not be confused and would know that a .com website is probably a commercial website while a .cam websites would be something more focused in a particular field.

In AC Webconnecting, he wrote:

I agree that a consumer would quickly realize that a .cam website is likely associated with photography or camera use and is different than a .com website in use generally by a myriad of commercial entities.

So he’s putting the “greater emphasis” on usage — a factor that is not explicitly mentioned in the Applicant Guidebook’s description of the SCO and which may quite often differ between applicants.
Right there, in Smith’s interpretation of his task, we have a reason why SCOs will produce different results for identical strings.
I find Smith’s thinking baffling for a couple of reasons.
First, “a consumer would quickly realize that a .cam website is likely associated with photography” seems to ignore the existence of a bazillion .com web sites that are also associated with photography.
When did “commercial entities” and “photography or camera use” become mutually exclusive? Is photographyblog.com not confusingly similar to photographyblog.cam?
Second, he ignores the fact that basically anyone will be able to register a .cam web site for basically any purpose. None of the applicants want to restrict the gTLD to camera-related stuff.
ICDR panelist Laeuchli, in the Demand Media .cam case, raised this precise point, saying:

“.com” and “.cam” would use the same channels appealing to a broad audience. Even though according to Applicant, its envisioned TLD will “likely appeal” to a specific audience, it plans to operate “.cam” as an open gTLD. This would lead to extensive overlap.

Panelist Smith has some other notions about confusion that seem to defy common sense. He wrote in the AC Webconnecting case:

The .com TLD is the most widely recognized string in the Internet world. No reasonable Internet user would fail to recognize the .com TLD. The very reputation of the .com name serves to limit the potential for an average Internet user to be confused by the proposed .cam TLD. It is indeed unlikely that an online consumer would confuse a .com website with a .cam website.

Does this not strike anyone else as bad thinking?
It seems to me to be a little like saying that it’s perfectly okay to market a brand of carbonated beverage called Cuke, because Coke is so famous that nobody could possibly be confused. I don’t know where the law stands on that issue, but I’m pretty sure Coke wouldn’t be happy about it.
There’s also some weirdness in Laeuchli’s decision in the Demand case.
He puts some weight on the similarity scores produced by the controversial Sword algorithm in his decision, but apparently without doing even the basic research. He writes in his findings:

No matter what the standards and purpose the ICANN SWORD algorithm includes, it has comparative value.
…
Since pairs such as “God” and “dog” (85%) reach similarity scores of 84% and higher, how much more similar would “cxm” and “cxm” be (x being replaced with a vowel)!

The answer is that, according to Sword, they’re less similar. Sword scores “cam” v “com” at 63%.
Laeuchli knows it’s 63%, because he makes reference to that fact in his summary of Verisign’s evidence. He doesn’t need to speculate about the number based on what “god” v “dog” scores (and if he did the “dog” v “god” query himself, why on earth didn’t he just query “com” v “cam” too?)
His finding that .cam and .com will cause probable confusion seems to be based largely on expert witness testimony provided by both Verisign and Demand, in which he found Verisign’s more persuasive.
This evidence seems to have largely comprised the opinions of linguists, examining mouth shapes and acoustic frequencies, and market research looking into internet user behavior. As none of it has been published, it’s difficult to judge which side had the better arguments.
But it’s undeniably about the similarity of the strings, rather than the proposed usage, which makes Demand Media’s statement today — that SCOs “are meant to be applicant agnostic and have nothing to do with the registration or use of the new gTLD” — quite confusing.
Demand lost its case based on the string similarity, whereas the other two applicants won theirs based on the usage.
Perhaps Demand senses that its .cam application will not be immediately rejected if ICANN reopens the debate about string similarity. If think it’s probably correct.

Google beats Donuts in objection — .pet and .pets ARE confusingly similar

Google has won a String Confusion Objection against rival new gTLD applicant Donuts, potentially forcing .pet and .pets into the same contention set.
The shock ruling by International Centre for Dispute Resolution panelist Richard Page goes against previous decisions finding singulars and plurals not confusingly similar.
In the 11-page decision, Page said he decided to not consider the reams of UDRP precedent or US trademark law submitted by the two companies, and seems to have come to his opinion based on a few simple facts:

Objector has come forward with the following evidence for visual, aural and meaning similarity. Visually, the words are identical but for the mere addition of the letter “s”. Aurally, the word “pets” is essentially phonetically equivalent to the word “pet”. The term “pet” is pronounced as it is spelled, “pet”. The term “pets” is likewise pronounced as “pets” in essentially a phonetically equivalent fashion. The terms each have only one syllable, and they have the same stress pattern, with primary accent on the initial “pe” portion of the words. In commercial meaning, the terms show no material difference. As English nouns, “pets” is the pluralization of “pet”.
The visual similarity and algorithmic score are high, the aural similarity is high, the meaning similarity is high. Objector has met its burden of proof. The cumulative impact of these factors is such that the Expert determines that the delegation of <.pet> gTLD and the <.pets> gTLD into the root zone will cause a probability of confusion.

Page did take into account the similarity score provided by the Sword algorithm — for .pet and .pets it’s actually a fairly weak 72% — in his thinking on visual similarity.
But he specifically rejected Donuts’ defense that co-existence of plurals at the second level was proof that plural/singular gTLDs could also co-exist at the top-level, saying:

The rapid historical development of the Internet and the proliferation of domain names over the past two decades has taken place without the application of the string confusion standard now established for gTLDs. Therefore, the Expert has not considered the current coexistence of pluralized second-level TLDs or similarities between country code TLDs and existing gTLDs in the application of the string confusion standard in this proceeding.

Can: open. Worms: everywhere.
The decision stands in stark contrast to the decision (pdf) of Bruce Belding in the .hotel v .hotels case, in which it was found that the two strings were “sufficiently visually and audibly different”.
Likewise, the panelist in .car v .cars (pdf) found that Google had not met the high evidential bar to proving the “probability” rather than mere “possibility” of confusion.
One has to assume that the evidence Google submitted in .car is fairly similar to the evidence it submitted in .pets.
Are String Confusion Objections just a crap shoot, the outcome depending on which panelist you get? It’s probably too early to say for sure, but it’s looking like a possibility.
The big test will come with the next .pets decision. Afilias, the other .pet applicant, has also filed an SCO against Donuts over its .pets bid.
What if the panel in the Afilias case goes the other way? Will Donuts be in a contention set with Google and Afilias or won’t it?
I asked Akram Atallah, president of ICANN’s Generic Domains Division, about this yesterday and he said that ICANN basically doesn’t know, and that it might have to refer back to the community for advice.
Read the Atallah interview here and the .pets decision (pdf) here.

Interview: Atallah on new gTLD objection losers

Filing a lawsuit against a competitor won’t stop ICANN rejecting your new gTLD application.
That’s according to Akram Atallah, president of ICANN’s Generic Domains Division, who spoke to DI yesterday about possible outcomes from new gTLD objection rulings.
He also said that applicants that believe they’ve been wronged by the objection process may have ways to appeal the decisions and addressed what happens if objection panels make conflicting decisions.
Lawsuits won’t stay ICANN’s hand
In light of the lawsuit by Del Monte International GmbH against Del Monte Corp, as reported by Domain Name Wire yesterday, I asked Atallah if ICANN would put applications on hold pending the outcome of legal action.
The GmbH lost a Legal Rights Objection filed by the Corp, which is the older company and owner of the “Del Monte” trademark pretty much everywhere, meaning the GmbH’s bid, under ICANN rules, must fail.
Atallah said lawsuits should not impact ICANN’s processes.
“For us it’s final,” Atallah said. “If they have to go outside and take legal action then the outcome of the legal action will be enforceable by law and we will have to abide by it. But from our perspective the [objection panel’s] decision is final.”
There might be ways to appeal
In some cases when an applicant loses an objection — such as a String Confusion Objection filed by an existing TLD or an LRO filed by a trademark owner — the only step left is for it to withdraw its application and receive whatever refund remains.
There have been no such withdrawals so far.
I asked Atallah whether there were any ways to appeal a decision that would lead to rejection.
“The Applicant Guidebook is very clear,” he said. “When an applicant loses an objection, basically their application will not proceed any further. We would like to see them withdraw their application and therefore finish the issue.”
“Of course, as with anything ICANN, they have some other avenues for asking for reconsidering the decision,” he added. “Basically, going to the Ombudsman, filing a Reconsideration Request, or even lobbying the board or something.”
I wondered whether the Reconsideration process would apply to decisions made by third parties such as arbitration panels, and Atallah admitted that the Guidebook was “murky” on this point.
“There are two mentions in the Guidebook of this, I think,” he said. “One mentions that it [the panel’s decision] is final — the application stops — the other mentions that it is advice to staff.”
That seems to be a reference to the Guidebook at 3.4.6, which states:

The findings of the panel will be considered an expert determination and advice that ICANN will accept within the dispute resolution process.

This paragraph suggests that ICANN staff have to accept the objection panel’s decision. That would make it an ICANN decision to reject the application, which can be challenged under Reconsideration.
Of course, the Reconsideration process has yet to see ICANN change its mind on any matter of substance. My feeling is that to prevail you’d at a minimum have to present the board with new information not available at the time the original decision was made.
What if different panelists reach opposite conclusions?
While the International Centre for Dispute Resolution has not yet published its panels’ decisions in String Confusion Objection cases, a few have leaked out.
(UPDATE: This turns out not to be correct. The decisions have been published, but the only way to find them is via obscured links in a PDF file buried on the ICDR web site. Way to be transparent, ICDR.)
I’ve read four, enough to see that panelists are taking diverse and sometimes opposing views in their decision-making.
For instance, a panelist in .car v .cars (pdf) decided that it was inappropriate to consider trademark law in his decision, while the panelist in .tv v .tvs (pdf) apparently gave trademark law a lot of weight.
How the applicants intend to use their strings — for example, one may be a single-registrant space, the other open — seems to be factoring into panelists’ thinking, which could lead to divergent opinions.
Even though Google’s .car was ruled not confusingly similar to Donuts’ .cars, it seems very possible that another panelist could reach the opposite conclusion — in one of Google’s other two .cars objections — based on trademark law and proposed usage of the gTLD.
If that were to happen, would only one .cars application find itself in the .car contention set? Would the two contention sets be linked? Would all three .cars applications wind up competing with .car, even if two of them prevailed against Google at the ICDR?
It doesn’t sound like ICANN has figured out a way to resolve this potential problem yet.
“I agree with you that it’s an issue to actually allow two panels to review the same thing, but that’s how the objection process was designed in the Guidebook and we’d just have to figure out a way to handle exceptions,” Atallah said.
“If we do get a case where we have a situation where a singular and a plural string — or any two strings actually — are found to be similar, the best outcome might be to go back to the GNSO or to the community and get their read on that,” he said. “That might be what the board might request us to do.”
“There are lots of different ways to figure out a solution to the problem, it just depends on how big the problem will be and if it points to an unclear policy or an unclear implementation,” he said.
But Atallah was clear that if one singular string is ruled confusing to the plural version of the same string, that panel’s decision would not cause all plurals and singulars to go into contention.
“If a panel decides there is similarity between two strings and another panel said there is not, it will be for that string in particular, it would not be in general, it would not affect anything else,” he said.
ICANN, despite Governmental Advisory Committee advice to the contrary, decided in late June that singular and plural gTLDs can coexist under the new regime.

Chehade hopes for lower round two gTLD fees

ICANN CEO Fadi Chehade has said he hopes that new gTLD application fees will be lower in the second round.
Speaking to Marketplace in a brief audio interview yesterday, he said:

As we go to round two, which everyone is clamoring for us to open, we will reassess the costs. We are a non-profit and therefore if the learnings from this first round lead us to a different fee — and I hope personally a lower fee so more people can participate — we will adjust that as we go.

The fees in the current round were $185,000, though the refund schedule means only successful applicants pay the full fee.
I’ve heard a couple of murmurings recently — nothing concrete as yet — that the cost of the program is actually running quite close to the original expectations that set the fee at $185,000.
Many applications have been withdrawn very close to the deadline for receiving their full pre-Initial Evaluation result refund, when one assumes that most of the IE costs have already been incurred.

Dotless domains are dead

ICANN has banned dotless gTLDs, putting a halt to Google’s plans to run .search as a dotless search service and confounding the hopes of some portfolio applicants.
ICANN’s New gTLD Program Committee, acting with the powers of its board of directors passed the resolution on Tuesday. It was published this morning. Here’s the important bit (links added):

Resolved (2013.08.13.NG02), in light of the current security and stability risks identified in SAC053, the IAB statement and the Carve Report, and the impracticality of mitigating these risks, the NGPC affirms that the use of dotless domains is prohibited.

The current version of the Applicant Guidebook bans dotless domains (technically, it bans apex A, AAAA and MX records) but leaves the door open for registries to request an exception via Extended Evaluation.
This new decision closes that door.
The decision comes a week after the publication of Carve Systems’ study of the dotless domain issue, which concluded that the idea was potentially “dangerous” and that if ICANN intended to allow them it should do substantial outreach to hardware and software makers, essentially asking them to change their products.
The Internet Architecture Board said earlier that “dotless domains are inherently harmful to Internet security.”
Microsoft, no doubt motivated in part at least by competitive concerns in the search market, had repeatedly implored ICANN to implement a ban on security grounds.
Google had planned to run .search as a browser service that would allow users to specify preferred search engines. I doubt the dotless ban will impact its application’s chances of approval.
Donuts and Uniregistry, which together have applied for almost 400 gTLDs, had also pushed for ICANN to allow dotless domains, although I do not believe their applications explicitly mentioned such services.

NTAG rubbishes new gTLD collision risk report

The New gTLD Applicants Group has slated Interisle Consulting’s report into the risk of new gTLDs causing security problems on the internet, saying the problem is “overstated”.
The group, which represents applicants for hundreds of gTLDs and has a non-voting role in ICANN’s GNSO, called on ICANN to reclassify hundreds of “Uncalculated” risk strings as “Low” risk, meaning they would not face as substantial a delay before or uncertainty about their eventual delegation.
But NTAG said it “agreed” that the high-risk .corp and .home “should be delayed while further studies are conducted”. The current ICANN proposal is actually to reject both of these strings.
NTAG was responding to ICANN’s proposal earlier this month to delay 523 applications (for 279 strings) by three to six months while further studies are carried out.
The proposal was based on Interisle’s study of DNS root server logs, which showed many millions of daily queries for gTLDs that currently do not exist but have been applied for.
The worry is that delegating those strings would cause problems such as downtime or data leakage, where sensitive information intended for a recipient on the same local network would be sent instead to a new gTLD registry or one of its (possibly malicious) registrants.
NTAG reckons the risk presented by Interisle has been overblown, and it presented a point-by-point analysis of its own. It called for everything except .corp and .home to be categorized “Low” risk, saying:

We recognize that a small number of applied for names may possibly pose a risk to current operations, but we believe very strongly that there is no quantitative basis for holding back strings that pose less measurable threat than almost all existing TLDs today. This is why we urge the board to proceed with the applications classified as “Unknown Risk” using the mitigations recommended by staff for “Low Risk” strings. We believe the 80% of strings classified as “Low Risk” should proceed immediately with no additional mitigations.

The group pointed to a recent analysis by Verisign (which, contrarily, was trying to show that new gTLDs should be delayed) which included data about previous new gTLD delegations.
That report (pdf) said that .xxx was seeing 4,018 look-ups per million queries at the DNS root (PPM) before it was delegated. The number for .asia was 2,708.
If you exclude .corp and .home, both of those PPM numbers are multiples larger than the equivalent measures of query volume for every applied-for gTLD today, also according to Verisign’s data.
NTAG said:

None of these strings pose any more risk than .xxx, .asia and other currently operating TLDs.
…
the least “dangerous” current gTLD on the chart, .sx, had 331 queries per million in 2006. This is a higher density of NXDOMAIN queries than all but five proposed new TLDs. 4 Again, .sx was launched successfully in 2012 with none of the problems predicted in these reports.

Verisign’s report, which sought to provide a more qualitative risk analysis based on some data-supported guesses about where the error traffic is coming from and why, anticipated this interpretation.
Verisign said:

This could indicate that there is nothing to worry about when adding new TLDs, because there was no global failure of DNS when this was done before. Alternately, one might conclude that traffic volumes are not the only indicator of risk, and the semantic meaning of strings might also play a role. We posit that in some cases, those strings with semantic meanings, and which are in common use (such as in speech, writing, etc.) pose a greater risk for naming collision.

The company spent most of its report making somewhat tenuous correlations between its data (such as a relatively large number of requests for .medical from Japanese IP addresses) and speculative impacts (such as “undiagnosed system failures” at “a healthcare provider in Japan”).
NTAG, by contrast, is playing down the potential for negative outcomes, saying that in many cases the risks introduced by new gTLDs are no different from collision risks at the second level in existing TLDs.

Just as the NTAG would not ask ICANN to halt .com registrations while a twelve month study is performed on these problems, we believe there is no reason to introduce a delay in diversifying the Internet’s namespace due to these concerns.

While it stopped short of alleging shenanigans this time around, NTAG also suggested that future studies of root server error traffic could be gamed if botnets were engaged to crapflood the roots.
Its own mitigation plan, which addresses Interisle’s specific concerns, says that most of the reasons that non-existent TLDs are being looked up are either not a problem or can be easily mitigated.
For example, it says that queries for .youtube that arrived in the form of a request for “www.youtube” are probably browser typos and that there’s no risk for users if they’re taken to the YouTube dot-brand instead of youtube.com.
In another example, it points out that requests for “.cisco” or “.toshiba” without any second-level domains won’t resolve anyway, if dotless domains are banned in those TLDs. (NTAG, which has influential members in favor of dotless domains, stopped short of asking for a blanket ban.)
The Interisle report, and ICANN’s proposal to deal with it, are open for public comment until September 17. NTAG’s response is remarkably quick off the mark, for guessable reasons.