A million domains taken down by email checks

Over 800,000 domain names have been suspended since the beginning of the year as a result of Whois email verification rules in the new ICANN Registrar Accreditation Agreement.
That’s according to the Registrars Stakeholder Group, which collected suspension data from registrars representing about 75% of all registered gTLD domain names.
The actual number of suspended domains could be closer to a million.
The 2013 RAA requires registrars to verify the email addresses listed in their customers’ Whois records. If they don’t receive the verification, they have to suspend the domain.
The RrSG told the ICANN board in March that these checks were doing more harm than good and today Tucows CEO Elliot Noss presented, as promised, data to back up the claim.
“There have been over 800,000 domains suspended,” Noss said. “We have stories of healthcare sites that have gone down, community groups whose sites have gone down.”
“I think we can safely say millions of internet users,” he said. “Those are real people just trying to use the internet. They are our great unrepresented core constituency.” 
The RrSG wants to see contrasting data from law enforcement agencies and governments — which pushed hard for Whois verification — showing that the RAA requirement has had a demonstrable benefit.
Registrars asked at the Singapore meeting in March that law enforcement agencies (LEA) be put on notice that they can’t ask for more Whois controls until they’ve provided such data and ICANN CEO Fadi Chehade said “It shall be done by London.”
Noss implied that the majority of the 800,000 suspended names belong to innocent registrants, such as those who had simply changed email addresses since registering their names.
“What was a lovely political win that we said time and time again in discussion after discussion was impractical and would provide no benefit, has demonstrably has created harm,” Noss said.
He was received with cautious support by ICANN board members.
Chair Steve Crocker wonder aloud how many of the 800,000 suspended domains are owned by bad guys, and he noted that LEA don’t appear to gather data in the way that the registrars are demanding.
“We were subjected, all of us, to heavy-duty pressure from the law enforcement community over a long period of time. We finally said, ‘Okay, we hear you and we’ll help you get this stuff implemented,'”, he added. “That creates an obligation as far as I’m concerned on their part.”
“We’re in a — at least from a moral position — in a strong position to say, ‘You must help us understand this. Otherwise, you’re not doing your part of the job'”, he said.
Chehade also seemed to support the registrars’ position that LEA needs to justify its demands and offered to take their data and concerns to the LEA and the Governmental Advisory Committee.
“They put restrictions on us that are causing harm, according to these numbers,” he said. “Let’s take this back at them and say, hey, you ask for all these things, this is what happened.”
“If you can’t tell me what good this has done, be aware not to come back and ask for more,” he said. “I’m with you on this 100%. I’m saying let’s use the great findings you seem to have a found and well-package them in a case and I will be your advocate.”
Director Mike Silber also spoke in support of the RrSG’s position.
“My view is if what you are saying is correct, the LEA’s have blown their credibility,” he said. “They’re going to have to do a lot of work before we impose similar disproportional requirements on actors that are not proven to be bad actors.”
So what does this all mean for registrants?
I don’t think there’s any ongoing process right now to get the Whois verification requirements overturned — that would require a renegotiation of the RAA — but it does seem to mean demands from governments and police are going to have to be much more substantiated in future.
Noss attempted to link the problem to the recommendations of the Whois Expert Working Group (EWG), which propose a completely revamped, centralized Whois system with much more verification and not much to benefit registrants.
To paraphrase: if email verification causes so much harm, what harms could be caused by the EWG proposal?
The EWG was not stuffed with LEA or governments, however, so it couldn’t really be characterized as another set of unreasonable demands from the same entities.

Four reasons Google Domains isn’t a Go Daddy killer

Judging by DI’s traffic spike last night, there’s a lot of interest in Google Domains, Google’s forthcoming entry into the domain name registrar market.
And judging by some of the early commentary, it seems that many people are already assuming that the service will be an overnight success.
Some people already seem to be willing to write off market leader Go Daddy specifically, for some peculiar reason.
I’ve even heard speculation that Google timed its announcement to screw with Go Daddy’s imminent IPO, which strikes me as veering into conspiracy theory territory.
While I’ve no doubt Go Daddy and other mass-market retail registrars will be watching Google’s move with interest and concern — and there are some reasons to be worried — let’s not jump the gun here.
Let’s calm the hyperbole a little. Off the top of my head, here are a handful of reasons not to get excited just yet.
1. It could be a really shitty product
There seems to be an assumption in some quarters that whatever Google brings to market will be automatically incredible, but the company really doesn’t have the track record to support that assumption.
Sure, its search engine may be great and services such as Gmail and Adsense may be pretty good, but have you ever tried Blogger?
Do you actually use Google+, or do you only have an account because Google forced you?
The truth is that lots of Google products fail.
And we haven’t even seen Google Domains yet. Nobody has. Only Google employees and their buddies are going to get beta access, so it seems we’re going to be waiting a while before we can judge.
2. There’s no 24×7 support
Google Domains will launch with support via email and phone from 9am to 9pm US Eastern time, Monday to Friday.
Would you switch to a registrar that doesn’t have round-the-clock support seven days a week? As a small business owner who makes his living from his web site, I sure wouldn’t.
If Google Domains gains traction you can expect support hours to be expanded pretty quickly, but a lack of 24×7 support at launch will keep many customers away.
3. It’s not free
Some people seem to be obsessed with the notion that Google is going to give away free domains, and that kind of commentary is continuing even though we know Google Domains will charge $12 for a .com.
Its email service may come at no additional cost, but its email service is Gmail, and that’s already free. Google could hardly start charging an add-on fee for something that’s always been free.
Google Domains may offer free privacy too, but so do lots of other registrars.
In future, Google registry arm Charleston Road Registry may give away free names in some of its new gTLDs, but if it does so that price will have to be available to all registrars, not just Google Domains.
Google Domains isn’t free. It’s not even the cheapest registrar on the market.
4. Go Daddy is gigantic
According to its recent regulatory filings, Go Daddy has 57 million domains under management and 12 million customers.
How many of those do you think will make the switch to Google? How many will even know that such a switch is possible?
Switching registrars may be relatively straightforward if everything you own is parked, but it becomes more complex when you’re running your web site, email and so forth on your registrar’s platform.
These kinds of small business owners are the customers being targeted by Google and Go Daddy, and if they already have web sites they’re likely already experiencing registrar lock-in.
According to its announcement, Google is targeting greenfield opportunities — the 55% of small businesses it estimates don’t have an online presence today — rather than grabbing market share from rivals.
The “small businesses need to get online” story is common to every press release issued by every web host and domain registrar with a price promotion to plug.
When Google teamed up with Blacknight to give away domains for free — for FREE, so it is, so it is — to Irish small businesses, it managed to sign up 10,000 in one year.
How long do you think it will take Google to get to 57 million names under management?

Shakeup coming as Google becomes a registrar, sells names at $12 with free privacy and email

Google has announced its first foray into the domain name registrar business with Google Domains.
The company tells me that the upcoming service will allow customers to buy or transfer domains for $12 a year.
Privacy protection, up to 100 email addresses and up to 100 subdomains — things existing leading registrars charge extra for — will be included at no additional cost.
Right now, the service is in an invitation-only beta. The first beta users are not expected to get access for a couple of weeks and the beta will likely last a couple of months.
Google says it wants to make domain registration a “simple and transparent experience”.
It’s not entirely clear which TLDs will be supported at first — .com, .net and .eu seem to be three of them — but the company plans to support “many” new gTLDs in future.
The service is unfinished, according to the company, but beta users will be able to buy and transfer domain names.
They’ll also be able to use web site creation tools supplied by the likes of Squarespace, Wix, Weebly and Shopify, which will carry an additional cost.
The $12 a year fee is comparable to market-leader Go Daddy’s annual rate for a .com, but Go Daddy charges about $8 extra per year for privacy and about $5 a month for email.
Google joins the likes of Minds + Machines and Uniregistry as new gTLD registries that have made the move into the registrar side of the business, hoping to bring a fresh approach to the market.
Google has actually been accredited by ICANN as a registrar for years — over a decade if memory serves — but to date has never used its accreditation to sell domains.
With its Google Apps service, the company refers domain buyers to Go Daddy and eNom. While there’s no confirmation from Google yet, I suspect those relationships may be in jeopardy in future.

Breaking: Go Daddy files for $100 million IPO

Go Daddy has filed its S-1 registration form with the US Securities and Exchange Commission, signalling its intention to go public.
The filing reveals the company plans to raise $100 million with the share sale.
Go Daddy’s revenue for 2013 was $1.1 billion, up from $910.9 million in 2012, the filing reveals.
But the company said it uses “bookings” as a measure of its success, due to the way its revenue is collected up-front but recognized on its books over the term of the domain or hosting contract.
Bookings were $1.4 billion in 2013, up from $1.25 billion in 2012.
Go Daddy is loss-making, recording a net loss of $199.8 million in 2013 and $279 million in 2012.
The company has 57 million domains under management and hosts 8.5 million web sites, according to the S-1. Those are spread between 12 million customers, a number that grew by 1.3 in 2013.
A surprising 24% of its sales come via its customer service people; the rest comes through its web site.
Go Daddy planned to IPO in 2006, but subsequently yanked the offering due to “market uncertainties” and then-CEO Bob Parsons’ apparent discomfort with the process.
In 2011 the company was taken over by the investment firms KKR, Silver Lake Partners, and Technology Crossover Ventures, paying a reported $2.25 billion for a 65% stake.
Since then, an eventual IPO has not been a matter of if, but when.
I’m tweeting more nuggets from the S-1 as I find them.

How NetSol opts you in to cybersquatted .xyz names

Clear-cut cases of cybersquatting seem to be among those .xyz domain names that Network Solutions has registered to its customers without their explicit request.
Some of the domains I’ve found registered in .xyz, via NetSol to the registrants of the matching .com or .net names, include my-twitter.xyz, facebook-liker.xyz and googledia.xyz.
Domains including other brands, such as Rolex, Disney, iPhone, Amazon and Pepsi can also be found registered to third parties, via NetSol, in .xyz’s zone today.
They’re all registered via NetSol’s Whois privacy service, which lists the registrant’s “real” name in the Whois record, but substitutes mailing address, email and phone number with NetSol-operated proxies.
I think the chance of these names being paid for by the registrant is slim. It seems probable that many (if not all) of the squatty-looking names were registered via NetSol’s promotional program for .xyz.
As previously reported, NetSol has been giving away domain names in .xyz to owners of the matching .com names. Tens of thousands of .xyz names seem to have been registered this way in the last week.
The “registrants” did not have to explicitly accept the offer. Instead, NetSol gave them the option to “opt-out” of having the name registered on their behalf and placed into their accounts.
The effect of this has been to propel .xyz into the leading spot in the new gTLD league table. It had 82,236 names in today’s zone file. a clear 15,000 names ahead of second-place .club.
But it’s not clear how much, if any, support NetSol has received from the registry, XYZ.com. CEO Daniel Negari told Rick Schwartz, in a coy interview last week:

The Registry Operator is unable to “give away” free domain names. I never even saw the email that the registrar sent to its customers until I discovered it on the blogs.

The opt-out giveaway has also prompted speculation about NetSol’s right to register domains without the explicit consent of the registrant, both under the law and under ICANN contract.
Under the Registrar Accreditation Agreement, in order to register a domain name, registrars “shall require” the registrant “to enter into an electronic or paper registration agreement”.
That agreement requires the registrant to agree to, among many other things, the transfer or suspension of their domains if (for example) they lose a UDRP or URS case.
But that doesn’t seem to be happening with the opt-out names,
Barry Shein, president of The World, had shein.xyz registered on his behalf by NetSol on Saturday. He already owns shein.com, also registered with NetSol.
NetSol’s email informing him of the registration, which Shein forwarded to DI, reads as follows:

Dear Valued Network Solutions Customer,
Congratulations, your complimentary SHEIN.XYZ domain has arrived!
Your new .XYZ domain is now available in your Network Solutions account and ready to use. To go along with your new .XYZ domain, you have also received complimentary access to Professional Email and Private Registration for your .XYZ domain.
If you choose not to use this domain no action is needed and you will not be charged any fees in the future. Should you decide to keep the domain after your complementary first year, simply renew it like any other domain in your account.
We appreciate your business and look forward to serving you again.
Sincerely,
Network Solutions Customer Support
www.networksolutions.com
http://www.networksolutions.com/help/index.jsp

Importantly, a footnote goes on to describe how NetSol will take a refusal to opt out as “continued acceptance” of its registration agreement:

Please note that your use of this .XYZ domain name and/or your refusal to decline the domain shall indicate acceptance of the domain into your account, your continued acceptance of our Service Agreement located online at http://www.networksolutions.com/legal/static-service-agreement.jsp, and its application to the domain.

So, if you’re a NetSol customer who was picked to receive a free .xyz name but for whatever reason you don’t read every marketing email your registrar sends you (who does?) you’ve agreed to the registration agreement without your knowledge or explicit consent, at least according to NetSol.
I am not a lawyer, but I’ve studied enough law to know that this is a dubious way to make a contract. Lawyers I’ve shown this disclaimer to have laughed out loud.
Of course, because each registrant already owns a matching .com, they’ve already accepted NetSol’s registration agreement and terms of service at least once before.
This may allow NetSol to argue that the initial acceptance of the contract also applies to the new .xyz domains.
But there are differences between .com and .xyz.
Chiefly, as a new gTLD, .xyz registrants are subject to policies that do not apply to .com, such as the Uniform Rapid Suspension policy.
URS differs from UDRP in that there’s a “loser pays” model that applies to complaints involving over 15 domains.
So these .xyz registrants have been opted into a policy that could leave them out of pocket, without their explicit consent.
Of course, we’re talking about people who seem to be infringing famous trademarks in their existing .com names, so who gives a damn, right?
But it does raise some interesting questions.
Who’s the registrant here? Is it the person who owns the .com, or is it NetSol? NetSol is the proxy service, but the .com registrant’s name is listed in the Whois.
Who’s liable for cybersquatting here? Who would Twitter file a UDRP or URS against over my-twitter.xyz? Who would it sue, if it decided to opt for the courts instead?

RADAR to be down at least two weeks after hack

ICANN expects its RADAR registrar database to be offline for “at least two weeks” following the discovery of a security vulnerability that exposed users’ login names and encrypted passwords.
ICANN seems to have been quick to act and to disclose the hack.
The attack happened last weekend and ICANN was informed about it by an “internet user” on Tuesday May 27, according to an ICANN spokesperson. RADAR was taken offline and the problem disclosed late May 28.
The spokesperson added that “we do not believe the user is affiliated with a current or previously accredited registrar.”
ICANN isn’t disclosing the nature of the vulnerability, but said RADAR will be offline for some time for a security audit. The spokesperson told DI in an email:

It will be at least two weeks. It is more important to complete a thorough security assessment of the site than to rush this process. First of all, we’re keeping the system offline until we complete a thorough audit of the system. We are also currently engaged in a security review of all systems and procedures at ICANN to assess and implement ongoing improvements as appropriate.

RADAR is a database used by registrars to coordinate stuff like emergency contacts and IP address whitelisting for bulk Whois access.
The downtime is not expected to impact registrants, according to ICANN. The spokesperson said: “Nothing that occurred has raised any concerns that registrants could or would be adversely affected.”

ICANN registrar database hacked

ICANN’s database of registrar contact information has been hacked and user data has been stolen.
The organization announced this morning that the database, known as RADAR, has been taken offline while ICANN conducts a “thorough review” of its security.
ICANN said:

This action was taken as a precautionary measure after it was learned that an unauthorized party viewed data in the system. ICANN has found no evidence of any unauthorized changes to the data in the system. Although the vulnerability has been corrected, RADAR will remain offline until a thorough review of the system is completed.

Users of the system — all registrars — have had their usernames, email addresses and encrypted passwords compromised, ICANN added.
ICANN noted that it’s possible to brute-force a hashed password into plaintext, so it’s enforcing a password reset on all users, but it has no evidence of any user accounts being accessed.
RADAR users may want to think about whether they have the same username/password combinations at other sites.
RADAR is a database used by registrars in critical functions such as domain name transfers.
Registrars can use it, for example, to white-list the IP addresses of rival registrars, enabling them to execute large amounts of Whois queries that would usually be throttled.
The news follows hot on the heels of a screwup in the Centralized Zone Data Service, which enabled any new gTLD registry to view data belonging to rival registries and other CZDS users.

KnujOn scores a win as BizCN gets first breach notice

The Chinese registrar BizCN has received its first breach notice from ICANN’s compliance department, following a sustained campaign by anti-abuse activist KnujOn.
The notice concerns Whois accuracy, specifically for the domain names rapetube.org and onlinepharmacy4.org, and a bunch of other peripheral breaches of the Registrar Accreditation Agreement.
The “porn” site rapetube.org was the subject of a Washington Post article last December, in which KnujOn’s Garth Bruen said he feared the site might contain footage of actual crimes.
Bruen has been chasing BizCN about Whois inaccuracy, and specifically the rapetube.org domain, since 2011.
He said in a September 2013 CircleID post that he’s filed Whois inaccuracy complaints about the domain with ICANN “multiple times”.
His campaign against ICANN Compliance led to an Ombudsman complaint (which was rejected) last year.
Now Compliance appears to be taking the case more seriously. ICANN, according to the breach notice, has been on BizCN’s case about rapetube.org’s Whois since March 24 this year.
At that time, the name was registered to a Vietnamese name with a French address and phone number and a contact email address at privacy-protect.cn.
According to Bruen’s interview with the Post, this email address bounced and nobody answered the phone number. The privacy-protect.cn domain does not appear to currently resolve.
ICANN evidently has some unspecified “information” that shows the email “does not appear to be a valid functioning email address”.
But BizCN told ICANN April 2 that it had verified the registrant’s contact information with the registrant, and provided ICANN with correspondence it said demonstrated that.
ICANN says the correspondence it provided actually predated KnujOn’s latest complaint by six months.
In addition, when BizCN forwarded a scanned copy of the registrant’s ID card, ICANN suspected it to be a fake. The notice says:

Registrar provided copies of correspondence between the reseller and registrant. The response included the same email address that was still invalid according to information available to ICANN, and included a copy of a government identification card to confirm the registrant’s address. According to information available to ICANN, the identification card did not conform to any current or previous form of government identification for that jurisdiction.

Despite repeated follow-up calls, ICANN said it still has not received an adequate response from BizCN, so its accreditation is now in jeopardy.
BizCN has something like 450,000 gTLD names under management and is in the top 50 registrars by volume.
As for rapetube.org, it’s still registered with BizCN, but its Whois changed to a Russian company “Privat Line LLP”, at privatlinellp.me, on or about April 17.
That change is not going to help BizCN, however, which is being asked to provide evidence that it took “reasonable steps to investigate and reasonable steps to correct the Whois inaccuracy claims”.
It has until May 29 to sort out the breaches or face termination. Read the breach notice here.

NameCheap gets contract breach notice

ICANN has sent a formal breach notice to top ten registrar NameCheap, saying the company failed to comply with a mandatory audit.
ICANN also claims in the notice (pdf) that the company has failed to keep its web site up to date with pricing information required by policies.
NameCheap, which says it has over three million domains under management, may be the largest registrar to get to the formal, published breach notice stage of the ICANN compliance process.
But it should be noted that while the company is accredited and must comply with its Registrar Accreditation Agreement, it does almost all of its business as an eNom reseller.
Just a handful of domain names are registered under NameCheap’s own IANA number.

101domain shifts blame to Google as premium buyers offered 50% discount

101domain has offered a 50% discount to customers that were sold premium new gTLD domains for a vastly reduced price, and has tried to shift some of the blame to the registry, Google.
The offer was made in a letter (pdf) to affected registrants — previously hit with delayed invoices for thousands of dollars for domains they bought for $12.99 — sent yesterday.
It indicates that the registrar is prepared to eat at least part of its pricing error on both first-year registrations and subsequent annual renewals.
101domain told customers:

• You now have until June 23, 2014 to make a decision whether to delete the name or pay for the premium name.
• If you want to keep the name(s), 101domain will offer you a 50% discount on the first year premium price and a 25% discount on premium annual renewals.
• If you give up your name(s), we will give you a credit on 101domain.com for any future purchases equal to 25% of the price of the premium name.

Previously, affected registrants had been told to pay up or have their domains deleted the following day.
As we reported last week, almost 50 domains in Google’s .みんな (“.everyone”) were sold for $12.99, despite some being earmarked by the registry as “premiums” with annual fees of up to $7,000.
In its letter to customers yesterday, 101domain characterized Google’s system for handling premiums as non-standard and difficult for registrars to work with.
Google’s list of premium names was circulated to registrars via an email, and the registry had no EPP commands for checking out whether a name was premium in real-time, the registrar says.
There was also no way for registrars to prevent the registration of premiums and no way to check with the registry for premium sales, it added.
It seems clear from the letter that the discounts now on offer mean that if registrants choose to keep their names they’ll be getting them at less than the registry fee — 101domain will eat the difference.

We contacted Google and requested them to work with us on the matter since we felt strongly that both sides were responsible to right the situation. Google offered no assistance other than extending the date to delete the names — telling us it was our problem.

Despite this seemingly generous response to domainer outrage, at the least one affected customer is not impressed.
In an email to DI last night the original registrant that first alerted us to the pricing problem described the latest 101domain offer as “lame”.