ICANN reveals 12 more data breaches

Twelve more new gTLD applicants have been found to have exploited a glitch in ICANN’s new gTLD portal to view fellow applicants’ data.
ICANN said last night that it has determined that all 12 access incidents were “inadvertent” and did not disclose personally identifiable information.
The revelation follows an investigation that started in April this year.
ICANN said in a statement:

in addition to the previous disclosures, 12 user credentials were used to access contact information from eight registry operators. Based on the information collected during the investigation it appears that contact information for registry operators was accessed inadvertently. ICANN also concluded that the exposed registry contact information does not appear to contain sensitive personally identifiable information. Each of the affected parties has been notified of the data exposure.

The glitch in question was a misconfiguration of a portal used by gTLD applicants to file and view their documents.
It was possible to use the portal’s search function to view attachments belonging to other applicants, including competing applicants for the same string.
Donuts said in June that the prices it was willing to pay at auction for gTLD string could have been inferred from the compromised data.
ICANN told compromised users in May that the only incidents of non-accidental data access could be traced to the account of Dirk Krischenowski, CEO of dotBerlin.
Krischenowski has denied any wrongdoing.
ICANN said last night that its investigation is now over.

English beats Portuguese in $2.2m .hotels auction

Booking.com has won the right to operate .hotels after an auction concluded a protracted fight over the gTLD.
In an ICANN-run auction yesterday, Booking.com prevailed with a winning bid of $2.2 million.
Its sole competitors was Travel Reservations (formerly Despegar Online), which had applied for the Portuguese word .hoteis.
In 2012, a String Similarity Review panel concluded that .hotels and .hoteis look too similar to coexist, due to the likelihood of confusion between I and l in sans-serif fonts.
Neither applicant agreed with that decision, knowing that it would result in a expensive auction, and Booking.com filed a Request for Reconsideration and then, in March 2013, an Independent Review Process complaint.
After two years, it lost the IRP. But the panel said it had “legitimate concerns” about the fairness of the SSR process and ordered ICANN to pay half of its costs.
Now, Booking.com has had to fork out another $2.2 million for the string.
That’s not particularly expensive as ICANN-auctioned gTLDs go. Eight of the 13 other strings ICANN has auctioned have sold for more.
ICANN’s auction proceeds to date now stands at $63,489,127, which is being held in a separate bank account for purposes yet to be determined.

.pro now open to all

Afilias today made the .pro gTLD available to anyone, regardless of their professional qualifications.
The previously restricted TLD was able to do so as a result of its six-week-old contract with ICANN, which loosened many of the conditions former registry RegistryPro originally agreed to when the TLD was delegated 13 years ago.
Under the original Registry Agreements, RegistryPro — since acquired by Afilias — had to verify the professional credentials of potential registrants.
Now that .pro has been brought under something that looks a lot like the 2012 new gTLD RA, it’s pretty much a free-for-all.
The registry said in a press release:

despite demand from registrants and registrars alike, .PRO names have historically been denied to professionals from a wide range of fields such as policemen, firefighters, journalists, programmers, artists, writers, and many others.

In my personal experience, it has been possible to register a .pro domain without providing credentials. I’ve been paying for one for a few years, though I’ve been unable to actually use it.
The gTLD was approved in the original, first round of new gTLD applications, back in 2000.
Part of the original deal was that it would be restricted to three classes of professions — lawyer, doctor, accountant — and only available to buy at the third level.
The third-level limitation was lifted many years ago, but .pro continued to be restricted to people who could show a credential.
However, even as recently as 2012 then-RegistryPro-CEO Karim Jiwani was telling DI that the secret to growth was more restrictions, not less.
He’s no longer with the company.
.pro’s registration numbers have have been suffering the last few years.
The registry peaked at roughly 160,000 names in July 2012, and has been on a downward track ever since. It started this July with about 122,000 registrations.
As part of its new deal with ICANN, Afilias no longer has price caps — previously set around .com prices — and has had to implement some of the provisions of the new gTLD Registry Agreement.
One such provision is the Uniform Rapid Suspension policy, which continues to cause controversy in the industry.

.feedback regs Fox trademark to itself during sunrise

Top Level Spectrum, the new .feedback registry, has painted a second gigantic target on itself by registering to itself a .feedback domain matching one of the world’s largest media brands.
The company has registered fox.feedback and put up a web site soliciting comment on Fox Broadcasting Company.
This has happened whilst .feedback is still in its sunrise period.
The intellectual property community is, I gather, not particularly happy about the move.
The domain fox.feedback points to a web site that uses TLS’ standard feedback platform, enabling visitors to rate and comment on Fox.
The site has a footnote: “Disclaimer: This site is provided to facilitate free speech regarding fox. No direct endorsement or association should be conferred.”
Fox had no involvement with the registration, which Whois records show is registered to Top Level Spectrum itself.
Registry CEO Jay Westerdal said that the domain is one of the 100 “promotional” domains that new gTLD registries are allowed to set aside for their own use under the terms of their ICANN contracts.
Registries usually register names like “buy.example” or “go.example”, along with the names of early adopter anchor tenant registrants, using this mechanism.
I’m not aware of any case where a registry has consciously registered a famous brand, without permission, as part of its promotional allotment.
“The website is hosted automatically by the Feedback platform,” Westerdal said. “Fox Television Network has raised no concerns and has not applied for the domain during sunrise. We are testing out promotion of the TLD with the domain as per our ICANN contract.”
Fox may still be able to buy the domain during sunrise, he said.
“This is a Registry Operation name. During sunrise, If we receive an application from a sunrise-eligible rights holders during sunrise for a Registry Operations name we may release the name for registration,” he said.
Fox’s usual registrar is MarkMonitor. Matt Serlin, VP there, said in an email that the TLS move could be raised with ICANN Compliance:

I find it curious that this branded domain name would have been registered to the registry prior to the sunrise period which is restricted to the 100 registry promotional names. The fact that the domain is actually resolving to a live site soliciting feedback for The Fox Broadcasting Company is even more troubling. MarkMonitor may look to raise this to ICANN Compliance once the registry is able to confirm how this domain was registered seemingly outside of the required process.

The IP community originally fought the introduction of the 100-domain pre-sunrise exception, saying unscrupulous registries would use it to stop trademark owners registering their brands.
While there have been some grumblings about registries reserving dictionary terms that match trademarks, this may be the first case of a registry unambiguously targeting a brand.
Top Level Spectrum courted controversy with the trademark community last week when it told DI that it plans to sell 5,000-brand match domains to a third party company after .feedback goes into general availability in January.
Westerdal told us this is not “cybersquatting”, as the sites contain disclaimers and are there to facilitate free speech.
What do you think about this use of brands as “promotional” domains?
It’s indisputably pushing the envelope of what is acceptable, but is it fair? Should registries be allowed to do this?

XYZ says it won’t block censored Chinese domains

New gTLD registry XYZ.com has said it will not preemptively censor domain names based on the wishes of the Chinese government.
Over the last couple of days, CEO Daniel Negari has sought to “clarify” its plans to block and suspend domain names based on Chinese government requests.
It follows XYZ’s Registry Services Evaluation Request for a gateway service in the country, first reported by DI and subsequently picked up by the Electronic Frontier Foundation, a Wall Street Journal columnist, Fortune magazine and others.
The clarifications offered up by XYZ probably did more to confuse matters.
A blog post on Wednesday said that XYZ will not reserve any .xyz domain names from being registered, except those ICANN makes all new gTLD registries reserve.
Subsequent comments from Negari stated that XYZ will, as the RSEP stated, prevent names that have been banned in China from being registered.
However, there’s one significant difference.
Now, the registry is saying that it will only put those bans in place for domain names that have been specifically banned by the Chinese government when the name had already been registered by a Chinese registrant.
So, if I understand correctly, it would not preemptively ban anyone anywhere from registering [banned term].xyz.
However, if [banned term].xyz was registered to a Chinese resident and the Chinese government told the registry to suspend it, it would be suspended and nobody would be able to re-register it anywhere in the world.
Negari said in a blog comment yesterday:

if we receive a Chinese legal order tomorrow (before the gateway has launched) which requires disabling a domain name registered in China and properly under Chinese jurisdiction, then it will be disabled at the registry level, and not by the gateway. When the gateway launches the name will continue to be unavailable, and the gateway will not implement the action on a localized basis only in China. The normal registry system would continue to be the only system used to resolve the name globally. Again — the specific stability concern ICANN had was that we would use the Chinese gateway to make .xyz names resolve differently, depending on what country you are in. I completely agree that our [RSEP] re-draft to address that concern came out in a way that can be read in a way that we sincerely did not intend.

So there is a list of preemptively banned .xyz, .college, .rent, .security and .protection domains, compiled by XYZ from individual Chinese government requests targeting names registered to Chinese registrants.
Negari said in an email to DI yesterday:

To clarify the statement “XYZ will reserve domains,” we meant that XYZ will takedown domains in order to comply with “applicable law.” Unfortunately, the inaccuracies in your post caused people to believe that we were allowing the Chinese government to control what names could be registered or how they could be used by people outside of China. The idea that XYZ is going to impose Chinese law and prevent people outside of China from registering certain domain names is simply incorrect and not true. To be 100% clear, there is no “banned list.”

That was the first time anyone connected with XYZ had complained about the October 12 post, other than since-deleted tweets that corrected the size of the list from 40,000 domains to 12,000.
The RSEP (pdf) that causes all this kerfuffle has not been amended. It still says:

XYZ will reserve names prohibited for registration by the Chinese government at the registry level internationally, so the Gateway itself will not need to be used to block the registration of of any names. Therefore, a registrant in China will be able to register the same domain names as anyone else in the world.

This fairly unambiguous statement is what XYZ says was “misinterpreted” by DI (and everyone else who read it).
However, it’s not just a couple of sentences taken out of context. The context also suggests preemptive banning of domains.
The very next sentence states:

When the Gateway is initially implemented we will not run into a problem whereby a Chinese registrant has already registered a name prohibited for registration by the Chinese government because Chinese registrars are already enforcing a prohibition on the registration of names that are in violation of Chinese law.

This states that Chinese residents are already being preemptively banned, by Chinese registrars, from registering domains deemed illegal in China.
The next few paragraphs of the RSEP deal with post-registration scenarios of domains being banned, clearly delineated from the paragraph dealing with pre-registration scenarios.
In his blog post, Negari said the RSEP “addressed the proactive abuse mitigation we will take to shut down phishing, pharming, malware, and other abuse in China”.
I can’t believe this is true. The consequence would be that if China sent XYZ a take-down notice about a malware or phishing site registered to a non-Chinese registrant, XYZ would simply ignore it.
Regardless, the takeaway today is that XYZ is now saying that it will not ban a domain before it has been registered, unless that domain has previously been registered by a Chinese resident and subsequently specifically banned by the Chinese government.
The registry says this is no different to how it would treat take-down notices issued by, for example, a US court. It’s part of its contractual obligation to abide by “applicable law”, it says.
Whether this is a policy U-turn or a case of an erroneous RSEP being submitted… frankly I don’t want to get into that debate.
Disclosure: during the course of researching this story, I registered .xyz domains matching (as far as this monoglot can tell) the Chinese words for “democracy”, “human rights”, “porn” and possibly “Tiananmen Square”. I have no idea if they have value and have no plans to develop them into web sites.

Forget .sucks, .feedback will drive trademark owners nuts all over again

Top Level Spectrum, the new gTLD registry behind .feedback, plans to give sell domains matching 5,000 of the world’s top brands to a third party that does not own the trademarks.
That’s one novel element of a .feedback business model that is guaranteed to drive the intellectual property community crazy in much the same way as .sucks did earlier this year.
The other piece of ‘innovation’ will see all .feedback domains — including the 5,000 brands — point by default to a hosted service that facilitates comment and criticism.
An example of such a site can be seen at www.eggsample.feedback. The registry’s CEO, Jay Westerdal, has a .feedback site at www.jay.feedback
If you agree to use the hosted service with your domain, the domain and service combined will cost a minimum of just $20 per year.
However, if you want to turn off the hosted service and use your .feedback like a regular domain, pointing to the web site of your choice, the price will ratchet up to $50 a month, or $620 a year.
Those are the wholesale prices. Both services will be offered through registrars, where some markup is to be expected.
The hosted service is being offered by Feedback SAAS LLC, a company that, judging by its web site, appears to share ownership with Top Level Spectrum, though Westerdal says the two firms have different employees.
It’s not dissimilar to the model employed by .tel, where name servers by default point to a registry-hosted service.
Unlike .tel, .feedback registrants will be able to opt out of using the SAAS service and point their domains to whatever name servers they want.
Westerdal told DI that .feedback is in the process of making a deal with a “third party” he could not yet name to have 5,000 branded .feedback domains deployed during the Early Access Period of the .feedback launch. That’s scheduled to start January 6.
“We are striking a deal to get feedback sites out there. We want everything to have feedback,” he said. “We are signing an agreement to get the ball rolling by doing a founders program to get names out there. Your favorite shoe, your pizza place, your everything.”
“The sites are all geared towards free speech and giving reviews,” he said. He said:

No trademark infringement will occur though, the sites are all geared towards free speech and giving reviews. Confusing the public that the brand is running the site will not happen, each site has a disclaimer and makes it clear the brand is not running the site.

Asked whether we were talking about a genuine third party or a shell set up by the registry, he said: “A real third party. I am not playing games.”
He said the higher pricing for the naked domain registration is intended to discourage companies from turning off the domains matching their brands.
The whole point of .feedback is to solicit feedback.
The as-yet unspecified third-party taking possession of the 5,000 brand names would not be prevented from selling the domains to the matching brand owner, or to any third parties, he said, though he would not be in favor of such a move.
He said that $20 a year to run a configurable .feedback site, with moderator privileges, is a “great deal” compared to the $300-a-month service he said consumer review site Yelp offers.
The SAAS service will make additional revenue by selling added features, suitable for enterprises, he said.
.feedback went into its sunrise period last week with a $2,000 wholesale fee — the same high price that attracted criticism for .sucks.
The original Registry Service Evaluation Process for the .feedback service hit ICANN over a year ago (pdf).
I missed it then. Sorry.
I noticed it today after corporate registrar MarkMonitor blogged about it.
Matt Serlin, VP of MarkMonitor, who blogged his opinion on .feedback’s strategy earlier today, said in an email that the .feedback strategy was “more objectionable” than he had thought, and that “[W]e would most likely look to raise to ICANN if that is his stated intent.”

Pro-.com analyst “sponsored” by Verisign. Is this a big deal?

Verisign has admitted it “sponsors” an analyst who has written more than a dozen articles singing the praises of .com and questioning the value of new gTLDs over the last few years.
Zeus Kerravala is the founder and principal analyst at ZK Research. He writes a regular column for Network World called Network Intelligence.
Last week, domain industry eyebrows were raised by the latest in a series of pro-.com articles — all of which seem to have been removed by Network World in the last 24 hours — to appear in the column.
The latest article was entitled “Why more companies are ditching new domain names and reverting to .com“.
Kerravala basically mined domain industry blogs, including this one, for examples of companies preferring .com over ccTLDs and new gTLDS, to support a view that .com is awesome and other TLDs are not.
He could have quite easily have used the same method to reach the opposite conclusion, in my view.
The Halloween-themed article concluded:

The good news is that .com will be here now and into the future, just like it has been for the past 30 years to provide treats to businesses after they have been “tricked” by other TLDs.

The article, and 12 more before it dating back to August 2012, looked to some like Verisign spin.
Other headlines include “Why .com is still the domain of choice for businesses” and “New generic top-level domain names do more harm than good” and “Companies are movin’ on up to .com domain names”.
They’re all basically opinion pieces with a strongly pro-.com slant.
The opinion that .com is better than the alternatives is not uncommon, especially among domainers who have lots of money tied up in .com investments.
The fact that Kerravala, who doesn’t usually touch the domain industry in his column, has written a dozen stories saying essentially the same thing about .com over the last couple of years looked a bit odd to some in the domain industry.
And it turns out that he is actually on the Verisign payroll.
A Verisign spokesperson told DI: “ZK Research is a sponsored industry analyst and blogger.”
The company declined to answer a follow-up question asking whether this meant he was paid to blog.
Kerravala told DI that Verisign is one of his clients, but denied blogging on its behalf. He said in an email:

they are a client like many of the other large technology firms. Although I blog, like many analysts, I am first an foremost an analyst. I have paid relationships with tech vendors, service providers, end user firms, resellers and the financial community.
Verisign pays me for inquiry time and to have access to my research. Verisign has many relationships like this with many analyst firms and I have this type of relationship with many other technology firms.
In no way do vendors pay me to write blogs nor do they influence my research or my opinions. Sometimes, I may choose to interview a vendor on a certain topic and include them in the article.

Kerravala had not disclosed in his Network World articles or boilerplate biography that Verisign is one of his clients.
In a January 2014 article published on SeekingAlpha, “New Generic Top Level Domain Names Pose No Threat To VeriSign“, contains a disclosure that reads in part “I have no business relationship with any company whose stock is mentioned in this article.”
Kerravala said in an email that although his relationship with Verisign started in 2013, the company was not a client at the time the SeekingAlpha article appeared.
The relationship came to light after new gTLD registry Donuts emailed Kerravala via a third party — and Kerravala says under false pretenses — claiming to have liked his most recent article and asking for a contact name at Verisign.
He would have responded honestly to just being asked directly by Donuts, he said.
In a telephone conversation yesterday, he said that his articles about .com represent his genuinely held beliefs which, as we agree, are not particularly unusual.
He observed that DI has a generally pro-TLD-competition point of view, and that many of my advertisers are drawn from the new gTLD industry, and said that his relationship with Verisign is not dissimilar to DI’s relationship to its advertisers.

.apple goes live

Apple’s .apple new gTLD was delegated today.
It’s going to be a strict dot-brand gTLD, in which only Apple can register domain names, but could wind up being highly influential.
While .apple now appears in the DNS root zone, no second-level names (not even nic.apple) are yet resolving.
Should Apple actually use its new TLD in a prominent way, it would be good news for the visibility of new gTLDs internationally.
The company has sold hundreds of millions of devices over the last decade or so.
But the company has a spotty history of paying attention to domain names, regularly launching products without first securing matching domain names.
It did recently adopt a .news domain name for one of its apps, however.
.apple could wind up being purely defensive, at least in the near term.
Apple’s 2012 application to ICANN describes its plans in literally one sentence, repeated five times:

Apple seeks to obtain the new .apple gTLD in order to provide consumers with another opportunity to learn about Apple, and its products and services.

Apple division Beats Electronics, which makes headphones, also had its dot-brand, .beats, delegated today.

Correction: .shop auction weirder than I thought

The upcoming auction for .shop and .shopping new gTLDs is weird, but in a different way to which I reported on Friday.
The actual rules, which are pretty complicated, mean that one applicant could win a gTLD auction without spending a single penny.
The nine applicants for .shop and the two applicants for .shopping are not necessarily all fighting it out to be a single victor, which is what I originally reported.
Rather, it seems to be certain that both .shop and .shopping will wind up being delegated.
The ICANN rules about indirect contention are not well-documented, as far as I can tell.
When I originally reported on the rules exactly two years ago today, I thought an animated GIF of a man’s head exploding was an appropriate way to end the story.
In the .shop/.shopping case, it seems that all 11 applications — nine for .shop and two for .shopping — will be lumped into the same auction.
Which applicant drops out first will determine whether both strings get delegated or only one.
Uniregistry and Donuts have applied for .shopping, but only Donuts’ application is in contention with Commercial Connect’s .shop application (due to a String Confusion Objection).
As Donuts has applied for both .shop and .shopping, it will be submitting separate bids for each application during the auction.
The auction could play out in one of three general ways.
Commercial Connect drops out. If Commercial Connect finds the .shop auction getting too rich for it and drops out, the .shopping contention set will immediately become an entirely separate auction between Uniregistry and Donuts. In this scenario, both .shop and .shopping get to become real gTLDs.
Donuts drops its .shopping bid. If Donuts drops its bid for .shopping, Uniregistry is no longer in indirect contention with Commercial Connect’s .shop application, so it gets .shopping for free.
Commercial Connect wins .shop. If Commercial Connect prevails in .shop, that means Donuts has withdrawn from the .shopping auction and Uniregistry wins.
It’s complicated, and doesn’t make a lot of logical sense, but it seems them’s the rules.
It could have been even more complex. Until recently, Amazon’s application for .通販 was also in indirect contention with .shop.
Thanks to Rubens Kuhl of Nic.br for pointing out the error.

.shop among four gTLDs heading to auction

The new gTLDs .shop, .shopping, .cam and .phone are all set to go to auction after their various delays and objections were cleared up.
It seems that .shop and .shopping contention sets remain merged, so only one string from one applicant will emerge victorious.
That’s due to a completely mad String Confusion Objection decision that ruled the two words are too confusingly similar to coexist in the DNS.
That SCO ruling was made by the same guy who held up both sets of applications when he ruled that .shop and .通販 (“.onlineshopping”) were also too confusingly similar.
The two rulings combined linked the contention sets for all three strings.
.通販 applicant Amazon appealed its SCO loss using a special process that ICANN created especially for the occasion, and won.
But .shop and .shopping applicants were not given the same right to appeal, meaning the auction will take place between nine .shop applicants and .shopping applicants Uniregistry and Donuts.
Donuts is an applicant for .shop and .shopping, meaning it will have to make its mind up which string it prefers, if it intends to win the auction.
If it’s a private auction, Donuts would presumably qualify for a share of its own winning bid. Weird.
(UPDATE: That was incorrect).
The other contention set held up by an inconsistent SCO decision was .cam, which was originally ruled too similar to .com.
Rightside won its appeal too, meaning it will be fought at auction between Famous Four, Rightside and AC Webconnecting.
.phone had been held up for different reasons.
It’s a two-way fight between Donuts and Dish DBS, a TV company that wanted to run .phone as a closed generic. Like almost all closed generic applicants, Dish has since changed its plans.