New gTLDs are the new Y2K: .corp and .home are doomed and everything else is delayed

The proposed gTLDs .home and .corp create risks to the internet comparable to the Millennium Bug, which terrorized a burgeoning internet at the turn of the century, and should be rejected.
Meanwhile, every other gTLD that has been applied for in the current round could be delayed by months in order to mitigate the risks they pose to internet users.
These are the conclusions ICANN has drawn from Interisle Consulting’s independent study into the problems that could be caused when new gTLDs clash with widely-used internal naming systems.
The extensive study, which drew on 8TB of traffic data provided by 11 of the 13 DNS root server operators, is 197 pages long and absolutely fascinating. It was published by ICANN today.
As Interisle CEO Lyman Chapin reported at the ICANN meeting in Durban a few weeks ago, the large majority of TLDs that have been applied for in the current round already receive large amounts of error traffic:

Of the 1,409 distinct applied-for TLD strings, 1,367 appeared at least once in the 2013 DITL [Day In the Life of the Internet] data with the string at the TLD position.

We’ve previously reported on the volume of queries new gTLDs get, such as the fact that .home gets half a billion hits a day and that 3% of all requests were for strings that have been applied for in the current round.
The extra value in Interisle’s report comes when it starts to figure out how many end points are making these requests, and how many second-level domains they’re looking for.
These are vitally important factors for assessing the scale of the risk of each TLD.
Again, .home and .corp appear to be the most dangerous.
Interisle capped the number of second-level domains it counted in the 2013 data at 100,000 per TLD per root server — 1,100,000 domains in total — and .home was the only TLD string to hit this cap.
Cisco Systems’ proposed .cisco TLD came close, failing to hit the cap in only one of the 11 root servers providing data, while .box and .iinet (both also used widely on home routers) hit the cap on at least one root server.
The lowest count of second-level domains of the 35 listed in the report came from .hsbc, the bank brand, but even that number was a not-inconsiderable 2,000.
Why are these requests being made?
Surprisingly, interactions between a security feature in Google’s own Chrome browser and common residential routers appear to be the biggest cause of queries for non-existent TLDs.
That issue, which impacts mainly .home, accounts for about 46% of the requests counted, according to the report.
In second place, with 15% of the queries, are requests for real domain names that appear to have had a non-existent TLD — again, usually .home — appended by a residential router or cable modem.
Apparent typos — where a user enters a URL but forgets to type the TLD — were a relatively small percentage of requests, coming in at under 1% of queries.
The study also found that bad requests come from many thousands of sources. This table compares the number of requests to the number of sources.
[table id=14 /]
The “Count” column is the number, in thousands, of requests for each TLD string. The “Prefix Count ” column refers to the number of sources providing this traffic, counted by the /24 IP address block (each of which is up to 256 potential hosts).
As you can see, there’s not necessarily a correlation between the number of requests a TLD gets and the number of people making the requests — .google gets queried by more sources than the others, but it’s only ranked 24 in terms of overall query volume, for example.
Interisle concluded from all this that .corp and .home are simply too dangerous to delegate, comparing the problem to the year 2000 bug, where a global effort was required to make sure software could support the four-digit dating scheme required by the turn of the century.
Here’s what the report says about .corp:

users could be taken to the wrong web site (and possibly be exposed to phishing attacks) or told that web sites do not exist when they do, depending on how the .corp TLD is resolved. A corporate mail system might attempt to deliver email to the wrong server, and this could expose sensitive or confidential information to someone who was not supposed to receive it. In essence, everything deployed in the private network would need to be checked.
There are no easy solutions to these problems. In an ideal world, the operators of these private networks would get a timely notification of the new TLD’s delegation and then take action to address these issues. That seems very improbable. Even if ICANN generated sufficient publicity about the new TLD’s delegation, there is no guarantee that this will come to the attention of the management or operators of the private networks that could be jeopardized by the delegation.
…
It seems reasonable to estimate that the amount of effort involved might be comparable to a wholesale renumbering of the internal network or the Y2K problem.

It notes that applied-for TLDs such as .site, .office, .group and .inc appear to be used in similar ways to .home and .corp, but do not appear to present as broad a risk.
To be clear, the risk we’re talking about here isn’t just people typing the wrong things into browsers, it’s about the infrastructure on many thousands of private networks starting to make the wrong security assumptions about domain names.
ICANN, in response, has outlined a series of measures sure to infuriate many gTLD applicants, but which are consistent with its goal to protect the security and stability of the internet.
They’re also consistent with some of the recommendations put forward by Verisign over the last few months in its campaign to show that new gTLDs pose huge risks.
First, .corp and .home are dead. These two strings have been categorized “high risk” by ICANN, which said:

Given the risk level presented by these strings, ICANN proposes not to delegate either one until such time that an applicant can demonstrate that its proposed string should be classified as low risk

Given the Y2K-scale effort required to mitigate the risks, and the fact that the eventual pay-off wouldn’t compensate for the work, I feel fairly confident in saying the two strings will never be delegated.
Another 80% of the applied-for strings have been categorized “low risk”. ICANN has published a spreadsheet explaining which string falls into which category. Low risk does not mean they get off scot-free, however.
First, all registries for low-risk strings will not be allowed to activate any domain names in their gTLD for 120 days after contract signing.
Second, for 30 days after a gTLD is delegated the new registries will have to reach out to the owners of each IP address that attempts to query names in that gTLD, to try to mitigate the risk of internal name collisions.
This, as applicants will no doubt quickly argue, is going to place them under a massive cost burden.
But their outlook is considerably brighter than that of the remaining 20% of applications, which are categorized as “uncalculated risk” and face a further three to six months of delay while ICANN conducts further studies into whether they’re each “high” or “low” risk strings.
In other words, the new gTLD program is about to see its biggest shake-up since the GAC delivered its Advice in Beijing, adding potentially millions in costs and delays for applicants.
ICANN’s proposed mitigation efforts are now open for public comment.
One has to wonder why the hell ICANN didn’t do this study two years ago.

Uniregistry not happy about Donuts-Tucows deal

Uniregistry would never have withdrawn its applications for .media and .marketing if it had known that Tucows would later take money from Donuts to also withdraw, according to CEO Frank Schilling.
Schilling told DI tonight that Uniregistry had pulled out of both new gTLD contention sets after having made a deal with Tucows, the details of which he was unable to explain due to a non-disclosure agreement.
But he said that the deal would never have happened if he’d known the eventual outcome.
“Tucows left us under the impression that they were going to win this and had I known that they would fold in a subsequent private auction I would not have done this,” he said.
Tucows withdrew its bids for .media and .marketing weeks after Uniregistry, after making its own deal with Donuts, which is now the sole remaining applicant for the two strings.
As reported earlier today, Tucows and Donuts settled the two contention sets with a “cut and choose” arrangement, where Tucows named the price at which it was willing to withdraw and Donuts could choose to buy its withdrawals or sell its own withdrawals for the same price.
Donuts characterized the deal as a kind of private auction.
Uniregistry is on record as saying it doesn’t like the idea of private auctions, which it believes may fall foul of US antitrust law.

Donuts says Tucows deal “just another type of private auction”

Donuts has confirmed that it paid Tucows for the rights to the .media and .marketing new gTLDs, but says it was actually “just another type of private auction”.
The existence of a deal for the two strings emerged in a tongue-in-cheek Tucows video on Friday.
I blogged over the weekend that it was the first example I was aware of of Donuts settling a contention set outside of the private auction process it helped kick-start with Innovative Auctions.
But in a statement sent to DI today, Donuts characterized the Tucows deal as auction-like, saying:

Contention was resolved privately between the two applicants by a “cut and choose” method, whereby Tucows named a price at which it would withdraw its applications, and Donuts would decide either to “buy” or “sell” the position as sole remaining applicant.
Donuts elected to pay Tucows its stated price, and Donuts will continue as the sole applicant and exclusive operator for both TLDs, with no joint venture or revenue sharing agreement with any party.
Donuts remains strongly committed to private auctions as the preferred method of resolving contention for its applications and this was just another type of private auction.

Spoof video reveals Donuts paid Tucows for two gTLDs

This has to be the strangest way to announce a new gTLD partnership to date.
Judging by a spoof video uploaded to YouTube yesterday, Tucows withdrew its applications for the .media and .marketing new gTLDs after receiving a pay-off from rival applicant Donuts.
Presented as “the hotly contested .media and .marketing gTLD bout” between Tucows CEO Elliot Noss and Donuts co-founder Jon Nevett, the video humorously documents the negotiation process.

If you don’t have four minutes to spare, or if awkward office-based spoof videos make you want to beat yourself to death with a bright red stapler, here’s the money shot:

While I’ve not yet received confirmation that the video is based on true events (it’s Saturday), the facts all fit.
Tucows withdrew both its .media and .marketing applications around July 26, according to the DI PRO new gTLD timeline, giving Donuts a clear run at delegation.
Uniregistry was the only other applicant in both contention sets, but withdrew its applications for .media and .marketing July 19 and June 21 respectively.
There’s nothing in the video to suggest that Uniregistry made a similar deal, but it seems likely.
It’s the first example I’m aware of of Donuts settling a contention set outside of the private auction process.

Clean sweep for gTLD applicants as 91 pass

Ninety-one new gTLD applications passed Initial Evaluation this week, as ICANN enters the final month of results.
There were no failures to report. The following strings, with links to the relevant applicant on DI PRO, achieved passing scores:

.staples .gmo .hot .organic .degree .quebec .ricoh .guardian .hiphop .llp .ram .ieee .kpmg .obi .game .style .blackfriday .vlaanderen .tennis .baseball .afl .android .restaurant .sca .llc .rich .porn .gay .data .ink .nec .mzansimagic .moto .map .gap .zero .aarp .football .loans .schwarz .flsmidth .box .cloud .expert .stream .store .tunes .shopping .gmx .scot .tmall .dentist .live .app .tools .hair .ggee .bing .loans .video .golf .free .exposed .world .kerrylogisitics .llc .broker .coupons .eco .news .video .store .flights .comsec .inc .app .tours .abarth .edeka .locker .star .events .page .rent .financialaid .family .services .studio .honda .buy .click

There are now 1,377, passing applications and just 14 that are headed to Extended Evaluation.
With just 438 remaining in IE, ICANN remains on track to clean up the bulk of the process by the end of August as promised.
I expect there will be stragglers that do not receive their results until after the initial timeline is over, however, due to delays answering clarifying questions and such.

Tucows and TLDH buddy up on three gTLD auctions

Top Level Domain Holdings and Tucows have made a complex deal on new gTLD applications for .store, .tech and .group.
The partnership will see TLDH take a majority stake in .group, which it hasn’t also applied for, while Tucows will take minority interests in .tech and .store, which it in turn has not also applied for.
All three strings are heading to auction, with four applicants for .group, five for .tech, and six for .store.
How much each company owns of each registry will depend on how much they contribute to a winning auction bid.
TLDH CEO Antony Van Couvering said in a press release:

By combining our financial resources on these three domains not only are our chances of success improved in the auction round, but TLDH has the opportunity to acquire an interest in an additional top-level domain, .GROUP.

Tucows already plans to use TLDH subsidiary Minds + Machines as the registry back-end for the five new gTLDs it has applied for.

New gTLD revenue projections revealed in leaked Famous Four presentation

Famous Four Media expects to make an average of almost $30 million revenue in year one from each of the new gTLDs it secures.
That’s according to a PowerPoint presentation (pdf), written for potential investors, that was provided by an anonymous source (I suspect not a fan of the company) to DI this week.
According to the presentation, “potential year 1 revenues for an average Registry” could amount to $28.4 million, the vast majority of which would come from sunrise, landrush and premium domain sales.
The presentation, dated June 2013, was prepared by Domain Venture Partners, the immediate parent of the 60 shell companies that Famous Four is using to apply for its 60 gTLDs.
The company was unable to provide an executive to discuss this story until August 14.
But according to the PowerPoint, the Domain Venture Partners II fund is an investment vehicle set up to “bridge the gap” in Famous Four’s funding requirements:

Domain Venture Partners II shall provide a unique structured regulated investment opportunity to participate in the new gTLD programme to provide secured fixed annual returns along with additional venture type returns at a time in the process where most of the major risks have been removed.

DVP is looking to raise up to $400 million, having raised £48.3 million ($73.2 million) in 2011 via the Domain Venture Partners I fund, it says. The current round opened in March and is expected to close in November.
Famous Four has applied for 60 gTLDs — mostly highly sought-after strings such as .poker, .music, .shop, .search and .buy — 10 of which were initially uncontested.
According to the presentation, landrush period auctions would account for about a third of year-one revenue in each gTLD: $9.7 million. That’s based on selling 45,697 domains for an average price of $213.34.
Revenue from trademark owners is the second-largest chunk. An average sunrise period could raise $6.9 million, assuming 39,679 domains at an average of $173.5 each, according to the PowerPoint.
Sales of regular domains during the first first year of general availability could raise $4.1 million, based on 225,759 registrations at $18.47 apiece, the presentation says.
Here’s the full slide, one of 33 in the deck:

The presentation says that the projections are “based on historical data points established by the existing operational gTLD Registries”, adding:

The figures are averages and therefore would represent projections for a standard gTLD Registry. Potential year 1 revenues for specific Registries may be below or above this average.

Some of the numbers strike me as optimistic. While the likes of .asia and .mobi may have seen these registration volumes due to the novelty and scarcity of new gTLD namespaces, my feeling is that those days are over.
The new gTLD program is likely to see scores of overlapping sunrise and landrush periods; it’s difficult to see registries benefiting from the same focus and excitement as their predecessors.
There’s a limited amount of domainer capital to spread around landrush sales and trademark owners are likely to be much more selective about where they defensively register their brands in a world of 1,300 gTLDs.
That said, Famous Four has applied for some of the nicest strings in the round so I may be wrong.
An appendix to the presentation discussing the first DVP funding round says that while Famous Four hopes to sign contracts for 30 new gTLDs, it has only secured 32% of the money it is looking for.
Securing investment appears to have been tough due in part to the complexity of the ICANN process and investors’ lack of familiarity with it, which looks like risk. It also says:

The costs associated with applications in the new gTLD have increased, the financial strength of most applicants has been reduced and the knowledge barrier to entry is too high to interest large standard venture investors.

Famous Four’s business model is based around consolidation and keeping costs down, according to the pitch. For the most part, this is due to the economies of scale of running a large number of TLDs.
With Neustar as its back-end provider, Famous Four says it has found the “lowest fees in the industry”.
But the model also involves keeping tax to a minimum. Famous Four is based in Gibraltar, where it says it will pay no tax on domain sales:

FFM is operating in a fiscal environment that has multiple advantages over others in the industry. Domain names sales are treated as royalty income which is currently zero rated in Gibraltar. This would result in an instant bottom line gain.

There’s a strong suggestion in the presentation that DVPII is not limiting its ambitions to the new gTLDs it has applied for.
It also seems to discuss acquiring other applicants and ccTLD rights, then bringing them into the Famous Four fold, but the plan was not completely clear to me and executives were unavailable for clarification.

Afilias wants registrar ownership ban lifted on .mobi and .pro

Afilias has applied to ICANN to have its ban on owning registrars in two of its own gTLDs, .mobi and .pro, lifted.
With requests to ICANN a few days ago (here and here), the company said it wants to be able to own more than 15% of an ICANN-accredited registrar that sells both TLDs, which is currently forbidden by the two Registry Agreements in question.
Afilias’ proposed new .info contract, which was renegotiated this year (because it expired) and closed for public comment last week, would also enable the company to vertically integrate with a .info registrar.
A process for relaxing the cross-ownership rules on a per-TLD basis was approved by ICANN’s board of directors last October.
The only registry so far to have its contractual ban lifted is puntCat, the .cat registry operator.
When an ICANN working group was discussing the vertical integration issue a couple of years ago, Afilias was one of the participants that held fast against any relaxation of the 15% ownership cap, eventually driving the working group into stalemate and forcing the ICANN board’s hand.

L’Oreal takes the red pill, withdraws .matrix bid

L’Oreal has withdrawn another of its dot-brand new gTLD applications.
This time it’s .matrix, for one of its hair-care product brands.
It’s the eighth of L’Oreal’s 14 original new gTLD applications to be withdrawn, after .欧莱雅, .kiehls, .loreal, .garnier, .maybelline, .kerastase, and .redken.
Only .lancome remains of its dot-brand applications. It has already passed Initial Evaluation, unlike the others which tend to get dropped shortly before results are posted, to secure a bigger refund.
Its “closed generic” bids for .skin, .beauty, .hair, .makeup and .salon are all still active and have all passed IE.

Is social media the answer to the dot-brand problem?

With many dot-brand gTLD applicants still unsure about how they will use their new namespaces, the maker of the Kred reputation service is proposing social media as the answer.
Speaking to DI today, Kred CEO Andrew Grill said that one dot-brand applicant — a bank — has already committed to use parent company PeopleBrowsr’s new Social OS platform for its gTLD.
Social OS is being marketed as a way for companies to quickly launch their own social media networks along the lines of Facebook or LinkedIn.
Dot-brands would be able to own the customer relationship and get access to much more data about their users than they get with the limited “Like”-oriented Facebook platform, Grill said.
End users would be able to use these vertical networks using their existing social media log-in credentials, he said.
The company plans to use the platform in its own gTLD, .ceo, which it has applied for uncontested.
Grill said he talked to about 100 people at the recent ICANN meeting in Durban and expects to come away with five to 10 additional customers for the Social OS platform.
While the value proposition for new gTLD owners seems fairly reasonable, in general I’m quite skeptical about the internet’s need for more social media sites.
Any such service operated by a dot-brand would have to have a fairly compelling value proposition for end users.
Grill said that a car maker, for example, could use its own gTLD social media network to keep in touch with its customers — giving them a second-level domain when they buy one of its vehicles.
A bank, meanwhile, could offer services such as customer-to-customer transaction apps for users who have second-level domains in its gTLD. If registrations were limited to existing banking customers, a greater level of security would be baked in from the start, he said.