Facebook’s war on privacy claims first registrar scalp

China’s oldest accredited registrar says it will shut up shop permanently next week after being sued into the ground by Facebook, apparently the first victim of the social media giant’s war against Whois privacy.

Facebook sued OnlineNIC in 2019 alleging widespread cybersquatting of its brands. The complaint cited 20 domains containing the Facebook or Instagram trademarks and asserted that the registrar, and not a customer, was the true registrant.

The complaint named ID Shield, apparently OnlineNIC’s Hong Kong-based Whois privacy service, as a defendant and was amended in March this year to add as a defendant 35.cn, another registrar that Facebook says is an alter ego of OnlineNic.

The amended complaint listed an addition 15 squatted domains, for 35 in total.

This week, OnlineNIC director Carrie Yu (aka Carrie Arden aka Yu Hongxia), told the court:

Defendants do not have the financial resources to continue to defend the instant litigation, and accordingly no longer intend to mount a defense. Defendants do not intend to file any oppositions to any pending filing… Subject to any requirements of ICANN, Defendants intend to cease business operations on July 26, 2021.

But Facebook reckons the registrar is about to do a runner to avoid paying almost $75,000 in court fees already incurred and avoid the jurisdiction of the California court where the case is being heard.

Facebook had asked for $3.5 million in penalties in a proposed judgment and OnlineNIC had not opposed.

While it presents itself as American, it appears that OnlineNIC is little more than a shell in the US.

Its official headquarters are little more than a lock-up garage surrounded by builders’ merchants in a grim, windowless facility just off the interstate near Oakland, California.

Its true base appears to be a business park in Xiamen, China, where 35.cn/35.com operates. The company has boasted in the past of being China’s first and oldest ICANN-accredited registrar, getting its foot in the door when the floodgates opened in 1999.

Facebook is now asking the court for a temporary restraining order freezing the defendants’ financial and domain assets, and for a domain broker to be appointed to liquidate its domain portfolio.

If you’re a legit OnlineNIC customer, you might be about to find yourself in a world of hurt.

OnlineNIC had just over 624,000 gTLD domains under management at the last count. 35.cn had another 200,000.

The lawsuit is one of three Facebook is currently fighting against registrars, one prong of its strategy to pressure the ICANN community to open up Whois records rendered private by EU law and consequent ICANN policy.

OnlineNIC is the low-hanging fruit of the trio and the first to be sued. It already faced cybersquatting cases filed by Verizon, Yahoo and Microsoft in 2009. The Verizon case came with a $33 million judgment.

Facebook has also sued the rather less shady registrars Namecheap and Web.com (now Newfold Digital) on similar grounds.

Panel hands .sucks squatter a WIN, but encourages action against the registry

A UDRP panel has denied a complaint against .sucks cybersquatter Honey Salt on a technicality, but suggested that aggrieved trademark holders instead sic their lawyers at the .sucks registry itself.

The three-person World Intellectual Property Organization panel threw out a complaint about six domains — covestro.sucks, lundbeck.sucks, rockwool.sucks, rockfon.sucks, grodan.sucks, tedbaker.sucks, tedbaker-london.sucks, and tedbakerlondon.sucks — filed jointly by four separate and unrelated companies.

The domains were part of the same operation, in which Turks & Caicos-based Honey Salt registers trademarks as .sucks domains and points them at Everything.sucks, a wiki-style site filled with content scraped from third-party sites.

Honey Salt has lost over a dozen UDRP cases since Everything.sucks emerged last year.

But the WIPO panel dismissed the latest case without even considering the merits, due to the fact that the four complainants had consolidated their grievances into a single complaint in an apparent attempt at a “class action”.

The decision reads:

although the Complainants may have established that the Respondent has engaged in similar conduct as to the individual Complainants, which has broadly-speaking affected their legal rights in a similar fashion, the Complainants do not appear to have any apparent connection between the Complainants. Rather it appears that a number of what can only realistically be described as separate parties have filed a single claim (in the nature of a purported class-action) against the Respondent, arising from similar conduct. As the Panel sees it, the Policy does not support such class actions

The panel decided that to force the respondent to file a common response to these complaints would be unfair, even if it is on the face of it up to no good.

Making a slippery-slope argument, the panel suggested that to allow class actions might open up the possibility of mass UDRP complaints against, for example, domain parking companies.

So the case was tossed without the merits being formally considered (though the panel certainly seemed sympathetic to the complainants).

But the sting in the tale comes at the end: the panel allowed that the complainants may re-file separate complaints, but also suggested they invoke the Trademark Post Delegation Dispute Resolution Procedure.

That’s interesting because the Trademark PDDRP, an ICANN policy administered by WIPO and others, is a way to complain about the behavior of the registry, not the registrant.

It’s basically UDRP for registries.

The registry for .sucks domains is Vox Populi, part of the Momentous group of companies. It’s denied a connection to Honey Salt, which uses Vox sister company Rebel for its registrations.

According to ICANN: “The Trademark PDDRP generally addresses a Registry Operator’s complicity in trademark infringement on the first or second level of a New gTLD.”

Complainants under the policy much show by “clear and convincing evidence” that the registry operator or its affiliates are either doing the cybersquatting themselves or encouraging others to do so.

There’s no hiding behind shell companies in tax havens — the policy accounts for that.

The trick here would be to prove that Honey Salt is connected to Vox Pop or the Momentous group.

Nothing is known about the ownership of Honey Salt, though Whois records and UDRP decisions identify a person, quite possibly a bogus name, as one “Pat Honeysalt”, who has no digital fingerprint to speak of.

The most compelling piece of evidence linking Honey Salt to Vox is gleaned by following the money.

The current business model is for Everything.sucks to offer Honey Salt’s domains for “free” by publishing transfer authorization codes right there on the squatted domain.

But anyone attempting to claim these names will still have to pay a registrar — such as Rebel — a transfer/registration fee that could be in excess of $2,000, most or all of which flows through to Vox Pop.

If we ignore the mark-up charged by non-Rebel registrars, the only party that appears to be profiting from Honey Salt’s activities appears to be the .sucks registry itself, in other words.

On its web site, Everything.sucks says it’s a non-profit and makes the implausible claim that it’s just a big fan of .sucks domains. Apparently it’s a fan to the extent that it’s prepared to spend millions registering the names and giving them away for free.

An earlier Everything.sucks model saw the domains listed at cost price on secondary market web sites.

The Trademark PDDRP, which appears to be tailor-made for this kind of scenario, has not to my knowledge been used to date. Neither WIPO nor ICANN have ever published any decisions delivered under it.

It costs complainants as much as $30,500 for a three-person panel with WIPO and has a mandatory 30-day period during which the would-be complainant has to attempt to resolve the issue privately with the registry.

The six domains in the UDRP case appear to have all gone into early “pending delete” status since the decision was delivered and do not resolve.

Will you use SSAD for Whois queries?

ICANN is pinging the community for feedback on proposed Whois reforms that would change how people request access to private registrant data.

The fundamental question is: given everything you know about the proposed System for Standardized Access and Disclosure (SSAD), how likely are you to actually use it?

The SSAD idea was dreamed up by a community working group as the key component of ICANN’s response to privacy laws such as GDPR, and was then approved by the Generic Names Supporting Organization.

But it’s been criticized for not going far enough to grant Whois access to the likes of trademark lawyers, law enforcement and security researchers. Some have called it a glorified ticketing system that will cost far more than the value it provides.

Before the policy is approved by ICANN’s board, it’s going through a new procedure called the ODP, for Operational Design Phase, in which ICANN staff, in coordination with the community, attempt to figure out whether SSAD would be cost-effective, or even implementable.

The questionnaire released today will be an input to the ODP. ICANN says it “will play a critical role in assessing the feasibility and associated risks, costs, and resources required in the potential deployment of SSAD.”

There’s only eight questions, and they mostly relate to the volume of private data requests submitted currently, how often SSAD is expected to be used, and what the barriers to use would be.

ICANN said it’s asking similar questions of registries and registrars directly.

There’s a clear incentive here for the IP and security factions within ICANN to low-ball the amount of usage they reckon SSAD will get, whether that’s their true belief or not, if they want ICANN to strangle the system in its crib.

It’s perhaps noteworthy that the potential user groups the questionnaire identifies do not include domain investors nor the media, both of which have perfectly non-nefarious reasons for wanting greater access to Whois data. This is likely because these communities were not represented on the SSAD working group.

You can find the questionnaire over here. You have until July 22.

Did Harry and Meghan squat the Queen? [clickbait]

With tabloid rags everywhere continuing to clamor for any scrap of information that might drive a rift between the Duke and Duchess of Sussex and Queen Elizabeth II, perhaps it was inevitable that domain names would one day enter the fray.

And now they have, with the registrations of lilibetdiana.com and lilidiana.com making headlines this week.

Lilibet Diana Mountbatten-Windsor, Harry and Meghan’s second child and first daughter, was born at 1940 UTC on June 4.

“Diana” is of course a tribute to the Duke’s late mother, the Princess of Wales, while “Lilibet” is a reference to the Queen’s childhood nickname and the pet name by which her recently deceased husband, Phillip, addressed her.

The choice of name has been seen partly as an effort to renovate bridges that were charred when the Sussexes decoupled themselves from the taxpayer’s teat, abandoned royal duties, and buggered off to America to talk smack about their family on Oprah.

Reports quickly emerged that the choice of name might have been made without first seeking the Queen’s permission — reports that have been strenuously denied, backed by a threat of legal action.

But Whois records, as mostly useless as they are nowadays, have now stepped in to complicate matters.

According to Whois, lilibetdiana.com was registered just a few hours prior to the birth, June 4, presumably while the Duchess was in labor. But lilidiana.com was registered a few days earlier, on May 31. Both were registered via GoDaddy.

The Sussexes spokespeople tole The Telegraph that the names were merely two among many that were registered defensively in advance of the birth, before the couple had committed to a name:

Of course, as is often customary with public figures, a significant number of domains of any potential names that were considered were purchased by their team to protect against the exploitation of the name once it was later chosen and publicly shared.

Interestingly, lilibetdiana.uk and lilibetdiana.co.uk, which one might imagine would be on the defensive reg checklist, were only registered after the announcement of her birth on June 6, and via a different registrar, suggesting third-party ownership.

Three questions emerge from the Whois-related revelations:

First, do the records support the assertion by anonymous Palace sources that the Queen was not consulted in advance, or the contrary claim from the Sussexes?

Two, does anyone actually really care? I lost interest several paragraphs ago.

And C), am I really about to hit “Publish” on this article?

If you’re reading this, I guess I did. I’m sorry. I’m off to take a long, hot shower, to wash away the shame.

Registries unveil plan to tackle botnet abuse with mass takedowns

Domain name registries have thrown a bone to critics who say they’re not doing enough to tackle DNS abuse by revealing a framework for rapidly taking down domains associated with large-scale botnets.

In a nutshell, the new Framework on Domain Generating Algorithms (DGAs) Associated with Malware and Botnets (pdf) would enable registries to preemptively register potentially abusive names without paying ICANN fees.

It is hoped that the framework will give law enforcement an easier time in tackling botnets, and perhaps cool down some of the heat the domain name industry is taking over the DNS abuse problem.

Botnets, you’ll recall, are large networks of compromised computers that can be deployed to, for example, carry out damaging distributed denial of service attacks.

The endpoint malware on botted machines is often controlled by regularly pinging a predetermined domain name to ask for instructions.

Rather than a single domain name, which would be easy to block, the malware often use algorithms, seeded with the current time or date, to create apparently random, gobbledygook names.

Botnet controllers need only run the same algorithm at home to determine the appropriate domain to register at any given time.

Other times, lists of thousands of domains are generated in advance and hard-coded into the malware.

Either way, DGAs can give law enforcement a way to effectively shut down a botnet by having all the potential command and control domains blocked or registered, but only with the cooperation of the registries.

A notable example of such cooperation was during the Conficker crisis over a decade ago, which ultimately saw a broad coalition of LE, registries and security companies come together to reverse engineer and preemptively block the huge numbers of domains the malware was expected to generate.

The new framework, which was created by ICANN’s Registries Stakeholder Group in cooperation with the Governmental Advisory Committee, essentially formalizes and expedites that kind of countermeasure.

It’s not official ICANN consensus policy, nor is it binding on all registries. It’s purely voluntary.

It appears primarily concerned with reducing the administrative and financial burden on registries that choose to participate.

It asks law enforcement to submit takedown requests as part of “a well thought-out, comprehensive abuse disruption strategy” that gives registries sufficient time to implement them.

It further asks (and provides a template letter) that ICANN waives the fees it collects when registries register botnet domains, which with some DGAs could amount to many tens or hundreds of thousands of dollars.

It also lists several reasons why registries might refuse to comply with LE without a court order — such as when the names are already registered and need to be seized, or when they’ve been identified as potentially high-value domains.

For registries, offering up the framework appears to be low-hanging fruit in their ongoing conflict with governments, cops and security researchers that argue the industry should do more to tackle abuse.

What it doesn’t do is expand the current industry definition of “abuse”, which is currently limited to botnets, phishing, pharming and malware distribution. Spam can also be considered DNS abuse when it is used to perpetrate any of the other four malfeasances.

But that definition is also voluntary, and only a few dozen registries and registrars have signed up to it. ICANN contracts are pretty much toothless when it comes to abuse.

The fight about DNS abuse is pretty amorphous, and overlaps with intellectual property interests’ demand for more access to private Whois data and the issue of when to start the next new gTLD application round.

Cade and Dammak win ICANN awards

Marilyn Cade and Rafik Dammak have been named joint winners of this year’s ICANN Community Excellence Award, formerly the Ethos Award.

The award acknowledges those community members deemed to have embodied ICANN’s values and devoted a lot of time to community work.

As I previously blogged, policy consultant Cade, who died last year to a wide outpouring of tributes, was pretty much a shoo-in.

“This award is not intended to be a memorial. Instead, it is a well-deserved recognition of Marilyn’s contributions and commitment to ICANN and our multistakeholder community,” the awards selection committee noted.

Dammak has for over a decade contributed “countless volunteer hours” on various ICANN policy working groups, mainly in the GNSO, the committee noted. His impartiality was called out by the selection committee for praise.

He last year stepped in to fill a leadership vacuum in the working group devoted to reviewing Whois privacy policy.

More non-rules proposed for Whois privacy

An ICANN working group has come up with some extra policy proposals for how registries and registrars handle Whois records, but they’re going to be entirely optional.

The ongoing Expedited Policy Development Process team has come up with a document answering two questions: whether registrars should differentiate between people and companies, and whether there should be a system of uniform, anonymized email addresses published in Whois records.

The answer to both questions is a firm “Maybe”.

The EPDP working group seems to have been split along the usual party lines when it comes to both, and has recommended that contracted parties should get to choose whether they adopt either practice.

Under privacy laws, chiefly GDPR, protections only extend to data on natural persons — people — and not to legal persons such as companies, non-profits and other amorphous entities.

Legally, registries and registrars are not obliged to fully redact the Whois records of domains belonging to companies, but many do anyway because it’s easier than putting systems in place to differentiate the two types of registrant.

There’s also the issue that, even if the owner of the domain is a company, the contact information may belong to a named, identifiable person who is protected by GDPR. So ICANN’s contracted parties may reduce their potential liability by redacting everything, no matter what type of entity the domain belongs to.

The EPDP’s has decided to stick to the status quo it agreed to in an earlier round of policy talks: “Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so”.

Contracted parties will get the option to ask their registrants if they’re a natural person (yes/no/not saying) and capture that data, but they’ll have to redact the answer from public Whois output.

They’d have to “clearly communicate” to their customers the fact that their data will be treated differently depending on the choice they make.

On the second question, related to whether a system standardized, published, anonymized email addresses is feasible or desirable, the EPDP is also avoiding any radical changes:

The EPDP Team recognizes that it may be technically feasible to have a registrant-based email contact or a registration-based email contact. Certain stakeholders see risks and other concerns that prevent the EPDP Team from making a recommendation to require Contracted Parties to make a registrant-based or registration-based email address publicly available at this point in time.

Again, the working group is giving registries and registrars the option to implement such systems or not.

The benefit (or drawback, depending on your perspective) of giving each registrant a single anonymous email address that is published in all their Whois records is that it makes it rather easy to reverse-engineer that registrant’s entire portfolio.

If you’re a political insider running a whistle-blower blog, a bar owner who also moderates a forum for closeted gays in a repressive regime, or a domain name news blogger running a furry porn site on the side, you might not want your whole collection of domains to be easily doxxed.

But if you’re a trademark lawyer chasing cybersquatters or a security researcher tracking spammers, being able to take action against a ne’er-do-well’s entire portfolio at once could be hugely useful.

So the EPDP working group proposes to leave it up to individual registries and registrars to decide whether to implement such a system, basically telling these companies to talk to their lawyers.

The EPDP Team recommends that Contracted Parties who choose to publish a registrant- or registration-based email address in the publicly accessible RDDS should ensure appropriate safeguards for the data subject in line with relevant guidance on anonymization techniques provided by their data protection authorities and the appended legal guidance in this recommendation

An appendix to the recommendations, compiled by the law firm Bird & Bird, says there’s “a high likelihood that the publication or automated disclosure of such email addresses would be considered to be the processing of personal data”.

The EPDP recommendations are now open for public comment until July 19, and could become binding if they make it through the rest of the ICANN policy development system.

ICANN chair reins in new gTLD timeline hopes

Don’t get excited about the next round of new gTLDs launching any time soon.

That’s my takeaway from recent correspondence between ICANN’s chair and brand-owners who are apparently champing at the bit to get their teeth into some serious dot-brand action.

Maarten Botterman warned Brand Registry Group chair Cole Quinn that “significant work lies ahead” before the org can start accepting applications once more.

Quinn had urged ICANN to get a move on last month, saying in a letter that there was “significant demand” from trademark owners.

The last three-month application window ended in March 2012, governed by an Applicant Guidebook that said: “The goal is for the next application round to begin within one year of the close of the application submission period for the initial round.”

That plainly never happened, as ICANN proceeded to tie itself in bureaucratic knots and recursive cycles of review and analysis.

Any company that missed the boat or was founded in the meantime has been unable to to even get a sniff of operating its own dot-brand, or indeed any other type of gTLD.

Spelling out some of the steps that need to be accomplished before the next window opens, Botterman wrote:

the 2012 Applicant Guidebook must be updated with more than 100 outputs from the SubPro PDP WG; we will need to apply lessons learned from the previous round, many of which are documented in the 2016 Program Implementation Review, and appropriate resources for implementing and conducting subsequent rounds must be put in place. At present it appears that WG recommendations will benefit from an Operational Design Phase (ODP) to provide the Board with information on the operational implications of implementing the recommendations. As part of such an ODP, the Board may also task ICANN org to provide an assessment of some of the issues of concern that the Board raised in its comments on the Draft Final Report, as well as those topics that did not reach consensus and were thus not adopted by the GNSO Council. The outcome of such an assessment could also add to the work that would be required before launching subsequent rounds.

…

The Board notes your views regarding SAC114. We are aware of discussions that took place during ICANN70 and the Board is in communication with the Security and Stability Committee (SSAC) and its leadership, as per the ‘Understand’ phase of the Board Advice Process. As with all advice items received, the Board will treat SAC114 in accordance with that process.

Breaking that down for your convenience…

The reference to “more than 100 outputs from the SubPro PDP WG” refers to the now six-year old Policy Development Process for New gTLD Subsequent Procedures working group of the GNSO.

SubPro delivered its final report in January and it was adopted by the GNSO Council in February.

ICANN asked the Governmental Advisory Committee for its formal input a few weeks ago, has opened the report for a public comment period that ends June 1, and will accept or reject the report at some point in the future.

SubPro’s more significant recommendations include the creation of a new accreditation mechanism for registry back-end service providers and a gaming-preventing overhaul of the contention resolution process.

The “the 2016 Program Implementation Review” is a reference to a self-assessment of the 2012 round that the ICANN staff carried out six years ago, producing a 215-page report (pdf).

That report contains about 50 recommendations covering areas where staff thought the system of actually processing new gTLD applications could possibly be improved or streamlined in subsequent rounds.

The Operational Design Phase (ODP) Botterman refers to is a brand-new phase of ICANN bureaucracy that is currently untested. It fits between GNSO Council approval of recommendations and ICANN board consideration.

The ODP is basically a way for ICANN staff to insert itself into the process, between community policy-making and community policy-approval, to make sure the GNSO’s tenuous consensus-building exercise has not produced something too crazily complicated, ineffective or expensive to implement.

Staff denies this is a power-grab.

The ODP is currently being deployed to assess proposed changes to Whois privacy policy, and ICANN has already stated multiple times that it will also be used to vet SubPro’s work.

Botterman’s reference to “issues of concern that the Board raised in its comments on the Draft Final Report” seems to mean this September 2020 letter (pdf) to SubPro’s chairs, in which the ICANN board outlined some of its initial concerns with SubPro’s proposed policies.

One fairly important concern was whether ICANN has the power under its bylaws (which have changed since 2012) to enforce Public Interest Commitments (now called Registry Voluntary Commitments) that SubPro thinks could be used to make some sensitive gTLDs more trustworthy.

The reference to SAC144 may turn out to be a big stumbling block too.

SAC114 is the bombshell document (pdf) submitted by the Security and Stability Advisory Committee in February, in which ICANN’s top security community members openly questioned whether allowing more new gTLDs is consistent with ICANN’s commitment to keep the internet secure.

While SAC114 seems to reluctantly acknowledge that the program will likely go ahead regardless, it asks that ICANN do more to address so-called “DNS abuse” before proceeding.

Given that the various factions within the ICANN community can’t even agree on what “DNS abuse” is, how ICANN chooses to “understand” SAC114 will have a serious impact on how much further the runway to the next round gets extended.

In short, Botterman is warning brand owners not to hold their breath anticipating the next application window. I think I even detect some serious skepticism as to whether demand is really as high as Quinn claims.

And quite beyond the stuff Botterman outlines in his letter, there’s presumably going to be at least one round of review and revision on the next Applicant Guidebook, as well as the time needed for ICANN to build or upgrade the systems it needs to process the applications, to hire evaluators and resolution providers, and to make sure it conducts a sufficiently long and broad global marketing program so that potential applicants in the developing world don’t feel left out. And that’s a non-exhaustive list.

Introducing competition into the registry space is of course one of ICANN’s foundational raisons d’être.

After the org was founded in September 1998, it took less than two years before it opened up the first new gTLD application round.

It was another three years before the second round launched.

It then took eight and a half years for the 2012 window to open.

It will be well over a decade from then before anyone next gets the opportunity to apply for a new gTLD. It’s entirely feasible that we’ll see an applicant in the next round headed by somebody who wasn’t even born when the first window opened.

Pheenix goes AWOL, gets canned

Drop-catch registrar Pheenix has had its registrar contract terminated by ICANN after apparently going AWOL.

ICANN has been chasing the company for breaches related to Whois and access to registrant data since October 2019, but hasn’t heard a peep out of the outfit for a year.

As I noted when ICANN published its first breach notice last month, ICANN hasn’t been able to connect with Pheenix via email or phone or fax since May 2020.

Since then, it’s also discovered that the company is no longer at the mailing address it has on record.

The registrar has not added any domain names since April 2020. It seems clear it no longer has any interest in doing, or perhaps ability to do, business.

The de-accredited registrar bulk transfer process will now kick in. ICANN will select a registrar to move Pheenix’s 6,000-odd domains to.

Pheenix once specialized in drop-catching, and had over 500 ICANN-accredited registrars to its name. Almost all of those were ditched in November 2017.

Formerly massive drop-catcher faces ICANN probe

Pheenix, which used to operate a network of hundreds of accredited registrars, now faces potentially losing its last remaining accreditation, due to an ICANN probe.

ICANN told the US-based company in a breach notice last week that it faces additional action unless it fixes a bunch of problems related to domain transfers and Whois before May 14.

According to ICANN, for over a year Pheenix has been declining to provide data showing it is in compliance with the Expired Registration Recovery Policy and the Transfer Policy, related to dozens of domains.

Pheenix was told about at least one such disputed domain as far back as February last year, but ICANN says it’s been unresponsive to its outreach.

It’s also failed to implement an RDAP server, which ICANN has been nagging it about since October 2019. RDAP, the Registration Data Access Protocol, is the successor protocol to Whois.

A quick spot-check reveals that the disputed names are traffic domains once belonging to legitimate organizations, usually with inbound Wikipedia links, that were captured after the organization in question folded and its domains expired. Most were repurposed with low-quality content and advertising.

That fits in with Pheenix’s registrar business model. It was until a few years ago a huge drop-catching player, with over 500 shell accreditations it used to gain speedy access to dropping domains.

But it dumped almost 450 of these in November 2017, and another 50 the following April.

Since then, Pheenix’s primary IANA number (the coveted “888”) has been associated with fewer and fewer domains.

It had 6,930 domains under management at the end of 2020, down from a November 2017 peak of 71,592.

It hasn’t recorded any new domain adds in any gTLDs since April 2020.

According ICANN’s chronology of events, it’s sent dozens of emails, faxes and voicemails over the last year, related to multiple domain names, and it’s only received a single email in response. And that was in May 2020.