Facebook WILL sue more registrars for cybersquatting

Facebook has already sued two domain name registrars for alleged cybersquatting and said yesterday that it will sue again.
Last week, Namecheap became the second registrar in Facebook’s legal crosshairs, sued in in its native Arizona after allegedly failing to take down or reveal contact info for 45 domains that very much seem to infringe on its Facebook, Instagram and WhatsApp trademarks.
In the complaint (pdf), which also names Namecheap’s Panama-based proxy service Whoisguard as a defendant, the social media juggernaut claims that Whoisguard and therefore Namecheap is the legal registrant for dozens of clear-cut cases of cybersquatting including facebo0k-login.com, facebok-securty.com, facebokloginpage.site and facebooksupport.email.
In a brief statement, Facebook said these domains “aim to deceive people by pretending to be affiliated with Facebook apps” and “can trick people into believing they are legitimate and are often used for phishing, fraud and scams”.
Namecheap was asked to reveal the true registrants behind these Whoisguard domains between October 2018 and February 2020 but decline to do so, according to Facebook.
The complaint is very similar to one filed against OnlineNIC (pdf) in October.
And, according to Margie Milam, IP enforcement and DNS policy lead at Facebook, it won’t be the last such lawsuit.
Speaking at the second public forum at ICANN 67 yesterday, she said:

This is the second in a series of lawsuits Facebook will file to protect people from the harm caused by DNS abuse… While Facebook will continue to file lawsuits to protect people from harm, lawsuits are not the answer. Our preference is instead to have ICANN enforce and fully implement new policies, such as the proxy policy, and establish better rules for Whois.

Make no mistake, this is an open threat to fence-sitting registrars to either play ball with Facebook’s regular, often voluminous requests for private Whois data, or get taken to court. All the major registrars will have heard her comments.
Namecheap responded to its lawsuit by characterizing it as “just another attack on privacy and due process in order to strong-arm companies that have services like WhoisGuard”, according to a statement from CEO Richard Kirkendall.
The registrar has not yet had time to file its formal reply to the legal complaint, but its position appears to be that the domains in question were investigated, found to not be engaging in nefarious activity, and were therefore vanilla cases of trademark infringement best dealt with using the UDRP anti-cybersquatting process. Kirkendall said:

We actively remove any evidence-based abuse of our services on a daily basis. Where there is no clear evidence of abuse, or when it is purely a trademark claim, Namecheap will direct complainants, such as Facebook, to follow industry-standard protocol. Outside of said protocol, a legal court order is always required to provide private user information.

UDRP complaints usually take several weeks to process, which is not much of a tool to be used against phishing attacks, which emerge quickly and usually wind down in a matter of a few days.
Facebook’s legal campaign comes in the context of an ongoing fight about access to Whois data. The company has been complaining about registrars failing to hand over customer data ever since Europe’s GDPR privacy regulation came into effect, closely followed by a new, temporary ICANN Whois policy, in May 2018.
Back then, its requests showed clear signs of over-reach, though the company claims to have scaled-back its requests in the meantime.
The lawsuits also come in the context of renewed attacks at ICANN 67 on ICANN and the domain industry for failing to tackle so-called “DNS abuse”, which I will get to in a follow-up article.

Covid-19: It’s official, domainers are faster than journalists

The .com domains matching the new name of Coronavirus were registered today before even the first news reports emerged.
The World Health Organization today officially named the deadly disease Covid-19. CO for Corona, VI for virus, D for disease and 19 for 2019, the year in which it was discovered.
The announcement was made at a WHO press conference in Geneva this afternoon. The press conference, which streamed live on YouTube seems to have kicked off shortly after 1500 UTC.
WHO director-general Tedros Adhanom Ghebreyesus officially named the disease Covid-19 not too long after the press conference started.
At 1509 UTC, WHO’s official Twitter account tweeted:

🚨 BREAKING 🚨

"We now have a name for the #2019nCoV disease:

COVID-19.

I’ll spell it: C-O-V-I-D hyphen one nine – COVID-19"

–@DrTedros #COVID19 pic.twitter.com/Kh0wx2qfzk

— World Health Organization (WHO) (@WHO) February 11, 2020

Within five minutes, an anonymous domainer had picked up covid-19.com — according to Whois records, it was created at NameCheap at at 1513 UTC.
But domainers hate hyphens, right?
Even after Tedros spelled it out for clarity, including the hyphen, a domainer with an even fastest trigger finger decided to omit it, registering the domain covid19.com at 1510 UTC, three whole minutes before the hyphen version and an extremely impressive ONE MINUTE after the WHO tweet.
As far as print journalists go, you have to wait a full thirty minutes before you start to see lines from the likes of Reuters and the AFP.
The lesson here is clear: if you’re one of those domainers who tries to snap up novel terms from the news as quickly as possible, you need to cut out the middleman and go directly to source.
And ignore the bloggers, too. It took me two and a half hours after the WHO tweet to publish this post.
I’m pathetic.

Is the .co rebid biased toward Afilias? Yeah, kinda

The Colombian government has come under fire for opening up the .co registry contract for rebid in a way that seems predetermined to pick Afilias as the winner, displacing its fierce rival Neustar.
As I blogged in November, Colombia thinks it might be able to secure a better registry deal, so it plans to shortly open .co up to competitive proposals.
A company called .CO Internet, acquired by Neustar for $109 million in 2014, has been running the ccTLD for the last decade. There are currently around 2.3 million .co domains under management, according to Colombia.
With the renewal deadline looming, the government’s technology ministry, MinTIC, published an eyebrow-raising request for proposals last month.
What’s surprising about the RFP is that some of the four main technical performance criteria listed are so stringent that probably only two companies in the industry qualify — Verisign and Afilias, and so far Verisign has not been involved in the RFP process.
The companies that have been engaging with the government to date are Afilias, Neustar/.CO, Nominet, CentralNic and Donuts.
First, MinTIC wants a registry that’s had at least two million domains under management across its portfolio continuously for two years. All five registries qualify there.
Second, it wants a registry that’s been involved in the migration of a TLD of at least one million names, either as the gaining or losing back-end.
That immediately narrows the pack to just two of the five aforementioned registries — Neustar and Afilias.
Verisign would also qualify, if it’s in the bidding, but I suspect it’s not. Taking over .co would look like a “buy it to kill it” strategy, which would be horrible optics for the Colombian government.
There have only ever been three migrations over one million names, to my knowledge: the Verisign->Afilias .org transition of 2003, the Neustar->Afilias .au move of 2018, and last year’s Afilias->Neustar .in handover.
CentralNic, Nominet and Donuts have all moved numerous TLDs between back-ends, but with much smaller per-TLD domain volumes.
Third — and here’s the kicker — the successful .co bidder will have to show that it processes on average 25 million registry transactions — defined as “billable EPP (write) transactions, as well as all EPP search (read) transactions” — per day. (All of the RFP quotes in this post have been machine-translated from Spanish by Google and run by a few generous Spanish speakers for verification.)
The RFP is not entirely clear on what exact data points it’s looking at here, but my take is that qualifying transactions include, at an absolute minimum, attempts to create a domain, renew a domain, transfer a domain and check whether a domain is registered.
The vast majority of such transactions are in the check and create functions, and I believe a great deal of that activity relates to drop-catching, where registries are flooded with add requests for just-deleted domains.
Whichever way you split it, 25 million a day is a ludicrously high number. Literally only .com, which sees 2.3 billion checks and 1.5 billion adds per month, sees that kind of action.
According to Neustar, which actually runs .co, it only sees 6.4 million transactions per day on average. The requirement to handle 25 million a day is “exaggerated, unjustified and discriminatory” against Neustar, Neustar told MinTIC.
But the RFP allows for the bidding registries to spread their 25-million-a-day quota across all of the TLDs they manage, and this MAY sneak Afilias over the line.
I say MAY in big letters because I don’t believe the numbers that Afilias (and probably other registries too) reports to ICANN every month are reliable.
If you add up the reported, qualifying EPP transactions for September in Afilias’ top four legacy gTLDs — .org, .info, .mobi and .pro — you get to over 25 million per day.
But those same records show that, for example, .mobi, .pro and .info had exactly the same number of EPP availability checks that month — 215,988,497 each.
This is clearly bad data.
I reported on this issue last May, when ICANN’s Security and Stability Advisory Committee informed ICANN that major registries were providing “not reliable” or possibly “fabricated” data about port 43 Whois queries.
Afilias, which was one of the apparent offenders, told me at the time that it was addressing the issue with ICANN, but it does not yet appear to have fully fixed its reporting to enable TLD-by-TLD breakdowns of its registry activity.
It is of course quite possible, even very likely, that Afilias has on average more than 25 million qualifying EPP transactions per day, but how’s it going to prove that to the Colombian government when the numbers it reports under contract to ICANN are clearly unreliable?
It’s a little harder to determine whether Neustar would qualify under the 25-million transaction rule, because some of its largest zones are ccTLDs — .co, .in and .us — that do not publicly report this kind of data. Its comments to the RFP suggest it would not.
Numbers aside, I’ll note that there’s very probably an inherent bias towards legacy gTLD operators like Afilias and against relative newcomers such as CentralNic if you’re counting EPP transactions. As I noted above, a lot of these transactions are coming from drop-catch activity, which is more prevalent on larger, older TLDs where there are more dropping domains that are more likely to have existing backlinks and traffic.
The fourth technical requirement in the Colombian RFP that looks a bit fishy is the requirement that the new registry must have channel relationships with at least 10 of the largest 25 registrars, as listed by a web site called domainstate.com.
I can’t say I’ve looked at domainstate.com very often, if at all, but a quick look at its numbers for September strongly suggests to me that it does not count post-2012 new gTLD registrations in its registrar league table. One registrar with almost four million domains under management doesn’t even show up on the list. This arguably could give an advantage to a registry that plays strongly in legacy gTLDs.
That said, it’s probably an academic point — I don’t think any of the bidders for the .co contract would have difficulty showing that they have 10 of the top 25 registrars on board, whichever way you calculate that league table.
Cumulatively, these four technical hurdles have led some to suggest that Afilias has somehow steered MinTIC towards creating an RFP only it could win.
Apart from what I’ve discussed here, I’ve no evidence that is the case, and Afilias has not yet responded to my request for comment today.
Luckily for the bidding registries, the Columbian RFP has not yet been finalized. Comments submitted by the bidders and others are apparently going to be taken on board, so the barriers to entry for respondents could be lowered before bids are finally accepted.
MinTIC posted an update last night that extends the period that the RFP could run, and the transition period should Neustar lose the contract. A handover, should one happen at all, could now happen as late as February next year.

Registrar terminated after what looks like domain hijacking

ICANN has canned its first registrar of the year.
Los Angeles-based World Biz Domains will be going out of bizness after ICANN terminated its registrar contract earlier this week, following its non-responsiveness to what appears to be case of domain hijacking.
It’s a nothing registrar, with fewer than 100 domains under management, but it once had over 5,000.
The termination comes following the suspension I blogged about in October, which was related to the transfers to World Biz of 15 potentially valuable domains in late 2018.
The names were all either short numerics or the names of famous places in Singapore and Malaysia.
ICANN spent most of last year demanding records showing that the transfers were legit, but was ghosted.
World Biz allegedly also had failed to deliver Whois records in the proper format, and was behind on its ICANN accreditation fees.
The company will lose its accreditation officially on January 22.

Verisign pays ICANN $20 million and gets to raise .com prices again

Verisign is to get the right to raise the price of .com domains by 7% per year, under a new contract with ICANN.
The deal, announced this hour, will also see Verisign pay ICANN $20 million over five years, starting in 2021, “to support ICANN’s initiatives to preserve and enhance the security, stability and resiliency of the DNS”.
According to ICANN, the pricing changes mean that the maximum price of a .com domain could go as high as $10.26 by October 2026.
Verisign getting the right to once more increase its fees — which is likely to be worth close to a billion dollars to the company’s top line over the life of the contract — was not unexpected.
Pricing has been stuck at $7.85 for years, due to a price freeze imposed by the Obama-era US National Telecommunications and Information Administration, but this policy was reversed by the Trump administration in late 2018.
The amendment to the .com registry agreement announced today essentially takes on the terms of the Trump appeasement, so Verisign gets to up .com prices by 7% in the last four years of the six-year duration of the contract.
ICANN said:

ICANN org is not a price regulator and will defer to the expertise of relevant competition authorities. As such, ICANN has long-deferred to the [US Department of Commerce] and the United States Department of Justice (DOJ) for the regulation of pricing for .COM registry services.

But ICANN will also financially benefit from the deal over and above what it receives from Verisign under the current .com contract.
First, the two parties have said they will sign a binding letter of intent (pdf) committing Verisign to give ICANN $4 million a year, starting one year from now, to help fund ICANN’s activities:

conducting, facilitating or supporting activities that preserve and enhance the security, stability and resiliency of the DNS, which may include, without limitation, active measures to promote and/or facilitate DNSSEC deployment, Security Threat mitigation, name collision mitigation, root server system governance and research into the operation of the DNS

That’s basically describing one of ICANN’s core missions, which is already funded to a great extent by .com fees, so quite why it’s being spun out into a separate agreement is a little bit of a mystery to me at this early stage.
Don’t be surprised if you hear the words “bung” or “quid pro quo” being slung around in the coming hours and days by ICANN critics.
The second financial benefit to ICANN comes from additional payments Verisign will have to make when it sells its ConsoliDate service.
This is the service that allows .com registrants, via their registrars, to synchronize the renewal dates of all of the domains in their portfolio, so they only have to worry about renewals on a single day of the year. It’s basically a partial-year renewal.
Under the amended .com contract, ICANN will get a piece of that action too. Verisign has agreed to pay ICANN a pro-rated fee, based on the $0.25 per-domain annual renewal fee, for the number of days any given registration is extended using ConsoliDate.
I’m afraid to say I don’t know how much money this could add to ICANN’s coffers, but another amendment to the contract means that Verisign will start to report ConsoliDate usage in its published monthly transaction reports, so we should get a pretty good idea of the $$$$ value in the second half of the year.
The amended contract — still in draft form (pdf) and open for public comment — also brings on a slew of new obligations for Verisign that bring .com more into line with other gTLDs.
There’s no Uniform Rapid Suspension policy, so domain investors and cybersquatters can breath a sigh of relief there.
But Verisign has also agreed to a new Registry-Registrar Agreement that contains substantial new provisions aimed at combating abuse, fraud and intellectual property infringement — including trademark infringement.
It has also agreed to a series of Public Interest Commitments, along the same lines as all the 2012-round new gTLDs, covering the same kinds of dodgy activities. The texts of the RRA addition and PICs are virtually identical, requiring:

a provision prohibiting the Registered Name Holder from distributing malware, abusively operating botnets, phishing, pharming, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law and providing (consistent with applicable law and any related procedures) consequences for such activities, including suspension of the registration of the Registered Name;

There are also many changes related to how Verisign handles data escrow, Whois/RDAP and zone file access. It looks rather like users of ICANN’s Centralized Zone Data Service, including yours truly, will soon have access to the humongous .com zone file on a daily basis. Yum.
The proposed amendments to the .com contract are now open for public comment here. You have until February 14. Off you go.

DI Leaders Roundtable #4 — Big predictions for 2020

Hindsight is 2020, right? Not this time!
We’re rolling up to the end of the year, so for the fourth DI Leaders Roundtable I thought I’d task my panel of industry experts with the wholly original and unpredictable question:

What do you think will be the major trends or developments in the domain name industry in 2020?

I’m wonderfully happy to report that the panel grasped the opportunity with both hands and delivered an absolute smorgasbord (selection of open sandwiches) of informed opinion about how they reckon 2020 will play out.
From potential changes to security practices to ongoing consolidation to increased government regulation to the death of new gTLDs to the growth of new gTLDs, 2020 is certainly going to be a fun year to report on.
In no particular order, this is what they said:
Rick Schwartz, domain investor

2020 is going to be just a fabulous year.
It comes down to two words: re-branding and upgrading.
Businesses that have gotten domains that may have not been prime to begin with want prime domains now to help them grow and be taken more seriously.
Businesses, especially global businesses that made the mistake of using non-dotcom domains, have realized their mistake and want to upgrade to a dotcom domain because of their own self-interest. They don’t care what domainers think! They only care about what they think and their bottom line, and in that regard they only have one choice and they all know it.
It’s mandatory if they want to grow and become part of the largest franchise ever known to mankind. The dotcom franchise.
If you add up all the net worth of every company on earth using the dotcom brand, the number is unfathomable.
As we go into the seventh year of the new gTLD experiment, they are meaningless. They haven’t been adopted by almost anybody. Circulation is poor. So many registrations are questionable or penny-promotional. The majority are parked and not in use nor will they ever be. And 99.9% of the people on this planet could not name a single one of them! Not a one!
The poor roll-out, poor marketing, poor circulation, questionable tactics and rolling out hundreds of extensions at one time was a death wish. A demolition derby as I have described and look at the HUNDREDS that are truly dying on the vine. They are not viable!
The registries themselves wanted the same result as dotcom but they smothered their own product by holding back anything they deemed to have any value whatsoever. They wanted the same result as dotcom but they certainly didn’t use the same playbook. There was no such thing as premium domains with Network Solutions. That was what gave life to the aftermarket.
They changed the recipe and it is what it is. Instead of replacing dotcom domains they should have marketed them as an on-ramp to their main dotcom website. That was a fatal choice.
Country-code extensions with dual purposes have outperformed all the new gTLDs put together.
.org has legs. Even .net domains seem to be in better shape than any of the new extensions.
According to NTLDStats.com there are 400 extensions with less than 20,000 registrations. Not viable! Over 300 of them have less than 10,000 and more than 200 have less than 5,000 and most of those have 2,000 or less.
On the other hand, there have been a lot of gimmicks used by the top 10 to gain HOLLOW registrations. Those 10 control 63% of all new gTLD registrations. Leaving the other 37% to be divided by over 500 other extensions. It’s laughable.
And when it comes to aftermarket sales, 2019 was worse than 2018 and 2017. Wrong direction for something that is supposed to be “emerging.”
According to TheDomains.com reported sales, of new gTLD’s are in a nosedive for 2019 vs 2018 and 2017. And most were done by registries themselves and not individual domain investors. Wrong direction!
2017
1,007 Total Sales
$5.2m Dollar Volume
$5,118 Average Price
$500.3k High Price
2018
1,490 Total Sales
$5.7m Dollar Volume
$3,847 Average Price
$510k High Price
2019
865 Total Sales
$3.4m Dollar Volume
$3,940 Average Price
$335k High Price
To me, 2020 is a year of total clarity. The experiment is over.
Get on board or get run over.

Sandeep Ramchamdani, CEO, Radix Registry

Within the new domains space, we will see a clear separation between the top 10 most popular extensions, and everything else. Many new TLDs have been able to jump volumes by operating at ultra-low prices. As the reality of renewals hit next year, the top TLDs by DUMs will more closely represent the most popular strings overall. Registrars will naturally tend towards focusing on these strings at the cost of everything else.
We will continue to see the normalization of new strings, as its visibility driven by legitimate end-user usage, rises. Our hope is that more registries play an active role in driving adoption by highly visible end-users and accelerate this evolution.

Jeff Neuman, Senior VP, Com Laude

Looking into my domain name industry crystal ball for 2020, I can see the continuation of some of the same activities, the start of some new debates, and even more maturation of the industry. Here are my views on three of the policy issues likely to be center-stage in 2020 (in no particular order).
Transitioning to a new Steady State of New TLDs.
OK, so the next round of new gTLDs will not open in 2020. However, there will be some real progress made towards the next round. The Subsequent Procedures PDP will complete its policy work on its review of the 2012 round and deliver it to the Council, who in turn will approve (hopefully) the policy work and submit to the Board.
The ICANN Board will put out the report for public comment and we will see those that oppose any new more new TLDs come back out of the woodwork to file the same type of comments reminiscent of 2009/2010. They will claim that more TLDs are not needed, we should not be moving too fast (despite nearly a decade between rounds), and that we should not be adding new TLDs until we solve DNS Abuse, Name Collision, WHOIS/SSAD/GDPR/RDAP/UAM, (insert your own issue), etc.
Despite the likely negativity from some, the community will realize that there is value to additional new gTLDs and maintaining a competitive landscape. There is still value in innovation, encouraging consumer choice and competition. The community will rise above the negativity to realize that many of the issues we experience in the industry are in fact related to the artificial scarcity of TLDs and that we need to continue to push forward towards completing one of the original missions of ICANN.
Rights Protection Mechanisms move to Phase 2.
Admittedly most of the community has not been paying attention to the Rights Protection Mechanisms (RPMs) Policy Development Process PDP. Currently it is working on Phase 1: Reviewing the RPMs introduced for the 2012 Round of New gTLDs. This work includes looking at the Trademark Clearinghouse, Sunrise Processes, the URS and the Trademark Claims process.
2020 may likely see the beginning of its second phase, the first ever review of the Uniform Dispute Resolution Policy (UDRP).
The UDRP was the first of ICANN’s Consensus Policies, and one that has been in place for more than to decades. Great care must be taken in the review of this policy which most will argue has been ICANN’s most successful policy in its relatively young history. The UDRP not only protects the intellectual property community by going after the bad faith registration and use of gTLD domains, but it also has been instrumental for registries and registrars to stay out of the middle of domain name disputes.
Prior to the UDRP, the one domain name registry/registrar was constantly in court defending itself against claims of contributory infringement and hoping that courts would not impose liability on it for allowing the registration of domain names by cybersquatters and not taking back names when notified about the abuse that was occurring on those names.
The passage of the UDRP drastically changed all of that. Registries and Registrars could extricate themselves from domain name disputes by referring the parties to the UDRP and agreeing to following/implementing the decisions. Courts agreed that following the UDRP served as a shield of liability for those registries and registrars that faithfully followed the policy. The bottom line in my view is that domain name registries and registrars need the UDRP as much as the IP Community.
The DNS Abuse Debate continues.
Although some progress has been made in defining and mitigating DNS Abuse with a number of registries and registrars signing a Framework to Address DNS Abuse, more discussions by the ICANN community will continue to take place both within and outside of ICANN. In my opinion, those registries and registrars that are serious of addressing true DNS abuse, will continue to educate the community on the already positive steps that they have been taking to combat phishing, pharming, malware, botnets, etc. as well a number of other non-DNS abuse issues (illegal pharmaceuticals, child exploitation, etc.).
Other groups will continue to press registries and registrars to do more to combat all sorts of other non-DNS forms of abuse, while others will strenuously argue that the more that is done, the more we threaten the civil liberties of domain name registrants. The community will realize that there is no right side or wrong side in this debate. Each side of those complicated debate is right.
Hopefully, a true sense of “multi-stakeholderism” will arise where domain name registries and registrars continue to mitigate abuse while disassociating themselves from those that are not as serious about combating abuse, ICANN will develop tools that will constructively assist with mitigating abuse (as opposed to focusing on contractual regulations), and the rest of the community will work on how to combat the growing problem without trampling on the rights of registrants. At the end of the day, all of us have a role in protecting end users on the Internet.
Note: I know the ePDP work on Universal Access will of course be ongoing, but I am sure others will give their thoughts on that. From a non-policy perspective, the domain name industry will continue to consolidate. We may very well see more registry/registrar combinations, registries purchasing other registries and private equity investment. We will see some more innovative uses of brand TLDs and others following suit.

Christa Taylor, CMO, MMX

1. The predicted 2020 recession will reward agile organizations who embrace machine learning to enhance operational efficiencies, customer experiences and protect corporate profit margins. Naturally, organizations with high operating costs will be the hardest hit with impacts being felt in the second half of 2020.
2. The potential recession combined with mounting pressures to increase efficiency will lead to a renewed focus on reaching niche markets to expand business.
3. Protection and representation movement of identities will continue to gain strength and momentum in 2020 as more and more people recognize the importance of controlling their own personal data.
4. Horizontal and vertical consolidation along with increased synergies will continue throughout the industry.
5. The 4th industrial revolution (IoT, VR, AI, BC) will gather momentum and provide additional opportunities for the use of domain names.
6. The next round of new gTLD applications will encounter unanticipated challenges causing delays.
7. New gTLDs registrations will continue to grow in 2020.

Michele Neylon, CEO, Blacknight

I suspect we’ll see more consolidation across the domain and hosting space. Afilias will probably acquire a few more under-performing registry operators. Some will already be on their platform, while others will be using their competitors. CentralNic will continue to acquire companies that fit with their portfolio of services.
There’ll be more mergers and acquisitions across the hosting and domain registrar space with a small number of companies dominating most developed markets.
The PIR acquisition by Ethos Capital will close and the sky won’t fall. PIR will increase their wholesale price by a few percentage points which will upset domain investors. There’ll be increased calls on ICANN to take action, but these will be rebutted.
More country code operators will start using AI to combat abusive registrations. In some cases I suspect we’ll see more stringent registrant validation and verification policies being introduced, though many ccTLD operators will find it hard to balance maintaining new registration volumes while also increasing the overall “quality” of the registration base.
There’ll be an increase in internet shutdowns in less-developed democracies, while governments in Europe and elsewhere will increase pressure on social media companies to stop the spread of propaganda. Internet infrastructure companies will come under more pressure to deal with content issues.
As we enter a new decade the role of the internet in our daily lives, both business and personal will continue to grow.
The big challenges that lie ahead are going to be complex. Without increasing security there’s a tangible risk that consumers will lose trust in the system as a whole and governments will want to impose more regulations to ensure that. One of the challenges is going to be balancing those increased levels of security and consumer confidence while not stifling innovation.
It’s going to be a fun future!

Dave Piscitello, Partner, Interisle Consulting Group

Expect increased scrutiny of the domain registration business. Our study and others to follow will continue to expose enormous concentrations of abuse and criminal domain registrations at a small number of registrars.
Domains registered using bulk registration services will attract the most attention. We call these “burner domains”, because cybercriminals use these in a “register, use, and abandon” fashion that’s similar to how drug dealers use disposable or burner mobile phones.
Governments will become more insistent that ICANN does more than acknowledge their recommendations and then defer adoption. They will increase pressure to validate domain registration data and legitimate businesses will happily comply with the additional validation overhead because of the abuse mitigation benefits they’ll receive.
There’s a possibility that a government other than the EU will adopt a data protection regulation that exposes the flawed logic in the ill-conceived Temp Spec “one redaction fits all”. Having decided to “run with GDPR”, what will ICANN do when faced with a government that insists that email addresses be made public?
The governance model will also fall under scrutiny, as the “multi” in multi-stakeholder appears to be increasingly dominated by two stakeholder interests and public interest barely receives lip service.

Ben Crawford, CEO, CentralNic

• There will be more creative ways to bake identity, cyber security, crime prevention and policing, and IP protection measures into domains and registration services
• More registries will be auctioning their own deleting domains
• Large tech firms, finance players and telcos will play and increasing role in the domain industry
• Further consolidation of gTLDs as the bigger registry operators continue to acquire some of the smaller ones
• More regulations impacting the domain name industry
• Smart independents like .XYZ, Radix and .ICU (which went from zero to 4+ million DUMs in 18 months) will continue to dominate the nTLD space (without blowing $100m on the rights to their TLDs)

Jothan Frakes, Executive Director, Domain Name Association

Consolidation will continue — look for a lot of M&A activity and corporate development. Lots of moves and role changes with people changing companies as the consolidation occurs. With change comes great opportunity, and there will be a lot of change.
The industry is kicking off the year with oomph — the new location and format for NamesCon, billed as as the Domain Economic Forum in Austin. The event looks promising, as it begins refreshed and demonstrates the strengths of the team who produce Cloudfest. Austin, like Las Vegas, is a mecca for tech startups, but larger, so hopefully the convenience of the venue to the local tech companies, along with with GoDaddy demonstrating a heavier presence at the event this year will be a big lure to attract more new faces to this great industry (and event).
There will be more focus on making things easier for new customers to use and activate services on domain names. Cool technologies such as DomainConnect or other methods that enable “app store” type activation of domain names will continue to make it simpler for a domain name owner to activate, build and use their domains. This is a crucial evolutionary step in the business, as it plays a significant role in renewal rates and overall customer growth.
We’ll see further innovation in the use of domain names become more mainstream. IoT, GPS/Geo, AI, Bots, voice, AR/VR and other technologies will drive expanded use of domain names. Even Blockchain, which seems to have gotten more pragmatic about purpose, has a lot of promise with how it can interact with DNS now that the hype has scaled back and the designated drivers that remain are plowing forth with their efforts to deliver on the core purpose/benefits they set out to deliver.
Domains, as well as the cool things that you can do with them, will continue to be a growing business that enables people and organizations to build and do great things.

A very happy new year to all DI readers and supporters!

AlpNames died months ago. Why is it still the “most-abused” registrar?

Despite going out of business, being terminated by ICANN, and losing all its domains several months ago, defunct AlpNames is still being listed as the world’s most-abused registrar by a leading spam-fighting organization.
SpamHaus currently ranks the Gibraltar-based company as #1 on its list of the “The 10 Most Abused Domain Registrars”, saying 98.7% of its domains are being used to send spam.
But AlpNames customers and regular DI readers will recall that AlpNames mysteriously went titsup in March, then got terminated by ICANN, then had its entire customer base migrated over to CentralNic in April.
So what’s this about?

I asked SpamHaus earlier this week, and it turns out that Whois query throttling is to blame.
It seems SpamHaus only pings Whois to update the registrar associated with a specific domain when the domain expires, or the name servers change, or where it’s a new registration with an unknown registrar.
I gather that when CentralNic took over AlpNames’ customer base, it did so with all the original name server information intact.
So, SpamHaus’ database still associates the domains with AlpNames even though it’s been out of business for the better part of a year.
A SpamHaus spokesperson said:

This is a very unusual situation, as a huge majority of the domains that contribute to the Top 10 list in question are created, abused, and burnt quickly; meaning a change of registrar is exceptionally rare. However, in the case of these particular domains registered with AlpNames we can only assume that the sheer volume of unused domains was too high for the owner to use in one single hit.

The actual number of “AlpNames” domains rated as spammy by SpamHaus is pretty low — 1,976 of the 2,002 domains it saw were rated as “bad”.
GMO, at #4 on the list, had over 40,000 “bad” domains, but a lower percentage given the larger number of total domains seen.

DI Leaders Roundtable #3 — What did you think of ICANN 66?

It’s time for the third in the series of DI Leaders Roundtables, in which I pose a single question to a selection of the industry’s thought leaders.
With ICANN 66 taking place a couple of weeks ago in Montreal, Canada, a multitude of topics came under public discussion, among them: DNS abuse, the .amazon gTLD application, access to Whois data and geographic names protections.
So, this time around, I asked:

What was your biggest takeaway from ICANN 66?

And this, in no particular order, is what they said:
Frank Schilling, CEO, Uniregistry

What a great industry… So many stable players with fresh ideas. Innovators who cross pollinate and stay with the industry in spite of the fact that there is no new gold and obvious money-making opportunity at the moment. Many stable operators trying new things and growing the industry from the inside out.

Michele Neylon, CEO, Blacknight

There weren’t any big surprises at ICANN 66. As I expected there were a couple of topics that many people were focussed on and they ignored pretty much everything else.
The biggest single topic was “abuse”. It’s not a “new” topic, but it’s definitely one that has come to the fore in recent months.
Several of us signed on to a “framework to address abuse” in the run up to the ICANN meeting and that, in many respects, may have helped to shift the focus a little bit. It’s pretty clear that not all actors within the eco system are acting in good faith or taking responsibility for their actions (and inactions). It’s also pretty clear that a lot of us are tired of having to pay the cost for other people’s lack of willingness to deal with the issues.
Calls for adding more obligations to our contracts are not welcome and I don’t think they’ll help deal with the real outliers anyway.
There’s nothing wrong in theory with offering cheap domain names but if you consciously choose to adopt that business model you also need to make sure that you are proactive in dealing with fraud and abuse.

Ben Crawford, CEO, CentralNic

That M&A has become the dominant business activity in the domain industry.

Milton Mueller, Professor, Georgia Tech

My takeaways are shaped by my participation on the EPDP, which is trying to build a “standardized system of access and disclosure” for redacted Whois data. The acronym is SSAD, but it is known among EPDP aficionados as the “So-SAD.” This is because nearly all stakeholders think they want it to exist, but the process of constructing it through an ICANN PDP is painful and certain to make everyone unhappy with what they ultimately get.
The big issue here concerns the question of where liability under the GDPR will sit when private data is released through a So-SAD. Registrars and registries would like to fob off the responsibility to ICANN; ICANN tells the world that it wants responsibility to be centralized somehow in a So-SAD but ducks, dodges and double-talks if you ask it whether ICANN org is willing to take that responsibility.
ICANN’s CEO, who fancies himself a European politician of sorts, has driven the EPDP team batty with a parallel process in which he ignores the fact that the EPDP team has all stakeholders represented, lawyers from contracted parties and data users, and privacy experts on it, as well as formal legal advice from Bird and Bird. Instead he feels compelled to launch a parallel process in which ICANN org goes about trying to make proposals and then ask European authorities about them. He has asked a bunch of techies unaware of the policy issues to design a So-SAD for us and is now badgering various European agencies for “advice” and “guidance” on whether such a system could centralize legal responsibility for disclosure decisions. The parallel process, known as the Strawberry team, was featured in the public meeting on Whois reform as if it was of equal status as the formally constituted EPDP.
But a great ICANN 66 takeaway moment occurred during that moment. The European Commission’s Pearce O’Donoghue told the assembled multitudes that a SoSAD “WOULD NOT…REMOVE THE LIABILITY OF THE DATA CONTROLLER, WHICH IS THE REGISTRAR OR THE REGISTRY. SO WE WOULD HAVE A QUESTION AS TO WHETHER IT IS ACTUALLY WORTH THAT ADDED COMPLEXITY.” So, bang, the request for European advice blew up right in Goran Marby’s face. Not only did he get a critical piece of advice on the most important issue facing the SoSAD and the EPDP, but he got it without going through the elaborate parallel process. No doubt there is now furious behind the scenes lobbying going on to reverse, change or step back from O’Donoghue’s comment. Marby has been quoted (and directly seen, by this writer) as claiming that with the submission of the Strawberry team’s formal request for “guidance” from the European Data Protection Board being submitted, he is now “done” with this. Let’s hope that’s true. My takeaway: ICANN org and all of its fruity concoctions needs to get out of the way and let the PDP work.
The final EPDP-related takeaway is that the biggest decision facing the EPDP as it makes policy for the So-SAD is who makes the disclosure decision: registrars who hold the data, or ICANN? Everyone agrees with centralizing the process of requesting data and hooking up to a system to receive it. But who makes the decision is still contested, with some stakeholders wanting it to be ICANN and others wanting it to reside with the contracted parties. It seems obvious to me that it has to be the registrar, and we should just accept that and get on with designing the So-SAD based on that premise.

Jothan Frakes, Executive Director, Domain Name Association

A few: WHOIS (or Lookup) remains challenging territory, registries and registrars > are not inactive about addressing abuse while avoiding becoming content police, and poutine is delicious.

Christa Taylor, CMO, MMX

From my perspective, the biggest takeaway is the level of industrious efforts, transformation and passion throughout the industry. Every meeting and dinner consisted of a broad range of organizations and people with diverse perspectives on industry topics resulting in thought-provoking debates or conceptual brainteasers. Compared to a year ago, the conversations have materially changed — impacted from industry consolidations, system updates and developments along with organizational transitions to streamline business in one method or another. While there is still plenty of work ahead of us, both within the industry and ICANN, it’s satisfying to reflect and realize that progress is being achieved, cooperation benefits all and no matter how long the tunnel might be, there is light.

I attempt to answer ICA’s questions about the “terrible blunder” .org acquisition

The Internet Commerce Association launched a withering attack on ICANN late last week, accusing the organization of a “terrible blunder” by lifting pricing restrictions on .org domain names.
As by now you’re no doubt aware, .org manager Public Interest Registry was acquired last week by a private equity firm with ties to ICANN’s former CEO, in a deal likely to have delivered hundreds of millions of dollars, if not more, to former owner the Internet Society.
The deal means PIR is now almost certain to exercise its newfound right to raise its prices arbitrarily, adding tens of millions to its annual top line at the expense of .org registrants.
While such a price increase is likely to have little impact on most registrants — an annual increase of even 100% would only add about $10 to the per-domain cost — it would certainly prove onerous to many of the high-volume domain investors ICA represents.
So ICA chief Zak Muscovitch whipped off a letter to ICANN (pdf) on Friday, demanding that ICANN use its contractual powers to terminate PIR’s registry agreement and put .org out for open tender. He wrote:

If you were led to believe that removing price caps on .Org domain names was a sound approach because the registry would remain in the hands of a nonprofit foundation, you have clearly been misled. If you were led to believe that despite being the effective owner of the .org registry, you were somehow forced to let your service providers tell you how much they can charge, instead of the other way around, you have been led astray. If you have been told that .Org does not have market power within the nonprofit sector, you have been led astray. If you have been told that competition from other gTLDs will constrain .org prices, you have been led astray.

I think the letter has about as much chance of working as an ice sculptor in hell, but Muscovitch does include a list of seven questions for ICANN that I’m going to attempt to answer to the best of my ability here.
First, he asks:

Were you aware whether ISOC was in talks to sell the registry when you approved the removal of the price caps?

I put the same question to PIR CEO Jon Nevett last week, and he told me: “I don’t know when the talks started with ISOC and the buyer, but neither ICANN nor PIR knew about it when finalizing the .ORG [Registry Agreement].”
I’ve no particular reason to believe he’s lying.

If ISOC was in such talks at that time, why was this material fact not disclosed to you by the registry operator, prior to you approving the renewal agreement?

The acquisition talks between ISOC and Ethos Capital certainly could have been going on prior to the .org contract being signed, which happened June 30 this year.
The main piece of evidence here is that Fadi Chehadé of private equity firm and presumed Ethos affiliate Abry Partners registered the domain ethoscapital.org on May 7, according to Whois records. A company of the same name was formed in Delaware a week later.
Given that Ethos appears to be an Abry vehicle set up purely to acquire PIR, it seems likely that talks were already underway at this point.
The domain ethoscapital.com, which Ethos is currently using as its primary, seems to have been acquired on the secondary market around August. The acquisition was announced November 13.
To Muscovitch’s question, though, I return to Nevett’s line that PIR knew nothing about the acquisition talks before the RA was finalized.
The RA was finalized and opened to public comment in March.
It’s quite possible Ethos and ISOC entered talks in the three months after the deal had been finalized but before it had been signed.

When did you first learn of the negotiations to sell the .Org registry?

An excellent question I’ve also posed but as yet have no answer to.

Did you base your decision to approve the removal of price caps, at least in part, on the expectation or belief that the registry would continue to be operated by a nonprofit organization with a public commitment to maintaining a stable pricing environment, instead of on behalf of a private equity firm whose objective is to maximize profits for its funders?

Cheekily, I’m going to take ICANN at its word and say the answer is “yes”.
One of the controversies concerning the .org renewal was that ICANN seemingly ignored thousands of comments calling for the retention of price caps.
This, ICANN has denied, saying that it “reviewed and evaluated” every comment.
Among the very few comments that weren’t outright condemnations of the decision to remove price caps were two nuanced, arguably ambivalent, analyses from two influential ICANN structures — the At-Large Advisory Committee and the Non-Commercial Stakeholders Group.
ALAC’s eight-page comment (pdf) was very much of the “on the one hand…” variety, but it paid special attention to ISOC’s public interest works when putting forward the view that uncapped pricing might be a good thing, noting (and quoting itself):

a significant portion of .ORG registration fees “are returned to serve the Internet community [through] redistribution of .org funds into the community by the Internet Society, to support Internet development.”… ISOC’s goals and priorities, while far broader than At-Large (and even ICANN), parallel those of At-Large and the interests of end-users. Many At-Large Structures are also ISOC Chapters, further demonstrating the commonality of interests.

NCSG, meanwhile, said in its comments (pdf) that price caps should remain, but increased from the 10%-per-year level. It acknowledged that some .org money flows into funding NCSG.
So there’s two influential groups, both with organizational and/or funding ties to ISOC, saying price increases may be a good thing because ISOC acts in the public interest.
And ICANN said it read and absorbed all the comments, so I’m cheekily going to say that yes, ICANN at least in part renewed the .org contract in the belief that PIR would continue to be a non-profit and act in the public interest.

Had you been aware of the planned sale of the .Org registry to a private equity firm, would you have treated the renewal of the .Org registry agreement and the removal of price caps as worthy of robust discussion and a vote by the Board, such that perhaps the terms of the agreement would have been modified?

I’m going to go out on a limb here and say hell, no. ICANN doesn’t want to be a pricing regulator, regardless of the registry operator, in my view. It’s only the US government that’s preventing it lifting price restrictions on .com, I reckon.

What involvement did your former CEO, Mr. Chehade and your former SVP, Ms. Abusitta-Ouri, have in the decision to employ the base gTLD registry agreement for legacy TLDs during their tenure, if any?

In Chehadé’s case, the answer is fairly clear. Even if he did not have a hands-on role in the decision to cajole legacy gTLD registries toward the 2012 agreement, it all happened on his watch so he bears ultimate responsibility.
It’s worth noting, perhaps, that most of the legacy gTLD agreements that migrated over to the new gTLD agreement’s standard language happened not only while Chehadé was at the helm, but also after he’d already accepted his new job at Abry.
He announced his early resignation in May 2015, telling the AFP at the time that he already had a job lined up in the commercial sector, but he declined to give specifics.
He’d probably made his mind up to quit some time before the announcement. He registered the domain name chehade.company, which he now uses for his investment vehicle Chehadé & Company, in the April.
He revealed he was joining Abry as senior advisor on digital strategy in August that year, but didn’t actually leave until March 2016.
During that interim, lame-duck period ICANN negotiated and signed (all in October 2015) renewals for 2003-round gTLDs .pro, .cat and .travel, all of which incorporated 2012 contract language related to, for example, the Uniform Rapid Suspension process.
Three months before Chehadé’s resignation announcement, ICANN signed a very similar deal with .jobs, the first time it had incorporated 2012 language into a legacy gTLD contract.
These contracts were all signed for ICANN not by Chehadé but by his long-time buddy, frequent co-worker and then-president of the Global Domains Division, Akram Atallah (who is now CEO of Donuts, which is owned by Abry).
Since Chehadé’s departure, ICANN has also taken the same contract renewal stance with TLDs including .xxx, .mobi, .museum and .aero.
By 2016 it had become standard operating practice at ICANN to nudge registries towards the 2012-round contract, as Atallah explained to then-ICA lead Phil Corwin at ICANN’s Hyderabad meeting in November 2016. Atallah stated (pdf):

So basically the negotiations are — the registries come and ask for something, and we tell them please adopt the new gTLD contract. And if they push back on it and they say they don’t want something, we can’t force them to take it. It’s a negotiation between two parties. And I think it’s within the remit of the corporation to negotiate its contracts. If the policy comes back and says that the URS is not something that we want to have as a policy, of course, we would support that.

As regards Nora Abusitta-Ouri, Ethos’s “chief purpose officer”, her former job title of “senior VP for development and public responsibility programs” suggests she had little to no involvement in gTLD contractual issues.
While her LinkedIn profile doesn’t mention it, she appears to have become chief engagement officer at Chehadé & Company after her stint at ICANN ended in July 2016.

What restrictions do you have in place with respect to cooling-off periods for former executives?

Fuck all, clearly.

DI Leaders Roundtable #2 — Should we kill off “Whois”?

Should we stop using the word “Whois” to describe registration data lookup services?
That’s the question I posed for the second DI Leaders Roundtable.
I’m sure you’re all very well aware that the Registration Data Access Protocol (RDAP) is the imminent replacement for the Whois protocol, as the technical method by which domain registrant contact information is stored, transmitted and displayed.
ICANN also regularly refers to Registration Data Directory Services (RDDS) as a protocol-independent blanket term covering the concept of looking up Whois or RDAP data.
You may also recall that ICANN, which is ostensibly a technical body, appears to bedeprecating the word “Whois” in favor of “Lookup” on its own web-based query service.
ICANN has a track record of introducing new acronyms to describe already well-understood functions. The IANA has technically been called “Public Technical Identifiers” for years, but does anyone actually call it “PTI”? No, everyone still talks about “IANA”.
So I wanted to know:

Should we continue to call it “Whois” after the technical transition to RDAP is complete? Will you continue to refer to “Whois”? Should we change to a different word or acronym? Should the industry standardardize its language one way or the other?

There seems to be a general consensus that “Whois” ain’t going anywhere.
The responses, in no particular order.
Jothan Frakes, Executive Director, Domain Name Association

The term WHOIS won’t quickly leave the zeitgeist due to the decades of its use as a description of the lookup process. Lookup is somewhat confusing, as there is DNS Query lookup that works across the resolution system, and WHOIS Lookup that works to find registrant info via the registration system. As far as the term “Lookup” as the label for the new normal that is poised to replace WHOIS? It is better than the acronym “RDDS”. The general public probably would not assume that RDDS is a way to find out about a domain owner or registration information, because it sounds like it involves dentistry (DDS) if one is not following the ICANN world as close as insiders. Despite the evolutionary path the basic function seems to be on, it is likely that WHOIS continues to be what the nickname for the lookup process called, regardless of the support technology layers below it not literally being WHOIS.

Frank Schilling, CEO, Uniregistry

WHOIS IS DEAD, LONG LIVE WHOIS.
The echo of “Whois” will live long after Whois is dead and gone. The very nature of its replacement word “Lookup” ensures that the information hungry public will expect more fulsome data than ICANN intends the word to provide. There will continue to be services who try to engineer a Whois hack and provide accurate underlying data for paying customers. Whois is going to outlive all of us. Even those who diet, exercise, and eat organic food.

Dave Piscitello, Partner, Interisle Consulting Group

Just as most of the world isn’t familiar with new TLDs, most have no appreciation for the differences between Whois and RDAP. The term “Whois” is convenient, memorable, and embedded. It also represents a service to most users, not a protocol, so if we do “standardize” we should use “RDS”. While we sort out the disastrous effects of ICANN’s Temp Spec policy on both investigators and victims of DNS abuse, most parties involved with educating policy makers and legislators should continue to use Whois for consistency’s sake.

Christa Taylor, CMO, MMX

As the old adage goes, “Don’t fix what’s not broken.” While “Whois” may have lost some of its luster due to GDPR I prefer to retain the term — it’s simple, representative of the information it provides and avoids adding any confusion especially for people outside of ICANN. Employing standardized language is, of course, logical and after twenty years of using “Whois” it is the accepted term both inside and outside the industry.

Sandeep Ramchamdani, CEO, Radix Registry

First up, the transition to the RDAP system is much needed given the fundamental flaws of Whois.
It would help in placing some guardrails around customers’ privacy while still providing agencies such as law enforcement authenticated access that they need to do their work.
Whois is a major cause of spam and in the age where privacy is top currency, public, unauthenticated availability of personal data is unacceptable.
It should also smooth out inter-registrar transfers and lower customer frustration while moving out to a different service provider.
When it comes to its name, calling it “RDAP” or “Lookup” would be a branding error. It would cause some confusion and for those not intimately involved in the industry, who may find it hard to discover the new system.
In my mind, keeping the original nomenclature “Whois”, while making it clear that it’s a newer avatar of the same solution would be the way to go.
Can’t think of a better term than “Whois 2.0”.
Very easy to understand that it’s a newer, more advanced iteration of the same product.

Michele Neylon, CEO, Blacknight

Whois was originally a simple little protocol that allowed network operators to contact each other to address technical issues. It predates the usage of domain names or the “web”.
When domains were introduced the same concept was simply transposed over to the new identifiers.
However over the past 20 plus years the way that people viewed Whois has morphed dramatically. The first time I spoke at an ICANN meeting 12 years ago was on the subject of Whois!
Now the term is used both to talk about the technical protocol, which is being replaced in the gTLD space and the data that it is used to store and possibly display. We talk about “Thin Whois”, “Thick Whois” and so many other services and issues linked back to it.
Whois as a protocol is far from perfect, which is why replacing the technical side of it makes a lot of sense.
So with the world slowly moving towards a new technical method for processing domain registration data then maybe we should come up with another word for it. However I’m not sure if there’s much to be gained by doing that.
We are all used to the floppy disk icon to save a document, even if floppy disks are no longer used. With the term “Whois” being part of people’s vocabulary for the nearly a quarter of a century. it’d be pretty hard to find a simple replacement and have people adopt it widely. Sure, in the more technical conversations it makes sense to use more accurate terms like “RDAP”, but the average punter just wants to be able to use a term that they can understand.
Those of us who work with domains and internet technology in our day jobs might care about the “correct” terminology, but we’re in a minority. We all get excited when the mainstream media picks up on a story involving domain names or the DNS and even gets half of it right! If we conjure up some new term that we think is accurate it’ll take years before anyone outside our bubble is comfortable with it. So I don’t think we should.
We should simply accept that “Whois” is a term used to refer to domain registration data no matter what technology under the hood is used to handle it.

Rick Schwartz, domain investor

Hate to give the same basic answer to two questions in a row, but who cares?
Really!! Who cares? Nobody!
This is inside baseball that doesn’t affect anyone on the entire planet except for a handful of domain investors and ICANN etc.
Call it whatever you like just make sure it’s public info.