Latest news of the domain name industry

Karklins beats LaHatte to chair ICANN’s Whois privacy team

Kevin Murphy, April 25, 2019, Domain Policy

Latvian diplomat and former senior WIPO member Janis Karklins has been appointed chair of the ICANN working group that will decide whether to start making private Whois records available to trademark owners.
Karklins’ appointment was approved by the GNSO Council last week. He beat a single rival applicant, New Zealand’s Chris LaHatte, the former ICANN Ombudsman.
He replaces Kurt Pritz, the former ICANN Org number two, who quit the chair after the working group finished its “phase one” work earlier this year.
Karklins has a varied resume, including a four-year stint as chair of ICANN’s Governmental Advisory Committee.
He’s currently Latvia’s ambassador to the United Nations in Geneva, as well as president of the Arms Trade Treaty.
Apparently fighting for Latvia’s interests at the UN and overseeing the international conventional weapons trade still gives him enough free time to now also chair the notoriously intense and tiring Expedited Policy Development Process on Whois, which has suffered significant burnout-related volunteer churn.
But it was Karklins’ one-year term as chair of the general assembly of WIPO, the World Intellectual Property Organization, that gave some GNSO Council members pause.
The EPDP is basically a big bloodless ruck between intellectual property lawyers and privacy advocates, so having a former WIPO bigwig in the neutral hot seat could be seen as a conflict.
This issue was raised during GNSO Council discussions last week by the pro-privacy Non-Commercial Stakeholders Group, which asked whether LaHatte could not also be brought on as a co-chair.
But it was pointed out that it would be difficult to find a qualified chair without some connection to some interested party, and that Karklins is replacing Pritz, who at the time worked for a new gTLD registry and could have had similar perception-of-conflict issues.
In the end, the vote to confirm Karklins was unanimous, NCSG and all.
The EPDP, having decided how to bring ICANN’s Whois policy into compliance with the General Data Protection Regulation, is now turning its attention to the far trickier issue of a “unified access model” for private Whois data.
It will basically decide who should be able to request access to this data and how such a system should be administered.
It will not be smooth sailing. If Karklins thinks international arms dealers are tricky customers, he ain’t seen nothing yet.

.blog tops 200,000 regs due to WordPress partnership

Knock Knock Whois There, the WordPress-affiliated .blog registry, said today that it has topped 200,000 names for the first time.
The milestone comes after about 28 months of general availability, during which growth has been slow but stable.
The company said it has a respectable renewal rate of 72.74%, which is only a couple of points behind .com.
KKWT’s relationship with its parent company, Automattic, owner of WordPress.com and an accredited registrar in its own right, has been crucial to .blog’s growth.
According to registry transaction reports, two-thirds of all .blog domains are sold via Automattic, which had over 128,000 .blog domains under management at the end of 2018.
Tucows is a distant second, with about 10,000 names.
Automattic promotes .blog prominently on its registrar site, selling for $18.95 a year.
But it’s still sold more .com domains, over half a million so far, at the slightly cheaper price of $15 per year.

XYZ weighs into Epik controversy with .monster fundraising domain

Kevin Murphy, March 21, 2019, Domain Registries

New gTLD registry XYZ.com has set up a domain to help raise money for victims of the terrorist attack in Christchurch, New Zealand last week.
The domain is give.monster. It redirects to a page on Givealittle.co.nz, a Kiwi crowdfunding site, that has so far raised almost NZD 7.8 million ($5.3 million) for the victims of the attack, which killed 50 and injured many more last Friday.
Given the amount of coverage in the New Zealand press, it appears that the fundraising page is legit.
The domain is obviously a reference to Epik.com CEO Rob Monster, who has come in for criticism this week for hosting and sharing the terrorist’s video of the attack, and then suggesting it might be a hoax, as I blogged earlier today.
XYZ is able to create this domain because it is the registry for .monster, a gTLD it acquired last year that is currently slap-bang in the middle of its early access launch period.
Whois records show that the domain was created a little over an hour ago and belongs to XYZ.com LLC.
I learned about it through this comment on DI:

We are sorry to see this in our industry… Please visit http://www.Give.Monster and donate to support victims of the horrific Christchurch shootings. Thank you for your support.

XYZ.com is the registry for .xyz, .college, .rent and other gTLDs. .monster previously belonged to recruitment web site Monster.com.

After NZ shooting, Epik has a Monster PR problem

Kevin Murphy, March 21, 2019, Domain Registrars

Domain name registrar Epik.com has come under fire from prominent domain investors and others after CEO Rob Monster suggested that video of the recent mosque shootings in New Zealand, which he hosted on an Epik service and shared on social media, was a hoax.
Domainer-bloggers including Shane Cultra, Konstantinos Zournas, and DNPlaybook.com have questioned Monster’s decision, and one of his own senior staffers, former DomainNameWire contributor Joseph Peterson, took to a domainer forum to partly criticize and partly defend his boss.
Cultra was particularly harsh in his criticism this week, calling for domainers to move their domains out of Epik and for his friend, Epik director Braden Pollock, to remove himself from the board.
He wrote: “I would like to think that any respectable domain investor remove their domains from Epik… Rob Monster’s agenda has no place in our industry”.
DNPlaybook wrote that Monster has become “Facilitator of Hate and Promoter of Conspiracies”.
Other domainers have written that they have removed, or will remove, their domains from Epik, though Monster wrote earlier this week that the impact on its business so far has been minimal.
Epik is an ICANN-accredited registrar with about 400,000 gTLD names under management at the last count. It’s almost doubled in size over the last two years.
The company and its CEO have been subject to criticism for months over their decision to provide services to web sites that enable the promotion of far-right ideologies such as white supremacism and Nazism.
But the latest row kicked off on March 15, when Monster used his personal Twitter account to share a link to the self-shot, first-person video of one of the terrorist attacks at a mosque in Christchurch.
Fifty people, all Muslims attending Friday prayers or in the vicinity of the mosques, were killed by the same person during the attacks.
The first attack was live-streamed on Facebook from a head-mounted camera. Apparently viewed live by fewer than 200 people, copies were nevertheless widely circulated on social media and elsewhere.
The copy of the video linked to by Monster was hosted by Epik-owned privacy services provider Anonymize.com, on an “effectively uncensorable” file-sharing service the company is currently developing.
In a subsequent tweet, Monster threw doubt upon whether the footage was real, writing: “Shell casings simply vanish into thin air. Etc. It looks like low budget CGI”.
Anyone with a grain of common sense who has seen the video will tell you that Monster is clearly talking absolute bollocks here. It’s not a fake.
Monster’s Twitter account has since been deleted. According to Peterson, Epik’s director of operations, Monster deleted it himself. Reading between the lines, it appears he was pressured to do so by his staff, including Peterson.
Monster has not yet deleted — and is in fact still actively using — his @epik account on Gab.com, the Twitter clone often used by far-right activists who have been banned from or choose not to use Twitter due to their views.
A March 15 post on Gab by Monster links to a copy of the Christchurch killer’s rambling “manifesto”, again hosted on anonymize.com. This link is still live, but I’ve redacted it in the screen-cap below, which shows Monster effectively using the manifesto to promote the forthcoming Anonymize service.
Monster on Gab
I’ve been unable to confirm whether Epik is still hosting the video of the attack, though there are reports that it was taken down a matter of hours after posting. (UPDATE 1816 UTC: the video is in fact still live on the Anonymize service).
Epik and Monster drew attention last November when Monster publicly offered to become the registrar for Gab.com, after the domain was suspended by GoDaddy.
Monster at the time said the move was to protect freedom of speech online.
Epik again attracted attention last month when it acquired BitMitigate, a denial-of-service protection startup which has been providing services to unapologetic Nazi propaganda site The Daily Stormer since August 2017, when Cloudflare told the site to GTFO.
It’s also taken on the domain business of video hosting site BitChute, which is often used as a refuge for political vloggers (including some on the far right) who have been demonetized or banned by YouTube.
For these reasons, in January Epik attracted the attention of the Southern Poverty Law Center, an anti-racist group based in the US. The SPLC wrote that “Epik is cornering the market on websites where hate speech is thriving”.
The post, and other news reports, strongly hint that Monster’s own political views might be more aligned with those of his customers than he cares to admit.
Monster naturally rebuts these suggestions, calling the SPLC post “highly defamatory and inaccurate”. In one of his most recent posts on Namepros, before his staff asked him to back away from the public square for a while, he wrote:

As for those members of the domain community who have taken the opportunity this week to rebuke me for allowing free speech to continue on the Internet, please know that I am neither seeking publicity or controversy. I am of sound mind. I am not a Nazi, an anti-semite, a homophobe, a misogynist, a bigot, or a racist. I believe love and understanding will overcome hate and divisiveness.
The future of the domain industry is being determined in 2019. Censorship, WHOIS privacy, sinkholing, DDoS, deplatforming, demonetization, unpersoning, are all symptoms of the disease which is a relentless desire by the few to dictate the narratives and choices to be consumed by the many.

Peterson has also denied that his boss harbors secret extremist views, in a series of lengthy, nuanced posts (starting here) on Namepros this week.
He writes that Monster has a “weird conspiratorial streak” and a natural inclination to believe in “false flag” conspiracy theories. He doubts the official story on 9/11 and believes the moon landings were faked, Peterson said. Monster is also a “Bible-believing Christian”, according to his Gab profile.
Peterson also writes that a significant portion of Epik’s employees, including some in important roles, are Muslims. He writes that he was “appalled” by Monster’s decision to post the video, but added:

But to infer that he did this because he hates muslims and condones murder is not just simplistic; it is LUDICROUS. One person murders 30+ muslims. The other person hires them and works with them closely on a daily basis. To equate these 2 is simply wrong. Whatever the reasons Rob felt it necessary to re-publish a link to content others had decided to censor, hatred of muslims was NOT the reason.

He goes on to say:

I object to Epik — the team I work with and the customers we look after — being portrayed falsely as some epicenter of “hate speech” or the alt right. We are not. We are a domain registrar and marketplace with a wide range of services. We are a company whose boss has taken controversial (and in some ways courageous) steps to protect free speech. Unfortunately, that same boss has stepped on that message with some very bad PR moves. When Rob does that, it irritates me to the point of exasperation. And I tell him so.

According to Peterson, Monster and his wife came under attack last year with a leafleting campaign in his local neighborhood, denouncing him as a Nazi.
He suspects this kind of behavior may have caused his boss to “double-down” on exactly the same kinds of activities that invited the controversy in the first place.
Whatever the reason, Epik certainly has got a PR problem on its hands right now.
I doubt this is the last we’ll hear of it.

Whois vacuum AppDetex raises $10 million

Kevin Murphy, March 20, 2019, Domain Registrars

Brand protection registrar AppDetex, which counts Facebook as its key customer, has raised $10 million in funding.
It’s the second round of venture capital for the six-year-old Boise, Idaho company. This one was led by First Analysis, with first-round investors EPIC Ventures and Origin Ventures each also taking an extra piece.
AppDetex says it has raised $17.5 million to date.
The company will be best known to registrars and other DI readers for its attempts last year to vacuum up vast amounts of Whois data, post-GDPR, on behalf of mainly Facebook.
The AppDetex WHOIS Requestor System (AWRS) is a semi-automated service that streamlines the process of requesting unredacted Whois records from registrars. I was given a demo last October.
The company came in for criticism for allegedly misrepresenting the results of its initial testing of the system, using the data to lobby ICANN and to market its product.
But AppDetex is apparently not just about the domains. It also offers brand monitoring services for social media platforms, app stores and web sites.
As a registrar, the company had a little over 1,500 gTLD domains under management at the last count, so the new investment is clearly not based upon its prowess as a volume registrar but rather on its value-added managed services.
AppDetex was founded by Faisal Shah (a founder of MarkMonitor) and Chris Bura (previously of AllDomains.com) in 2012.
The company has been closely affiliated with Facebook for some time.
Back in 2016, Facebook acquired RegistrarSEC, a registrar accreditation run by Shah and Bura that at the time was actually doing business under the name “AppDetex”, in order to protect Instagram.com from a Chinese court.
AppDetex has also hired staff from Facebook, and its general counsel is married to Facebook’s head of domain strategy.
According to data Tucows released a month ago, almost two thirds of the Whois requests it received since GDPR came into effect came from Facebook and AppDetex.

UDRP complaints hit new high at WIPO

Kevin Murphy, March 19, 2019, Domain Policy

The World Intellectual Property Organization handled 3,447 UDRP cases in 2018, a new high for the 20-year-old anti-cybersquatting policy.
The filings represent an increase of over 12% compared to the 3,074 UDRP cases filed with WIPO in 2017. There were 3,036 cases in 2016.
But the number of unique domains complained about decreased over the same period, from 6,370 in 2017 to 5,655 domains in 2018, WIPO said today.
The numbers cover only cases handled by WIPO, which is one of several UDRP providers. They may represent increases or decreases in cybersquatting, or simply WIPO’s market share fluctuating.
The numbers seem to indicate that the new policy of redacting Whois information due to GDPR, which came into effect mid-year, has had little impact on trademark owners’ ability to file UDRP claims.
UPDATE: This post was updated a few hours after publication to remove references to the respective shares of the UDRP caseload of .com compared to new gTLDs. WIPO appears to have published some wonky math, as OnlineDomain noticed.

At eleventh hour, most .uk registrants still don’t own their .uk names

Less than a quarter of all third-level .uk registrants have taken up the opportunity to buy their matching second-level domain, just a few months before the deadline.
According to February stats from registry Nominet, 9.76 million domains were registered under the likes of .co.uk and .org.uk, but only 2.27 million domains were registered directly under .uk, which works out at about 23%.
Nominet’s controversial Direct.uk policy was introduced in June 2014, with a grandfathering clause that gave all third-level registrants five years to grab their matching .uk domain before it returns to the pool of available names.
So if you own example.co.uk, you have until June 25 this year, 110 days from now, to exercise your exclusive rights to example.uk.
Registrants of .co.uk domains have priority over registrants of matching .org.uk and .me.uk domains. Nominet’s Whois tool can be used to figure out who has first dibs on any given string.
At least two brand protection registrars warned their clients this week that they will be at risk of cybersquatting if they don’t pick up their direct matches in time. But there’s potential for confusion here, after the deadline, whether or not you own a trademark.
I expect we could see a spike in complaints under Nominet’s Dispute Resolution Service (the .uk equivalent of UDRP) in the back half of the year.
Nominet told DI in a statement today:

The take up right now is roughly in line with what we envisaged. We knew from the outset that some of the original 10 million with rights would not renew their domain, some would decide they did not want the equivalent .UK and some would leave it to the last minute to decide or take action. The feedback from both registrants and registrars, and the registration data, bears this out.

The statement added that the registry has started “ramping up” its outreach, and that in May it will launch “an advertising and awareness campaign” that will include newspapers, radio and trade publications.

Trademark posse fails to block Whois privacy policy

Kevin Murphy, March 5, 2019, Domain Policy

The ICANN community’s move to enshrine Whois privacy into formal consensus policy is moving forward, despite votes to block it by intellectual property interests.
During a special meeting yesterday, the GNSO Council voted to approve a set of recommendations that would (probably) bring ICANN’s Whois policy into compliance with the General Data Protection Regulation.
But four councilors — Paul McGrady and Flip Petillion of the Intellectual Property Constituency and Marie Pattullo and Scott McCormick of the Business Constituency — voted against the compromise deal.
Their downvotes were not enough to block it from passing, however. It has now been opened for a month of public comments before being handed to the ICANN board of directors for final approval, whereupon it will become ICANN’s newest consensus policy and binding on all contracted parties.
McGrady, a lawyer with Winston Strawn, claimed that the Expedited Policy Development Process working group that came up with the recommendations failed to reach the level of consensus that it had claimed.
“The consensus call was broken,” he said, adding that the EPDP’s final report “reflects consensus where there really wasn’t any.”
The GNSO was due to vote 10 days ago, but deferred the vote at the request of the IPC and BC. McGrady said that both groups had tried to muster up support in their communities for a “yes” vote in the meantime, but “just couldn’t get there”.
Speaking for the BC from a prepared statement, Pattullo (who works for European brand protection group AIM) told the Council:

The report is a step backwards for BC members’ interests compared to the Temp Spec, especially as the legitimate purposes for collecting and processing data are insufficiently precise, and do not include consumer protection, cybercrime, DNS abuse and IP protection.

The Temp Spec is the Temporary Specification currently governing how registries and registrars collect and publish Whois data. It was created as an emergency measure by the ICANN board and is due to expire in May, when it will very probably be replaced by something based on the EPDP recommendations.
In response to the IPC/BC votes, Michele Neylon of the Registrars Constituency and Ayden Férdeline of the Non-Commercial Stakeholders Group read statements claiming that trademark interests had been given substantial concessions during the EPDP talks.
Neylon in particular had some harsh words for the holdout constituencies, accusing them of “bad faith” and pointing out that the EPDP spent thousands of hours discussing its recommendations.
“Our members would want any number of obligations this report contains to be removed, but despite the objections we voiced our support for the final product as a sign of compromise and support for the entire multistakeholder model,” he said.
“Given the objections of certain parts of the community it’s unclear how we can ask this group to carry on with the next phase of its work at the same pace,” he said. “Given the unwillingness of others to participate and negotiate in good faith, how can we ask our reps to spend hours compromising on this work when it’s clear others will simply wait until the last minute and withdraw their consent for hard-fought compromise.”
The EPDP had a hard deadline due to the imminent expiration of the Temp Spec, but that’s not true of its “phase two” work, which will explore possible ways trademark enforcers could get access to redacted private Whois data.
Unfortunately for the IP lobby, there’s a very good chance that this work is going to proceed at a much slower pace than phase one, which wrapped up in basically six months.
During yesterday’s Council call, both Neylon and NCSG rep Tatiana Tropina said that the dedication required of volunteers in phase one — four to five hours of teleconferences a week and intensive mailing list discussions — will not be sustainable over phase two.
They simply won’t be able to round up enough people with enough time to spare, they said.
Coincidentally, neither the registrars nor the non-coms have any strong desire to see a unified access solution developed any time soon, so a more leisurely pace suits them politically too.
It will be up to the EPDP working group, and whoever turns out to be its new chair, to figure out the timetable for the phase two work.

Phishing still on the decline, despite Whois privacy

Kevin Murphy, March 5, 2019, Domain Policy

The number of detected phishing attacks almost halved last year, despite the fact that new Whois privacy rules have made it cheaper for attackers to hide their identities.
There were 138,328 attacks in the fourth quarter of 2018, according to the Anti-Phishing Working Group, down from 151,014 in Q3, 233,040 in Q2, and 263,538 in Q1.
That’s a huge decline from the start of the year, which does not seem to have been slowed up by the introduction in May of the General Data Protection Regulation and ICANN’s Temp Spec, which together force the redaction of most personal data from public Whois records.
The findings could be used by privacy advocates to demonstrate that Whois redaction has not led to an increase in cybercrime, as their opponents had predicted.
But the data may be slightly misleading.
APWG notes that it can only count the attacks it can find, and that phishers are becoming increasingly sophisticated in how they attempt to avoid detection. The group said in a press release:

There is growing concern that the decline may be due to under-detection. The detection and documentation of some phishing URLs has been complicated by phishers obfuscating phishing URLs with techniques such as Web-spider deflection schemes – and by employing multiple redirects in spam-based phishing campaigns, which take users (and automated detectors) from an email lure through multiple URLs on multiple domains before depositing the potential victim at the actual phishing site.

It also speculates that criminals once involved in phishing may have moved on to “more specialized and lucrative forms of e-crime”.
The Q4 report (pdf) also breaks down phishing attacks by TLD, though comparisons here are difficult because APWG doesn’t always release this data.
The group found .com to still have the most phishing domains — 2,098 of the 4,485 unique domains used in attacks, or about 47%. According to Verisign’s own data, .com only has 40% market share of total registered domains.
But new, 2012-round gTLDs had phishing levels below their market share — 4.95% of phishing on a 6.83% share. This is actually up compared to the 3% recorded by APWG in Q3 2017, the most recent available data I could find.
Only two of the top 20 most-abused TLDs were new gTLDs — .xyz and .online, which had just 70 attack domains between them. That’s good news for .xyz, which in its early days saw 10 times as much phishing abuse.
After .com, the most-abused TLD was .pw, the ccTLD for Palau run by Radix as an unrestricted pseudo-gTLD. It had 374 attack domains in Q4, APWG said.
Other ccTLDs with relatively high numbers included several African zones run as freebies by Freenom, as well as the United Kingdom’s .uk and Brazil’s .br.
Phishing is only one form of cybercrime, of course, and ICANN’s own data shows that when you take into account spam, new gTLDs are actually hugely over-represented.
According to ICANN’s inaugural Domain Abuse Activity Reporting report (pdf), which covers January, over half of cybercrime domains are in the new gTLDs.
That’s almost entirely due to spam. One in 10 of the threats ICANN analyzed were spam, as identified by the likes of SpamHaus and SURBL. DAAR does not include ccTLD data.
The takeaway here appears to be that spammers love new gTLDs, but phishers are far less keen.
ICANN did not break down which gTLDs were the biggest offenders, but it did say that 52% of threats found in new gTLDs were found in just 10 new gTLDs.
This reluctance to name and shame the worst offenders prompted one APWG director, former ICANN senior security technologist Dave Piscitello, to harshly criticize his former employer in a personal blog post last month.

Registrars given six months to deploy Whois killer

Kevin Murphy, March 1, 2019, Domain Policy

ICANN has started the clock ticking on the mandatory industry-wide deployment of RDAP.
gTLD registries and registrars have until August 26 this year to roll out RDAP services, which will one day replace the age-old Whois spec, ICANN said this week.
Registration Data Access Protocol fulfills the same function as Whois, but it’s got better support for internationalization and, importantly given imminent work on Whois privacy, tiered access to data.
ICANN’s RDAP profile was created in conjunction with contracted parties and public comments. The registries and registrars knew it was coming and told ICANN this week that they’re happy for the 180-day implementation deadline to come into effect.
The profile basically specs out what registrars and registries have to show in their responses to Whois (or RDAP, if you’re being pedantic) queries.
It’s based on the current Temporary Specification for Whois, and will presumably have to be updated around May this year, when it is expected that the Temp Spec will be replaced by the spec created by the Whois EPDP.