After price hike, now Tucows drops support for Uniregistry TLDs

Tucows is to drop OpenSRS support for nine Uniregistry gTLDs after the registry announced severe price increases.
The registrar told OpenSRS resellers that it will no longer support .audio, .juegos, .diet, .hiphop, .flowers, .guitars, .hosting, .property and .blackfriday from September 8, the date the increases kick in.
It’s the second major registrar, after GoDaddy, to drop support for Uniregistry TLDs in the wake of the pricing news.
“The decision to discontinue support for these select TLDs was made to protect you and your customers from unknowingly overpaying in a price range well beyond $100 per year,” OpenSRS told its resellers.
It will continue to support seven other Uniregistry gTLDs, including .click and .link, which are seeing more modest price increases and will remain at $50 and under.
While Tucows is a top 10 registrar in most affected TLDs, its domains under management across the nine appears to be under 3,000.
These domains will expire at their scheduled expiry date and OpenSRS will not allow their renewal after the September 8 cut-off. Customers will be able to renew at current prices for one to 10 years, however.
Tucows encouraged its roughly 40,000 resellers to offer to migrate their customers to other TLDs.
Uniregistry revealed its price increases in March, saying moving to a premium-pricing model was necessary to make the gTLDs profitable given the lack of volume.
Pricing for .juegos and .hosting is to go up from under $20 retail to $300. The other seven affected gTLDs will increase from the $10 to $25 range to $100 per year.
After GoDaddy pulled support for Uniregistry TLDs, the registry modified its plan to enable all existing registrations to renew at current prices.
That clearly was not enough for Tucows, which has sent a pretty clear message that it’s not prepared to be the public face of such significant price hikes.

Massive ransomware attack hits 150 countries, brought down by a domain reg

A massive outbreak of malware on Friday hit thousands of organizations in an estimated 150 countries and had a big impact on the UK National Health Service before being temporarily thwarted by a single domain name registration.
WannaCry, as the malware has been called, targets Windows boxes that have not installed a March security patch. It encrypts files on the hosts it infects and demands money for the decryption key.
The attack is Big News for several reasons.
First, it spread ransomware over the network using a remotely exploitable vulnerability that required no user error or social engineering to install itself.
Second, it hit an estimated quarter-million machines, including thousands at big organizations such as Telefonica, the NHS, Deutsche Bahn and FedEx.
Third, it posed a real risk to human life. A reported 70,000 NHS machines, including medical devices, were said to be infected. Reportedly, some non-critical patients had to be turned away from UK hospitals and operations were cancelled due to the inability of doctors to access medical records.
Fourth, WannaCry appears to have been based on code developed by the US National Security Agency and leaked last month.
All in all, it was an attack the scale of which we have not seen for many years.
But it seems to have been “accidentally” prevented from propagating further on Friday, at least temporarily, with the simple act of registering a domain name.
A young British security researcher who goes by the online handle MalwareTech said he was poring over the WannaCry code on Friday afternoon when he came across an unregistered domain name.
On the assumption that the malware author perhaps planned to use the domain as a command and control center, MalwareTech spent the ten bucks to register it.
MalwareTech discovered that after the domain was registered, the malware stopped encrypting the hard drives it infected.
He first thought it was a fail-safe or kill-switch, but he later came to the conclusion that the author had included the domain lookup as a way to thwart security researchers such as himself, who run malware code in protected sandbox environments.
MalwareTech wrote:

In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to, a side effect of this is if an unregistered domain is queried it will respond as [if] it were registered

Once the domain was registered, WannaCry iterations on newly infected machines assume they were running in sandboxes and turned themselves off before causing additional damage.
MalwareTech was naturally enough proclaimed the hero of the day by many news outlets, but it appears that versions of the malware without the DNS query kill-switch already started circulating over the weekend.
Many are warning that the start of the work week today may see a new rash of infections.
The researcher’s account of the incident can be read in full here.

Uniregistry to grandfather existing domains before big price increases

Uniregistry has backtracked on its plan to hike renewal fees on thousands of domain name registrations.
CEO Frank Schilling described the U-turn, which followed a ferocious backlash from domain investors, as “the right thing to do”.
The company had announced price increases across 16 of its 27 gTLDs that in one case exceeded 3,000% but in many more cases represented increases in the hundreds of percent.
The increases were to apply to new and renewing registrations, and Schilling had said that they were necessary to keep the affected TLDs afloat.
But domainers were furious, taking to blogs and message boards to announce and decry the death of all new gTLDs.
Leading registrar Go Daddy soon said that it would no longer sell Uniregistry TLDs, at least temporarily.
But yesterday Uniregistry announced a change of heart, providing an unusually detailed account of the thought process leading to the price increases that’s worth quoting at length.

“The registration providers we consulted reported that differentiating prices based on the time of the registration was technically difficult and confusing for customers,” said Bret Fausett, head of the Registry Services Team. “Based on that feedback, and considering the small number of registrants affected, we made the difficult decision to raise prices for all registrants.”
“After the announcement, however, we, and our registration partners, have heard clearly from our end users that the ability to register ten-years at the existing price does not ameliorate the pain of subsequent price increases for registrants facing substantial price increases,” said Mr. Fausett. “So, for the names in our highest-priced tiers, the price changes will affect only new registrations. We are asking our registration partners to do whatever is necessary to enable this approach.”
“Creating a legacy tier of prices for inaugural registrants in our niche, premium top-level domains is technically more difficult,” said Frank Schilling, Managing Director of Uniregistry, “but it’s the right thing to do for those pioneering individuals and companies who have staked their claims in the new Internet real estate.”

In other words, if you register a name in the affected gTLDs before September 8, your renewal fee will be at the current lower level.
Whether this will be enough to mitigate Uniregistry’s reputational damage in the domainer community remains to be seen.
But the company also said it plans to overhaul its premium names pricing by the end of the second quarter, scrapping the multi-tier pricing approach in favor of a one-size-fits-all menu.
Schilling said that price reductions will affect “millions” of reserved names and mean “hundreds of millions” of dollars of hypothetical value have been wiped from the portfolio.

In rare public session, ICANN approves sexual harassment policy

ICANN’s board of directors this afternoon approved an anti-harassment policy designed to protect community members from unwanted sexual attention.
It’s the policy inspired by the now infamous Cheesesandwichgate incident at the Marrakech meeting a year ago.
But general counsel John Jeffrey noted that there have been multiple similar complaints to the Ombudsman over the last year or so, possibly as a result of increased awareness that such complaints are possible.
While the text of the resolution has not yet been published, I believe it’s approving a lightly modified version of the policy draft outlined here.
That draft sought to ban activities such as “sexually suggestive touching” and “lewd jokes” at ICANN meetings. A laundry list of characteristics (such as race, gender, disability) were also given special protection.
What’s possibly more interesting than the new policy itself is the manner in which the policy was approved.
It was the first time in goodness knows how many years — definitely over 10, and I’m tempted to say over 15, but nobody seems to know for sure — that the ICANN board has deliberated on a resolution in public.
By “in public” I mean the 30-minute session was live-streamed via Adobe Connect from an undisclosed location somewhere at ICANN 58, here in Copenhagen. An in-person live audience was not possible for logistical reasons, I’m told.
Apart from the first few years of ICANN’s existence, its public board meetings have usually been rubber-stamping sessions at the end of the week-long meeting, based on discussions that had gone on behind closed doors days earlier.
So today’s session was a significant attempt to increase transparency that is likely to be welcomed by many.
Unfortunately, its existence could have been communicated better.
For the first 15 minutes, there were no more than 19 people in the Adobe room, and I believe I may have been the only one who was not ICANN staff or board.
After I tweeted about it, another 10 or so people showed up to listen.

The ICANN board is deliberating in public on a resolution and nobody is listening. https://t.co/N59BLW4n20 #icann58 #icann

— Kevin Murphy (@DomainIncite) March 11, 2017

Given that increased board transparency is something many sections of the community have been clamoring for for years, one might have expected a bigger turnout.
While the meeting had been prominently announced, it was not listed on the official ICANN 58 schedule, so had failed to make it onto the to-do lists of any of the iCal slaves pottering around the venue.
The session itself came across to me as a genuine discussion — not stage-managed or rehearsed as some had feared.
Directors raised issues such as the possible increased workload on the Ombudsman, the fact that the current Ombudsman (or Ombudsperson, as some directors referred to him) is male, and the availability of female staff members to receive “sensitive” complaints.
Today’s open session is part of a “pilot” and is due to be followed up on Sunday with another, which will discuss ICANN’s fiscal 2018 operating plan and budget.
Again, turning up to watch in person will not be possible, but the 90-minute session will be streamed live at 0745 UTC here.
The first in the pilot program, which even I missed, was in Brussels in September.

Thick Whois policy for .com is now live

The domain name industry is kicking off one of its most fundamental shifts in its plumbing this week.
Over the next two years, Verisign and every registrar that sells .com domains will have to rejigger their systems to convert .com from a “thin” to “thick” Whois.
This means that by February 1, 2019, Verisign will for the first time control the master database of all Whois records for .com domains, rather than it being spread piecemeal across all registrars.
The switch comes as a result of a years-in-the-making ICANN policy that officially came into force yesterday. It also applies to .com stablemates .net and .jobs.
The first big change will come August 1 this year, the deadline by which Verisign has to give all of its registrars the ability to submit thick Whois records both live (for new regs) and in bulk (for existing ones).
May 1, 2018 is the deadline for all registrars to start submitting thick Whois for new regs to Verisign, but they can start doing so as early as August this year if they want to.
Registrars have until February 1, 2019 to supply Verisign with thick Whois for all their existing registrations.
There’s a process for registrars who believe they would be violating local privacy laws by transferring this data to US-based Verisign to request an exemption, which may prevent the transition going perfectly uniformly.
Some say that the implementation of this policy may allow Verisign to ask for the ability to ask a for an increase in .com registry fees — currently frozen at the command of the US government — due to its inevitably increased costs.
Personally, I think the added costs will likely be chickenfeed compared to the cash-printing machine that is .com, so I think it’s far from a slam-dunk that such fee increases would be approved.

GNSO faces off with governments over IGO cybersquatting

A defiant ICANN working group looking at cybersquatting rules for intergovernmental organizations is sticking to its guns in an ongoing face-off with the Governmental Advisory Committee.
In a report published for public comment this week, the GNSO working group recommended that IGOs should be given the right to use the UDRP and URS rights protection mechanisms, despite not being trademark owners.
But the recommendations conflict with the advice of the GAC, which wants ICANN to create entirely new mechanisms to deal with IGO rights.
I explored a lot of the back story of this argument in two posts a few months ago, which I will not rehash here.
The latest development is the publication of the proposed initial report of the GNSO IGO-INGO Access to Curative Rights Protection Mechanisms Initial Report (pdf) for comment.
The WG was tasked with deciding whether changes should be made to UDRP and URS to help protect the names and acronyms of IGOs and INGOs (international non-governmental organizations).
For INGOs, including the special cases of the International Olympic Committee and the Red Cross/Red Crescent, it decided no changes and no new mechanisms are required, concluding:

Many INGOs already have, and do, enforce their trademark rights. There is no perceivable barrier to other INGOs obtaining trademark rights in their names and/or acronyms and subsequently utilizing those rights as the basis for standing in the existing dispute resolution procedures (DRPs) created and offered by ICANN as a faster and lower cost alternative to litigation. For UDRP and URS purposes they have the same standing as any other private party.

The case with IGOs is different, because using UDRP and URS requires complainants to agree that the panel’s decisions can be challenge in court, and IGOs by their nature have a special legal status that allows them to claim jurisdictional immunity.
The WG recommends that these groups should be allowed access to UDRP and URS if they have protection under Article 6ter of the Paris Convention, a longstanding international intellectual property treaty.
This rule would actually extend UDRP and URS to hundreds more IGO names and acronyms than the GAC has requested protection for, which is just a few hundred. WIPO’s 6ter database by contrast currently lists 925 names and 399 abbreviations.
To deal with the jurisdictional immunity problem, the WG report recommends that IGOs should be allowed to file cybersquatting complaints via a third-party “assignee, agent or licensee”.
It further recommends that if an IGO manages to persuade a court it has special jurisdictional immunity, having been sued by a UDRP-losing registrant, that the UDRP decision be either disregarded or sent back to the arbitration for another decision.
The recommendations with regard IGOs are in conflict with the recommendations (pdf) of the so-called “small group” — a collection of governments, IGOs, INGOs and ICANN directors that worked quietly and controversially in parallel with the WG to come up with alternative solutions.
The small group wants ICANN to create separate but “functionally equivalent” copies of the UDRP and URS to deal with cybersquatting on IGO name and acronyms.
These copied processes would be free for IGOs to use and, to account for the immunity issue, would not be founded in trademark law.
The WG recommendations are now open for public comment and are expected to be the subject of some debate at the March ICANN meeting in Copenhagen.

Donuts extends DPML Plus and delays price hike

Donuts has delayed the price increases coming to its trademark-blocking service and extended availability of the “plus” version for three more months.
Domain Protected Marks List Plus, which lets companies block brands and variations such as typos and brand+keywords across Donuts stable of 200ish TLDs, will now be available until March 31.
The price hike for vanilla DPML, which does not include the variant-blocking, has also been delayed until the end of January, the registry said.
Both deadlines were previously December 31.
DPML Plus, which grants 10-year blocks on one trademark and three variants in every Donuts TLD, has a recommended retail price of $9,999.
Fully exploited, that amounted at the September launch to $1.26 per blocked domain per year, but Donuts’ portfolio has grown since then.
Retail prices for the plain DPML are reportedly going up from $2,500 per string to $4,400 for a five-year block at one registrar when the price rise kicks in. That’s a 76% increase.

GoDaddy will pay $1.79 billion for HEG in major Euro expansion

GoDaddy is to substantially increase the size of its European operation with the $1.79 billion acquisition of Host Europe Group.
The market-leading registrar confirmed yesterday earlier reports that it was on track to buy HEG, which counts several big-name British and German registrars among its brands.
The deal is worth €1.69 billion ($1.79 billion), which breaks down to €605 million to HEG shareholders and €1.08 billion in debt. It’s expected to close in the second quarter next year.
HEG’s domain brands include 123Reg and DomainMonster in the UK and DomainFactory in Germany.
The company says it has 1.7 million customers and manages over seven million domains.
But the acquisition is more concerned with HEG’s higher-margin small business hosting business, where the company has nine data centers in Europe and the US.
GoDaddy said in a press release:

Combining GoDaddy’s global technology platform with HEG’s footprint in Europe will enable the rapid deployment of a broader range of products to customers and allow for better scale of product development and go-to-market investments across both companies.

One part of the HEG business, the $92 million-a-year PlusServer, is likely to be sold off, however.
GoDaddy said that unit “serves larger, more mature companies that require a dedicated field sales force and account management”, which is not GoDaddy’s core strength.
The deal means that GoDaddy will become the owner of the annual NamesCon conference, which HEG picked up in August for an undisclosed amount.
The acquisition is unlikely to have closed before this coming January’s NamesCon, so there’s unlikely to be many obvious changes to the 2017 event.
GoDaddy said the acquisition is being financed by debt.
HEG’s current owner is private equity firm Cinven, which paid $545 million in 2013.

GoDaddy in talks to buy massive registrar Host Europe – report

GoDaddy is reportedly talking to Host Europe Group, one of Europe’s largest registrars, about an acquisition.
Reuters today reported that the deal, should it go ahead, could be worth as much as $1.8 billion.
GoDaddy has been favored over rival bids from United Internet (owner of United-Domains) and buyout firm Centerbridge, Reuters said.
HEG is the parent company for several registrar brands. Notably, it owns 123-reg and DomainMonster, two of the UK’s largest registrars.
123-reg had over 900,000 gTLD domains on its books at the last count. HEG overall says it manages over seven million domains.
The company was acquired by private equity group Cinven for £438 million ($545 million) in 2013.
It has 1.7 million customers and 1,300 employees spread across eight countries. It primarily operates in the UK and Germany.
HEG had 2015 revenue of €269.8 million ($286.3 million) and made a loss of €55.6 million ($59 million).
For GoDaddy, the acquisition is a chance to shift its revenue mix away from domains and more towards the more profitable hosting market, according to Reuters.

“Shadow content policing” fears at ICANN 57

Fears that the domain name industry is becoming a stooge for “shadow regulation” of web content were raised, and greeted very skeptically, over the weekend at ICANN 57.
Attendees yesterday heard concerns from non-commercial stakeholders, notably the Electronic Frontier Foundation, that deals such as Donuts’ content-policing agreement with the US movie industry amount to regulation “by the back door”.
But the EFF, conspicuously absent from substantial participation in the ICANN community for many years, found itself walking into the lion’s den. Its worries were largely pooh-poohed by most of the rest of the community.
During a couple of sessions yesterday, EFF senior attorney Mitch Stoltz argued that the domain industry is being used by third parties bent on limiting internet freedoms.
He was not alone. The ICANN board and later the community at large heard support for the EFF’s views from other Non-Commercial User Constituency members, one of whom compared what’s going on to aborted US legislation SOPA, the Stop Online Piracy Act.
“Regulation of content through the DNS system, through ICANN institutions and through contracted parties is of great concern and I think should be of great concern to all of us here,” Stoltz said.
He talked about a “bright line” between making policies related to domain names and policies related to content.
“I hope that the bright line between names and content is maintained because I think once we get past it, there may be no other bright line,” he said.
“If we allow in copyright enforcement, if we allow in enforcement of professional or business licensing as a criterion for owning a domain name, it’s going to be very hard to hold that line,” he said.
ICANN has long maintained, though with varying degrees of vigor over the years, that it does not regulate content.
Chair Steve Crocker said yesterday: “It’s always been the case, from the inception. It’s now baked in deeply into the mission statement. We don’t police content. That’s not our job.”
That kind of statement became more fervent last year, as concerns started to be raised about ICANN’s powers over the internet in light of the US government’s decision to give up its unique ICANN oversight powers.
Now, a month after the IANA transition was finalized, ICANN has new bylaws that for the first time state prominently that ICANN is not the content cops.
Page one of the massive new ICANN bylaws says:

ICANN shall not regulate (i.e., impose rules and restrictions on) services that use the Internet’s unique identifiers or the content that such services carry or provide

It’s pretty explicit, but there’s a catch.
A “grandfather” clause immediately follows, which states that registries and registrars are not allowed to start challenging the terms of their existing contracts on the basis that they dabble too much with content regulation.
That’s mainly because new gTLD Registry Agreements all include Public Interest Commitments, which in many cases do actually give ICANN contractual authority over the content of web sites.
Content-related PICs are most prominent in “Community” gTLDs.
In the PICs for Japanese city gTLD .osaka, for example, the registry promises that “pornographic, vulgar and highly objectionable content” will be “adequately monitored and removed from the namespace”.
While ICANN does not actively go out looking for .osaka porn, if porn did start showing up in .osaka and the registry does not suspend the domains, it would be in breach of its RA and could lose its contract.
That PIC was voluntarily adopted by the .osaka registry and does not apply to other gTLDs, but it is binding.
So in a roundabout kind of way, ICANN does regulate content, in certain narrow circumstances.
Some NCUC members think this is a “loophole”.
Another back door they think could be abused are the bilateral “trusted notifier” relationships between registries and third parties such as the movie, music and pharmaceutical industries.
Donuts and Radix this year have announced that the Motion Picture Association of America is allowed to notify it about domains that it believes are being used for large-scale, egregious movie piracy.
Donuts said it has suspended a dozen domains — sites that were TLD-hopping to evade suspension — since the policy came into force.
EFF’s Stoltz calls this kind of thing “shadow regulation”.
“Shadow regulation to us is the regulation of content… through private agreements or through unaccountable means that were not developed through the bottom-up process or through a democratic process,” he told the ICANN board yesterday.
While the EFF and NCUC thinks this is a cause for concern, they picked up little support from elsewhere in the community.
Speakers from registries, registrars, senior ICANN staff, intellectual property and business interests all seemed to think it was no big deal.
In a different session on the same topic later in the day, outgoing ICANN head of compliance Allen Grogan addressed these kinds of deals. He said:

From ICANN’s point of view, if there are agreements that are entered into between two private parties, one of whom happens to be a registry or a registrar, I don’t see that ICANN has any role to play in deciding what kinds of agreements those parties can enter into. That clearly is outside the scope of our mission and remit.
We can’t compel a registrar or a registry to even tell us what those agreements are. They’re free to enter into whatever contracts they want to enter into.
To the extent that they become embodied in the contracts as PICs, that may be a different question, or to the extent that the agreements violate those contracts or violate consensus policies, that may be a different question.
But if a registrar or registry decides to enter into an agreement to trust the MPAA or law enforcement or anyone else in deciding what actions to take, I think they’re free to do that and it would be far beyond the scope of ICANN’s power or authority to do anything about that.

In the same session, Donuts VP Jon Nevett cast doubt on the idea that there is an uncrossable “bright line” between domains and content by pointing out that the MPAA deal is not dissimilar to registries’ relationships with the bodies that monitor online child abuse material.
“We have someone that’s an expert in this industry that we have a relationship with saying there is child imagery abuse going on in a name, we’re not going to make that victim go get a court order,” he said.
Steve DelBianco of the NetChoice Coalition, a member of the Business Constituency, had similar doubts.
“Mitch [Stoltz] cited as an example that UK internet service providers were blocking child porn and since that might be cited as an example for trademark and copyright that we should, therefore, not block child porn at all,” he said. “I can’t conceive that’s really what EFF is thinking.”
Nevett gave a “real-life example” of a rape.[tld] domain that was registered in a Donuts gTLD.
“[The site] was a how-to guide. Talk about horrific,” he said. “We got a complaint. I’m not going to wait till someone goes and gets a court order. We’re a private company and we agreed to suspend that name immediately and that’s fine. There was no due process. And I’m cool with that because that was the right thing to do.”
“Just like a restaurant could determine that they don’t want people with shorts and flip-flops in the restaurant, we don’t want illegal behavior and if they want to move somewhere else, let them move somewhere else,” he said.
In alleged copyright infringement cases, registrants get the chance to respond before their names are suspended, he said.
Stoltz argued that the Donuts-MPAA deal had been immediately held up, when it was announced back in February, as a model that the entire industry should be following, which was dangerous.
“If everyone is subject to the same policies, then they are effectively laws and that’s effectively law-making by other means,” he said.
He and other NCUC members are also worried about the Domain Name Association’s Healthy Domains Initiative, which is working on voluntary best practices governing when registries and registrars should suspend domain names.
Lawyer Kathy Kleiman of the NCUC said the HDI was basically “SOPA behind closed doors”.
SOPA was the hugely controversial proposed US federal legislation that would have expanded law enforcement powers to suspend domains in cases of alleged copyright infringement.
Stoltz and others said that the HDI appeared to be operating under ICANN’s “umbrella”, giving it an air of having multistakeholder legitimacy, pointing out that the DNA has sessions scheduled on the official ICANN 57 agenda and “on ICANN’s dime”.
DNA members disagreed with that characterization.
It seems to me that the EFF’s arguments are very much of the “slippery slope” variety. While that may be considered a logical fallacy, it does not mean that its concerns are not valid.
But if there was a ever a “bright line” between domain policy and content regulation, it was traversed many years ago.
The EFF and supporters perhaps should just acknowledge that what they’re really concerned about is copyright owners abusing their powers, and target that problem instead.
The line has moved.