Latest news of the domain name industry

Recent Posts

Most registrars fail ICANN abuse audit

Kevin Murphy, August 26, 2021, Domain Registrars

The large majority of accredited registrars failed an abuse-related audit at the first pass, according to ICANN.

(UPDATE October 14, 2021: ICANN disagrees with this characterization.)

The audit of 126 registrars, representing over 90% of all registered gTLD domains, founds that 111 were “not fully compliant with the [Registrar Accreditation Agreement’s] requirements related to the receiving and handling of DNS abuse reports”.

Only 15 companies passed with flying colors, ICANN said.

A further 92 have already put in place changes to address the identified concerns, with 19 more still struggling to come into compliance.

The particular parts of the RAA being audited require registrars to publish an abuse email address that it monitored 24/7 and to take action on well-founded cases of abuse within 24 hours of notification.

The results of the audit, carried out by ICANN Compliance and KPMG, can be found here (pdf).

16 Comments Tagged: , , , ,

More privacy headaches? UK to withdraw from GDPR

Kevin Murphy, August 26, 2021, Domain Policy

The UK is to craft its own privacy legislation, after Brexit enabled it to extricate itself from the EU’s General Data Protection Regulation, potentially causing headaches for domain name companies.

While it’s still in the very early pre-consultation stages, the government announced today that it wants “to make the country’s data regime even more ambitious, pro-growth and innovation-friendly, while still being underpinned by secure and trustworthy privacy standards.”

The country looks to be heading to a new privacy regime that registries and registrars doing business there will have to comply with, particular with regard to Whois services, in other words.

But it might not be too bad — the government is talking up plans to make “data adequacy” deals with third countries to enable the easy, legal transfer of private data across borders, which is always useful in the context of domain names.

While the UK is no longer in the EU, most EU laws including GDPR were grandfathered in and are still in effect.

Comment Tagged: ,

Bizarre redactions in Pirate Bay founder’s ICANN registrar ban

Kevin Murphy, August 26, 2021, Domain Policy

ICANN has finally published a complaint from Pirate Bay founder Peter Sunde, who has been banned from owning an accredited registrar, but it’s full of bizarre redactions that serve only to make it look like the Org is hiding something.

You may recall that Sunde said in March that ICANN had rejected his application to have his registrar, Sarek, formally accredited.

He told DI that it happened because ICANN was worried he’d be a “pain in the ass” due to his previous association with the Pirate Bay file-sharing site and his criminal conviction for copyright infringement.

Not long after speaking to us, he filed a formal complaint with ICANN, which ICANN, five months later, published this week.

There’s not much in the complaint (pdf) that we have not already reported, but what’s notable is the amount of unnecessarily redacted text.

ICANN seems chiefly concerned with poorly obfuscating the identity of the staffer with whom Sunde was dealing on, and who ultimately rejected, his accreditation application.

The Org goes to the extent of redacting gender pronouns, so the reader can’t tell whether the person in question is male or female.

But the information that remains unredacted in the very same sentence is more than sufficient to identify the staffer concerned.

I’ve even been on national TV mentioning [NAME REDACTED] that I talked to today, regarding [PRONOUN REDACTED] failure to disclose the 3200 comments that was against the price cap removal of .ORG in [PRONOUN REDACTED] summary report for ICANN regarding the case.

The person who compiled the comment summary on the .org price caps issue, a public document (pdf), was Russ Weinstein, who’s also the guy in charge of registrar accreditation matters.

What possible benefit could be had from obfuscating his identity? And if doing so is so important, why do it in such an incompetent way?

The document also appears to redact the names of Facebook CEO Mark Zuckerberg and Swedish prog-rocker Björn Afzelius, both in the context of well-reported news stories mere seconds away in a search engine.

Reference to Sunde’s own criminal convictions, which are also well-reported and he has never been shy about addressing, also appear to be redacted.

For avoidance of doubt, I’m not saying that ICANN is hiding anything sinister, nor am I saying Sunde’s complaint has merit, but this redaction-happy attitude serves only to make the Org appear less transparent than it really should be.

If these redactions are attempts to hide personally identifiable information under ICANN’s privacy policy, they failed miserably on pretty much every count, even after five months.

This is privacy theater, created by people who don’t know the first thing about privacy.

ICANN has yet to respond Sunde’s complaint.

2 Comments Tagged: , , , ,

ICANN cuts the weekend from next public meeting

Kevin Murphy, August 24, 2021, Domain Policy

ICANN has changed the dates for ICANN 72, its 2021 annual general meeting, making it two days shorter.

The old plan was for the meeting to run October 23-28. Now it will be October 25-28.

Basically, this means nobody will have to work at the weekend. October 23 is a Saturday.

The presumably truncated schedule will be published October 4.

ICANN said it made the decision “to support better working hours for attendees and encourage greater participation”.

ICANN 72 came close to having an in-person component in Seattle, but the board of directors decided last month to stick to Zoom due to ongoing pandemic uncertainties.

Comment Tagged: , , ,

DotKids signs very weird new gTLD contract

Kevin Murphy, August 24, 2021, Domain Registries

New gTLD registry hopeful DotKids Foundation has become the latest to sign its ICANN Registry Agreement, and it’s a bit odd.

The signing means that DotKids only needs to have its registry back-end, managed by Donuts/Afilias, pass the formality of its pre-delegation testing before .kids finds its way into the DNS root.

It’s going to be a regulated TLD, with strict rules about what kind of content can be posted there. It’s designed for under-18s, so there’ll be no permitted violence, sex, drugs, gambling etc.

DotKids plans to enforce this with a complaint-response mechanism. There won’t be any pre-vetting of registrants or content.

There are a few notable things about .kids worth bringing up.

First, the contract was signed August 13 by DotKids director Edmon Chung, best known as CEO of DotAsia. A few days later, he was selected for the ICANN board of directors by the Nominating Committee.

Second, it’s the first and only new gTLD to have been acquired on the cheap — DotKids got over $130,000 of support from ICANN as the only outfit to successfully apply under the Applicant Support program.

Third, DotKids’ Public Interest Commitments are mental.

PICs are the voluntary, but binding, rules that new gTLD registries opt to abide by, but the DotKids PICs read more like the opening salvo in a future lawsuit than clauses in a registry contract.

Three PICs in particular caught my eye, such as this one that seems to suggest DotKids wants to restrict its channel to only a subset of accredited registrars, and then doesn’t:

Notwithstanding Section 1 above, the Registry Operator makes a commitment to support ICANN’s overarching goals of the new gTLD program to enhance competition and consumer choice, and enabling the benefits of innovation via the introduction of new gTLDs. The Registry Operator further acknowledges that at the time of this writing, it is uncertain whether or not the limiting of distribution of new gTLDs to only a subset of ICANN Accredited Registrars would undermine ICANN’s own public interest commitments to enhance competition and consumer choice. In the absence of the confirmation from ICANN and the ICANN community that such undertaking would not run counter to ICANN’s overarching goals of the new gTLD program, or in the case that ICANN and/or the ICANN community confirms that indeed such arrangement (as described in 1. above) runs counter to ICANN’s public interest commitments and overarching goals, the Registry Operator shall refrain from limiting to such subset as described in 1. above.

I’ve read this half a dozen times and I’m still not sure I know what DotKids is getting at. Does it want to have a restricted registrar base, or not?

This paragraph is immediately followed by the equally baffling commitment to establish the PICs Dispute Resolution Procedure as a formal Consensus Policy:

Notwithstanding Section 2 and 4 above, the Registry Operator makes a commitment to support, participate in and uphold, as a stakeholder, the multi-stakeholder, bottom-up policy development process at ICANN, including but not limited to the development of Consensus Policies. For the avoidance of doubt, the Registry Operator anticipates that the PICDRP be developed as a Consensus Policy, or through comparably open, transparent and accountable processes, and commits to participating in the development of the PICDRP as a Consensus Policy in accordance to Specification 1 of this Agreement for Consensus Policies and Temporary Policies. Furthermore, that any remedies ICANN imposes shall adhere to the remedies specified in the PICDRP as a Consensus Policy.

The problem with this is that PICDRP is not a Consensus Policy, it’s just something ICANN came up with in 2013 to address Governmental Advisory Committee concerns about “sensitive” TLDs.

It was subject to public comments, and new gTLD registries are contractually obliged to abide by it, but it didn’t go through the years-long process needed to create a Consensus Policy.

So what the heck is this PIC doing in a contract signed in 2021?

The next paragraph is even more of a head-scratcher, invoking a long-dead ICANN agreement and seemingly mounting a preemptive legal defense against future complaints.

Notwithstanding Section 2 above, the Registry Operator makes a commitment to support ICANN in its fulfillment of the Affirmation of Commitments, including to promote competition, consumer trust, and consumer choice in the DNS marketplace. The Registry Operator further makes an observation that the premise of this Specification 11 is predicated on addressing the GAC advice that “statements of commitment and objectives to be transformed into binding contractual commitments, subject to compliance oversight by ICANN”, which is focused on statements of commitment and objectives and not business plans. As such, and as reasonably understood that business plans for any prudent operation which preserves security, stability and resiliency of the DNS must evolve over time, the Registry Operator will operate the registry for the TLD in compliance with all commitments and statements of intent while specific business plans evolve. For the avoidance of doubt, where such business plan evolution involves changes that are consistent with the said commitments and objectives of Registry Operator’s application to ICANN for the TLD, such changes shall not be a breach by the Registry Operator in its obligations pursuant to 2. above.

If you’re struggling to recall what the Affirmation of Commitments is, that’s because it was scrapped four years ago following ICANN’s transition out from under US government oversight. It literally has no force or meaning any more.

So, again, why is it showing up in a 2021 Registry Agreement?

The answer seems to be that the PICs were written in March 2013, when references to the AoC and the PICDRP as a potential Consensus Policy made a whole lot more sense.

While a lot of this looks like the kind of labyrinthine legalese that could only have been written by an ICANN lawyer, nope — these PICs are all DotKids’ handiwork.

ICANN seems to have been quite happy to dump a bunch of irrelevant nonsense into DotKids’s legally binding contract, and sign off on it.

But given that ICANN doesn’t seem convinced it even has the power to enforce PICs in contracts signed after 2016, does it even matter?

Comment Tagged: , , , , , ,

Dropping domains might get more expensive at Donuts

Kevin Murphy, August 23, 2021, Domain Registries

Donuts is planning to change the way its registry handles dropping domains and may charge additional fees for access.

According to a service request filed with ICANN, Donuts wants to migrate its hundreds of gTLDs to the “Dropzone” system originally deployed by Afilias, which the company acquired at the end of 2020.

Instead of domains separately dropping according to their expiry time, Dropzone sees them pooled together into daily batches for a more orderly release.

Registrars are still awarded dropping domains on a first-come, first-served basis, according to when they submit their EPP create requests to the Dropzone environment, according to Donuts.

Donuts reckons this system will allow it to better manage traffic load on its registry. Presumably, registrars won’t need to send so many creates, as the drop time is synchronized for all deleting domains.

It also thinks the process will help level the playing field for registrars trying to register expired domains.

But the ICANN request (pdf) also suggests that, unlike Afilias, it might add additional fees for registrars to access Dropzone:

In addition to the standard or premium registration prices of a given domain name, The Dropzone service can support additional application fees to be configured on a per TLD basis. Applications fees where applicable will be charged in addition to the standard registration price of a domain name.

Such charges would presumably be passed on to registrants.

Afilias’ original request for Dropzone approval stated that the fee to catch a drop would be the same as a standard registration fee.

Registrars will have to reconfigure their systems to use Dropzone, which exists on a separate host.

Afilias’ 21 gTLDs have been using Dropzone since ICANN approved the service last year.

Comment Tagged: , , , , ,

.sucks registry probably “connected” to mass cybersquatter, panel rules

Kevin Murphy, August 19, 2021, Domain Registries

Vox Populi, the .sucks registry, is probably affiliated with and financially benefiting from a mass cybersquatter, a panel of domain experts has said.

In the UDRP case of Euromaster v Honey Salt, a three-person panel handed the complainant the domain euromaster.sucks, ruling that it was a case of cybersquatting.

It’s one of 21 .sucks UDRP complaints filed against Honey Salt, a Turks & Caicos company operating under unknown ownership believed to own hundreds or thousands of brand-match .sucks domains.

It’s lost 17 of the 19 so-far decided cases. It also won one case on a technicality and another early case on the merits after mounting a free-speech defense that subsequent panels have not bought.

What’s new about this one is that the WIPO panel — Lawrence Nodine, Douglas Isenberg and Stephanie Hartung — is the first to follow the money and openly infer a connection between Honey Salt and Vox Pop.

The panel said that it “infer[s] that the Respondent [Honey Salt] and Registry [Vox Pop] are connected”, and that Vox is probably trying to make money by charging trademark owners premium fees for their own brands.

Vox Pop has previously denied such a connection, when I first made the same inference last October.

Regular readers will recall that Honey Salt has registered hundreds of .sucks domains and pointed them to a wiki-style web site called Everything.sucks, ostensibly run by a third-party, US-based non-profit.

Rather than containing original “gripe” content, which could easily enable it to win a free-speech UDRP defense, Everything.sucks simply populates its site with poor-quality, context-free content scraped by bots from social media and third-party web sites such as TrustPilot and GlassDoor.

Originally, each page carried a banner linking to a secondary market page at Uniregistry or Sedo where the domains could be purchased, often at cost price.

That quickly disappeared when the first UDRP cases started rolling in, and earlier this year Everything.sucks said on each page that it refused to sell its domains to anyone, instead offering a free transfer.

It even published the pre-authorized transfer codes on each page, meaning literally anyone could seize control of the domain in question without asking permission from or negotiating with Honey Salt in advance.

The problem with that is that transfers are not free. Some domains are flagged as premium — including lots of brand-matches — and have transfer fees in the thousands of dollars. Even the cheapest still carry the base registry fee.

Many registrars steer well clear of this model, disallowing any .sucks transfers.

One registrar that reliably does allow .sucks transfers is Rebel, which is sister company to Vox Pop under the Momentous group of companies. It offers .sucks domains at the registry wholesale fee, which is $200 for an non-premium.

It’s been painfully obvious since the outset that the only parties that stand to make a profit on the Everything.sucks business model are the registry and its affiliated companies — it simply doesn’t make sense that Honey Salt would invest hundreds of thousands of dollars in trademark-infringing domains, simply to hand them over at cost.

But the Euromaster panel is the first to infer the connection, or at least the first to publicly infer the connection.

Euromaster had filed a supplemental document in its complaint pointing out that the “free” transfer of euromaster.sucks would in fact cost a “premium” fee of $2418.79. The registrar quoting that fee is not revealed.

The WIPO panel asked Honey Salt for an explanation and it sounds like it got a bunch of procedural waffle in response.

This led to the following discussion, to which I’ve added some emphasis:

The Panel also finds that Respondent [Honey Salt] has failed to show that it has no financial interest in the Disputed Domain Name. Complainant’s Supplemental submissions demonstrate that Complainant’s chosen registrar quoted a fee of USD 2418.79 to transfer the Disputed Domain Name. Complainant’s report is consistent with M and M Direct Limited v. Pat Honey Salt, Honey Salt Limited, WIPO Case No. D2020-2545, where a different panel conducted an independent investigation and reported that the domain name at issue in that case was not offered “free” as promised, but instead that registrars classified the domain names at issue as “premium” and quoted transfer fees of USD 3,198 and USD 4,270 respectively.

This directly contradicts any claim to be offering a free and noncommercial service, and given that any registration would result in a fee being paid to the Registry by a registrar, leads the Panel to infer that the Respondent [Honey Salt] and Registry [Vox Pop] are connected.

Given the prior decision in M and M Direct, and the evidence that Complainant’s Supplemental submissions, the Panel afforded Respondent an opportunity to submit additional argument and evidence to explain the inconsistency. Respondent made no effort to do so, but instead only opposed consideration of Complainant’s supplemental evidence and repeated its previous contentions. The Panel rejects the objections to Complainant’s Supplemental submission, and emphasizes that Respondent was given an opportunity fully to respond.

The Panel finds that Complainant’s evidence raises substantial questions about the credibility of Respondent’s assertion that it has no financial interest in the Disputed Domain Name and whether Respondent’s offer to transfer the Disputed Domain might, directly or indirectly, financially benefit Respondent. Accordingly, the Panel finds that Respondent has not carried its burden to show that its use is noncommercial

In other words, the panel suspects that Vox Pop is in on Honey Salt’s bulk-cybersquatting game.

The closest any other UDRP panel has come to making this link was in a recent case filed by multiple, unrelated trademark owners, where the panel, while denying the complaint on procedural grounds, suggested that aggrieved trademark owners instead invoke ICANN’s Trademark Post Delegation Dispute Resolution Procedure.

The Trademark PDDRP is a mechanism — so far unused and untested — that allows trademark owners to allege registry complicity in cybersquatting schemes. Think of it like UDRP for cybersquatting registries.

Frankly, I’m amazed it hasn’t been used yet.

Comment Tagged: , , , , , , , , , ,

As Kabul falls, Whois could present a danger to ordinary Afghans

Kevin Murphy, August 19, 2021, Domain Policy

With Afghanistan falling to the Taliban this week, there’s potential danger to .af registrants — both in terms of losing domain services and of Whois being used for possibly deadly reprisals.

At time of writing, it’s been four days since the fall of Kabul. The uneasy truce between NATO and Taliban forces has failed to prevent scenes of chaos at the city’s main airport and the PR machine of so-called “Taliban 2.0” is in full bluster.

The new Taliban is, its spokespeople suggest, more tolerant of western liberal values and more supportive of human rights than its brutal, pre-9/11 incarnation.

Few believe this spin, and there have been multiple reports of 1990s-style oppression, including revenge killings and the suppression of women’s rights, across the country.

With all that in mind, a blog post about .af domain names may seem trivial, but it’s not my intention to trivialize.

I’m as appalled as any right-minded observer by the situation on the ground in Afghanistan and the neglect that led to it. But I believe .af could prove a learning moment in the ongoing conversation about Whois privacy.

The .af ccTLD has been managed since not long after the US-led invasion by the country’s Ministry of Communications and IT as the Afghanistan Network Information Center.

The registry had previously been managed for free from London by NetNames, with an admin contact in Kabul, according to the report of the 2003 IANA redelegation, which happened at a time when Afghanistan was still under a transitional government heavily overseen by the foreign governments behind the invasion.

Domain policy for .af was created in 2002, and it includes provisions for an open, freely available Whois database that is still in effect today.

Domains registered via overseas registrars appear to be benefiting from the impact of the EU’s General Data Protection Regulation, which redacts personal information, but this obviously does not apply in Afghanistan.

This means the names, addresses, phone numbers and email addresses of .af registrants are available for querying via various Whois interfaces, including the registry’s own, which is managed by New Zealand-based back-end CoCCA.

Using a combination of web searches and Whois queries, it is possible to find personally identifiable information of registrants, including names and addresses, at local human rights groups, as well as local news media and technology providers supportive of human rights causes.

If the reports of Taliban fighters conducting house-to-house searches for enemies of the new state are accurate, the easy availability of this personal data could be a serious problem.

To a great extent, this could be a case study in what privacy advocates within the ICANN community are always warning about — public access to Whois data gives oppressive regimes a tool to target their oppression.

And as we have seen this week, oppressive regimes can appear almost literally overnight.

While it seems unlikely there’s anyone from the old Afghan ministry still in control of the registry, I think .af back-end provider CoCCA, as well as Whois aggregators such as DomainTools, should have a long think about whether it’s a good idea to continue to provide open access to .af Whois records at this time.

Fortunately, there doesn’t appear to be a great many .af domains under management. DomainTools reckons it’s under 7,000.

At the other end of the scale of seriousness, overseas .af registrants may also see issues with their names due to the Taliban takeover.

It seems incredible today, but in 2001 a Taliban decree restricted internet access to a single computer at a government ministry. Others in government could apply to use this computer by sending a fax to the relevant minister.

While it seems impossible that such a Draconian restriction could be reintroduced today, it still seems likely that the Taliban will crack down on internet usage to an extent, including introducing morality or residency restrictions to .af regs.

.af is currently open to registrants from anywhere in the world, with no complex restrictions and .com-competitive prices.

Many multinational corporations have registered .af names for their local presence.

The string “af” has in recent years become social media shorthand for “as fuck”, and a small number overseas registrants appear to be using it as a domain hack in that context — type “corrupt.af” into your browser and see what happens.

Others seem to be using .af, where short domains are still available, as shortcuts to their social media profiles.

I don’t believe ICANN will need to get directly involved in this situation. Its Whois query tool does not support .af, and IANA presumably won’t need to get involved in terms of redelegation any more than it would following a general election or a coup d’état.

1 Comment Tagged: , , , , , , , , ,

Second-level .au names coming next March with tight deadline

Kevin Murphy, August 19, 2021, Domain Registries

Australia will soon become the latest country with an historical three-level ccTLD structure to offer second-level domains directly under .au.

Local registry auDA said today that direct SLD regs will become available next March.

It’s not the first country to do this — Australia follows the UK and New Zealand in de-emphasizing .co.nz and .co.uk in favor of SLDs.

But it’s giving registrants a much shorter deadline to claim their matching domains.

Unlike the UK, where registrants had five years to grab their matches before they became generally available, Aussies will only get six months.

Existing registrants will get first refusal on their matching domains. In cases of contention — where the .com.au and .net.au are registered to different people, for example — the registrant with the oldest domain gets priority.

Australian presence rules also apply.

Comment Tagged: , , , ,

ICANN director picks for 2021 revealed

Kevin Murphy, August 19, 2021, Domain Policy

ICANN’s Nominating Committee has revealed its three picks for the organization’s board of directors, with one member been swapped out for a newcomer.

Lito Ibarra will be replaced by Edmon Chung, while Danko Jevtović and Tripti Sinha see their seats kept safe for their respective second three-year terms.

Ibarra works for El Salvador’s .sv top-level domain registry and represented the Latin America region on the board. By the time the handover occurs in October, he will have served two of his possible three-year terms.

He’s being replaced by Chung, a long-time industry and ICANN participant perhaps best known as the CEO of DotAsia, which runs .asia. As you might expect, he represents the Asia-Pacific region.

While the appointments clearly alter the regional mix somewhat, they equally clearly do nothing to tilt the gender balance on the male-heavy board, which ICANN has stated is a desirable goal for NomCom.

NomCom also revealed its picks for two members of the GNSO Council, one member of the ccNSO Council and three members of the At-Large Advisory Committee, which include some familiar names.

NomCom said it had 116 applications in total, over half of which came from Africa and Asia-Pac.

For the first time since 2006, ICANN did not disclose the gender mix of the applicants. It’s not clear why.

The full list of successful applicants can be found here.

3 Comments Tagged: ,