Group uses FOI to demand entire .nyc Whois database

Former .nyc hopeful Connecting.nyc has requested a dump of the entire .nyc Whois database using freedom of information legislation.
According to a blog post, the group has filed a request under the New York Freedom of Information Law for all 75,000 Whois records.
Connecting.nyc says it wants the data in order to plot every .nyc registrant on a map of the city to see “if the name purchasers were spread evenly over the city or concentrated in a particular neighborhood or borough. And if they were from a particular social or economic strata.”
It says it has spent 10 weeks asking for the data via email but has been rebuffed.
Under ICANN Registry Agreements, registries are under no obligation to offer bulk Whois access. Registrars are supposed to allow it under their accreditation agreements, but are allowed to charge huge sums.
The .nyc space does not allow private registrations. Its Whois data is all publicly accessible and could conceivably be mined via sequential queries.
The new gTLD is managed by Neustar but assigned to the City of New York, making it essentially government-owned.
It will be interesting to see whether Whois access falls under FOI law. Many other geographic gTLDs have government links and may fall under their own respective FOI legislation.
Connecting.nyc once intended to apply for .nyc itself, but is now a sort of self-appointed community watchdog for the gTLD. It’s an At-Large structure within ICANN.

Momentous denies link to “illegal” pharmacy gang

Momentous says CEO Rob Hall is NOT the man behind a registrar devoted almost exclusively to running “illegal” online pharmacies, after the US Congress was told he was a few hours ago.
In written testimony to Congress today, LegitScript president John Horton linked Hall to an “illegal online pharmacy network” called 4rx.
Horton said that the people running 4rx, which he said sells prescription drugs without a license, are also running the ICANN-accredited registrar Crazy8Domains
He went on to produce Canadian corporation records naming Hall as the sole director of the registrar.
I had a bit of a Google and found that Crazy8Domains says it’s based in a building in Ottawa that appears to have been once owned by Momentous.
But Rob Villeneuve, CEO of Momentous registrar Rebel, told us today that Crazy8Domains has not been part of Momentous for years. He said:

the Momentous group sold that Registrar over two years ago, and ICANN approved the sale. Mr. Hall and Momentous are no longer involved in Crazy8Domains in any way. We are unsure why the Industry Canada records have not been updated, and we have today notified Industry Canada of their error.

While Momentous may not be involved with Crazy8Domains, Horton presented some compelling evidence that it’s basically just a puppet registrar for an online pharmacy outfit.
It also goes by the name Kudo.com.
The contact name for the registrar listed by ICANN is Sabita Limbu, who is also listed in Whois as the registrant of domains such as indianpharmaonline.com, offshorerx1.com, and cheapestonlinedrugstore.com.
These sites offer hundreds of generic varieties of drug that purport to treat every condition under the sun, from erectile dysfunction to cancer.
Prescriptions do not appear to be required, and there’s a US toll-free number in case there was any doubt whose citizens are being marketed to.
Whether that’s illegal or not, I couldn’t possibly comment, but Horton told Congresspeople today that there are no countries where it is legal to sell prescription drugs without a license.
According to Horton, Crazy8Domains only has 18 domains live at present, and 15 of them are pharmacies:

In short, for all practical purposes, the ICANN-accredited registrar is the illegal online pharmacy, and the illegal online pharmacy is the ICANN-accredited registrar.

This means it would be virtually impossible for an outfit like LegitScript to get them taken down — any complaints made to ICANN would simply be referred to the registrar, which is in this case also the registrant.

.sucks and ICANN not invited to Congressional hearing on .sucks and ICANN

The witness list in next week’s US Congressional hearing into .sucks and ICANN accountability does not feature .sucks or ICANN.
The eight witnesses are largely drawn from outspoken critics of both ICANN and Vox Populi, either companies or trade associations and lobby groups. It’s stacked heavily in favor of intellectual property interests.
The hearing is titled “Stakeholder Perspectives on ICANN: The .sucks Domain and Essential Steps to Guarantee Trust and Accountability in the Internet’s Operation”.
With hindsight, the “Stakeholder Perspectives” bit gives away the fact that the judiciary subcommittee holding the hearing is more concerned with listening to ICANN’s critics than ICANN itself.
Mei-lan Stark, a senior intellectual property lawyer from Fox and 2014 president of the International Trademark Association, tops the list.
A critic of the new gTLD program, in 2011 Stark told Congress that the first round of new gTLDs would cost Fox “conservatively” $12 million in defensive registration fees.
It will be interesting to see if any Congresspeople confront Stark about that claim, which appeared like a gross overstatement even at the time.
One company that has been enthusiastically embracing new gTLDs — as an applicant, registry, defensive and non-defensive registrant — is Amazon, which has VP of global public policy Paul Misener on the panel.
Amazon has beef with ICANN for siding with the Governmental Advisory Committee over the battle for .amazon, which Amazon has been banned from obtaining, so it’s difficult to see the company as an overly friendly witness.
Next up is John Horton, president of LegitScript, the company that certifies legitimate online pharmacies and backs the .pharmacy new gTLD.
LegitScript is in favor of greater regulation of the domain name industry in order to make it easier to shut down potentially dangerous web sites (though opponents say it’s more often more interested in protecting Big Pharma’s profit margins). This month it called for a ban on Whois privacy for e-commerce sites.
Steve Metalitz, counsel for the Coalition for Online Accountability (a lobbyist for the movie and music industries) and six-term president of the ICANN Intellectual Property Constituency, is also on the list.
Jonathan Zuck, president of ACT The App Association (aka the Association for Competitive Technology, backed by Verisign and other tech firms) is on the list.
NetChoice director Steve DelBianco is also showing up again. He’s an ICANN hearing mainstay and I gather with this appearance he’ll be getting the final stamp on his Rayburn Building Starbucks loyalty card. That means a free latte, which is always nice.
Internet Commerce Association counsel Phil Corwin is a surprise invitee. ICA represents big domainers and is not a natural ally of the IP side of the house.
Bill Woodcock, executive director of Packet Clearing House, rounds off the list. PCH might not have instant name recognition but it provides Anycast DNS infrastructure services for scores of ccTLDs and gTLDs.
The committee hearing will take place at 10am local time next Wednesday.
A second hearing, entitled “Stakeholder Perspectives on the IANA Transition” will be held four hours later by a subcommittee of the House Energy & Commerce committee. The witnesses for that one have not yet been announced.
It’s going to be a busy day for ICANN bods on Capitol Hill.

Whois privacy reforms incoming

Whois privacy services will become regulated by ICANN under proposals published today, but there’s a big disagreement about whether all companies should be allowed to use them.
A working group has released the first draft of its recommendations covering privacy and proxy services, which mask the identity and contact details of domain registrants.
The report says that P/P services should be accredited by ICANN much like registrars are today.
Registrars should be obliged to disclose which such services they operate or are affilated with, presumably at the risk of their Registrar Accreditation Agreement if they do not comply, the report recommends.
A highlight of the paper is a set of proposed rules governing the release of private Whois data when it is requested by intellectual property interests.
Under the proposed rules, privacy services would not be allowed to reject such requests purely because the alleged infringement deals with the content of a web site rather than just the domain.
So the identity of a private registrant of a non-infringing domain would be vulnerable to disclosure if, for example, the domain hosted bootleg content.
Registrars would be able to charge IP owners a nominal “cost recovery” fee in order to process requests and would be able to ignore spammy automated requests that did not appear to have been manually vetted.
There’d be a new arbitration process that would kick in to resolve disputes between IP interests and P/P service providers.
The 98 pages of recommendations (pdf) were drafted by the Generic Names Supporting Organization’s Privacy & Proxy Services Accreditation Issues Working Group (PPSAI) and opened for public comment today.
There are a lot of gaps in the report. Work, it seems, still needs to be done.
For example, it acknowledges that the working group didn’t reach any conclusions about what should happen when law enforcement agencies ask for private data.
The group was dominated by registrars and IP interests. There was only one LEA representative and only one governmental representative, and they participated in a very small number of teleconferences.
There was also a sharp division on the issue of who should be able to use privacy services, with two dissenting opinions attached to the report.
One faction, led by MarkMonitor and including Facebook, Domain Tools and fake pharmacy watchdog LegitScript, said that any company that engages in e-commerce transactions should be ineligible for privacy, saying: “Transparent information helps prevent malicious activity”.
Another group, comprising a handful of non-commercial stakeholders, said that no kind of activity should prevent you from registering a domain privately, pointing to the example of persecuted political groups using web sites to raise funds.
There was a general consensus, however, than merely being a commercial entity should not alone exclude you from using a P/P service.
Currently, registrar signatories to the 2013 RAA are bound by a temporary P/P policy that is set to expire January 2017 or whenever the P/P accreditation process starts.
There are a lot of recommendations in the report, and I’ve only touched on a handful here. The public comment period closes July 7.

Three registrars suspended by ICANN

ICANN has enforced the 2013 Registrar Accreditation Agreement against three more registrars, suspending their ability to sell gTLD domain names.
Canadian registrar Namevault, along with Signdomains and Times Internet of India, cannot sell domains or accept inbound transfers from April 21 to July 20, according to ICANN compliance notices.
Namevault’s suspension came after it got its third compliance strike in a year, this time relating to its failure to provide records about domain stronglikebull.com, which was at Namevault from 2008 but is now at Go Daddy.
Times Internet has failed to implement a Whois service, despite being first warned about its failings last September, ICANN says.
Signdomains was originally issued a breach notice due to its failure to pay over $3,000 in accreditation fees. It also does not display pricing information on its web site, according to ICANN. Neither breach has been rectified.
The three registrars have not many more than 10,000 names under management between them, according to latest registry reports.
They’re the first three registrars to have their RAAs suspended in 2015. Three other registrars have been terminated since the beginning of the year.

Man escapes from prison by typosquatting

A convicted fraudster reportedly escaped from a UK prison by typosquatting.
Neil Moore was serving time on remand when he used a smuggled mobile phone to register a domain name that looked a lot like that of the UK court service, according to local media reports.
The domain, registered last March, was hmcts-gsi-gov.org.uk, a typo of the genuine hmcts.gsi.gov.uk.
Had Moore registered the name after last June, when Nominet enabled direct second-level .uk registrations, he would have been able to get a much more convincing typo.
He populated the Whois with the name of his case’s investigating officer and the address for the Royal Courts of Justice.
He then emailed the prison from his new domain with instructions for his bail.
Prison staff fell for it and he was released.
The scam went unnoticed for three days until his lawyers went to interview him. He handed himself back in to police hours later.
Moore was in prison for socially engineering over £1.8 million ($2.6 million) out of major firms by pretending to be bank staff.
He’s fessed up to several counts of fraud and one count of escape from lawful custody. He’ll be sentenced in April.

Verisign adds 750,000 .com names instantly with reporting change

Verisign has boosted its reportable .com domain count by almost 750,000 by starting to count expired and suspended names.
The change in methodology, which is a by-product of ICANN’s much more stringent Whois accuracy regime, happened on Friday afternoon.
Before the change, the company reported on its web site that there were 116,788,107 domains in the .com zone file, with another 167,788 names that were registered but not configured.
That’s a total of 116,955,895 domains.
But just a few hours later, the same web page said .com had a total of 117,704,800 names in its “Domain Name Base”.
That’s a leap of 748,905 pretty much instantly; the number of names in the zone file did not move.
.net jumped 111,110 names to 15,143,356.
The reason for the sudden spikes is that Verisign is now including two types of domain in its count that it did not previously. The web page states:

Beginning with the first quarter, 2015, the domain name base on this website and in subsequent filings found in the Investor Relations site includes domains that are in a client or server hold status.

I suspect that the bulk of the 750,000 newly reported names are on clientHold status, which I believe is used much more often than serverHold.
The clientHold EPP code is often applied by registrars to domains that have expired.
However, registrars signed up to the year-old 2013 Registrar Accreditation Agreement are obliged by ICANN to place domains on clientHold status if registrants fail to respond within 15 days to a Whois verification email.
The 2013 RAA reads (my emphasis):

Upon the occurrence of a Registered Name Holder’s willful provision of inaccurate or unreliable WHOIS information, its willful failure promptly to update information provided to Registrar, or its failure to respond for over fifteen (15) calendar days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder’s registration, Registrar shall either terminate or suspend the Registered Name Holder’s Registered Name or place such registration on clientHold and clientTransferProhibited, until such time as Registrar has validated the information provided by the Registered Name Holder.

Last June, registrars claimed that the new policy — which came after pressure from law enforcement — had resulted in over 800,000 domains being suspended.
It’s an ongoing point of contention between ICANN, its registrars, and cops.
Verisign changing its reporting methodology may well be a reaction to this increase in the number of clientHold domains.
While its top-line figure has taken a sharp one-off boost, it will still permit daily apples-to-apples comparisons on an ongoing basis.
UPDATE:
My assumption about the link to the 2013 RAA was correct.
Verisign CFO George Kilguss told analysts on February 5.

Over the last several years, the average amount of names in the on-hold status category has been approximately 400,000 names and the net change year-over-year has been very small.
While still immaterial, during 2014, we saw an increase in the amount of names registrars have placed on hold status, which appears to be a result of these registrars complying with the new mandated compliance mechanisms in ICANN’s 2013 Registrar Accreditation Agreement or RAA.
In 2014, we saw an increase in domain names placed on hold status from roughly 394,000 names at the end of 2013 to about 870,000 at the end of 2014.

Google leaks 282,000 private Whois records

Google has accidentally revealed registrant contact information for 282,867 domain names that were supposed to be protected by a privacy service.
The bug reportedly affected 94% of the 305,925 domains registered via Google Apps, an eNom reseller.
The glitch was discovered by Cisco and reported to Google February 19. It has since been fixed and customers were notified yesterday.
Google acknowledged in an email to customers that the problem was caused by a “software defect in the Google Apps domain renewal system”.
It seems that anyone who acquired a domain with privacy through Google Apps since mid-2013 and has since renewed the registration will have had their identities unmasked in Whois upon renewal.
Names, addresses, emails and phone numbers were revealed.
Due to services such as DomainTools, which cache Whois records, there’s no putting the genie back in the bottle. The information is out there for good now.
It’s a pretty major embarrassment for Google, which recently launched its own registrar.

Nominet to give nod to .uk privacy services

Nominet plans to start accrediting proxy/privacy services in .uk domain names, and to make it easier to opt-out of having your full contact details published in Whois.
The proposed policy changes are outlined in a consultation opened this morning.
“We’ve never recognized privacy services,” director of policy Eleanor Bradley told DI. “If you’ve registered a .uk with a privacy service, we consider the privacy service to be the registrant of that domain name.”
“We’ve been pretending almost that they didn’t exist,” she said.
Under the proposed new regime, registrars would submit a customer’s full contact details to Nominet, but Nominet would publish the privacy service’s information in the domain’s Whois output.
Nominet, getting its hands on the customer data for the first time, would therefore start treating the end customer as the true registrant of the domain.
The company says that introducing the service would require minimal work and that it does not intend to charge registrars an additional fee.
Currently, use of privacy services in .uk is pretty low — just 0.7% of its domains, up from 0.09% a year ago.
Bradley said such services are becoming increasingly popular due to some large UK registrars beginning to offer them.
One of the reasons for low penetration is that quite a lot of privacy is already baked in to the .uk Whois database.
If you’re an individual, as opposed to a “trading” business, you’re allowed to opt-out of having any personal details other than your name published in Whois.
A second proposed reform would make that opt-out available to a broader spectrum of registrants, Nominet says.
“We’ve found over the last few years that it’s quite a hard distinction to draw,” Bradley said. “We’ve had some criticisms for our overly strict application of that.”
In future, the opt-out would be available according to these criteria:

i. The registrant must be an individual; and,
ii. The domain name must not be used:
a) to transact with customers (merchant websites);
b) to collect personal data from subjects (ie data controllers as defined in the Data Protection Act);
c) to primarily advertise or promote goods, services, or facilities.

The changes would allow an individual blogger to monetize her site with advertising without being considered a “trading” entity, according to Nominet.
But a line would be drawn where an individual collected personal data on users, such as email addresses for a mailing list, Bradley said.
Nominet says in its consultation documents:

Our continued commitment to Nominet’s role as the central register of data will enable us to properly protect registrants’ rights, release contact data where necessary under the existing exemptions, and maintain public confidence in the register. It acknowledges that some registrants may desire privacy, whilst prioritising the core function of the registry in holding accurate records.

The proposals are open for comments until June 3, which means they could potentially become policy later this year.

Adware dominating popular new gTLD ranks

Afilias’ .kim has become the latest victim (beneficiary?) of adware, as robo-registrations boost the gTLD’s zone file and apparent popularity.
It’s the latest new gTLD, after .xyz and .country, to see its rankings soar after hundreds of gibberish, bulk-registered domains started being used to serve ads by potentially unwanted software.
.kim is today the 4th most-popular new gTLD, with 85 domains in the top 100,000 on the internet and 264 in the top one million.
A month ago, it had a rank of 223, with just 16 domains in the top one million.
The domain names involved — gems such as oatmealsmoke.kim, vegetableladybug.kim and tubhaircut.kim — have seen a boat-load of traffic and rocketing Alexa rank.
The reason for the boost seems to be a one-off bulk registration of about 1,000 meaningless .kim domain names in early February, which now appear to be being used to serve ads via adware.
In this chart (click to enlarge), we see .kim’s zone file growth since the start of 2015.

The spike on February 5, which represents over 1,000 names, is the date almost all of the .kim names with Alexa rank were first registered.
They all appear to be using Uniregistry as the registrar and its free privacy service to mask their Whois details.
These domains often do not resolve if you type them into your browser. They’re also using robots.txt to hide themselves from search engines.
But they’ve been leaving traces of their activity elsewhere on the web, strongly suggesting their involvement in adware campaigns.
It seems that the current (ab?)use of .kim domains is merely the latest in a series of possibly linked campaigns.
I noted in January that gibberish .country domains — at the time priced at just $1 at Uniregistry — were suddenly taking over from .xyz in the popularity charts.
The following three charts, captured from DI PRO’s TLD Health Check, show how the three TLDs’ Alexa popularity rose and fell during what I suspect were related adware campaigns..
First, .xyz, which was the first new gTLD to show evidence of having robo-registrations used in adware campaigns, saw its popularity spike at the end of 2014 and start of 2015:

Next, Minds + Machines’ .country, which saw its zone file spike by 1,500 names around January 6, starts to see its Alexa-ranked total rocket almost immediately.
.country peaks around February 9, just a few days after the .kim robo-registrations were made.

Finally, as .country’s use declines, .kim takes over. Its popularity has been growing day by day since around February 13.

I think what we’re looking at here is one shadowy outfit cycling through bulk-registered, throwaway domain names to serve ads via unwanted adware programs.
It seems possible that domains are retired when they become sufficiently blocked by security countermeasures, and other domains in other TLDs are then brought online to take over.
None of this necessarily reflects badly on any of the new gTLDs in question, or even new gTLDs as a whole, of course.
For starters, I’ve reason to believe that TLDs such as .eu and .biz have previously been targeted by the same people.
The “attacks”, for want of a better word, are only really noticeable because the new gTLDs being targeted are young and still quite small.
It takes much longer to build up genuine popularity for a newly launched web site than it does to merely redirect exist captive traffic to a newly registered domain.
What it may mean, however, is that .kim and .country are going to be in for statistically significant junk drops about a year from now, when the first-year registrations expire.
For .kim, 1,000 names is about 14% of its current zone file. For .country, it’s more like a quarter.
The daily-updated list of new gTLD domains with Alexa rank can be explored by DI PRO subscribers here. The charts in this post were all captured from the respective TLD’s page on TLD Health Check.