Registrars not happy with VeriSign abuse plans

Kevin Murphy, October 12, 2011, Domain Registrars

VeriSign has been talking quietly to domain name registrars about its newly revealed anti-abuse policies for several months, but some are still not happy about its plans for .com malware scans.
The company yesterday revealed a two-pronged attack on domain name abuse, designed to counteract a perception that .com is not as secure a space as it should be.
One prong, dealing with law enforcement requests to seize domains, I covered yesterday. It’s already received criticism from the Electronic Frontier Foundation and American Civil Liberties Union.
The other is an attempt to introduce automatic malware scanning into the .com, .net and .name spaces, rather like ICM Registry has said it will do with all .xxx domains.
Unlike the daily ICM/McAfee service, VeriSign’s free scans will be quarterly, but the company intends to also offer a paid-for upgrade that would search domains for malware more frequently.
On the face of it, it doesn’t seem like a bad idea.
But some registrars are worried about the fading line between registrars, which today “own” the customer relationship, and the registries, which for the most part are hidden away in the cloud.
Go Daddy director of network abuse Ben Butler, asked about both of yesterday’s VeriSign proposals, said in a statement that they have “some merit”, but sounded several notes of caution:

This is going to make all registrars responsible for remediation efforts and negative customer-service clean up. The registrar at this point becomes the “middle man,” dealing with customers whose livelihood is being negatively impacted. As mentioned in their report, the majority of sites infected with malware were not created by the “bad guys.”
While there is an appeal process mentioned, it could take some time to get issues resolved, potentially leaving a customer’s website down for an extended period.
This could also create a dangerous situation, allowing registries to gain further control over registrars’ operations – as registrars have the relationship with the registrant, the registrar should be responsible for enforcing policies and facilitating remediation.

It has also emerged that VeriSign unilaterally introduced the malware scanning service as a mandatory feature of .cc and .tv domains – which are not regulated by ICANN – earlier this year.
The changes appear to have been introduced without fanfare, but are clearly reflected in today’s .tv registration policies, which are likely to form the basis of the .com policies.
Some registrars weren’t happy about that either.
Six European registrars wrote to VeriSign last month to complain that they were “extremely displeased” with the way the scanning service was introduced. They told VeriSign:

These changes mark the beginning of a substantive shift in the roles of registries regarding the monitoring and controlling of content and may lead to an increase of responsibility and liability of registries and registrars for content hosted elsewhere. As domain name registrars, we hold the position that the responsibilities for hosted content and the registration of a domain name are substantially different, and this view has been upheld in European court decisions numerous times. In this case, Verisign is assuming an up-front responsibility that surpasses even the responsibilities of a web hoster, and therefore opens the door to added responsibilities and legal liability for any form of abuse.

In the end, the registrar community will have to face the registrant backlash and criticism, waste countless hours of support time to explain this policy to the registrants and again every time they notice downtimes or loss of performance. These changes are entirely for the benefit of Verisign, but the costs are delegated to the registrants, the registrars and the hosting service providers.

The registrars were concerned that scanning could cause hosting performance hits, but VeriSign says the quarterly scan uses a virtual browser and is roughly equivalent to a single user visit.
They were also worried that the scans, which would presumably ignore robots.txt prohibitions on spidering, would be “intrusive” enough to potentially violate European Union data privacy laws.
VeriSign now plans to give all registrars an opt-out, which could enable them to avoid this problem.
It looks like VeriSign’s plans to amend the Registry-Registrar Agreement are heading for ICANN-overseen talks, so registrars may just be digging into a negotiating position, of course.
But it’s clear that there is some unease in the industry about the blurring of the lines between registries and registrars, which is only likely to increase as new gTLDs are introduced.
In the era of new gTLDs, and the liberalization of ICANN’s vertical integration prohibitions, we’re likely to see more registries having hands-on relationships with customers.

.xxx introduces the 48-hour UDRP

Kevin Murphy, March 30, 2011, Domain Registries

The forthcoming .xxx top-level domain will have some of the strictest abuse policies yet, including a super-fast alternative to the UDRP for cybersquatting cases.
With ICM Registry likely to sign its registry contract with ICANN soon, I thought I’d take another look at some of its planned policies.
I’d almost forgotten how tight they were.

Don’t expect much privacy

ICM plans to verify your identity before you register a .xxx domain.
While the details of how this will be carried out have not yet been revealed, I expect the company to turn to third-party sources to verify that the details entered into the Whois match a real person.
Registrants will also have to verify their email addresses and have their IP addresses recorded.
Whois privacy/proxy services offered by registrars will have to be pre-approved by ICM, “limited to services that have demonstrated responsible and responsive business practices”.
Registrants using such services will still have their full verified details stored by the registry, in contrast to TLDs such as .com, where the true identity of a registrant is only known to the proxy service.
None of these measures are foolproof, of course, but they would raise barriers to cybersquatting not found in other TLDs.

Really rapid suspension

The .xxx domain will of course abide by the UDRP when it comes to cybersquatting complaints, but it is planning another, far more Draconian suspension policy called Rapid Takedown.
Noting that “the majority of UDRP cases involve obvious variants of well-known trademarks”, ICM says it “does not believe that the clearest cases of abusive domain registration require the expense and time involved in traditional UDRP filings.”
The Rapid Takedown policy is modeled on the Digital Millennium Copyright Act. Trademark holders will be able to make a cybersquatting complaint and have it heard within 48 hours.
Complaints will comprise a “simple statement of a claim involving a well-known or otherwise inherently distinctive mark and a domain name for which no conceivable good faith basis exists”.
A “response team” of UDRP panelists will decide on that basis whether to suspend the domain, although it does not appear that ownership will be transferred as a result.

X strikes and you’re out

ICM plans to disqualify repeat cybersquatters from holding any .xxx domains, whether all their domains infringe trademarks or not.
The policy is not fully fleshed out, so it’s not yet clear how many infringing domains you’d have to own before you lose your .xxx privileges.
High-volume domain investors would therefore be advised to make sure they have clean portfolios, or risk losing their whole investment.

Gaming restrictions

ICM plans to allow IP rights holders to buy long-term, deep-discount registrations for non-resolving .xxx domains. As I’ve written before, Disney doesn’t necessarily want disney.xxx to point anywhere.
That would obviously appeal to volume speculators who don’t fancy the $60-a-year registry fee, so the company plans to create a policy stating that non-resolving domains will not be able to convert to normal domains.
There’s also going to be something called the Charter Eligibility Dispute Resolution Process, which “will be available to challenge any resolving registration to an entity that is not qualified to register a resolving name in the .xxx TLD”.
This seems to suggest that somebody (think: a well-funded church) who does not identify as a member of the porn industry would be at risk of losing their .xxx domains.
The CEDRP, like most of the abuse policies the registry is planning, has not yet been fully fleshed out.
I’m told ICM is working on that at the moment. In the meantime, its policy plans are outlined in this PDF.