GoDaddy’s .xxx contract renewed
GoDaddy’s .xxx gTLD will no longer be “sponsored”, following a vote of ICANN’s board of directors last week.
At its ICANN 81 AGM in Istanbul, the board approved the renewal of GoDaddy subsidiary ICM Registry’s Registry Agreement.
The new deal closely follows the text of the standard RA most other gTLDs use, scrapping restrictions that GoDaddy found onerous but which were vital in getting the deal approved in the first place back in 2011.
It means the end of IFFOR, the International Foundation For Online Responsibility, the largely toothless oversight body that had been tasked with creating policies and issuing grants to worth causes but arguably did neither.
It also means less friction for the .xxx registration process, as registrants will no longer have to affirm they are members of the “sponsored community”, which never existed in any real sense anyway.
Some elements of the original sponsorship agreement, such as strict prohibitions on child sexual abuse material and the suggestion thereof, have been moved to Public Interest Commitments that ICANN could in theory enforce.
In its resolution text, ICANN noted that the Governmental Advisory Committee, which almost got .xxx killed off a couple decades ago, had not felt strongly enough about the new deal to publicly comment on it one way or the other.
.xxx makes most of its money from defensive registrations. It had almost 45,000 domains under management at the end of June, but barely 7,000 of those appeared in its zone file of the same date. That does not included domains blocked via the AdultBlock and GlobalBlock services, which are not counted in any public document but which I estimate are measured in five figures.
Senator says domain industry “enables” Russian disinfo attacks
An influential US senator has accused major registries and registrars including GoDaddy and Namecheap of facilitating Russian disinformation campaigns.
Senator Mark Warner, the Democrat chair of the Senate Select Committee on Intelligence, told registrars that “legislative remedies” may be required unless they “take immediate steps to address the continued abuse of your services for foreign covert influence”.
The threat came in letters sent to registrar groups Namecheap, GoDaddy, Cloudflare, NewFold Digital, NameSilo, and .com registry Verisign today.
Warner’s letters seem to have been inspired by Facebook owner Meta, perhaps the domain industry’s most prolific antagonist, and align closely with Meta’s views on issues such as cybersquatting and Whois access.
The criticisms also stem from a recent FBI seizure of 32 domains that were being use to proliferate fake news about the invasion of Ukraine and the upcoming US presidential election.
The Russian campaign, known as Doppelganger, used domains such as fox-news.in and washingtonpost.pm to trick visitor into thinking they were reading news sources they trust.
Warner tells the registrars (pdf) they have “ostensibly facilitated sustained covert influence activity by the Russian Federation and influence networks operating on its behalf”.
The main concern appears to be the lack of access to private information in Whois records. Warner’s list of industry sins includes:
withholding vital domain name registration information from good-faith researchers and digital forensic investigators, ignoring inaccurate registration information submitted by registrants, and failing to identify repeated instances of intentional and malicious domain name squatting used to impersonate legitimate organizations
Warner called for “immediate” action “to address the continued abuse of your services” as the US presidential election looms, and in its aftermath. Voters go to the polls November 5.
Former .co registry defeated in $350 million contract fix case
The Neustar spin-off that once operated the .co TLD reportedly has lost a case against the Colombian government in which it had sought $350 million in damages over the acrimonious renewal of its registry contract.
According to local reports, the International Center for the Settlement of Investment Disputes, part of the World Bank, last week ruled in favor of Colombia on both the merits and on jurisdictional grounds.
The case had been brought in late 2019 by Neustar, which at the time managed some 2.3 million .co domains, under government contract, via a Colombian subsidiary it acquired in 2014.
Neustar has since been acquired by GoDaddy, which continues to run .co, but the ICSID case was inherited by Vercara, the DNS security services arm of the company that GoDaddy didn’t buy.
As .CO Internet, Vercara was hired by Colombia to turn .co into a global alternative to .com with a much-hyped 2010 relaunch. It was very successful, but when it came time to renew the initial 10-year contract, Colombia instead put it out for rebid and started behaving very strangely.
You may recall from coverage here on DI and on The Register that the Colombian tender process seemed to have been specially constructed so that only Afilias, then Neustar’s fiercest rival and now part of Identity Digital, could win.
The government’s RFP had set technical thresholds, such as daily registry transactions, that Afilias could show it met but Neustar could not. It looked naive and arbitrary at best and dodgy at worst.
So Neustar took Colombia to arbitration with ICSID, saying (pdf) the government was in breach of the Trade Promotion Agreement between the US and Colombia.
Neustar ended up winning the contract anyway, albeit on terms that were massively more favorable to the government, and it sold its entire registry services business to GoDaddy days later.
Now, almost five years later, it seems Vercara has lost the case it inherited. While ICSID has not yet published its arbitration panel’s decision, local newspapers have got hold of a copy.
Colombia’s oldest newspaper, El Spectador, reports: “The court, in addition to stating that it does not have jurisdiction to hear Vercara’s claims, rejected all the claims on the merits.”
In unrelated news, Vercara’s recently announced acquisition by DigiCert closed yesterday.
GoDaddy likely to win relaxed .xxx deal
GoDaddy seems set to get a renewed and relaxed .xxx registry contract, after ICANN dismissed the concerns of critics of the deal.
In a much-delayed analysis of submissions to a recent public comment period, Org indicated that it is in favor of GoDaddy, via subsidiary ICM Registry, migrating to a Registry Agreement much more in line with sister gTLDs .porn, .adult and .sex.
That would mean an end to the “sponsored” status of .xxx, removing the largely pointless restrictions and streamlining the registration process, and the dissolution of IFFOR, the nominal sponsor, which was criticized by one commenter as a toothless “gravy train”.
Only nine comments were received, and views were mixed, but where commenters were critical of the proposed deal ICANN has stood firm.
Notably, Org dismissed the idea that a public comment period on a Registry Agreement renewal is an appropriate forum to question whether a signatory to that Registry Agreement has historically complied with its terms.
At least two commenters had raised issues, some of which I have reported, about whether ICM had stuck to promises related to funding IFFOR and whether IFFOR had stuck to promises to issue cash grants to worthy causes.
Commenters also said that ICM has already stopped verifying the identities of registrants in its made-up “sponsored community”, which would have enabled it to more easily tackle repeatedly abusive registrants.
But ICANN doesn’t think that kind of thing — which it files under “Misconceptions, assumptions, and allegations and claims” — is suitable for discussion in Public Comments.
“If there are concerns regarding ICM’s compliance with the .XXX RA, such concerns (if any) should be raised with ICANN Compliance for investigation and are considered outside of the scope of this Public Comment proceeding,” the analysis reads.
There’s also no need to replace ICM’s sponsorship commitments with Public Interest Commitments along the lines of those found in most post-2012 gTLDs, according to the Org analysis.
“ICANN has not identified a need to add further, new obligations for the operation of .XXX or to treat .XXX differently than other adult-themed gTLDs, particularly in light of the similar PICs that the .ADULT, .PORN, and .SEX gTLDs have utilized for approximately the last decade,” it reads.
The .xxx agreement was due to expire in early 2021, but its term has been repeatedly extended as negotiations continued behind the scenes. Likewise, the public comment analysis was originally due to be published in late May but was repeatedly delayed.
It’s now up to ICANN’s board of directors, which has already been briefed on the analysis contents, to approve the renegotiated deal.
Hackers break .mobi after Whois domain expires
It’s probably a bad idea to let a critical infrastructure domain expire, even if you don’t use it any more, as Identity Digital seems to be discovering this week.
White-hat hackers at WatchTowr today published research showing how they managed to undermine SSL security in the entire .mobi TLD, by registering an expired domain previously used as the registry’s Whois server.
Identity Digital, which now runs .mobi after a series of acquisitions, originally used whois.dotmobiregistry.net for its Whois server, but this later changed to whois.nic.mobi and the original domain expired last December.
WatchTowr spotted this, registered the name, and set up a Whois server there, which went on to receive 2.5 million queries from 135,000 systems in less than a week.
Sources of the queries included security tools such as VirusTotal and URLSCAN, which apparently hadn’t updated the hard-coded Whois URL list in their software, the researchers said.
GoDaddy and Domain.com were among the registrars whose Whois tools were sending queries to the outdated URL, WatchTowr found.
Incredibly, so was Name.com, which is owned by Identity Digital, the actual .mobi registry.
More worryingly, it seems some Certificate Authorities, responsible for issuing the digital certificates that make SSL work, were also using the old Whois address to verify domain ownership.
WatchTowr says it was possible to obtain a cert for microsoft.mobi by providing its own email address in a phony Whois record served up by its bogus Whois server.
“Effectively, we had inadvertently undermined the CA process for the entire .mobi TLD,” the researchers wrote.
They said they would have also been able to send malicious code payloads to vulnerable Whois clients.
While WatchTowr’s research doesn’t mention ICANN, it might be worth noting that the change from whois.dotmobiregistry.net to whois.nic.mobi is very probably a result of .mobi’s transition to a standardized gTLD registry contract, which requires all registries to use the whois.nic.[TLD] format for their Whois servers.
As a pre-2012 gTLD, .mobi did not have this requirement until it signed a new Registry Agreement in 2017. There are still some legacy gTLDs, such as .post, that have not migrated to the new standard URL format.
The WatchTowr research, with a plentiful side order of cockiness, can be read in full here.
Microsoft switches two gTLDs from GoDaddy to Nominet
Microsoft has moved two of its branded gTLDs from GoDaddy’s registry back-end to Nominet’s.
Records show that .skype and .office both recently made the switch.
Microsoft had already moved six TLDs — .azure, .bing, .hotmail, .microsoft, .windows and .xbox — from Verisign to Nominet about a year ago, and .skype and .office mean its whole collection is now on Nominet’s service.
While .office isn’t technically a dot-brand because it does not have a Spec13 exemption in its ICANN contract, it is in use — you can log in to your email and other services, at least for now, via www.office.
.skype, meanwhile, has a handful of domains that work as redirects to skype.com.
Four more dot-brands switch back-ends
Four dot-brand gTLDs have recently changed their back-end providers, according to the latest records, three moving away from Verisign.
US insurance company American Family Insurance has moved its .americanfamily and .amfam from Verisign to GoDaddy, as has AARP, a US interest group representing retired people, with .aarp.
Aquarelle.com Group, a French flower delivery company, has meanwhile switched from French ccTLD operator Afnic to London-based CentralNic (which is still Team Internet’s registry brand).
The AmFam moves are notable because while Verisign has for some time been getting out of the dot-brand back-end business, most of its clients have been migrating to Identity Digital.
I count seven gTLDs making the Verisign-GoDaddy switch, compared to 60 going Verisign-Identity Digital over the last couple years. Verisign is now down to a few dozen dot-brands.
The Aquarelle.com move is notable because it’s rare for a dot-brand to use a back-end in a different time zone that predominantly uses a different language, but Team Internet does have a footprint in France and other Francophone countries so it’s perhaps not wholly weird.
Three of the dot-brands are not heavily used — .aarp has three resolving domains that redirect to aarp.org, while .amfam has about 10 names in its zone that do not publicly resolve and .americanfamily has none.
You might infer from the name “Aquarelle.com” that the company is not a big believer in the dot-brand concept, but you’d be surprisingly wrong — .aquarelle has more than 50 domains that resolve to web sites without redirecting to traditional TLDs.
Pride fails to reverse gay domains decline
There are any number of ways gay people can express themselves during Pride, but buying gay-themed domain names doesn’t appear to be one of them.
Zone files show that the .gay gTLD lost over 700 domains in June, which is recognized in most Anglophone liberal democracies as Pride Month, to end the period with about 21,400 names.
Meanwhile, .lgbt lost about 80 domains over the same period, ending the month with about 3,700 domains in its zone.
The declines were not unique to June. Both gTLDs have been on the slide for a while, with .gay peaking at 29,761 domains last November and .lgbt peaking at about 3,930 in May 2023.
.gay is managed by GoDaddy, .lgbt by Identity Digital.
Bob Parsons publishes autobiography
GoDaddy founder and former CEO Bob Parsons has published his rags-to-riches autobiography, Fire in the Hole!
Subtitled The Untold Story of My Traumatic Life and Explosive Success, the book is co-written with jobbing celebrity biographer Laura Morton, who’s previously worked with GoDaddy-sponsored racing driver Danica Patrick.
It promises to detail “the exploits of his youth, his hellish days at the mercy of Catholic school nuns, his harrowing tour of combat duty in Vietnam as a US Marine, his pioneering contributions to the software and internet industries, and his latest ventures in power sports, golf, real estate, and marketing.”
“This is a story of how I started with absolutely nothing and made over $3 billion,” Parsons said in a press release.
Published yesterday by Forefront Books, it’s already ranked #1 in Golf Biographies on Amazon.
I’m going to wait for the paperback, so I can’t speak to its contents, but cover quotes reveal that Jada Pinkett-Smith, Rob Lowe and Nick Jonas all enjoyed it.
GoDaddy getting a free pass from porn jail?
ICANN has shirked its compliance duties and is handing GoDaddy a “Get Out of Jail Free” card with proposed changes to their .xxx registry agreement, according to critics.
A recently closed public comment period saw a mixed response from the community on whether GoDaddy should be allowed to throw out inconvenient and costly terms of its 10-year-old registry contract and operate .xxx more of less like any other open gTLD.
While the deal’s chief critic, consultant and former ICANN director Michael Palage, has made a detailed case explaining why he thinks the amendments should not go ahead, other commenters agree with GoDaddy that some of its stricter registration policies are no longer needed.
Tucows said that the current .xxx rules, which require registrants to verify their identities, are “cumbersome or non-transparent”, not only adding unnecessary friction to the registration path but also amounting to the “surveillance of sex workers”.
Palage managed to persuade the At-Large Advisory Committee to submit its own comments, in which ALAC claims that GoDaddy has already “walked away” from three important contractual commitments on registrant verification and abuse reporting “unilaterally and without consequence from ICANN Contractual Compliance”.
According to Palage, when GoDaddy acquired ICM Registry from MMX a few years ago it unilaterally decided to stop verifying the identities of its registrants and did away with the unique community membership IDs that enabled it to deactivate a registrant’s entire portfolio if it was found to be in breach of the rules by, for example, publishing child sexual abuse material.
ICM also stopped donating $10 for every registration to its oversight body, IFFOR, which in turn spent the money it did receive on director salaries rather than making cash grants to child protection causes, Palage says. I’ve previously gone into some depth on this.
“I am concerned that instead of ICANN compliance holding ICM Registry accountable to these representations, they’re essentially giving them a get out of jail card free and potentially removing the ability for third parties to hold ICM Registry accountable to those representations,” Palage said during a March presentation to the ALAC.
His draft comments for the ALAC were subsequently submitted under his own name; ALAC submitted a shorter, somewhat watered down version drafted by chair Jonathan Zuck.
But ALAC and Palage are in agreement that GoDaddy should have gone through the usual Registry Services Evaluation Process if it wanted to change the terms of its contract, and that the proposed amendments set a terrible precedent. ALAC wrote:
ALAC believes that commitments made in order to operate a TLD by a Registry Operator should be enforceable, subsequently implemented by the Registry Operator, and enforced by ICANN Contractual Compliance… The ALAC is concerned that the removal of commitments, through a contract renewal, could set a precarious precedent for non-compliance without repercussion for existing Registry Operators
The Business Constituency echoed ALAC’s concerns in its own comments, as did registry operator CORE Association.
Comments in favor of the .xxx amendments came from two veteran, dissenting voices from the At-Large community, Evan Leibovitch and Carlton Samuels. They said removing the extra requirements from the .xxx contract would reduce confusion and were worthless anyway:
Given the benefit of hindsight, the “Sponsored gTLD” program and designation have not on the whole provided any significant benefit to the Internet-using public. As such, we welcome the removal of this designation — and any associated extra contract requirements — from all applicable Registry Agreements going forward.
Tucows’ support for the amendments are based largely on what a pain in the neck it can be — for registrant and registrar — to register a .xxx domain. Its comments explain:
Currently, to register a .xxx domain, one must become a member of the Sponsored Community, which involves a separate application process to verify eligibility. This extra step is a barrier for those looking to quickly secure a domain. Additionally, the domain cannot resolve—meaning it cannot be used to host a website—without a valid Membership ID, which is only issued after this verification process… This activation involves additional interactions between the registry, the registrant, and the registrar. Additional steps in the registration process can be a significant deterrent as they introduce complexity and time delays.
I’m not really buying the “surveillance of sex workers” claim. Porn producers in many jurisdictions, including the US, already routinely verify the identities of their performers, and keep copies of their identity documents on file, as a legal requirement to ensure their employees are not underage.
ICANN is due to publish its summary of the public comment period by May 20.
How ICANN handles the renewal of and amendments to the .xxx contract will be interesting to watch. Will the Governmental Advisory Committee get a chance to weigh in before the deal is signed? Will the board pass a resolution, or will we see a repeat of the .org renewal debacle?
Recent Comments