Does Chehade agree with Donuts on .doctor?

Should governments have the right to force business-limiting restrictions on new gTLD operators, even though they don’t have the same rules in their own ccTLDs?
ICANN CEO Fadi Chehade evidently believes the answer to that question is “No”, but it’s what ICANN is controversially imposing on Donuts and two other .doctor applicants anyway.
Donuts recently filed a Request for Reconsideration appeal with ICANN over its decision to make the .doctor gTLD restricted to medical professionals only.
It was an unprecedented “Public Interest Commitment” demanded by ICANN staff in order to keep the Governmental Advisory Committee happy.
The GAC has been asking for almost two years for so-called “Category 1” gTLD strings — which could be seen to represent highly regulated sectors such as law or medicine — to see a commensurate amount of regulation from ICANN.
Governments wanted, for example, registrants to show professional credentials before being able to register a name.
In the vast majority of instances, ICANN creatively reinterpreted this advice to require registrants to merely assert that they possess such credentials.
These rules were put in registries’ contracts via PICs.
But for some reason in February the organization told Donuts that .doctor domains must be “ascribed exclusively to legitimate medical practitioners.”
According to Donuts, this came out of the blue, is completely unnecessary, an example of ICANN staff making up policy on the spot.
Donuts wants to be able to to sell .doctor names to doctors of any discipline, not just medical doctors. It also wants people to be able to use the names creatively, such as “computer.doctor” or “skateboard.doctor”.
What makes ICANN’s decision especially confusing is that CEO Fadi Chehade had the previous day passionately leaped to the defense of new gTLD registries in their fight against unnecessary GAC-imposed red tape.
The following video, in which Chehade uses .dentist as an example of a string that should not be subject to even more oversight, was taken February 11 at a Q&A with the Domain Name Assocation.
The New gTLD Program Committee meeting that authorized ICANN staff to add the new PIC took place February 12, the very next day. Chehade did not attend.

It’s quite remarkable how in line with registries Chehade seems to be.
It cuts to the heart of what many believe is wrong with the GAC — that governments demand of ICANN policies that they haven’t even bothered to implement in their own countries, just because it’s much easier to lean on ICANN than to pass regulations at home.
Here’s the entire text of his answer. He’s describing conversations he’d had with GAC members earlier in the week.

They’re saying stop all the Category 1 TLDs. Stop them. Freeze them!
And we said: Why do we need to freeze them? What’s the issue?
They said: It’s going to harm consumers.
How will it harm consumers? We started having a debate.
It turns out that they’re worried that if somebody got fadi.casino or fadi.dentist, to pick one of Statton’s [Statton Hammock, VP at Rightside, who was present], that this person is not a dentist and will pluck your ear instead of your teeth. How do you make sure they’re a dentist?
So I asked the European Commission: How do you make sure dentist.eu is a dentist?
They said: We don’t. They just get it.
I said: Okay, so why do these guys [new gTLD registries] have to do anything different?
And they said: The new gTLD program should be better or a model…
I said: Come on guys, do not apply rules that you’re not using today to these new folks simply because it’s easy, because you can come and raise flags here at ICANN. Let’s be fair. How do you do it at EU?
“Well, if somebody reports that fadi.dentist.eu is not a dentist, we remove them.”
Statton said: We do the same thing. It’s in our PICs. If fadi.dentist is not, and somebody reports them…
They said: But we can’t call compliance.
You can call compliance. Anyone can call compliance. Call us and we’ll follow up. With Statton, with the registrar.

What we have here is Chehade making a passionate case for the domain name industry’s right to sell medical-themed domain names without undue regulation — using many of the same arguments that Donuts is using in its Reconsideration appeal — then failing to show up for a board meeting the next day when that specific issue was addressed.
It’s impossible to know whether the NGPC would have reached a different decision had Chehade been at the February 12 meeting, because no formal vote was taken.
Rather, the committee merely passed along its “sense” that ICANN staff should carrying on what it was doing with regards implementing GAC advice on Category 1 strings.
While Chehade is but one voice on the NGPC, as CEO he is in charge of the ICANN staff, so one would imagine the decision to add the unprecedented new PIC to the .doctor contract falls into his area of responsibility.
That makes it all the more baffling that Donuts, and the other .doctor new gTLD applicants, are faced with this unique demand to restrict their registrant base to one subset of potential customers.

Identify.com terminated

ICANN has terminated the accreditation of defunct registrar Identify.com.
The company received its final compliance notice (pdf) last week and will lose its contractual ability to sell gTLD domains April 17.
Not that many will notice or care.
According to the notice, ICANN has been informed that the company is no longer in business.
Identify.com does not currently resolve to a web page, at least for me. According to registry reports, it had just six domain names under management in November.
Back in 2011, its DUM was measured in the low hundreds. Most transferred out or deleted in the meantime.
According to the notice, the registrar failed to provide information about its dealings with the owner of a specific domain name, patschool.com.
According to DomainTools, that domain has never been registered with Identify.com.
It’s ICANN’s third registrar termination in 2015.

Verisign adds 750,000 .com names instantly with reporting change

Verisign has boosted its reportable .com domain count by almost 750,000 by starting to count expired and suspended names.
The change in methodology, which is a by-product of ICANN’s much more stringent Whois accuracy regime, happened on Friday afternoon.
Before the change, the company reported on its web site that there were 116,788,107 domains in the .com zone file, with another 167,788 names that were registered but not configured.
That’s a total of 116,955,895 domains.
But just a few hours later, the same web page said .com had a total of 117,704,800 names in its “Domain Name Base”.
That’s a leap of 748,905 pretty much instantly; the number of names in the zone file did not move.
.net jumped 111,110 names to 15,143,356.
The reason for the sudden spikes is that Verisign is now including two types of domain in its count that it did not previously. The web page states:

Beginning with the first quarter, 2015, the domain name base on this website and in subsequent filings found in the Investor Relations site includes domains that are in a client or server hold status.

I suspect that the bulk of the 750,000 newly reported names are on clientHold status, which I believe is used much more often than serverHold.
The clientHold EPP code is often applied by registrars to domains that have expired.
However, registrars signed up to the year-old 2013 Registrar Accreditation Agreement are obliged by ICANN to place domains on clientHold status if registrants fail to respond within 15 days to a Whois verification email.
The 2013 RAA reads (my emphasis):

Upon the occurrence of a Registered Name Holder’s willful provision of inaccurate or unreliable WHOIS information, its willful failure promptly to update information provided to Registrar, or its failure to respond for over fifteen (15) calendar days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder’s registration, Registrar shall either terminate or suspend the Registered Name Holder’s Registered Name or place such registration on clientHold and clientTransferProhibited, until such time as Registrar has validated the information provided by the Registered Name Holder.

Last June, registrars claimed that the new policy — which came after pressure from law enforcement — had resulted in over 800,000 domains being suspended.
It’s an ongoing point of contention between ICANN, its registrars, and cops.
Verisign changing its reporting methodology may well be a reaction to this increase in the number of clientHold domains.
While its top-line figure has taken a sharp one-off boost, it will still permit daily apples-to-apples comparisons on an ongoing basis.
UPDATE:
My assumption about the link to the 2013 RAA was correct.
Verisign CFO George Kilguss told analysts on February 5.

Over the last several years, the average amount of names in the on-hold status category has been approximately 400,000 names and the net change year-over-year has been very small.
While still immaterial, during 2014, we saw an increase in the amount of names registrars have placed on hold status, which appears to be a result of these registrars complying with the new mandated compliance mechanisms in ICANN’s 2013 Registrar Accreditation Agreement or RAA.
In 2014, we saw an increase in domain names placed on hold status from roughly 394,000 names at the end of 2013 to about 870,000 at the end of 2014.

.tk registrar gets ICANN breach notice

OpenTLD, the registrar owned by .tk registry Freenon, has received an odd contract-breach notice from ICANN.
The company apparently forgot to send ICANN a Compliance Certificate for 2014, despite repeated pestering by ICANN staff.
It’s the first time I’ve seen ICANN issue a breach notice (pdf) for this reason.
A Compliance Certificate, judging by the 2013 Registrar Accreditation Agreement, seems to be a simple form letter that the CEO must fill in, sign and submit once a year.
Coming back into compliance would be, one imagines, five minutes’ work.
As well as being an ICANN-accredited registrar, OpenTLD is part of Freenom. That’s the registry that repurposes under-used ccTLDs with a “freemium” model that allows free registrations.
Its flagship, .tk, is the biggest ccTLD in world, with over 30 million active names.

ICANN slashes new gTLD revenues by 57%, forecasts renewals at 25% to 50%

ICANN has dramatically reduced the amount of revenue it expects to see from new gTLDs in its fiscal 2015.
According to a draft 2016 budget published this morning, the organization now reckons it will get just $300,000 from new gTLD registry transaction fees in the year ending June 30, 2015.
That’s down 75% from the $1.2 million predicted by its FY 2015 budget, which was approved in December.
Transaction fees are paid on new registrations, transfers and renewals, but only by gTLDs with over 50,000 billable transactions per year.
Today, only 14 of the 522 delegated new gTLDs have added more than 50,000 names. ICANN says that only 17 registries are currently paying transaction fees.
It’s not only the transaction fees where ICANN has scaled back its expectations, however.
The organization also expects its fixed new gTLD registry fees — the $6,250 each registry must pay per quarter regardless of volume — to come in way below targets.
The new budget anticipates $12.7 million from fixed registry fees in FY15, down 24% from the $16.7 million in its adopted FY15 budget.
This is presumably due to larger than expected numbers of would-be registries either withdrawing or dragging their feet in the path to delegation.
Registrar transaction fees are now anticipated at $1.1 million, compared to $2 million and $3.2 million predicted by the adopted and draft FY15 budgets respectively.
Taking all three revenue sources together, ICANN now expects new gTLDs to contribute just $14.1 million to its fiscal 2015 revenue, down 29% from the $19.8 million forecast in its adopted FY15 budget.
That’s down 57% from the $32.7 million in the original draft budget for the period.
The current budget assumes 15 million new gTLD registrations in the 12-month period, revised down from the 33 million domains predicted in its draft FY15 budget a year ago.
With just a few months left until the end of the fiscal year, there are currently fewer than 4.5 million domains in published new gTLD zone files.
ICANN plainly no longer expects new gTLDs to get anywhere close to 15 million domains.
Renewals expected to be weak, weak, weak
The organization is taking a conservative view about renewals for 2016.
The 2016 budget expects renewals at just 50% for regular gTLDs and 25% for registries — presumably ICANN has .xyz in mind — that gave away domains for free at launch.
That 50% is both ICANN’s “best” and “high” estimate. Its “low” estimate is 35% for non-free domains.
Obviously, 50% is a very low renewal number for any registry (70%+ is the norm). Even شبكة. (.shabaka) told us recently that 55% of its registrants are renewing before their domains expire.
Conversely, 25% may be a very optimistic number for free domains (when Afilias gave away free .info names a decade ago, almost all of them dropped rather than being renewed).
For fiscal 2016, which begins July 1, 2015, ICANN expects new gTLD revenue to be $24.1 million — about a quarter off its original plan for 2015.
That breaks down as $19.9 million from registry fixed fees, $2 million from registry transaction fees, and $2.3 million from registrar transaction fees.
ICANN said it is is assuming that it will start the year with 602 registries and end it with 945.
The proposed FY16 budget, now open for comment, can be found here.
For comparison purposes, the adopted FY15 budget is here (pdf) and the draft FY15 budget is here (pdf).

Here’s why trademark owners will think .sucks sucks

Vox Populi Registry is to launch its .sucks gTLD at the end of the month, and its plans are likely to piss off trademark owners no end.
As previously reported, the company has backpedaled on its idea of pricing its sunrise period names at $25,000 per name per year, but it’s introducing some new concepts that seem almost designed to get hackles up in the IP community.
From March 30 to May 29, any company with a trademark registered in the Trademark Clearinghouse will be able to buy their matching .sucks domains at sunrise for $2,499. That’s also the annual renewal fee.
It’s a tenth of the price previously touted, but still pretty steep even by sunrise standards.
Vox Pop isn’t doing anything particularly unusual with its sunrise, which is governed by policies closely regulated by ICANN.
But its big new idea is its “Sunrise Premium” list, a list of strings dominated by famous trademarks.
Vox Pop CEO John Berard told DI yesterday that the Sunrise Premium list has been compiled from strings registered or blocked in other TLDs’ sunrise periods.
While he declined to characterize it as a list of trademarks, he acknowledged that it will be trademark-heavy.
If your mark is on this list, you will never be able to get a .sucks domain at the regular general availability retail price of $249 a year. It will always be $2,499 a year.
Despite the name, Sunrise Premium names are only available during general availability, which begins June 1.
On the one hand, this mandatory premium pricing for the world’s most well-defended marks appears to have benefits for some trademark owners.
While Sunrise Premium names are not restricted to owners of matching marks, the $2,499 fee applies whether you’re the mark owner, a legitimate third-party registrant, or a cybersquatter.
So the high price looks like a deterrent to cybersquatting, suggesting that Vox Pop is fighting from the IP corner.
But then we discover that Sunrise Premium names will never be eligible for the .sucks “Block” service — similar to .xxx’s Sunrise B, a Block is a non-resolving registry reservation — which is expected to retail at a discounted $199 per year.
Berard said that the registry wants to encourage use.
“If you are on the Sunrise Premium list or want a premium name, those can’t be blocked,” Berard said. “It’s all part and parcel of us trying to put more power in the hands of individuals and to cultivate a commitment on behalf of the commercial world to participate in the dialogue.”
But the fact remains: if you have a track record of defensively registering your trademark, Vox Pop is essentially penalizing you with higher fees.
Feel those hackles rising yet?
Vox Pop’s stated goals are to give companies a way to manage customer feedback and individuals a way to exercise their rights to criticize.
“A company would be smart to register its name because of the value that consumer criticism has in improving customer loyalty, delivering good customer service, understanding new product and service possibilities,” Berard said.
“They’re spending a lot more on marketing and customer service and research. This domain can another plank in that platform,” he said. “On the other hand, we also want to make sure that these names are also accessible to individuals who have something to say.”
Companies on the Sunrise Premium list have an additional thing to worry about: the .sucks Consumer Advocate Subsidy, which will bring the price of a .sucks domain down to $9.95 per year.
The subsidy will only be available to registrants unaffiliated with the trademark-owning company, and they’ll have to direct their domains to a discussion forum platform called Everything.sucks.
Berard said Everything.sucks will be operated by a third party, but could not yet disclose the details.
The subsidy program will be available on regular and Sunrise Premium names, but not Sunrise names. It is not expected to launch until September.
It’s not yet clear how flexible and configurable the service will be.
It seems likely that if somebody wants to write a blog, say, criticizing a certain company, product, service or public figure, they will incur the usual $249 annual reg fee.
It’s not exactly “free” speech.
On the whole, the finalized policies and fees may look like they’re specifically designed to irk the IP lobby, but they do seem to be aligned with Vox Pop’s mission statement.
If you’re of the view that trademark owners should have the sole right to use the string matching their mark as a domain name, you’re likely to be unhappy with what Vox Pop is doing.
If, on the other hand, you’re an advocate of the right of every free person to stick it to The Man, you may view the policies more favorably.
Either way, it could be a money-spinner for Vox Pop.
I’m expecting .sucks to be only the third new gTLD to top 1,000 sunrise registrations (assuming .porn and .adult will be the first).
Assuming the registry’s slice of the $2,499 fee is over $2,000, the company is looking to clear in excess of $2 million in annually recurring sunrise revenue alone.

Rightside to release 20,000 two-character domains

A week from now, new gTLD registry Rightside is to release over 20,000 two-character domain names.
The releases will come across all of its delegated gTLDs, but exclude letter-letter combinations.
Only letter-number, number-letter and number-number combinations will be available, following ICANN’s partial lifting of the ban on two-character domains back in December.
Strings such as “a1”, “2b” and “69” will presumably become available.
Rightside said the domains will be sold on a first-come, first-served basis, with prices ranging from $200 to $50,000.
The registry has almost 30 delegated new gTLDs, including .auction, .software, .lawyer, .sale and .video.
If you’re interested, set your alarms for 1700 UTC on March 18. That’s when all 20,000 drop.
Two-letter domains are still reserved, pending the outcome of ICANN’s government-delayed release process.

Donuts bought .reise

Donuts has been confirmed by a German news site as the new owner of .reise, which was auctioned by its previous owner last week.
It was the first time a live gTLD had been sold at auction.
The deal, which is believed to have cost Donuts at least $400,000, means the company now owns .reise and .reisen.
Both mean “.travel”. According to my GCSE German skillz, last exercised 22 years ago, .reisen is a verb and .reise is a noun, but .reisen is also the plural of the noun .reise.
I believe this means that Donuts is the first company to own both the plural and singular forms of a new gTLD string.
Heise Online reports that former registry Dotreise was forced to sell up due to competition from Donuts.
Donuts’ .reisen has over 4,000 names in its zone file, compared to .reise’s 1,300. It’s a small market so far, but Donuts has the lion’s share.
The article notes that Donuts got a better position in ICANN’s prioritization draw in late 2012, meaning it got to market slightly earlier. Donuts also sells for a much lower price.
I doubt time to market was as much of a factor as price.
But it might be interesting to note that while Donuts’ advantage was just six days in terms of contract-signing, that lead had been extended to six weeks by the time .reise was delegated.
Donuts, which has more experience than any other company when it comes to the transition to delegation process, managed to hit general availability two weeks sooner than .reise, even though Donuts’ sunrise period was twice as long.

ICANN wins .hotels/.hoteis confusion appeal but has to pay up anyway

The proposed new gTLDs .hotels and .hoteis are too confusingly similar to coexist on the internet.
That’s the result of an Independent Review Process decision this week, which denied .hotels applicant Booking.com’s demand to have ICANN’s string confusion decision overturned.
But the IRP panel, while handing ICANN a decisive victory, characterized the string confusion and IRP processes as flawed and said ICANN should have to pay half of the panel’s $163,000 costs.
Booking.com filed the IRP a year ago, after the new gTLD program’s String Similarity Panel said in February 2013 that .hotels was too similar to rival Despegar Online’s proposed .hoteis.
.hoteis is the Portuguese translation of .hotels. Neither string was contested, so both would have been delegated to the DNS root had it not been for the confusion decision.
In my view, the String Similarity Panel’s decision was pretty sound.
With an upper-case i, .hoteIs is virtually indistinguishable from .hotels in browsers’ default sans-serif fonts, potentially increasing the ease of phishing attacks.
But Booking.com, eager to avoid a potentially costly auction, disagrees with me and, after spending a year exhausting its other avenues of appeal, filed an IRP in March 2013.
The IRP decision was handed down on Tuesday, denying Booking.com’s appeal.
The company had appealed based not on the merits of the SSP decision, but on whether the ICANN board of directors had acted outside of its bylaws in establishing an “arbitrary” and opaque SSP process.
That’s because the IRP process as established in the ICANN bylaws does not allow appellants to changed a decision on the merits. IRP panels are limited to:

comparing contested actions of the Board to the Articles of Incorporation and Bylaws, and with declaring whether the Board has acted consistently with the provisions of those Articles of Incorporation and Bylaws.

The IRP panel agreed that the SSP process could have been fairer and more transparent, by perhaps allowing applicants to submit evidence to the panel and appeal its decisions, saying:

There is no question but that that process lacks certain elements of transparency and certain practices that are widely associated with requirements of fairness.

But the IRP panel said Booking.com was unable to show that the ICANN board acted outside of its bylaws, highlighting the limits of the IRP as an appeals process:

In launching this IRP, Booking.com no doubt realized that it faced an uphill battle. The very limited nature of the IRP proceedings is such that any IRP applicant will face significant obstacles in establishing that the ICANN Board acted inconsistently with ICANN’s Articles of Incorporation or Bylaws. In fact, Booking.com acknowledges those obstacles, albeit inconsistently and at times indirectly.
…
Booking.com has failed to overcome the very obstacles it recognizes exist.

The IRP panel quoted members of ICANN’s New gTLD Program Committee extensively, highlighting comments which questioned the fairness of the SSP process.
In contrast to usual practice, where the losing party in an IRP bears the costs of the case, this panel said the $163,000 costs and $4,600 filing fee should be split equally between ICANN and Booking.com:

we can — and we do — acknowledge certain legitimate concerns regarding the string similarity review process raised by Booking.com, discussed above, which are evidently shared by a number of prominent and experienced ICANN NGPC members.
…
In view of the circumstances, each party shall bear one-half of the costs of the IRP provider

Booking.com and Despegar will now have to fight it out for their chosen strings at auction.
The full decision can be read in PDF format here. Other documents in the case can be found here.
The TL;DR version: ICANN wins because it has stacked the appeals deck in its favor and the IRP process is pretty much useless, so we’re going to make them pay up for being dicks.

More security issues prang ICANN site

ICANN has revealed details of a security problem on its web site that could have allowed new gTLD registries to view data belonging to their competitors.
The bug affected its Global Domains Division customer relationship management portal, which registries use to communicate with ICANN on issues related to delegation and launch.
ICANN took GDD down for three days, from when it was reported February 27 until last night, while it closed the hole.
The vulnerability would have enabled authenticated users to see information from other users’ accounts.
ICANN tells me the issue was caused because it had misconfigured some third-party software — I’m guessing the Salesforce.com platform upon which GDD runs.
A spokesperson said that the bug was reported by a user.
No third parties would have been able to exploit it, but ICANN has been coy about whether any it believes any registries used the bug to access their competitors’ accounts.
ICANN has ‘fessed up to about half a dozen crippling security problems in its systems since the launch of the new gTLD program.
Just in the last year, several systems have seen downtime due to vulnerabilities or attacks.
A similar kind of privilege escalation bug took down the Centralized Zone Data Service last April.
The RADAR service for registrars was offline for two weeks after being hacked last May.
A phishing attack against ICANN staff in December enabled hackers to view information not normally available to the public.