CNNIC hit by “largest ever” denial of service attack

Chinese ccTLD operator CNNIC suffered up to half a day of degraded performance and intermittent accessibility yesterday, after being hit by what it called its “largest ever” denial of service attack.
CNNIC is one of ICANN’s three Emergency Back-End Registry Operators, contracted to take over the running of any new gTLD registries that fail. It’s also the named back-end for seven new gTLD applications.
According to an announcement on its web site, as well as local reports and tips to DI, the first wave of DDoS hit it at about midnight yesterday. A second wave followed up at 4am local time and lasted up to six hours.
According to a tipster, all five of .cn’s name servers were inaccessible in China during the attack.
Local reports (translated) say that many Chinese web sites were also inaccessible to many users, but the full scale of the problem doesn’t seem to be clear yet.
China’s .cn is the fourth-largest ccTLD, with close to 10 million domains under management.

Failures mount up as ICANN releases penultimate week of IE results

Eight new gTLD applications flunked Initial Evaluation this week, according to ICANN’s just-released results.
One of them, the Taipei City Government’s bid for .taipei, has been flagged as “Ineligible for Further Review” — the only application to receive such a status to date — suggesting it is fully dead.
But the full IE report delivered by ICANN says .taipei is actually “Eligible for Extended Evaluation”. It’s not clear right now which of these statuses is the correct one.
Its IE report says “the required documentation of support or non-objection was either not provided or did not meet the criteria” for Taipei’s bid to pass the Geographic Names Review.
While the city government seems to be the applicant, city bids also require national government support, which could be problematic given that the People’s Republic of China regards Taiwan as a province and the United Nations does not officially recognize it as a nation.
Also failing to receive a passing score this week was one of three bidders for the hotly contested gTLD .eco.
Planet Dot Eco failed on both its financial and technical questions, one of the first two applicants to suffer this double whammy. The other was Metaregistrar, which has just found out its app for .frl has failed on both counts.
The clothing retailer Express, noted for its failed Legal Rights Objection against Donuts, also failed its technical evaluation.
Express had a Verisign back-end, while Planet Dot Eco is using ARI Registry Services. Metaregistrar did not specify a third-party back-end provider in its application.
.olayan became the third application from the Saudi conglomerate Olayan Investments to fail because it did not provide its financial statements as required by the Applicant Guidebook.
.place, an application by 1589757 Alberta Ltd (‘DotPlace’) also failed to provide financial statements, as did the dot-brands .shaw, .alcon and .rexroth.
These applications received passing scores this week:

.mail .tech .kpn .play .weatherchannel .crown .aeg .statoil .app .cloud .honeywell .cruises .vig .netaporter .juegos .aramco .lamborghini .soccer .ping .surf .lol .gallo .parts .flowers .gree .webs .netflix .science .school .inc .rio .bbt .mutual .auspost .best .men .symantec .med .doctor .deals .insure .citadel .care .barcelona .racing .feedback .amfam .design .save .nhk .productions .forum .finish .spot .hitachi .web .dish .vistaprint .art .maison .properties .nissay .book .tiffany .haus .skin .hockey .phone .allfinanz .finance .通用电气公司 .手表 .電訊盈科 .珠宝 .ارامكو .hisamitsu .intuit .orientexpress .gecompany .team .church .panasonic .onyourside .ski

With only 141 applications left in evaluation, there’s only one week officially left on the IE timetable, though I expect ICANN will spend some time mopping up the stragglers afterwards.
There are 23 applications eligible for extended evaluation.

Bank takes blame for gTLD name collision

The Commonwealth Bank of Australia, which has applied for the new gTLD .cba, has told ICANN that its own systems are to blame for most of the error traffic the string sees at the DNS root.
The company wants ICANN to downgrade its gTLD application to “low risk” from its current delay-laden “uncalculated” status, saying that it can remediate the problem itself.
Since the publication of Interisle Consulting’s name collisions report, CBA said it has discovered that its own systems “make extensive use of ‘.cba’ as a strictly internal domain.”
Leakage is the reason Interisle’s analysis of root error traffic saw so many occurrences of .cba, the bank claims:

As the cause of the name collision is primarily from CBA internal systems and associated certificate use, it is within the CBA realm of control to detect and remediate said systems and internal certificate use.

One has to wonder how CBA can be so confident based merely on an “internal investigation”, apparently without access to the same extensive and highly restricted data set Interisle used.
There are many uses of the string CBA and there can be no guarantees that CBA is the only organization spewing internal DNS queries out onto the internet.
CBA’s comment is however notable for being an example of a bank that is so unconcerned about the potential risks of name collision that it’s happy to let ICANN delegate its dot-brand without additional review.
This will surely help those who are skeptical about Interisle’s report and ICANN’s response to it.

.vip and .now clear objections

The latest batch of Legal Rights Objection results has seen two proposed new gTLDs — .vip and .now — emerge unscathed from the objections phase of the new gTLD program.
There are six applications for .vip and one of the applicants, I-Registry, had filed LROs against its competitors.
Starbucks (HK), a cable company rather than a coffee chain, had also filed LROs against each of its five rivals for .now.
With yesterday’s decisions, all 10 objections have now been rejected.
In the case of .vip, every applicant wants to run it as a generic term, but I-Registry had obtained a European trademark on its proposed brand.
But Starbucks’ .now was to be a dot-brand reflecting a pre-existing mark unrelated to domain names. WIPO panelists found that trademark did not trump the proposed generic use by other applicants, however.
Both strings will now head to contention resolution, where an auction seems the most likely way to decide the winners.

New gTLDs: 23 community objections withdrawn

Almost a quarter of Community Objections against new gTLDs have been terminated without a decision, according to International Chamber of Commerce documentation.
The withdrawals leave the way open for the applied-for gTLDs .insure, .realty, .realestate, .cruises, .careers and .bio to proceed unencumbered by any objections at all.
In total 23 Community Objections, of the original 104 reported by ICANN, have been dropped. Two of the original 23 Limited Public Interest Objections have also been terminated, according to the ICC.
The terminated Community Objections seem to fall into a few categories.
Objections against applications for .autoinsurance, .carinsurance, .health, .mail and .patagonia appear to have been stopped because the applications themselves were withdrawn.
The Independent Objector, Alain Pellet, has withdrawn one Limited Public Interest — .health — and three Community objections — .patagonia, .indians, .hospital.
These seem to have been yanked due to either application withdrawals, matching objections filed by third parties, or by Governmental Advisory Committee advice.
Applications facing one fewer objection — but not zero objections — include those for .insurance, .broker, .hoteis, .hoteles, .health, and .kid.
GAC advice remains a concern for many of the affected applicants, even those that no longer face the uncertainty and expense of the objection process.
Donuts seems to have fared best from the terminations. Its .careers and .cruise bids seem to be the only ones to have emerged uncontested and with no outstanding objections or GAC advice.
The terminations were revealed in an updated list of objections published by the ICC on Monday.
The updated data is now indexed and searchable on the all-new, super-duper DI PRO Application Tracker.

Registrar rapped for failing to transfer UDRP domain

The domain name registrar Gal Comm has been warned by ICANN that it risks losing its accreditation for failing to transfer a cybersquatted name to Home Depot.
The compliance notice (pdf) concerns the domain name homedpeot.com, which was lost in a UDRP filed in early March and decided on April 21.
According to ICANN, Gal Comm, which has about 30,000 gTLD domains under management, failed to transfer the domain within 10 days of finding out about the decision, as required under the policy.
Whois records compiled by DomainTools show that the domain was instead deleted at in early April, and subsequently re-registered with a different registrar, where it’s currently under dubious-looking privacy.
According to the ICANN compliance notice, Gal Comm says that it deleted the domain because it received a Whois inaccuracy complaint about it.
Assuming that’s correct (and the Whois back in March was blatantly false) we have an interesting tension between policies that seems to have caused a slip-up at the registrar.
But registrars are supposed to lock domains they manage after they become aware of UDRP actions, so allowing the domain to delete seems to be a breach of the policy.
ICANN has given Gal Comm until September 10 to produce its records relating to the domain — and pay past-due accreditation fees — or face possible de-accreditation.
It’s very rare for ICANN to send compliance notices to registrars related to UDRP implementation.

String confusion in disarray as Demand’s .cam loses against Verisign’s .com

Demand Media is demanding an ICANN review of its objections policy, after its applied-for new gTLD .cam was beaten in a String Confusion Objection by .com registry Verisign.
A International Centre for Dispute Resolution panelist has ruled (pdf) that .cam and .com are too confusingly similar to coexist, meaning Demand’s bid for .cam must be rejected by ICANN.
But the ruling by Urs Laeuchli conflicts with two other ICDR panel decisions on .cam, which both found that the string is NOT confusingly similar to .com and therefore can be delegated.
So while Demand’s .cam bid, under a strict reading of the rules, is now supposed to be rejected, applications for identical strings filed by AC Webhosting and dotAgency can go ahead.
ICANN has been thrown a curve ball it is not yet fully prepared to deal with.
As Akram Atallah, president of ICANN’s Generic Domains Division, told DI last week, it’s possible that the policy or the implementation of that policy may need to be revisited by ICANN and the community.
United TLD, the Demand Media subsidiary that applied for .cam, is now calling for precisely that, with vice president of business and legal affairs Statton Hammock writing today:

String confusion objections are meant to be applicant agnostic and have nothing to do with the registration or use of the new gTLD. What matters in string confusion objections is whether a string is visually, aurally or, according to ICANN’s Applicant Guidebook, otherwise “so nearly resembles another that it is likely to deceive or cause confusion.” Individuals may disagree on whether .CAM and .COM are similarly confusing, but there can be no mistake that United TLD’s .CAM string, AC Webhosting’s .CAM string, and dotAgency Limited’s .CAM string are all identical. Either all three applications should move forward or none should move forward.

The .cam cases are not alone in presenting ICANN with SCO problems.
Last week, Donuts’ bid for .pets was ruled confusingly similar to Google’s .pet, despite previous ICDR cases finding that plurals and singulars are not too confusing to coexist.
Where the .cam panelists disagreed
While there were three .cam cases, two of them were decided by the same panelist. It seems that both panelists were provided with very similar sets of evidence in all three cases.
It’s relevant to note that neither panelist — unlike some of their colleagues in other cases — thought it was appropriate to apply trademark law such as the DuPont factors in their decisions.
They did, however, consider the expected use cases of .cam.
All three applicants take .cam as short for “webcam” or “camera” and would target registrants interested in those fields (a lot of the use will likely be pornographic — AC Webconnecting is a porn firm after all).
But all three applicants also want to run “open” gTLDs, with no registration restrictions.
ICDR panelist Murray Smith was in charge of both the AC Webconnecting and dotAgency cases. He addressed expected usage explicitly in dotAgency, and explained why:

It is not just the visual, phonetic and conceptual similarity between the words that must be taken into account. In my view the greater emphasis should be focused on the use of the disputed extensions in the context of modern Internet usage. It is this context that compels the conclusion that an average Internet user would not be confused and would know that a .com website is probably a commercial website while a .cam websites would be something more focused in a particular field.

In AC Webconnecting, he wrote:

I agree that a consumer would quickly realize that a .cam website is likely associated with photography or camera use and is different than a .com website in use generally by a myriad of commercial entities.

So he’s putting the “greater emphasis” on usage — a factor that is not explicitly mentioned in the Applicant Guidebook’s description of the SCO and which may quite often differ between applicants.
Right there, in Smith’s interpretation of his task, we have a reason why SCOs will produce different results for identical strings.
I find Smith’s thinking baffling for a couple of reasons.
First, “a consumer would quickly realize that a .cam website is likely associated with photography” seems to ignore the existence of a bazillion .com web sites that are also associated with photography.
When did “commercial entities” and “photography or camera use” become mutually exclusive? Is photographyblog.com not confusingly similar to photographyblog.cam?
Second, he ignores the fact that basically anyone will be able to register a .cam web site for basically any purpose. None of the applicants want to restrict the gTLD to camera-related stuff.
ICDR panelist Laeuchli, in the Demand Media .cam case, raised this precise point, saying:

“.com” and “.cam” would use the same channels appealing to a broad audience. Even though according to Applicant, its envisioned TLD will “likely appeal” to a specific audience, it plans to operate “.cam” as an open gTLD. This would lead to extensive overlap.

Panelist Smith has some other notions about confusion that seem to defy common sense. He wrote in the AC Webconnecting case:

The .com TLD is the most widely recognized string in the Internet world. No reasonable Internet user would fail to recognize the .com TLD. The very reputation of the .com name serves to limit the potential for an average Internet user to be confused by the proposed .cam TLD. It is indeed unlikely that an online consumer would confuse a .com website with a .cam website.

Does this not strike anyone else as bad thinking?
It seems to me to be a little like saying that it’s perfectly okay to market a brand of carbonated beverage called Cuke, because Coke is so famous that nobody could possibly be confused. I don’t know where the law stands on that issue, but I’m pretty sure Coke wouldn’t be happy about it.
There’s also some weirdness in Laeuchli’s decision in the Demand case.
He puts some weight on the similarity scores produced by the controversial Sword algorithm in his decision, but apparently without doing even the basic research. He writes in his findings:

No matter what the standards and purpose the ICANN SWORD algorithm includes, it has comparative value.
…
Since pairs such as “God” and “dog” (85%) reach similarity scores of 84% and higher, how much more similar would “cxm” and “cxm” be (x being replaced with a vowel)!

The answer is that, according to Sword, they’re less similar. Sword scores “cam” v “com” at 63%.
Laeuchli knows it’s 63%, because he makes reference to that fact in his summary of Verisign’s evidence. He doesn’t need to speculate about the number based on what “god” v “dog” scores (and if he did the “dog” v “god” query himself, why on earth didn’t he just query “com” v “cam” too?)
His finding that .cam and .com will cause probable confusion seems to be based largely on expert witness testimony provided by both Verisign and Demand, in which he found Verisign’s more persuasive.
This evidence seems to have largely comprised the opinions of linguists, examining mouth shapes and acoustic frequencies, and market research looking into internet user behavior. As none of it has been published, it’s difficult to judge which side had the better arguments.
But it’s undeniably about the similarity of the strings, rather than the proposed usage, which makes Demand Media’s statement today — that SCOs “are meant to be applicant agnostic and have nothing to do with the registration or use of the new gTLD” — quite confusing.
Demand lost its case based on the string similarity, whereas the other two applicants won theirs based on the usage.
Perhaps Demand senses that its .cam application will not be immediately rejected if ICANN reopens the debate about string similarity. If think it’s probably correct.

ICANN passes 92 new gTLDs

Ninety-two new gTLD applications received passing Initial Evaluation scores this week, as ICANN approaches the end of the long-running process.
With two weeks left on the official timetable, only 236 applications remain in IE. Another 1,574 have passed. With no failures this week, the number heading to Extended Evaluation remains at 14.
These are this week’s passing strings, with links to the corresponding application on DI PRO.

.villas .soccer .delivery .med .casino .sina .pamperedchef .case .weibo .kids .college .tech .newholland .life .yoga .world .barclaycard .report .casino .orange .shop .music .walter .srl .poker .shop .qtel .author .help .sap .consulting .starhub .stcgroup .stada .gives .srt .vuelos .zuerich .thd .vacations .taxi .pid .garden .news .industries .love .poker .taxi .express .athleta .pitney .phd .etisalat .mom .merck .earth .beer .safeway .actor .foundation .dclk .hamburg .home .studio .cologne .aquarelle .archi .kia .quest .buy .panerai .chat .band .spa .flickr .playstation .mobile .cash .jprs .saarland .kfh .condos .chintai .blog .cpa .sfr .sale .sky .erni .mih .visa .tickets

Uniregistry wins .gift and AOL yanks .patch bid

Three more new gTLD applications were withdrawn today, only one of which was related to this week’s previously reported batch of private auctions.
First, Famous Four Media has pulled out of the .gift race with Uniregistry, presumably after some kind of deal. They were the only two applicants, meaning Uniregistry wins the contention set.
Potentially complicating matters, there are also two applicants for .gifts — if the plural/singular debate is reopened, which seems possible after today’s events, it might not be over yet.
Second, AOL withdrew its application for .patch, which was to be a single-registrant space for its Patch-branded network of local web sites.
This seems to be connected to cost-cutting at AOL.
Last week, the company fired Patch’s creative director in front of 1,000 colleagues and announced it was cutting the number of sites in the network.
Today, it started laying off almost half of Patch’s 1,100 employees, according to the Wall Street Journal.
Third, Top Level Domain Holdings withdrew from the .guide contention set, leaving Donuts the winner — a formality following this week’s Innovative Auctions auction, which it lost.

Google beats Donuts in objection — .pet and .pets ARE confusingly similar

Google has won a String Confusion Objection against rival new gTLD applicant Donuts, potentially forcing .pet and .pets into the same contention set.
The shock ruling by International Centre for Dispute Resolution panelist Richard Page goes against previous decisions finding singulars and plurals not confusingly similar.
In the 11-page decision, Page said he decided to not consider the reams of UDRP precedent or US trademark law submitted by the two companies, and seems to have come to his opinion based on a few simple facts:

Objector has come forward with the following evidence for visual, aural and meaning similarity. Visually, the words are identical but for the mere addition of the letter “s”. Aurally, the word “pets” is essentially phonetically equivalent to the word “pet”. The term “pet” is pronounced as it is spelled, “pet”. The term “pets” is likewise pronounced as “pets” in essentially a phonetically equivalent fashion. The terms each have only one syllable, and they have the same stress pattern, with primary accent on the initial “pe” portion of the words. In commercial meaning, the terms show no material difference. As English nouns, “pets” is the pluralization of “pet”.
The visual similarity and algorithmic score are high, the aural similarity is high, the meaning similarity is high. Objector has met its burden of proof. The cumulative impact of these factors is such that the Expert determines that the delegation of <.pet> gTLD and the <.pets> gTLD into the root zone will cause a probability of confusion.

Page did take into account the similarity score provided by the Sword algorithm — for .pet and .pets it’s actually a fairly weak 72% — in his thinking on visual similarity.
But he specifically rejected Donuts’ defense that co-existence of plurals at the second level was proof that plural/singular gTLDs could also co-exist at the top-level, saying:

The rapid historical development of the Internet and the proliferation of domain names over the past two decades has taken place without the application of the string confusion standard now established for gTLDs. Therefore, the Expert has not considered the current coexistence of pluralized second-level TLDs or similarities between country code TLDs and existing gTLDs in the application of the string confusion standard in this proceeding.

Can: open. Worms: everywhere.
The decision stands in stark contrast to the decision (pdf) of Bruce Belding in the .hotel v .hotels case, in which it was found that the two strings were “sufficiently visually and audibly different”.
Likewise, the panelist in .car v .cars (pdf) found that Google had not met the high evidential bar to proving the “probability” rather than mere “possibility” of confusion.
One has to assume that the evidence Google submitted in .car is fairly similar to the evidence it submitted in .pets.
Are String Confusion Objections just a crap shoot, the outcome depending on which panelist you get? It’s probably too early to say for sure, but it’s looking like a possibility.
The big test will come with the next .pets decision. Afilias, the other .pet applicant, has also filed an SCO against Donuts over its .pets bid.
What if the panel in the Afilias case goes the other way? Will Donuts be in a contention set with Google and Afilias or won’t it?
I asked Akram Atallah, president of ICANN’s Generic Domains Division, about this yesterday and he said that ICANN basically doesn’t know, and that it might have to refer back to the community for advice.
Read the Atallah interview here and the .pets decision (pdf) here.