Friday, March 30, 2018

The .BMW new gTLD

While updating the CARS new gTLD report for the month of March 2018, I noticed that the .BMW new gTLD went from 53 ".bmw" domain names registered in February to 108 at the end of March.

From the examples that I tested, most are not redirections anymore but real websites such as: http://ratzel.bmw

Thursday, March 29, 2018

So you're a .GROUP of companies?

The word "group" is an English word and it has many meanings, but the first one that I think of is a group of companies (and not a music group). Wikipedia defines it as "a collection of parent and subsidiary corporations that function as a single economic entity through a common source of control". Good.


You are a .GROUP
I just tried a few French group names extracted from a list I found on the Internet and I added ".group" after each name to see if a domain name was in use. On the list below, I was surprised to see that many have registered their ".group" domain name.


On the results found:
  • some show the Registrar's parking page (instead of redirecting the domain name to their website);
  • some seem to have their name registered by a third party with an ugly parking page;
  • Groupe Dassault, Lagardère, Pernod Ricard and PSA are using a redirection to their main website;
  • Casino, Seb and LVMH seem squatted and parked on a "for sale" page;
  • Louis Dreyfus shows a page written in Chinese which says "This page appears because your site is closed. Please contact customer service" but when looking at the Whois database, it looks like the name was not registered by Louis Dreyfus...at all;
  • all other names were either not registered or show no content;
  • for one of them, the Whois shows: "The registration of this domain is restricted, as it is currently protected by a DPML Block.";
  • none of these groups uses a ".group" domain name to point to a website.
Be careful, you're not alone
I also tried a few other English and American group names and I noticed that many ".group" domain names were registered but...by other groups which have the same name and most of the time, in other countries. On the examples that I tried, most were short group names of three to four letters.

What's the idea here?
Companies like to secure their assets and it has now become a common practice to secure domain names in advance:
  1. The first idea is to say that modern groups should register their ".group" domain name because examples above can cost a lot in legal procedures when they have been squatted and probably much more when no prior right can be demonstrated (and that concerns short names).
  2. The second idea is to say that "things can change" and some companies become groups of companies later in their history: registering today is a way to secure the name for tomorrow when things have changed.
  3. Another idea is not to say that ".group" domains should be registered by all companies: for example, Jovenet Consulting is a small company and there is no plan to become a group so there is no reason to register such a domain name but the ".company" one maybe.
Internationalisation and English
Many companies have a website, and most of the time, the idea is to give the company an "international rayonnance" thanks to the Internet. Much of the content found online is not written in Portuguese, nor is it written in French: it is written in English (and in Chinese a little bit too). The word "group" is an English word so registering a ".group" domain name today is to me a good strategy for already existing groups but also...for upcoming groups of companies.
By the way, did you know that the ".group" domain name also exists in Chinese? It is the .集团 IDN new gTLD and it stands for "Corporate Group".

Added to the monthly new gTLD report
Once a month, we edit a new gTLD report entitled "Companies": this report lists new domain name registration volumes from extensions that we believe companies should secure their domain name with. We added the .GROUP new gTLD to the Companies new gTLD report at Jovenet Consulting. There are 62,000 ".group" domain names registered already. The March 2018 update is coming.

Monday, March 26, 2018

For .STEPHANE

I just learnt today that Stéphane Van Gelder passed away.

My friend Murielle called me.

Many of us in France have worked with and for Stéphane. I personally worked many years with Stéphane to launch new gTLDs at INDOM (which was then acquired by another company). He is the person who taught me everything that I did not know about domain names: he actually taught me that Verisign was a thin registry and not a thick one: I did not know the difference...

When I joined INDOM, years ago, he also was the first French guy to have delivered .BRAND new gTLD studies when we did not even know when the first round of the ICANN new gTLD program would start. Actually, we were very good at what we did but he was the guy to think years in advance.

Stéphane was a person of precision. I remember the number of times he asked me to re-write things because I would not have seen a mistake in a word or have missed an accent: I remember going to his office at Indom 10 times a day and getting back to mine ultra pissed because I would have missed a correction in a study.

...I don't really know what to write in such circumstances...

Today is a sad day.
    RIP Stéphane.

    More covers here and here.

    Good news for .BRAND new gTLD applicants

    Google Registrar is now in France and a few other countries. If this can be good news for registrants (the ones who buy domain names) then, what does it have to do with French .BRAND new gTLD applicants?

    Good question
    In fact, the good news relates to Nomulus, the backend registry solution also offered by Google. This information is important because Nomulus actually is the technical solution on which all Google new gTLDs are operated.

    OK, so what?
    .BRAND new gTLD applicants need a backend registry provider but also, a registrar solution to be able to create and setup their personalized domain names. Until very recently, French domain name registrants had no access to Google as a Registrar: a postal address located in the USA was requested prior to registering a domain name using a credit/debit card. This made it impossible to register a name using this registrar. Now, French residents...can register domain names at Google, which also means that .BRAND applicants could also use both solutions to operate their TLD and manage domain names: Nomulus and Google Domains.

    And then?
    Nomulus offers a direct access to Google Domains: in simple words, it means that there already is a footbridge allowing domains created in Nomulus to be managed using Google Domains: such solution using another backend registry wouldn't automatically allow a .BRAND applicant to manage his personalised domains using Google as his Registrar, this would need to be implemented.

    Other backend registries would probably answer that they're already connected to all other major registrars but...this is absolutely not required for a .BRAND new gTLD for which the most limited number of service providers is required to lower the price and go straight to the point: register personalized domain names. It is what I would want as a .BRAND new gTLD applicant.

    Come on, it can't be so simple
    As you can imagine, things can't be so simple because using the Nomulus solution is not (yet?) a service offered by Google and also, it requires a strong technical knowledge to operate the tool so unless Google decides to create an offer, which is a question that we already asked "Ben" last year (Ben is the person in charge of the Nomulus backend registry solution at Google), I see a limited number of .BRAND applicants with the capacity to operate their own backend registry solution using #Nomulus. Note that neither Amazon nor Microsoft has developed a backend registry solution to operate Top-Level Domains and neither of the two offers a registrar solution to its clients: both use an external backend registry provider to operate their .BRANDs.

    Conclusion
    Google is creative and has the capacity to offer clients the right solutions and since there is a strong demand for more .BRAND new gTLDs, I am confident that someone has already considered thinking about creating a complete .BRAND offer connected to Google Registrar: we are two years away (and possibly less for .BRAND applications) from the next round so there is still time...and actually, last time we asked Google the question was a year ago.

    Also, Google is the only Registrar to offer its free backend registry solution, hosted on its own Google Cloud solution: being myself a fully satisfied French G Suite client (another Google solution recently adopted by the 130,000 employees of Airbus SAS), I only see benefits in being able to control personalised .BRAND domain names from a single point of entry, as well as all of my other domain names. Note that this would require transferring domain names to Google Registrar.

    New gTLDs: homograph attacks on the rise?

    The problem with homograph attacks is that the more we talk about them, the more it gives ideas to fraudsters.

    Note that it is also - and I believe this strongly - a super fantastic way for security providers to scare their clients reminding them to buy their services because if they don't, the world will collapse ;-)

    Last May, I wrote (in a very limited English that only non-English speakers can understand) a post about it to explain what a homograph attack is.

    This morning, I read a new updated post, written in words that even I understand: it is entitled "Homographs, Attack!": it explains homograph attacks in simple words with cool designs. This is a good read and this is something that operators of large domain name portfolios should read too.

    Wednesday, March 21, 2018

    Phishing, Banks and .BRAND new gTLDs

    I recently tried to complain against a phisher using Register.it as the phisher's Registrar and I also followed a procedure at the ICANN to see if anything would happen, but, as expected, nothing happened: the ICANN created a case and offered to fill in another form and the Registrar did not even confirm he received my complaint. Note that I could also have complained at the Registry but I did not because...you know...time consuming?

    Another approach for Banks
    Below are examples of recent phishing emails I received in the name of a French bank. These are issues banks have to deal with on a daily basis and in volume: not only because it hurts their image but also because it causes serious problems to some of their customers. For these two reasons, and also because it is useless thinking that procedures exist at (some) Registrars to fight phishing, here is another approach banks can have to better protect their customers from phishing.

    Phishing is this:
    1. The end user receives an email with a fake link to click onto: the email says that it is sent from service@banquepopulaire.fr but it is not, and at this level, you cannot learn who is the sender (because it is so easy to send an email using a fake one).
    2. The link to click onto is either some text (ie: "Confirmer votre PassCyberPlus" in my case) or a link which looks like it is a known link (domain name) from our bank (ie: "www.banquepopulaire.fr"). In both cases, the link is a fake one, or an IP address (my case) offering to go to another website where the fraud is installed. Sometimes, it will ask for your login and password or it will try to automate the installation of a program to encrypt your hard drive (ransomware) or it will ask for more information.
    End users are more trained than before but...
    More end users receiving phishing emails do not click on their links anymore: they check before clicking. The real link appears at the bottom of the browser when hovering over it with the mouse (but not clicking), so they can learn if the email is legitimate or not. Phishing has now become so common that end users have become familiar with checking a link before they click. Note that it will still take a few more generations before phishing becomes completely useless.
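The check described above (compare what the link text shows with where the link really goes, then look at the domain ending) can also be run on the mail itself. The Python code below is an added example, not part of the original post: the sample email is constructed, `192.0.2.15` and `example.net` are documentation placeholders, and treating `banquepopulaire.fr` and the `.bpce` ending as the bank's own names is an assumption taken from the examples used in this post.

```python
"""Added example: audit the links of an HTML e-mail the way a careful reader
does when hovering over them. All sample data below is constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: names the bank declares as its own. "banquepopulaire.fr" and the
# ".bpce" ending come from the examples in this post, not from the bank.
TRUSTED_SUFFIXES = ("banquepopulaire.fr", "bpce")

# Constructed sample; 192.0.2.0/24 and example.net are reserved for documentation.
SAMPLE_EMAIL_HTML = """
<p>Cher client,</p>
<p><a href="http://192.0.2.15/cyberplus/">Confirmer votre PassCyberPlus</a></p>
<p><a href="http://banquepopulaire.fr.example.net/login">www.banquepopulaire.fr</a></p>
<p><a href="https://www.bred.bpce/contact"><b>Nous contacter</b></a></p>
"""

# A domain-looking token inside the visible link text (needs at least one dot).
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only keep text that sits inside a link
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(href):
    """Lower-cased host of a URL, or None when the link has no host."""
    try:
        host = urlsplit(href.strip()).hostname
    except ValueError:  # malformed URL
        return None
    return host.rstrip(".").lower() if host else None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def under_suffix(host, suffixes):
    """True only if host IS a trusted name or ends with '.' + a trusted name."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def strip_www(name):
    return name[4:] if name.startswith("www.") else name


def check_link(href, text, trusted=TRUSTED_SUFFIXES):
    """Return the list of findings for one link (empty list = nothing to report)."""
    host = host_of(href)
    if host is None:
        return ["no-host"]
    findings = []
    if is_ip_literal(host):
        findings.append("ip-literal")       # link goes to a bare IP address
    shown = DOMAIN_IN_TEXT.search(text)
    if shown and strip_www(shown.group(1).lower()) != strip_www(host):
        findings.append("text-mismatch")    # text shows one domain, href another
    if not under_suffix(host, trusted):
        findings.append("untrusted-host")   # not under the bank's own endings
    return findings


def audit_email(html, trusted=TRUSTED_SUFFIXES):
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return [{"href": h, "text": t, "findings": check_link(h, t, trusted)}
            for h, t in parser.links]


if __name__ == "__main__":
    for row in audit_email(SAMPLE_EMAIL_HTML):
        print(row["href"], "|", row["text"], "|", row["findings"] or "ok")
```

The suffix test compares the end of the host name, so a host that merely starts with the bank's domain (second sample link) is still reported.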

    Banks can fight phishing another way
    Trying to explain to their clients that they should be cautious with phishing is negative and trying to solve these problems with registrars, which often proves to be completely useless and endless, is a total waste of time. ICANN will answer that it has no responsibility in this, and Registries...well...try to complain at a registry and tell us more about your experience ;-)

    Another way for banks to fight phishing - and better protect their clients - is to "work on words": when building a website, navigation has to be simple, if there's more than two clicks to reach out to the information, you lose your reader. It is the same for banks' names: with too many names for branches, inline services, banks confuse their customers and that also leads them to click on the wrong link. Working on words is called branding. Banks want their clients to:
    1. Recognize their name;
    2. Go to the right website and not another.
    With dozens of subsidiaries, trademarks, legal entities, names and other brands, it is impossible for a Bank to gather under a same name and under the same domain name but using a .BRAND new gTLD is a solution to this with an enormous advantage: thanks to words, it reduces the risk of phishing and definitely kills any homograph attack in the egg. Here are the advantages of using a .BRAND domain name extension, instead of a ".com" or any other country code Top-Level Domain (a domain name extension for a country).

    The number one advantage to remember for a Bank is that when it controls the registration of its domain names, it also means that a phisher will never be able to register one of them: anyone can register a domain name ending in ".com", in ".fr" or any other domain name extension available to the general public: but not a ".brand".

    Let's talk about my own case, the "Banque Populaire" one
    When you hit "banque populaire" in Google, you get a full list of words: banque populaire, bred, bred banque populaire sa, groupe bpce, casden banque populaire, etc...there are dozens of names belonging to Banque Populaire and dozens of websites:
      1. How do you expect clients not to be confused when receiving an email about Banque Populaire? How does the bank ensure that its client knows if the bank's name and URL are legitimate?
      2. Can you imagine the pleasure a phisher can have when preparing an attack with such confusing information sent to this bank's clients: it's wonderland for phishers because the bank's client WILL be confused.
    Why it matters
    In terms of Branding
    Paying attention to the name and the URL clients will be sent to matters and, as I previously wrote, if it is impossible to gather under a same name and domain name, gathering under a same ".brand" name changes everything:
    1. In terms of trust for the client: all services from the bank will be easily identified behind an exact same domain name extension. For example:
      1. www.casden.bpce (or ".banquepopulaire")
      2. www.bred.bpce
      3. www.banquepopulaire.bpce
      4. etc...
    2. In terms of name for the Bank: the domain name extension becomes the seal which connects all services, trademarks, names, categories of clients, subsidiaries, branches, office locations, etc...to the same Bank. When seeing this seal, the client knows that he is on a website belonging to the bank: "can't be something else". Instead of using various confusing domain names (none of which can be certified by the bank), the ".brand" domain name extension simplifies it all for the client: when hovering over a hyperlink with his mouse prior to clicking, the ".brand" extension of the domain name is the seal that confirms that he can click.
    In terms of strategy (for the Bank)
    Things take time and don't expect a client to understand why a domain name using a ".brand" extension might be less risky for him to click onto, also expect things to be more confusing...in the beginning at least; things take time and explanation.

    Some banks have already migrated to their .BRAND new gTLD, there is even one in France: https://banqueentreprise.bnpparibas. Since 2012, 1,230 new domain name extensions have been created, and this also means:
    1. More confusion to consumers;
    2. More options for phishers to fool banks' clients;
    3. But also more training and adoption for users: the more new domain name extensions start to appear online, the more coming generations are used to them.
    There are today 490 ".brand" new gTLDs. They are trademarks that have acquired and signed an agreement with the ICANN to be granted the authorization to create and use their personalized domain names. It means that from an old and non-secure use of domain names, a few brands have already started to change to more secure strategies for the benefit of their clients: aren't Banks concerned...by security?

    Another alternative for Banks
    Banks are the only ones to have access to ".bank" domain names but in the case of a French bank, it does not match: you don't talk to French customers using an English web ending. Note that some French banks applied for a ".banque" new gTLD but then withdrew their application.

    Need help understanding all this? Contact Jovenet Consulting and ask for Jean.

    Recent phishing emails received




    Monday, March 19, 2018

    Coming soon: the .ICU Sunrise Period

    Domain names ending in ".icu" (instead of ".com") are coming to the market. The Sunrise Period was just announced and here is what the new gTLD application submitted to the ICANN says. According to the Applicant, the purpose of the TLD is explained below:
    1. Reflect and operate a distinctive that is aimed to identify the Applicant’s services (“ICU”) at the top level of the DNS’ hierarchy;
    2. Provide customers and other stakeholders of the One.com Group, including, subsidiaries, and their respective suppliers, sponsorships, and their respective directors, officers, employees, with a recognizable and trusted identifier on the Internet;
    3. Provide such stakeholders with a secure and safe Internet environment that is mainly under the control of the Applicant, the One.com Group and its subcontractors;
    4. Provide selected stakeholders in ‘ICU’ brands with the opportunity to create a secure and safe Internet environment that is to a large extent under control of the Applicant and⁄or such stakeholders.

    Looks like a .BRAND new gTLD
    Question 18/a from the application submitted to the ICANN generally reflects the purpose of the new gTLD and in this case, it clearly looks like the application was submitted for an internal purpose to the brand but the Sunrise Period is dated 24 April 2018 to 24 May 2018 with a Trademark Claims Period dated 29 May 2018 to 30 August 2018 with a Qualified Launch Program (QLP) dated 24 April 2018 to 17 May 2018 so unless I am wrong, .ICU domains should be made available for sale.

    The registry website is available here and this is the ICANN announcement.

    Friday, March 16, 2018

    New gTLDs: Adopted Board Resolutions

    At each ICANN meeting, working groups and the board gather to take decisions.

    This document is a long one to extract the information related to new gTLDs "only" but here is some of it. There is a lot about the CPE process (Community Priority Evaluation) but even if the document is entitled "adopted board resolution", I saw nothing "adopted". Note that the ICANN uses the word "resolve" but it does not necessarily mean that a case ends when it has been resolved. A good way to read this document in an efficient way is to use the search field of the browser and enter the word "Resolved". It is what I did and here is the result.

    I found adopted board resolutions for some Top-Level Domains, they are dated 15 March 2018 so I guess that they are of interest:
    1. On the Community Priority Evaluation:
      1. Resolved (2018.03.15.09), the Board concludes that, as a result of the findings in the CPE Process Review Reports, no overhaul or change to the CPE process for this current round of the New gTLD Program is necessary.
      2. Resolved (2018.03.15.10), the Board declares that the CPE Process Review has been completed.
    2. On .PERSIANGULF new gTLD:
      1. Resolved (2018.03.15.13), the Board directs the President and CEO, or his designee(s), to take all steps necessary to reimburse the GCC in the amount of US$107,924.16 in furtherance of the IRP Panel's Costs Declaration upon demonstration by the GCC that these incurred costs have been paid.
      2. Resolved (2018.03.15.14), the Board directs the BAMC: to follow the steps required as if the GAC provided non-consensus advice to the Board pursuant to Module 3.1 (subparagraph II) of the Applicant Guidebook regarding .PERSIANGULF; to review and consider the relevant materials related to the .PERSIANGULF matter; and to provide a recommendation to the Board as to whether or not the application for .PERSIANGULF should proceed.
    3. On .HALAL and .ISLAM new gTLDs:
      1. Resolved (2018.03.15.15), the Board accepts that the Panel declared the following: AGIT is the prevailing party in the Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. v. ICANN IRP; and ICANN shall reimburse AGIT the sum of US$93,918.83.
      2. Resolved (2018.03.15.17), the Board directs the BAMC to re-review the GAC non-consensus advice (as defined in Section 3.1 subparagraph II of the Applicant Guidebook) as well as the subsequent communications from or with objecting and supporting parties, in light of the Final Declaration, and provide a recommendation to the Board as to whether or not the applications for .HALAL and .ISLAM should proceed.
    All adopted board resolutions are available here.

    Wednesday, March 14, 2018

    ICANN Correspondence and new gTLDs

    There is a page on the ICANN website which lists all correspondences between complainants and the ICANN. It has become a reflex to check this page on a daily basis because this is where it becomes possible to follow up on problematic new gTLD cases. In 2018 some Top-Level Domain applicants already shared a lot of mails on .GAY - .MUSIC - .WEB - .WOMEN (this TLD does not exist but "hey") - .HALAL - .ISLAM and .CPA. The first correspondence is dated 1998.


    Other interesting links
    The "Litigation" link is also a good one to have a look at, they are litigation documents between parties and the ICANN. For example, it is where you can find documentation on the .AFRICA case (DotConnectAfrica Trust v. ICANN (Appellate Court Proceeding)), the .WEB case (Ruby Glen, LLC v. ICANN), etc...

    The Registry agreements link is one that is interesting too: the chronological listing makes it possible to see when something new happens to a new gTLD. For example, on 10 March 2018, ICANN and gTLD Limited entered into a Registry Agreement under which gTLD Limited operates the .INC top-level domain.

    For more new gTLD bookmarks, you can check this page at Jovenet Consulting.

    Tuesday, March 6, 2018

    New gTLDs offer more alternatives (and innovation)

    I went skiing and saw the ad below, it is an ad for a Land Rover offered at a car dealer whose name is Donnay with several garages around Barcelona, Spain. The ski resort I went to is an important one with many Land Rovers on display in the mountains so I checked if there was a ".donnay" new gTLD but found none. Anyway.


    I love .LANDROVER
    Prints are often where we add a domain name to offer potential clients to visit a website but on this one, I find the URL used a little "old fashioned" compared to what could have been done with a domain name ending in ".barcelona" or even better: ".landrover". I checked the ".landrover" new gTLD application and read:
    "The .landrover gTLD will provide an authoritative internet space for Land Rover, its affiliates and partners that are associated with the Land Rover brand. Second and third level domains can then be utilised for specific pages for Land Rover’s car models and dealerships, as well as for communication and marketing purposes, with internet users assured of brand authenticity".
    Unless I am wrong, or completely stupid, isn't it precisely what the ".landrover" new gTLD was created and paid for: "to provide an authoritative internet space for Land Rover, its affiliates and partners that are associated with the Land Rover brand"?

    Such great names could have been used: www.donnay.barcelona or www.donnay.landrover.


    We're still far away
    The .LANDROVER new gTLD was delegated in October 2015, almost 3 years ago, but it is still not used appropriately. It is also possible that the people in charge of communication with affiliates and partners don't know about the existence of such a tool.

    I personally find that such an opportunity to demonstrate innovation in branding is a missed one in such a crowded place like a ski resort. This also clearly demonstrates that we are still far away from having communication specialists to innovate using their .BRAND new gTLD. This also happens with many other .BRAND Top-Level Domains at the moment.

    For the record, there were 6,134 ".barcelona" domain names registered in February 2018 and 18 ending in ".landrover" in January 2018, down to 4 in February.

    Land Rover: wake up ;-)

    New gTLDs: overarching issues

    These are recent slides extracted from today's meeting. These topics will be discussed in the next ICANN meeting in Puerto Rico:

    Something written about the next new gTLD applicant guidebook's format (the famous AGB):
    Exciting, isn't it?
    :-)

    For action:
    1. Add to the slides for Council planning for PDP WG time at ICANN62 in Panama City.
    2. Take the list of topics in the Initial Report structure and send it to the WG in case we missed any topics.

    Notes:
    1. SOI Updates:  No updates.
    2. Work Track updates:
      1. Work Track 1:
        1. Going through all of the topics and trying to make sure we reflected feedback from the calls and the CC2 responses.
        2. Getting that text into the Initial Report.
        3. Call scheduled for 06 March is TBD.
      2. Work Track 3:
        1. Finished meetings and going through topics.
        2. Making sure we've captured all of the input.
        3. Putting the language into the Initial Report.
      3. Work Track 4:
        1. Looked at preparing text for the Initial Report.
        2. Discussed Registry Testing System.
        3. Preparing topics for Puerto Rico.
        4. Name Collisions also will be a topic.
        5. ICANN Board resolution on a longer term study.  See: Draft Project Plan for Name Collision Analysis: https://www.icann.org/public-comments/ncap-project-plan-2018-03-02-en
      4. Work Track 5:
        1. Going through the different categories of Geographic names in the Applicant Guidebook.  Identifying pros and cons.
        2. Looking at how we may want to consider doing the same thing in future or changing the AGB.  Addressing variations between the initial policy work and the final AGB content.
        3. Look at categories that were not in the AGB.
        4. Working Session dedicated to WT5 in San Juan on 14 March 0830.
    3. Review of suggested Initial Report structure/planning for ICANN61
      1. Slide 2: Initial Report
      2. Slide 3:
        1. Complete the Final Report by the end of 2018.
        2. For the Initial Report we are not doing consensus calls. We are putting options out for public comment.  Not the time to take a consensus call on one or more of the recommendations.
        3. Goal is to get out the Draft Initial Report out by the end of March and then have the WG review it in April.
        4. Thinking of changing the meeting schedule to meet every week to help with the review of the Initial Report, starting Monday, 26 March.
        5. In the planning for Panama we need to understand if the PDP WG will need a good chunk of the time at ICANN62.
      3. Slide 4: Work Track 1-4 and overarching issues.
      4. Slide 5:
        1. Overarching Issues and Work Track Topics.
        2. Options and open questions have not gone through a consensus call.
      5. Slide 6:
        1. Status Update Overview.
        2. Overarching Issues.
        3. Recommendations on 4 topics.
        4. Options/questions on 3 topics.
        5. Community Engagement: a lot of overlap with predictability or where we have tried to get feedback on this PDP.
      6. Slide 7:
        1. Status Update Drill-Down.
        2. Overarching Issues.
      7. Slide 8:
        1. Status Update Overview.
        2. Work Track 1.
    4. AOB: ICANN FY19 Budget:
      1. Only a short mention of the Subsequent Procedures PDP, but statement that there are no funds allocated for implementing any GNSO policy on subsequent procedures.
      2. FY19 goes from 01 July 2018 to 30 June 2019.
      3. If the Board waits until FY20 to allocate funds some think this could delay the launch of the next round.
      4. No time for this WG to file formal comments.
      5. PDP WG Co-Chairs may file individual comments.

    Structure of the Initial Report (chronological order):
    • Overarching issues
    • Foundational issues
    • Pre-launch activities
    • Application submission
    • Application processing
    • Application evaluation/criteria
    • Dispute proceedings
    • String contention resolution
    • Pre-delegation
    • Contracting
    • Post-delegation

    Monday, March 5, 2018

    Concern Over DNS Abuse: really?

    This is a recent letter sent to the ICANN from the Independent Compliance Working Party and focusing on DNS abuse. It is signed by Adobe Systems Inc. - DomainTools - eBay Inc. - Facebook, Inc. - Microsoft Corporation and Time Warner Inc.

    Useless?
    I particularly focused on this line saying: "The number of abused phishing domains in legacy gTLDs is mainly driven by the .com gTLD". After more than 30 years facing phishing, spam and malware...I really wonder "who" can still do anything about this.

    I sometimes write to Registrars, Registries and the ICANN about domain name owners doing phishing and I admit that I never - NEVER - had any of them act (ie: check the domain name and change its status to one that blocks the domain from harming consumers). Reading this letter, I see Trademarks seriously harmed by phishers and on the other side, I see organizations who won't act because a client is a client: phishers pay for their domain names. In France we have a saying: "pas vu pas pris".

    The letter:
    The undersigned global businesses and their customers depend upon the continuing security, stability and resiliency of the Internet, and thus have significant interests in domain name industry issues and outcomes. We are amongst the leaders in working to protect the interests of customers and those of the broader Internet from domain name system (DNS) abuse, in various ways. As long standing participants in ICANN- and industry-related conversations and policymaking, we are contacting you with our concerns about serious harm occurring to Internet users, and a request for action that we believe would serve the interests of the broader community.

    Under your direction, ICANN’s Compliance team has broadened the various forms of feedback it seeks from the broader community. This is much appreciated. Accordingly, we write with concerns that you and your department are in a position to help resolve.

    We commend ICANN for orienting its policymaking function towards a more data- and fact-based approach. This orientation of course depends on the availability of data and reports that provide an accurate view of the DNS and the impact of DNS abuse on stakeholders. While there is more data that needs to be collected and analyzed, it’s gratifying to see that ICANN Org is now in a better position to use and publish more widely available and reliable data to better evaluate DNS harm to users and more effectively exercise its responsibilities to help remedy ongoing harms.

    Specifically, ICANN and the community now have at their disposal published data--namely, the Statistical Analysis of DNS Abuse in gTLDs (SADAG) report and the ongoing Domain Abuse Activity Reporting (DAAR) System regarding rates of abuse in the DNS. These rates are regrettably showing stark increases and serious concentrations of abuse across legacy and new gTLDs, registries and registrars, and in the proliferation of spam, malware, phishing and other harms. For example, according to the Domain Abuse Activity Reporting (DAAR) System report:
    • The 25 most exploited TLDs account for 95% of the abuse complaints submitted to DAAR.
    • Five TLDs alone are responsible for more than half of abuse complaints.

    Additionally, according to the SADAG report:
    • The number of abused phishing domains in legacy gTLDs is mainly driven by the .com gTLD and at the end of 2016 represents 82.5% (15,795 of 19,157) of all abused legacy gTLD domains considered in this study.
    • …the five new gTLDs suffering from the highest concentrations of domain names used in phishing attacks listed on the APWG domain blacklist in the last quarter of 2016 collectively owned 58.7% of all blacklisted domains in all new gTLDs.
    • …we observe as many as 182 and 111 abused .work and .xyz domains, respectively. The results indicate that the majority of .work domains were registered by the same person. 150 domains were registered on the same day using the same registrant information, the same registrar, and the domain names were composed of similar strings. Note that only 150 abused domains, blacklisted in the third quarter of 2015, influenced the security reputation of all new gTLDs.
    • …the overwhelming majority of malware domains, which were categorized as compromised, belong to one of four new gTLDs: .win, .loan, .top, and .link (77.1%, which represents 19,261 out of 24,987 domains).

    You’ll agree these are troublesome statistics, and are antithetical to a secure and stable DNS administered by ICANN. We are alarmed at the levels of DNS abuse among a few contracted parties, and would appreciate further information about how ICANN Compliance is using available data to proactively address the abusive activity amongst this subset of contracted parties in order to improve the situation before it further deteriorates. Also, can ICANN provide any details as to whether the higher rates of abuse (as documented above by parties that appear not to be the subject of enforcement notices) correlate to specific breaches of the RA and RAA by the relevant contracted parties? Are there specific hurdles that Compliance perceives that inhibit enforcement activity against such contracted parties? Has ICANN prioritized its attention to compliance matters relating to such parties and does it have sufficient resources to handle them before they reach a new stage of criticality?

    Specifically, is Compliance more assertively applying Specification 11(3)(b) of the Registry Agreement, compelling offending registry operators to disclose actions taken against security threats? How is ICANN’s Consumer Safeguards effort playing a stronger role in determining new areas for compliance action?

    Not only do we look forward to hearing the details of ICANN Org’s comprehensive actions in this area, we seek, as an immediate and urgent matter, compliance action on the worst offenders in current ICANN reports.

    We also would like to know additional ways in which the undersigned parties could support ICANN in this broad endeavor. If helpful to develop steps forward, we welcome an in-person meeting with you, other relevant ICANN Org executives, and your staff.

    Over the long term, we suggest development of a data-driven roadmap for compliance based on key information and statistics. We encourage Compliance to consult with the wider community to help shape this data-driven roadmap, and we look forward to offering our further input. Thank you for your attention to this letter.

    Read the full letter here. (PDF Download)

    Thursday, March 1, 2018

    UPDATED: New gTLDs in your kids' future

    Many people remember the .NAME new gTLD which qualified for a first name or a surname. I bought one at the time, “just in case”, because the similar one ending in “.com” was not available and I thought that I’d find a use for it (different from a redirection).

    I checked my name in several new gTLD extensions and noticed that many first names have already been registered.

    When thinking about my kids’ future: isn’t it time to secure a good domain name for them?

    Available but Premium
    I bought my three kids their first name in a specific domain name extension but I will be honest in saying that the extension chosen was not exactly the one I wanted. The reason for this was that a domain name could be expensive to renew, year after year. I don’t know when (and if) my kids will want to use them one day so…price is important. Also, a first name has value: a lot of value because many people have the same name. When looking for common first names, you will notice that there are many that are available as “Premium domains” and so, at a higher price, for the reason I explained above.

    Cheap but in niche TLDs
    My name is “Jean” and this word has other meanings; it is also a short four-letter word, which makes it even more complicated to find an available domain name in most extensions, even in new domain name extensions except niche ones. Shall I register jean.online for €9,000 because it is a generic TLD? Clearly not. I went to my Registrar and I found some first names available for registration for €3,19 but in niche extensions that my kids will never use.

    For example, the “.bargains”, “.cash”, “.mba”, “.reisen” extensions and many others are extremely cheap to register and renewing the domain name is not so expensive but what is the point in registering my kids their first name in one of these extensions if they never use them?

    Your kids and the future
    I don’t know whether my kids will need a domain name in the future and, even if some ultra generic keywords will still be available in not so niche new gTLDs that could match with a business they might be interested in developing, I do not know either if their chosen business will match the generic domain name I chose for them. Hunting for their first name as a domain name is a good start I believe.

    From my searches - and I wanted to register my kids their domain name in the same extension - I realized that I am not the only person to be looking for first names in new gTLDs. I also realized that, when searching, there are still extremely good domain names to register for your kid(s). The ones I chose for mine are in the “.business” new gTLD.

    I often hear that people use applications more than they do websites; the future is in apps. Let’s say that this is a fact but when starting a business, you often need a name and this can be the application’s name: why not start with your family’s name or the first name of your kid as a domain name? The risk is low and purely financial (a few Euros) but the value could be extremely high in a few years...for your kids.
