Threat Intelligence Blog

There are only a few days left to make a difference regarding the future of online corporate identity. December 15, 2008 is the revised deadline to submit comments to ICANN (the Internet Corporation for Assigned Names and Numbers) regarding the proposed application guidelines for the recently approved gTLD (generic top-level domains) policy. This affects all of us and the impact is potentially far-reaching and permanent.

ICANN, the governing body for policy setting and management of Internet domains, recently adopted a new policy to allow virtually unlimited gTLDs. For example, in place of “.com”, “.org” or “.net”, you could register domains that end in your own company name or brand: Cyveillance could register “.cyveillance” as its gTLD. ICANN has promoted this new policy in the name of innovation, choice and change on the Internet. However, after close review and consultation with our own subject matter, fraud and legal experts, Cyveillance believes these new options pose no real benefits to our clients or their customers and, in reality, would expose them to significant online risks and serious loss of brand equity, and would undermine online consumer confidence worldwide.

As ICANN moves toward implementation and outlines its processes and procedures, it is readily apparent to Cyveillance that there are serious and dangerous flaws in its approach. Close scrutiny of the proposed procedures reveals:

1) little to no protection for global trademark holders;
2) excessive administrative costs for applicants;
3) virtual total control by ICANN with no accountability;
4) exposure to increased fraud and legal liabilities for brand owners; and,
5) easy access to and control of core Internet infrastructure components for unscrupulous entities, which ultimately threatens Internet commerce around the globe.

The following are some major concerns Cyveillance has with the proposed implementation of the ICANN policy:

  • The gTLD application fee will be $185,000.00 for a single gTLD, and it must be acknowledged that it is only “to obtain consideration” of an application and offers no guarantee that the application would be granted (the cost of registering a “dot com” domain is approximately $20). Given that there are currently over 180 million .com domains, the total potential revenue to ICANN could be in the trillions of dollars. If only the Global 2000 applied, the administration cost alone (using ICANN’s own estimates) would be $370 Billion. Note that this estimate would only cover their corporate name, not their individual brand names or any other variation of the brand needed to protect them from cybersquatting or typopiracy.
  • The proposed gTLD guidebook provides that any community-based applications will take priority in the proposed application process. Enterprises and companies would have little recourse in acquiring gTLDs containing their own company or brand names. For example, if the International Brotherhood of Magicians (http://www.magician.org) wanted to register “.IBM” according to the proposed procedures, they would potentially have priority over “.IBM”, not IBM Corporation. This outcome would not only cause market confusion but would lay the foundation for potential fraud targeting consumers worldwide.
  • If no community-based applications are presented, contention among other enterprises competing for a gTLD could be resolved either between the competing parties or through an auction process (the one offering the most money wins). There is no guarantee that the most appropriate trademark owner would retain a gTLD containing their brand name.
  • When objections arise, ICANN has devised a process whereby any dispute will be decided by a single arbitrator appointed by WIPO (World Intellectual Property Organization), with preference given to the community-based applicant. There is a very serious potential legal problem in giving ultimate decision-making authority to a single arbitration panelist appointed by an outside body. A process called “DRSP” (Dispute Resolution Service Provider) – a new form of a UDRP (Uniform Domain-Name Dispute-Resolution Policy, formed by ICANN) – can be filed and ICANN will appoint a single arbitration panelist to make the final determination.
  • However, the arbitration panelist’s decision will be final and will require all applicants to waive all legal rights, including the right to bring suit to overturn arbitrary or groundless decisions by a panelist. These arbitration decisions have the force of law and cannot be appealed. ICANN would have complete authority and brand owners would have little or no ability to object. It also puts ICANN in the position of being an international governmental body – executive, legislative and judicial, all wrapped up in one.
  • Also, very importantly, ICANN is considering registry-registrar cross ownership. For instance, a large corporation like IBM could select a company to manage their .IBM gTLD and they would act as manager of the domain (both registrar and registry). This could be easily exploited by fraudsters and criminal syndicates that could control the Registry/Registrar/ISP chain, thereby making it nearly impossible to take a fraudulent site down and leaving the affected company little recourse.
  • There are no mechanisms in place to ensure that a company awarded the registry/registrar application will have the resources (knowledge, technology and capital) to ensure the reliability and availability of the gTLD. For example, registry standards require six 9’s, i.e. 99.9999% reliability, availability, etc. A lack of such resources could easily degrade the performance and accessibility of all sites falling under certain new gTLDs. The result could affect both the performance and security of not only a web site but also email, applications and all infrastructure related to the new gTLD.
  • The potential for fraud is unlimited – organized criminal entities would have an equal opportunity to apply for these domains throughout this process. It will be even more difficult for companies to protect their customers from fraud through the use of their brand, and companies could become the victims of extortion by those who would hold the gTLD (with their legal trademark) for ransom. It will create unprecedented confusion in the consumer market, where a consumer will be unable to distinguish which is the VALID domain: IBM.com/Sales or Sales.IBM.
  • Many large companies spend millions of dollars to manage their other domains. As a defensive tactic, these companies have purchased hundreds and possibly thousands of domains, mostly to simply protect their trademarks and brands. This new ICANN policy will not eliminate the need for defensive registrations as some have claimed, but will actually increase the need, adding significant management time and expense to fully protect their brand and their customers.

Cyveillance is not a registry or registrar and we do not receive any direct benefit regardless of the success or failure of this new policy. At Cyveillance our highest priority is to protect our clients and their brands from online threats.

Corporations and their brands will always need protection from unauthorized use, and therefore we will continue to work on our clients’ behalf to patrol the open source Internet as it continues to evolve. We believe that this new ICANN policy, once implemented, would have the potential to be extremely damaging and ultimately irreversible.

We highly recommend that you read through these issues and learn more about them. You can go to http://www.icann.org/en/topics/new-gtld-program.htm to learn the full details of the program, and we strongly encourage you to share this with the appropriate affected groups in your company.

For greater impact, we also strongly encourage you to submit your comments directly to ICANN. You can find the instructions on how to submit comments here: http://www.icann.org/en/topics/new-gtlds/comments-en.htm
