CircleID posts

Research Group Releases International Law on Cyber Warfare Manual

Wed, 2013-03-20 20:11

Tallinn Manual on the International Law Applicable to Cyber Warfare
Paperback / ISBN:9781107613775
Publication date: March 2013

The newly released handbook applies the practice of international law with respect to electronic warfare. The Tallinn Manual on the International Law Applicable to Cyber Warfare — named for the Estonian capital where it was compiled — was created at the behest of the NATO Co-operative Cyber Defence Centre of Excellence, a NATO think tank. It takes current rules on battlefield behaviour, such as the 1868 St Petersburg Declaration and the 1949 Geneva Convention, to the internet, occasionally in unexpected ways.

"The product of a three-year project by twenty renowned international law scholars and practitioners, the Tallinn Manual identifies the international law applicable to cyber warfare and sets out ninety-five 'black-letter rules' governing such conflicts. It addresses topics including sovereignty, State responsibility, the jus ad bellum, international humanitarian law, and the law of neutrality. An extensive commentary accompanies each rule, which sets forth the rule's basis in treaty and customary law, explains how the group of experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to each rule's application."

Related Links:
First cyber war manual released The Age, Mar.20.2013
Tallinn Manual on the International Law Applicable to Cyber Warfare Cambridge University Press

More under: Cyberattack, Law, Policy & Regulation

Categories: Net coverage

IPv6: SAVA, Ca va pas?

Tue, 2013-03-19 23:28

Sender Address Validation and Authentication (SAVA) is the silver bullet. It will send to Cyberia all dark forces that make us shiver when we make a purchase on the internet, pose a threat to our very identities and have made DDoS a feared acronym.

Some of you will remember the heated debates when Calling Line Identification (CLID) was first introduced in telephony. Libertarians of all stripes called passionately to ban such an evil tool threatening our most precious civil liberties like the impunity of calling home from the bar, pretending to be still at work or with a customer. Today everybody welcomes the decline of crank and obscene calls even if telemarketers can continue to be a nuisance. Will SAVA be for the internet what CLID was for telephony?

One of the beauties and at the same time a source of potential vulnerability of the internet design is that it forwards packets connectionless, hop by hop, based on the destination address. This has proven a cornerstone of the amazing resiliency and scalability of the internet. The flip side is that this makes the blue box offspring, address spoofing, more prevalent. From making occasional free calls in the 'telephony era', internet address spoofing now substitutes legitimate source addresses to fraudulently obtain personal information from unsuspecting end-users or wreak havoc flooding network hosts, DNS systems and even networks with DDoS attacks. So much so that a number of ISPs now offer 'scrubbing services' to their customers. Zacks Investment sees Cyber Security firms as a major investment opportunity. This is surely a growing and lucrative market segment; I might follow their advice.

SAVA was first presented at an IEEE conference in 2007 and subsequently proposed as an RFC to the IETF in 2008 with Tsinghua University of Beijing as lead author. The paper addressed the need for source address verification on the access network, intra-AS within a network, and inter-AS between networks across BGP boundaries. This led to the creation of a quite active IETF working group called SAVI to tackle the subject. An informational draft issued this February provides a good overview of a variety of 'attack vectors' and threats. How fast some of these RFCs will be completed and approved and, more importantly, implemented remains however an open question.

China has reported that it is experimenting with a SAVA implementation in its CNGI (China Next Generation Internet) IPv6 only based R&E network, in no less than the United Kingdom's prestigious Philosophical Transactions of the Royal Society. This has in turn triggered some activity in the blogosphere ranging from more factual to a bit more alarming. Concluding yet again that China is light years ahead of the United States in IPv6 deployment remains questionable however. While CNGI has without question been the benchmark for native IPv6 deployment for many years in a Research and Education Networking environment, China has been really lagging so far in the commercial deployment of IPv6. They obviously bide their time.

While some will argue that SAVA would undermine their civil liberties and individual freedom especially when they prefer anonymity in whatever they are doing on the internet and others will see it as another step to big brother watching us, the need for better security is undeniable and even more urgent as we accelerate towards a mobile broadband data environment. IDC predicts that, this year, smartphone sales will for the first time surpass feature phones. Mobile operators enjoy usage based services and billing; to correctly identify the source will always remain essential to revenue generation and corporate wellbeing. And what would the impact be of a DDoS attack choking a major LTE network?

Major ISPs and mobile operators might want to track SAVA more closely; ça va ou ça va pas?

Written by Yves Poppe, Director, Business Development IP Strategy at Tata Communications

More under: DDoS, DNS Security, IPv6, Security

Categories: Net coverage

Google Announces DNSSEC Support for Public DNS Service

Tue, 2013-03-19 22:13

Google today announced that its "Public DNS" service is now performing DNSSEC validation. Yunhong Gu, Team Lead for Google Public DNS, wrote in a post today:

"We launched Google Public DNS three years ago to help make the Internet faster and more secure. Today, we are taking a major step towards this security goal: we now fully support DNSSEC (Domain Name System Security Extensions) validation on our Google Public DNS resolvers. Previously, we accepted and forwarded DNSSEC-formatted messages but did not perform validation. With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains."

More under: DNS, DNS Security, Security

Categories: Net coverage

gTLD Applicant Strategy: 2013 The Make or Break Year for Applicants

Tue, 2013-03-19 17:05

Do you agree this is a critical time for many of the original 1930 applications to ICANN to operate a gTLD Registry?

How has the "Fadi Effect" contributed to those applicants' Key Dates, Decisions, Dilemmas and their Critical Path to success or a costly delay?

The first step along the path (see below) for each applicant is the need to respond to its Clarifying Questions (CQs), particularly the Financials ones.

As of today a small number of global brand applicants have already been withdrawn, reducing the number of applications to 1905. Were their applications unprepared? I believe that this trend will continue at a pace now, especially given that applicants can get an 80% refund on their $185000 application fee if they withdraw before the Initial Evaluation (IE) results are due.

The 23 March is one critical key date by which some (see below) applicants receive their IE results, which is looming up fast.

My feedback from many applicants through our previous involvement in the financial evaluation process (developing financial models, advising and offering guidance and financial commentaries on the key financial questions (45-50)) is that many applicants (and their consultants) are in overload. Are you in agreement with this comment and that the situation is likely to deteriorate?

Key Background Information and the "Fadi Effect":

But firstly let us briefly look at the background and how applicants arrived at this critical point. The recent arrival of the very impressive Fadi Chehade, as CEO of ICANN, has clearly made a huge impact. I'll call it the "Fadi Effect".

Back in June 2012 in London I was one of the lucky people in attendance, with the worldwide press, when ICANN announced that there were 1930 applications to ICANN to operate a TLD Registry. Each one an Internet start up, with no prior knowledge of operating a gTLD. The monopoly age of .com was dead, perhaps. This ushered in DNS 2 and a huge expansion, and a huge investment by each applicant. $185000 was required — just to apply. ICANN, a not for profit, was in receipt of $357,050,000, increasing overnight its balance sheet by four times. New players came into the DNS space, headed by Google, Amazon, Apple, Microsoft, and everyone else under the guise of competition and consumer choice. The Game Theory and Internet landgrab had begun. Will total user confusion result when those lucky applicants (with early Draw and critical competitive advantage) are expected to go operationally live in Quarter 4 2013?

ICANN staff, through its multistakeholder — bottom up — consensus driven policy development process had put together an Applicant Guidebook. It took six years to write, ending up on Version 12 with 352 pages. Each applicant for a string had to put together financial, technical and operational business models using worst case and most likely business case scenarios, with fifty questions to be answered, to be evaluated and points scored.

Despite those six years and twelve versions, the Applicant Guidebook has more holes in it than a typical Swiss cheese. US lawyers are going to have a field day. ICANN beware. Whether the whole gTLD evaluation, processes, contractual agreements with ICANN, implementation, delegation to IANA's root zone should go ahead is a very moot point. The recent appointment of the very impressive Fadi Chehade as CEO and the "Fadi Effect" appears to have put the whole program back on track. He put his neck on the line committing ICANN to meet agreed target dates. So far so good.

Applicants' Key Strategic Dates

So what are these key dates that all applicants and their consultants need to have at their fingertips to better enable them to make key decisions on short and long term strategies? What are the priorities? Priority 1 has to be the resubmission of Clarifying Questions (CQs), particularly the Financial related ones, to achieve the required pass score at Initial Evaluation. (See Q&As below)

Evaluation Processes

  • Clarifying Questions - Financial: Start: 14 January 2013 – Closes: 29 May 2013
  • Clarifying Questions - Technical: Start: 14 January 2013 – Closes: 29 May 2013
  • Objection Period: Closed: 13 March 2013
  • Independent Objector: Closed: 13 March 2013
  • Contention Sets: Published: 3 March 2013
  • Contention Set Resolutions: On going from 3 March 2013
  • Closed Generics Public Comments: Closed: 7 March
  • Initial Evaluation Results (Batch 1): Published 23 March 2013
  • GAC Advice at ICANN 46 Beijing: Start: 7 April closes 11 April
  • Initial Evaluation Results (Batch 2): Published 31 August 2013
  • Public Interest Commitment (PIC): Closed: 5 March

Delegation Processes

  • Pre Delegation Test Pilot: Start: 11 March 2013 – Closes: 5 April 2013
  • Pre Delegation Testing: Start: 22 April 2013 – ongoing

Post Delegation Processes

  • Trademark Clearing House (TMCH): Launches 26 March 2013
  • Sunrise & Trademark Claims Services: Start: 1 April 2013
  • Contract Negotiations With ICANN: Start: 15 April 2013
  • Operational Live: Estimated Q4 2013

Applicants' Key Strategic Decisions

Following the LA Priority Draw in December 2012 and the announcement on the 3 March 2013 of the completed list of Contention Sets (now 234 strings affecting 738 applications) each applicant can now analyse its critical path towards its gTLD Registry operational readiness and a successful new gTLD Registry start up.

Applicants have so very many key questions that need answering quickly. Key decisions need to be made on what to do next.

One has to assume that each application had a strategy on applying. Many it seems — did not.

Clearly each applicant has different key issues, timelines, and action points and business critical, sensitive decisions to make.

Applicant's Key Strategic Dilemmas:

Applicants (and perhaps their business consultants) might identify with some of the following from the endless business scenarios along their critical path.

1. The applicant's business model is totally underfunded. This was not factored in (ICANN's models did not require a huge balloon payment for the auction costs of their contention set). Of course they had no idea when they applied whether they would be in a contention set, let alone how many. Can additional funding be found? How much would be needed? What is the "economic worth" of operating and "leasing" that particular TLD string, currently in a contention set? Part 2 will be issued shortly on contention set valuations.

2. The applicant has already been hit by a Governmental Advisory Committee (GAC) early warning and further GAC advice is due at the ICANN Beijing meeting. Should the worst be feared, in which case should the applicant withdraw now? How much refund would be offered, or should the applicant fight back?

3. The applicant is in contention with Google and/or Amazon. What are the implications for their application with debate raging over closed-vertically integrated-generic-"industry word"-business models that the likes of Google and Amazon are using in their applications?

4. The applicant has been hit by the change to Q50b and now will not be able to answer the questions sufficiently well to enable them to get the maximum three points and so pass the Initial Evaluation. One and two points will not be enough.

The applicant can elect to go to Extended Evaluation but that will delay their application at least seven months. The problem can be solved. ICANN will not help or engage with any applicant. If the applicant does not have a solution, we do.

5. The applicant deadline on PICs (Public Interest Commitments) has been missed. Many would argue that ICANN have forced them into this position, by failing to give them sufficient time to respond. As a result should only one be submitted, albeit belatedly? They have hundreds. Does each one have to be different? Maybe a change request should be submitted which would change their whole business model. Does that mean that the whole application needs reevaluating, causing inevitable delays?

6. The TMCH (Trade Mark Clearing House) will be open for business on 26 March. What does a corporation do next? What is the cost going to be to a global brand that didn't apply? What is the corporation's defensive strategy? What is the cost to a global brand corporation that did apply?

7. Loads of CQs have just arrived in the applicants' TAS inbox. The question is what to do next. Response times are short and critical. This is what we will focus on in Part 1 today (see below).

Key Applicant Questions and Answers

The PART 1 focus will be on: Clarifying Questions (CQs) - Financials and Initial Evaluation Results Day

Clarifying Questions (CQs) - Financials, 14 January 2013 – 29 May 2013

Currently 642 applicants have been issued with CQs - Financial as of 6 March for Week 8, Prioritization Draw (PD) No 700-799. This is an alarming and surprisingly high number. Here are some typical Q&As.

Why are they being issued? When did they start? Who, When, Which applicants will receive them? What is the turnaround time? Will ICANN/evaluators provide feedback and comeback? Has ICANN changed questions post AG?

Q: What are they?
A: They are issued by six panels. Financial, Technical, Geographic Names, String Similarity, Registry Services, DNS Stability.

Q: Which applicants and How many will receive them?
A: ICANN's evaluators have indicated that 90% of all applicants will receive CQs. They have not indicated which applicants will receive them and will not do so.

Q: What percentage of applicants have currently failed the Financial Capability Evaluation Test?
A: 61% of applicants have currently failed to achieve a pass score on the CQ — Financial Q45-Q50, Templates 1 & 2.

Q: Which of Q22-Q50 (Financial & Technical) questions were the worst answered?
A: Q48 costs, Q49 contingencies and Q50 Letter of Credit were amongst the worst answers. Q25- Technical

Q: Has ICANN issued Advisories? Which Questions? Do they help? Are they proforma answers?
A: Q25, 30, 48, 50 back in Nov 12. Note critically Q50B changed Dec 12. Not really! No.

Q: What is the current status on CQ- Financials?
A: Pre CQ- Financial Evaluation 1269; Pending CQ Response 517; Post CQ Evaluation 125. Total 1911 Source: ICANN Webinar 6 March

Q: When, To Whom are CQs- Financials being issued?
A: CQs - Issued from Financial & Technical Panels according to LA Draw No at 100 applications per week over 20 weeks.

Started Week 1 w/b 14 January (Request our Priority, Contention Set Report (PCS) re CQ issue date).

Q: How long have applicants got to respond on all their CQs, from all panels?
A: This was increased from maximum time of two to four weeks with deadline midnight UTC for Priority No 600 and below, 01.00 for Priority Number 600 and up. Deadlines are still incredibly tight, especially for multiple applicants.

Q: Can applicants contact the evaluation panels directly? Can they issue a CQ response early and request some feedback to resubmit again (within 4 week deadline)?
A: Applicant will not be allowed to have contact with any panel. No. No.

Q: Why were CQs- Financial & Technical being issued?
A: It is being increasingly evident that:

  • Brand applicants, previously going to adopt a defensive strategy and not apply, did indeed apply, applying extremely late, ill prepared, and didn't and/or refused to answer all questions.
  • Conflict between AG and Supplementaries, particularly on Q50 (b).
  • Applicant given the one off opportunity to increase their points score on CQs to overall be given a pass score at Initial Evaluation.
  • Applicants, especially portfolio applicants, issuing standardised answers, when each application should standalone and be financed separately.
  • ICANN financial Templates 1& 2 flawed.

Q: What are the appropriate applicant responses to CQs (Source: ICANN Webinar 6 March)?

A: They are:

  • Applicants must answer all CQs and provide requested support documentation, or risk the application failing IE.
  • Applicants address all issues mentioned in the CQs.
  • Applicants not to submit a change request when responding to CQs.
  • Applicant CQs responses must be submitted in TAS by the due date (UTC).

Q: Who will get their Initial Evaluation Results, 23 March 2013? How many points do they require?
A: For the lucky early Draw applicants the 23 March 2013 will be a critical date. Huge early mover/adopter advantage. This will be the date when "some" applicants (see our PCS analysis) receive their Initial Evaluation results. They require 22 points from Q22 — Q44 to pass technical evaluation, 8 points from Q45-Q50 to pass the Financial Capability Evaluation Test.

Q: What is the applicant's suggested CQ Financial strategy?

A:

  • Assume that your application(s) will get many CQs (up to 6 CQ questions on the financials).
  • Get our PCS report to work out which week your application(s) will receive your CQ- Financials.
  • Be proactive. Work out schedules, including operational live dates.
  • Prioritise, using PCS, all your applications by Draw No, Most Desired by Contention Set, by Default / Worst Case Contention Sets.
  • Assume first 400 Draw No will get IE results 23 March. Assume 401-1934 get IE results 31 August.
  • Comply with ICANN's Q&As above.
  • Prepare a cost benefit analysis between staying with the application or withdrawing.
  • Complete a change request form with a revised financial model, based on latest assumptions, further costing information and get the application reevaluated.

Written by Phil Buckingham, CEO of Dot Advice Ltd.

More under: ICANN, Top-Level Domains

Categories: Net coverage

Internal-Use SSL Certificates a Security Risk for Upcoming New gTLDs, ICANN Warns

Mon, 2013-03-18 18:59

Lucian Constantin reporting from the IDG News Service: "The practice of issuing SSL certificates for internal domain names with unqualified extensions could endanger the privacy and integrity of HTTPS communications for upcoming generic top-level domains (gTLDs), according to a security advisory from the Internet Corporation for Assigned Names and Numbers (ICANN). The advisory was finalized by ICANN's Security and Stability Advisory Committee (SSAC) last week and warns that existing SSL certificates which have been issued for non-public domain names like those used to identify servers inside private networks, could be used to hijack HTTPS traffic for real domain names as new gTLDs become operational. ICANN oversees the Internet's top-level domain name space."

Read full story: Computerworld

More under: ICANN, Security, Top-Level Domains

Categories: Net coverage

Clearing up the "logjam": ICANN Must Drop its Request for a Unilateral Right to Amend the Agreements

Sat, 2013-03-16 18:15

A very rare thing happened in the GNSO Council meeting this week — the ICANN community spoke with one voice. Registries, registrars, non-commercial interests, new TLD applicants, IP owners and businesses unanimously and unambiguously agreed that giving ICANN a "unilateral right to amend" the registry and registrar agreements is not compatible with ICANN's bottom-up processes and poses a fundamental threat to the multi-stakeholder model. There is true consensus that this change should be rejected.

On February 5, 2013, ICANN surprised the community by re-introducing its demand for a unilateral right to amend the gTLD Registry Agreement. ICANN made the same change in the Registrar Accreditation Agreements. (This was posted for public comment on March 7, 2013. See: Proposed 2013 RAA Posted for Comment).

This move came without consultation, nearly five years after the new gTLD Program moved into the implementation phase, and three years after the community and ICANN, through a bottom-up process, rejected this approach and reached a compromise on similar language.

During the GNSO Council's monthly teleconference on March 14, 2013, while discussing the recent changes to the Registrar Accreditation Agreement, Council members raised the topic of ICANN's proposed unilateral right to amend the registry and registrar agreements. ICANN staff present on the call explained its position, saying, "the amendment clause is actually intended to be last resort for when there is agreement that something needs to be done, but there is a logjam within the processes that we have that don't allow us to move forward." Essentially, ICANN is asking, "what happens when everyone agrees that a particular change is needed, but the multi-stakeholder processes — or someone manipulating those processes — prevents the community from moving forward with what the community wants."

Taken in isolation and without any other context, this is a perfectly reasonable question. If there truly were no mechanisms in the registry or registrar agreements to make necessary changes when the community demands action, then ICANN staff's concerns would be justified. It would be a good question to ask if someone could use ICANN processes to block a change that everyone else supported. The fact is, however, that there already are a number of mechanisms ICANN can take to implement community supported changes.

First, of course, contracted-parties can agree to make a change they support. Second, there is a bottom-up Consensus Policy mechanism for critical changes that ensures that any implementation is appropriately balanced across multiple constituencies and stakeholder groups. Truly important and time-sensitive issues can be addressed via Temporary Policies that remain in place for up to a year and, during that year, can be adopted as Consensus Policies. Finally, the new gTLD agreement contains a new mechanism that gives ICANN authority to make amendments supported by a specific percentage of the registry operators effective across the entire registry group. This is the compromise that was developed through a bottom-up process in 2009-2010 when the community rejected the unilateral change provision.

ICANN agreed in 2010 that these three mechanisms gave it the necessary tools to amend the registry contract to implement changes demanded by the community. Apparently, it has had a change of heart and now wants the authority to unilaterally impose changes to the agreements. To date, ICANN's explanation is that the introduction of new gTLDs will change things in ways that cannot be anticipated. ICANN has not responded to community requests for a concrete example of when this right would actually be needed.

Of course, the ICANN world is not unique — the future is inherently unknown, but parties enter into long-term contracts with high stakes all the time without introducing the kind of uncertainty that a unilateral amendment right would create. To borrow from the gTLD Registries comment made on February 26, 2013: "we are in the midst of dramatic change in the administration of the top-level domain name system. All businesses — whether for profit or nonprofit — require a measure of predictability, stability and certainty of contracts. Public and multi-national company applicants are subject to regulatory regimes that cannot be reconciled with the expanded unilateral authority ICANN is seeking. In deciding whether or not to utilize new gTLDs for their critical infrastructure assets, a key goal of the new gTLD program, registries cannot be subject to the whim of one private entity, even those acting under the guise of public interest, regardless of how well-intentioned that private entity purports to be."

ICANN's proposal for this new mechanism, however, has been met with opposition not only from the new gTLD Applicants and existing registries, but also the registrars, non-commercial interests, businesses and IP owners. In fact, every single comment on ICANN's last minute changes to the new gTLD registry agreement called for its removal. EVERYONE is in agreement that this is a bad idea and should be withdrawn. The fact that the entire community has never been so aligned about a particular subject speaks volumes, but despite this clarity ICANN continues to insist on a unilateral right to amend the registry and registrar agreements.

Ironically, in this case ICANN itself is creating a logjam that is preventing forward movement. By walking away from the version of the legal agreement contained in the final Applicant Guidebook, ICANN is preventing the new gTLD Program from going forward. This same issue is also the logjam preventing the roll out of a new registrar accreditation agreement containing enormous changes that would benefit registrants, law enforcement, intellectual property owners and Internet users in general.

So in response to ICANN's question about clearing logjams, we think they are asking the wrong question. ICANN should stop worrying about the theoretical logjams of the future. It's time to take this request for extraordinary, unilateral power off the table in order to clear away today's very real logjam. Once this request is withdrawn, the new gTLD program can move forward and the Registrar Accreditation Agreement can be finalized.

Written by Jeff Neuman, NeuStar, Inc., Vice President, Business Affairs

More under: ICANN, Policy & Regulation, Top-Level Domains

Categories: Net coverage

North Korea Suffers Internet Outage, U.S. Blamed

Fri, 2013-03-15 21:39

According to reports, North Korea has accused the United States of conducting a cyberattack that has disrupted Internet connectivity in the country. "While the details of the cause of the disruption are unknown, we can confirm that in the last two days, North Korea's sole Internet provider has, in fact, suffered from disruptions in connectivity to the global Internet," reports Doug Madory from Renesys.

"North Korea has an extremely small Internet for a country of 24 million people. Not counting the network involved in the recent Pirate Bay hoax, the four networks of North Korea are routed by a single Internet service provider, Star JV (AS131279), which has two international Internet service providers: China Unicom (AS4837) and Intelsat (AS22351). Star began service on 18 November 2010 and gained Intelsat as a provider on 8 April 2012."

UPDATE: Wed 20 Mar 2013 – South Korean authorities have reported that they have been victims of a cyber attack which impacted TV news organizations as well as banking institutions. According to Renesys, at least some of today's incidents escalated to the point of global visibility, as both South and North Korean networks experienced actual disconnections. Also noted are similarly timed outages affecting South Korea's largest natural gas company.

Other sources: (UPDATED Mar 20, 2013 11:04 AM PST)

More under: Cyberattack

Categories: Net coverage

ICANN's Trademark Clearinghouse Launches March 26. But There Is Time Before the First Sunrise.

Thu, 2013-03-14 23:51

ICANN has announced that the Trademark Clearinghouse (TMCH) will "launch" on March 26.

Brand Owners: Brace yourself. Soon every trademark law firm and corporate registrar will be screaming at you:

The Trademark Clearinghouse Is Here!
You Need to Be Ready to Submit on March 26!
Do You Have Your Act Together Yet?

Here are some tips for brand owners to consider about ICANN's Trademark Clearinghouse:

1. Relax.

Relax. This is advice probably no one is telling you. The truth is, you have some time before the first Sunrise Period.

Yes, you should be thinking about your overall brand protection strategy regarding new TLDs now.

Yes, you should be checking and updating inaccuracies on your trademark records at the local Patent & Trademark Office now.

Yes, you should be compiling your documentation required for the TMCH now. This includes: Licensee and Assignee agreements, your proof of use marketing specimens and copies of trademark registrations for those countries that the TMCH will not be validating via an online database.

But you have some time before the first Sunrise Period.

How much time do you have before the first Sunrise?

The first Sunrise is not likely to occur until summer or fall. The technical specifications for Sunrise were just released this week for public comment. Without a final spec., Registries and Registrars have not yet started programming their systems to support Sunrise and Claims.

This gives you several months before any new TLDs launch. ICANN may try to push out the first Sunrise in June. But if so, it is likely to be a long extended Sunrise Period to allow for the on-boarding of Registrars and the slow summer holidays.

Our suggestion? Don't act in haste or fold to high-pressure sales tactics from whoever wants your TMCH business. The Annual Meeting of the International Trademark Association (INTA) is in early May. Attend INTA and discuss the TMCH with your colleagues. Visit the exhibitors offering TMCH services (We will be there). You will then have at least another month or two before the first TLD Sunrise launches.

There are no prizes for being first. The TMCH is offering an "incentive" for early filers, but the benefit is minimal. The offer is that if you apply early, then your anniversary date for renewals will be based on when the first TLD launches, as opposed to when you submitted your trademark to the TMCH. However, this may not be beneficial unless you plan to participate in that first Sunrise, which has not yet been announced. It could be an IDN. Why not give the TMCH some time to work out the kinks before submitting your trademarks?

2. Should you go direct or through a Trademark Agent?

The TMCH will allow trademark owners to submit trademarks directly or through an authorized Trademark Agent. The authorized Trademark Agent can be an ICANN Registrar or Law Firm, but it does not need to be. Just be sure to select a Trademark Agent with extensive experience dealing with ICANN Sunrise Periods and a thorough understanding of how the TMCH will conduct its validation processes.

Our suggestion is to wait until the INTA Annual Meeting and learn more about what your options are. To evaluate possible Trademark Agents, here are some areas to consider:

Flexible payment options

• The TMCH requires pre-payment for all submissions. The pre-payment can either be a credit card, with a maximum of 10 trademarks per order, or a $15,000 bank wire

• In comparison, a Trademark Agent will likely extend you credit to enable post-payment

One chance to make corrections

• Deloitte, the TMCH validator, will be strict about your TMCH application matching the official trademark application. You get only one chance to get your application correct before paying an extra fee.

• Pre-validation is a critical step you should take before submitting to the TMCH. If you are not equipped to do this yourself, find someone who will do it for you

Sunrise management

• ICANN expects to be eventually approving new TLD's at a rate of 20 per week. Who will keep track of the new Sunrise Periods you actually care about?

• After your trademark is deemed eligible for Sunrise by the TMCH, you will receive a token called the Signed-Mark-Data (SMD) file. This has to be passed to each and every registrar you might use for a Sunrise period.

Bulk management

• If you have a lot of trademarks to submit to the TMCH, then entering them manually will cost time and money, and get tedious fast

• Trademark Agents using the TMCH programming interface (API) will be able to manage TMCH records in bulk

Portability beyond the TMCH

• At least one major TLD applicant, Donuts, has announced its own trademark blocking service for its TLD's. Called the Domain Marks Protected List (DPML), this block will protect your trademark in all of the Donuts TLD's. They've applied for over 300 TLD's with half of those uncontested. The DPML is not sold by the TMCH but will require that trademark owners first be validated for Sunrise eligibility by the TMCH.

Who will manage these non-TMCH Rights Protection Mechanisms for you?

Summary

I hope these tips help remove some of the anxiety some trademark owners might have about the March 26 launch of the Trademark Clearinghouse. The key point is that this is not a race. You have plenty of time to get your trademarks in the TMCH before the first Sunrise Period.

EnCirca has participated in nearly every Sunrise Period conducted by an ICANN TLD. We also offer real-time trademark validation services for TLD's via our TM.Biz subsidiary: We recently provided such services for the .PW and .XXX Sunrise Periods. And TM.Biz will be offering TMCH pre-validation services for Brand Owners, Trademark Agents and Registrars as well.

Written by Thomas Barrett, President - EnCirca, Inc

Independent Objector (IO) Launches Objection on New Applied-for gTLDs

Thu, 2013-03-14 16:36

The Independent Objector (IO) lodged objections against 24 new applied-for gTLDs (name scripts) before the International Chamber of Commerce (ICC) on 12th March 2013. The IO has exercised his role in favor of the public interest on the grounds of Limited Public Interest and Community.

New gTLD name scripts .Med, .Health, .Hospital, .Amazon, .Indians are included in the list of objections filed. However, none of the exclusively adult-content TLDs is included in the list of objections filed by the IO. For many communities, such TLDs that promote pornographic content are a disgrace and offensive to their religions and social norms.

The IO role was introduced by ICANN, and the IO has to act solely in the best interests of global Internet users and look after their concerns. The IO can file an objection only when at least one opposing comment has been received from the public, and in cases where no other objection has been filed. The IO may file a Limited Public Interest objection against an application even if a Community objection has been filed, and vice versa. The IO has to remain independent, and neither ICANN staff nor the ICANN Board of Directors has authority to direct or require the IO to file or not file any particular objection. If the IO determines that an objection should be filed, he or she will initiate and prosecute the objection in the public interest. The responsibility for the selection of the IO was delegated to M/s Odgers Berndtson. On 14 May 2012 ICANN finally announced the appointment of Professor Alain Pellet as the person to serve as the Independent Objector. The IO initiated notices of early warning to highly objectionable applications; however, the IO has withdrawn from most of its objections. The IO reserved his right to file any formal objection until the last date for submitting objections, i.e. 13th March 2013. Exercising this role, the Independent Objector (IO) lodged 24 objections on new applied-for gTLD names where public opposing comments are already available. Separate objections are filed before the International Chamber of Commerce (ICC).

The following list of objections will be examined by experts' panels appointed by the ICC and in light of the New gTLD Dispute Resolution Procedure from ICANN, the ICANN gTLD Applicant Guidebook, the ICC Rules for Expertise, the Appendix III to the ICC Rules for Expertise and the ICC Practice Note on the Administration of Cases.

Community Objections (filed by the Independent Objector):
Applied-for gTLD string (Applicant) Application ID
.Health (Afilias Limited) 1-868-3442
.Health (dot Health Limited) 1-1178-3236
.Health (DotHealth, LLC) 1-1684-6394
.Health (Goose Fest, LLC) 1-1489-82287
.Healthcare (Silver Glen, LLC) 1-1492-32589
.Hospital (Ruby Pike, LLC) 1-1505-15195
.Med (Charleston Road Registry Inc.) 1-1139-2965
.Med (DocCheck AG) 1-1320-21500
.Med (HEXAP SAS) 1-1192-28569
.Med (Medistry LLC) 1-907-38758
.Medical (Steel Hill, LLC) 1-1561-23663

Limited Public Interest Objections (filed by the Independent Objector):
Applied-for gTLD string (Applicant) Application ID
.Health (Afilias Limited) 1-868-3442
.Health (dot Health Limited) 1-1178-3236
.Health (DotHealth, LLC) 1-1684-6394
.Health (Goose Fest, LLC) 1-1489-82287
.Healthcare (Silver Glen, LLC) 1-1492-32589
.Hospital (Ruby Pike, LLC) 1-1505-15195
.Med (Charleston Road Registry Inc.) 1-1139-2965
.Med (DocCheck AG) 1-1320-21500
.Med (HEXAP SAS) 1-1192-28569
.Med (Medistry LLC) 1-907-38758
.Medical (Steel Hill, LLC) 1-1561-23663

Written by Imran Ahmed Shah, IT Consultant

New gTLD Brand Congress Emphasizes Consumers and Innovation

Wed, 2013-03-13 20:58

The New gTLD Brand Congress held earlier this week in New York provided terrific insight into how brands and New gTLD businesses are approaching the space. We saw evidence of forward movement and decision making. Overall, the main takeaways were:

• Established brands need to focus on enhancing customer experience in a new .brand world; and

• New gTLD businesses or registries will find security/stability to be critical for gaining public trust and connecting with representative communities.

Big Brand Decision Making Case Study – CITIBANK (.citi)

Mr. Louis Cohen, Citibank SVP of Internet and Digital Marketing, identified the critical questions that informed Citibank's decision making. The first question was "what extensions might be relevant?" Because Citibank has a wide scope of financial products/services, the Citibank team came up with hundreds of potential strings to consider, including .fin, .bank, .mortgage, .citibank, .creditcard etc. Next, Citibank considered how it might use a new string, and whether that use would enhance Citibank's customers' experience. Lastly, Citibank looked at whether its competitors would gain an advantage by pursuing certain strings and whether there were any "risks" to the Citibank brands. According to Mr. Cohen, Citibank "spent months" thinking through these questions.

Ultimately, the value proposition for Citibank, according to Mr. Cohen, was to work toward creating a better consumer experience. The result will be taking Citibank's very large/diverse digital footprint and consolidating it into one .citi footprint that will be simpler for consumers and easier to protect from a security standpoint. "Citibank sees opportunity in consolidating its digital footprint into something only we can control" and will allow it to unite its global internet presence "making it easier across the board", stated Mr. Cohen.

Mr. Cohen noted that Citibank would still be active in the .com/.net world and that it would have considerable work to do on the SEO front in order to make sure it adapts its content to be searchable in a New gTLD world and an increasingly "mobile first environment." Citibank is also considering the possibility of giving its customers their own .citi email address and contemplating how to treat 2nd level domains in a .citi TLD.

Donuts – A Data Driven Process

Mr. Richard Tindal, COO of Donuts, also spoke at the Congress and discussed the evolution of Donuts and its business plan. Donuts has garnered a lot of press because it applied for 307 New gTLD strings.

Mr. Tindal explained that the Donuts process of picking strings was "intensely data driven." They considered terms which scored high in tests gauging factors such as longevity, usage, rate of entry, potential for conflict with existing brands etc. Donuts has created a proprietary algorithm to consider all these factors.

Mr. Tindal stated that Donuts views its business as being similar to a "content agnostic" Internet Service Provider that would offer consumers "great domains" in interesting spaces and that Donuts planned to implement trademark/brand protections beyond those required by ICANN.

Overall, Mr. Tindal estimated that Donuts would likely end up owning over 200 of the 307 gTLD strings it applied for.

Innovation in the New gTLDs

The final panel of the Congress focused on innovation and the future of the New gTLD space. Mr. Roland LaPlante, SVP and CMO at Afilias, Mr. Hal Bailey, Strategic Partner Manager at Google and Mr. Tim Switzer, CFO and COO of DotGreen, all spoke on the issue.

The panel first discussed the existing challenges to the New gTLD system. Mr. LaPlante offered that the biggest challenges would be government interference and attempts "to control the [Internet's] naming system" as well as how ICANN and consumers respond when TLDs fail or are decommissioned. He wondered how this type of "shock" to the DNS system might affect Internet stability.

From Google's perspective, Mr. Bailey explained that "consumer confusion" was a huge issue because the general public "doesn't know and doesn't care" about New gTLDs, and that it will confuse people and require a transition for users over a "consumer confidence" barrier, which he believes can be made rapidly.

On the ICANN side, Mr. Switzer of DotGreen explained that many of the details regarding New gTLDs are "still in play," including important issues like the registry agreements. These would need to be resolved quickly in order for ICANN to meet its deadlines and will be important topics at the upcoming ICANN meeting in Beijing. He also noted that DotGreen has taken a hands-on approach to its involvement with the relevant "green" community by working with green organizations in local communities and creating "green" partnerships. This type of interaction will be an important part of making sure that DotGreen (and other gTLDs) connect with consumers.

The panel also discussed the future of the DNS system in a New gTLD world. Mr. LaPlante cited unpublished research commissioned by Afilias (to gauge potential consumer attitudes and behaviors) which seems to indicate a positive reception for New TLDs:

  • 78% of consumers are unaware of New TLDs
  • 39% of consumers would likely trust a .brand TLD
  • 28% of consumers less likely to trust a .brand TLD
  • 48% of consumers believe .brand security would be better than generic TLD
  • 37% of consumers believe not having a .brand shows lagging behind competitors

Lastly, the panel agreed with Mr Bailey's assessment that there would be "a very large upward swing in technology over the next few years" and that the New gTLD system could bring innovation and fresh ideas to businesses.

Written by David Mitnick, President DomainSkate LLC

A Look at Why Businesses Buy Cloud Services?

Wed, 2013-03-13 20:39

If you are a cloud provider, whether you are pure play or an internal IT department, it is very interesting to know who is buying cloud services, and why.

In a recent survey by PB7 sponsored by EuroCloud Netherlands and others, a group of Dutch companies was interviewed about their motivations and hesitations around cloud computing. The survey's results were quite a bit more interesting than the usual lot. In this article I have cherry picked a few observations from the larger survey. The full survey is reported on in http://www.slideshare.net/peterthuis/ecm12-ghgg (in Dutch).

The majority of companies are using cloud computing these days, and this includes government organizations by the way. That adoption rate is not growing so fast anymore. The growth is in the number of cloud applications that are being deployed (and presumably also in the number of users of those applications).

How does cloud computing fit business strategy? Companies change for a number of reasons and objectives, and cloud computing as a driver is no different. Some organizations innovate using cloud computing, but from the survey it appears most are just optimizing business process, or even just substituting current solutions.

Substitution happens when an existing solution is replaced by a cheaper one. Examples of these can be seen across the board. As you can expect from a wide survey, the most common applications are mail, messaging, document processing, sales, marketing, distribution, HR. One striking category though is field service where a lot of adoption is going on. Inhibitors for these types of applications include the value of current investments ("the server in the closet has not been fully written off").

Optimization involves process change: doing things differently. This could involve people inside the organization as well as outside the organization. From anecdotal evidence, we know that collaboration tools are on the rise, in particular when they serve to communicate over organizational boundaries. Think procurement, project collaboration and marketplaces. These are the 'cloud native' apps so to say. The other category involves empowering the current workforce, especially if it is mobile already, a trend we see happening in airlines and retail. Cloud productivity solutions allow the inclusion of staff that was not equipped with computers before. This is clearly a big market for horizontal application suites such as Google Docs and Office 365. Vertical application areas include HR and e-learning.

The less predictable the workload, the bigger the advantage becomes that cloud applications have over non-cloud applications. About a tenth of the researched applications have a 'rapid growth' workload pattern, i.e. new applications, new business. For these categories cloud is by far the preferred solution.

These trends align very well with two important cloud characteristics: elastic scalability (especially from a financial perspective), and broad network access (anytime/anywhere/anydevice). Broad network access allows the inclusion of users that are not within the corporate firewall.

Infrastructure as a service (IaaS) is definitely on the rise across the board: small/large enterprises as well as governments. Its penetration is expected to increase to 30 percent in 2014, a twofold increase in two years. Still, this is a lot less than the penetration of SaaS.

As the number of cloud applications per organization rises, integration concerns increase. From the survey, it appears cloud consumers are seeing three different avenues to address these concerns. They call for open standards, they turn to cloud brokers to do the integration for them, and they hope to see ecosystems such as app stores providing this integration for them.

Other concerns are security and privacy in general, though it is unclear to what extent these fears are actually translated into action. It is peculiar in this respect that only 40% of cloud users have a clear exit plan.

There are quite a few implications for service providers in these findings. The biggest demand for cloud services is for rationalizing existing IT systems, and if they are internal, expanding their use cases to include mobile employees and business partners. As an extension of these, inclusion of more people and partners can allow business processes to be reengineered. Partnering with consultants to help effect these changes might make sense.

Potential clients are concerned about integration and security risks. Conceivably, adequately addressing these concerns can be a selling proposition. For the mechanics of that, have a look at another article I wrote (see Can we simplify cloud security?). A lot of these concerns (including integration) are expressible in terms of the CSA Cloud Control Matrix (Disclosure: I updated some of these controls recently as a CSA volunteer).

If you are a cloud provider and wonder how to improve your offering, you may be interested in having a look at www.cloudcomputingundercontrol.com where I have outlined a Governance, Risk Management and Compliance roadmap.

Written by Peter HJ van Eijk, Cloud Computing Coach, Author and Speaker

ITU Staff Gone Wild

Wed, 2013-03-13 18:56

In virtually all governmental legislative bodies, the staff is there to provide secretariat services for the government representatives. The staff role does not include telling the representatives what decisions they should be making. The stricture is supposed to be the same at the International Telecommunication Union (ITU) for its treaty making activities.

It is with some amazement that last week, the ITU secretariat staff showed up at a seminar in Bangkok they helped schedule — with a purported "ITU Presentation on WCIT-12 Outcome" to eighteen ITU Member States attempting to sell them on accession to the International Telecommunication Regulations (ITRs) flatly rejected by 55 nations (G55), with 49 additional ones remaining undecided. In other words, less than half the ITU Member States have signed — a stunning adverse result unprecedented in the history of the organization.

The slick 36-slide presentation begins by misrepresenting ITU history, provides a completely one-sided view of the ITRs, and at the end, includes an accession form as one of the slides — suggesting that Member States bind themselves to the ITR provisions! The last slide makes the incredible assertion that "the treaty provides a framework for the accelerated growth of ICTs at the national and international level, in particular to bring Internet access to the two-thirds of the world's population which is still offline, and to drive investment in broadband."

The reality here is quite at odds with the SnakeOil sales pitch. The ITRs — which are a treaty instrument construct for the government-run electrical telegraph world of 1850 - are not exactly the right match for a hyper-dynamic, technology and investment driven world of 2013 driven by the global marketplace. There was a reason why 55 ITU Member Nations flatly rejected the ITRs and walked out of the meeting. The entire instrument plainly does not comport with today's world of telecommunications and information systems, and accepting the associated ITR-12 obligations is tantamount to consigning the nation to Internet impoverishment. Reiterating the socio-political acronym "ICT" like an incantation, when ironically the term remains undefined, achieves nothing.

The ITU staff attempts to sweep the rejection of the WCIT-12 Final Acts under the carpet with the absurd assertion that it "compares with 1988 when 112 countries signed ITRs on the last day of the Melbourne conference." It does not. I helped run the secretariat for the 1988 conference for Secretary-General Butler. All the Member States present in Melbourne signed the Final Acts. None of them walked out of the conference. At that time, the ITRs arguably had some marginal justification. Today they are an anachronism and negative value proposition.

In addition to being a treaty that patently was not needed, the ITR provisions that emerged at WCIT-12 crossed two "red lines" for the G55. They vastly expanded the relatively narrowly compartmentalized scope and effect of the existing ITR provisions to include all electronic communication services and apply to essentially anyone connected to a network. Furthermore, most of the ITR provisions are essentially operational, contractual, and regulatory options that vary greatly among different countries, and purport to rely on activities in an ITU-T that today is essentially non-functional because the work is almost completely accomplished in other global industry venues and arrangements. Twenty-nine nations have reduced their ITU contributions, and few countries today participate in ITU-T activity. It is ludicrous to think that all these fundamental infirmities of the ITRs will somehow become unimportant for the non-signatory nations.

The ITU staff has scheduled another of the WCIT-12 sales shows in South Africa in July 2013. The action seems demeaning to the African nations as the ITU staff is not pursuing these events in Europe or North America where they would receive substantial opposition to their presentation assertions.

In large measure, the entire WCIT-12 debacle was induced and facilitated by ITU elected officials and staff that encouraged and manipulated almost everything surrounding the conference. They obviously have not stopped. Engaging in this behavior is inappropriate. When the first permanent secretariat for an ITU precursor organization was created — the Berne Bureau that serviced the needs of the signatories to the Convention télégraphique internationale de Paris (1865) et Règlement de service international (Paris, 1865) — it was made clear that the staff were not to become involved in substantive legislative work done by the Nation States among themselves. That important stricture was obviously lost over the past decade.

Written by Anthony Rutkowski, Principal, Netmagic Associates LLC

ICANN Releases Guideline for Coordinated Vulnerability Disclosure Reporting

Tue, 2013-03-12 19:31

ICANN has released a set of guidelines to explain its Coordinated Vulnerability Disclosure Reporting. The guidelines serve two purposes, says ICANN: "They define the role ICANN will perform in circumstances where vulnerabilities are reported and ICANN determines that the security, stability or resiliency of the DNS is exploited or threatened. The guidelines also explain how a party, described as a reporter, should disclose information on a vulnerability discovered in a system or network operated by ICANN."

Coordinated Vulnerability Disclosure refers to “a reporting methodology where a party (‘reporter’) privately discloses information relating to a discovered vulnerability to a product vendor or service provider (‘affected party’) and allows the affected party time to investigate the claim, and identify and test a remedy or recourse before coordinating the release of a public disclosure of the vulnerability with the reporter.”

Illustration of a Coordinated Disclosure Process – The roles and relationships of parties typically involved in a coordinated disclosure. Source: ICANN

Security and Reliability: A Closer Look at Penetration Testing

Tue, 2013-03-12 18:46

As noted in my first article of this series (see part one, two and three), security and reliability encompass holistic network assessments, vulnerability assessments and penetration testing. In this post I'd like to go deeper into penetration testing; however, first, let's go back for a quick refresh before getting started.

There are three broad steps any organization can take with respect to security and reliability to get a handle on their current security posture, whether internal (corporate or "inside the firewall") or external (Internet or "outside the firewall"). These include a series of in-depth assessments that include network, vulnerability and penetration testing.

• Network Assessment – Network assessment is a broad term that might encompass a holistic view of an organization's Internet security posture both internally and externally. A network assessment can be tailored to specific security requirements for any organization, but ultimately the assessment will provide a baseline gap analysis and remediation steps to fill those gaps.

• Vulnerability Assessment – Once your baseline network assessment is completed, an organization may wish to perform periodic vulnerability assessments. Whether internal or external, vulnerability assessments can uncover critical gaps in security that may lead to credential leaks, intellectual property theft, or denial of service to employees or customers. A well-planned and well-executed vulnerability assessment should eliminate false positives, but it can never give an organization 100 percent confidence that a specific vulnerability cannot be exploited. Vulnerability assessments should be executed on at least a quarterly basis, but it's not uncommon for larger organizations to execute them monthly.

• Penetration Testing – The next and final step in assessing your organization's security and reliability is penetration testing. While I typically say that vulnerability assessments give you a "95 percent confidence level" that a vulnerability exists, penetration testing can give you 100 percent confidence that a specific vulnerability exists as well as show you how it can be exploited by attackers.

Now that we are all caught up, let's dive in to penetration testing.

What is a penetration test?

A penetration test typically follows a full vulnerability assessment, after you have identified systems with known or suspected vulnerabilities. The existence of vulnerabilities may be obvious, or may require exploitation to validate. By definition, penetration testing involves exploiting a vulnerability to prove its existence or to expose other previously unknown vulnerabilities, or even additional systems, not previously known or tested.

Once you've completed a vulnerability assessment, you must build an attack profile for penetration testing and then execute your attacks.

Step One: Attack Profile

In the attack profiling phase, you must conduct research on your vulnerabilities to determine the best tools to use to attempt exploitation. There are a plethora of commercial, free and open source penetration testing toolkits, including:

There are many more scripts and toolkits you might use for both vulnerability assessments and penetration testing, such as wireless discovery applications, packet capture applications, port scanners, etc. We'll cover some of the more common tools in future articles.

There are too many details to cover in this overview, but suffice it to say a penetration test engineer must understand the underlying operating systems, applications and protocols for the vulnerabilities they are trying to exploit.

Exploits may be common to a given application regardless of the platform (operating system and protocols), but they may also be a very specific combination of hardware platform, operating system, application, protocols, and even network elements to include routers, switches and firewalls.

The commercial toolkits listed above provide a good framework and automation for running exploits, but they all have many configuration parameters, variables and scripts related to very specific vulnerabilities that one must understand in order to execute an effective penetration test. To paraphrase a famous line from the movie Caddyshack, "be the exploit!"

Step Two: Attack Execution

Now, the real work begins. You may understand the vulnerability, you may have your tools and scripts ready to execute and exploit the vulnerability, but inevitably things won't go as planned. As with vulnerability assessments, you may have to adapt your profile because you find that a firewall or network ACL (access control list) is blocking communication in one direction or a given vulnerability cannot be exploited for unknown reasons, or operating system/application fingerprinting was inaccurate. There are many scenarios that may cause you to alter course and change tools or methods to attempt exploitation.

In Summary

Penetration testing (and security on the whole) can be as much art as science, but hopefully this article rounds out our series on security and reliability and gives you some insight on the importance of including this as part of your organization's processes. Ultimately, you will gain confidence in assessing risks and determining which vulnerabilities should be considered real, requiring mitigation. This is the very best way to be prepared for real-time risks and attacks.

Written by Brett Watson, Senior Manager, Professional Services at Neustar

EFOW Wants Total Protection for Geographical Indications Domains in .VIN, .WINE and All Other TLDs

Tue, 2013-03-12 16:42

This is a letter sent from the European Federation of Origin Wines (EFOW) to the courteous attention of Dr Steve Crocker, Chair of the ICANN Board, Mr Cherine Chalaby, Chair of the new gTLD Program Committee Board, Mr Fadi Chehadé, CEO of ICANN and Mr Akram Atallah, COO of ICANN.

The letter, from its President Riccardo Ricci Curbastro, was sent to ICANN today and is entitled "ICANN initiatives for the attribution of new generic top-level Internet domains — PDO and PGI wines' concerns".

The letter:

"Dear Madam, dear Sirs,

EFOW, the European Federation of Origin Wines, a Brussels-based organisation representing PDO (Protected Designation of Origin) and PGI (Protected Geographical Indication) wines towards European and international institutions, would like to bring to your attention a crucial issue for the safeguard of our sector concerning the attribution of new generic top-level domains (gTLD) by your organisation. We are concerned that this new procedure could lead to the abuses of our members' Intellectual Property Rights (IPRs).

As far as we are informed, at the current stage of the ICANN procedure, three private firms have applied to manage a new Internet domain ".wine" and another candidate applied to manage the domain ".vin". Should registrars obtain these new gTLDs, they will be able to commercialise them and allow individuals and/or organisations to combine these gTLDs to a second-level domain name to create a personalised web address, as for instance "chianti.wine", "champagne.vin", "rioja.wine", "port.vin".

As you may know, Geographical Indications (GIs) are, according to the WTO TRIPs agreement, indications which identify a good as originating in the territory of a Member, or a region or locality in that territory, where a given quality, reputation or other characteristic of the good is essentially attributable to its geographical origin, for example, "Champagne", "Tequila", "Parma Ham" or "Roquefort". As such, these GI names, like trade marks, enjoy protection as IPRs at the international level and in all WTO Member States.

Considering the above, EFOW believes, as they stand, your organisation's rules on the new gTLD do not allow for the protection of GIs which are recognised IPRs. In fact, applicants will only have to abide by "specification 5" according to which operators shall prohibit the registration of country and territory names recognised by the United Nations or of their ISO codes in front of the extensions ".wine" and ".vin". Moreover, we are concerned that none of the four projects mentioned above commit to the protection of GI wine names. Finally, we are also preoccupied by the fact that these projects envisage the possibility of registering "premium" domain names attributed by public auction to the highest bidders without any further specifications. ICANN's rules and these applications in their actual form thus raise serious concerns for our sector given that they could lead to abuses of GI names on domain names.

We would like to underline that EFOW is not opposed to the attribution of new gTLDs provided that ICANN and registrars provide for the protection of GIs. The current Trade mark Clearinghouse scheme is, however, not sufficient and does not respond to the needs of the GI wine sector.
Moreover, EFOW believes that the concessions referred to the second-level domains should be subjected to detailed rules to guarantee an efficient protection to European PDO and PGI wines and more generally to all GIs. More specifically, ICANN should develop a procedure that ensures that GI names cannot be reserved by third parties and enables organisations responsible for the protection of GIs to oppose the reservation of a domain name that consists of or contains the name of a GI through a procedure, e.g. an alternative dispute resolution (ADR). Furthermore, it also considers that authorisations to use the generic top-level domains ".wine" and ".vin" should be guided by the respect of European and International legislation on GI wines, which provide them with a strong protection, as clearly stated by article 23 of the WTO TRIPs Agreement on trade-related aspects of Intellectual Property Rights.

EFOW has already raised its concerns with relevant EU countries and would like to know whether ICANN intends to modify its procedures to allow GI right holders to have the same rights and guarantees as the ones given to trade marks owners.

We thank you in advance for taking into consideration our observations and would welcome an open discussion on this specific issue."

Will ICANN want to open the discussion and offer a better protection to PDO and PGI wines?

Written by Jean Guillon, New generic Top-Level Domain specialist

More under: Domain Names, ICANN, Internet Governance, Policy & Regulation, Top-Level Domains

Categories: Net coverage

ICANN New gTLD Program SWOT Analysis: OPPORTUNITIES (Part 3)

Mon, 2013-03-11 23:49

The SWOT analysis is a structured planning method used to evaluate the Strengths, Weaknesses, Opportunities, and Threats involved in a project or in a business venture (source Wikipedia).

OPPORTUNITIES

1. For Registries (new gTLD applicants: brands and non brands):

a) New gTLD applicants to sell domain names = earn cash. When Registrars of the Registry's accredited network sell 1000 domain names at the price of $5, the Registry earns $5000;
b) Owning a Top-Level Domain is a monopoly situation. The applicant "governs" an entire market (worldwide) = earn cash;
c) Brand TLDs have until round 2 to take advantage of their string and expand their presence over their competitor(s) who did not apply. Their competitor(s) can just sit and wait for Round 2;
d) Brand TLDs may want to change their application in the future to sell domain names and earn cash. Most of the time, a contract can be changed at ICANN after it's gone through the "public comments" phase…
e) Possibility of intra group cash flow transfer (cf. Google or Facebook situation in France.) (Jean-François Vanden Eynde);
f) Possibility to benefit from innovation and to apply them (Jean-François Vanden Eynde);
g) Possibility to attract customers and to maintain them within your brand reach (if I find everything within .apple, why should I leave it if it could be my favorite page?) (Jean-François Vanden Eynde);
h) Possibility to perform some joint venture and associate my brand to a specific event or sport (Jean-François Vanden Eynde);
i) Possibility to hide my online strategy as I will be able to activate and deactivate domain names at any time (Jean-François Vanden Eynde);
j) Build customer trust and avoid cyber squatting (Jean-François Vanden Eynde);
k) Benefit from being a pioneer in my field (Jean-François Vanden Eynde);
l) Applicant will not be subject to cyber squatting under their own TLD (Jean-François Vanden Eynde).

2. For Service providers (Back-end registries, law firms...):

a) Back-end registry providers to earn much more cash as most of their business model is based on the number of domain names sold by new gTLD applicants: the more domain names are sold, the more cash gets in. They will probably be the ones to earn most of the money from this first round.
b) Specialized law firms. The New gTLD Program will provide opportunities for a variety of different professions, most notably the legal profession. Trade mark attorneys have a unique opportunity to harness their expertise and expand their scope of services by providing enforcement solutions to trademark owners who seek to resolve domain name disputes that will arise with each new gTLD launch (Daniel Greenberg).
A huge market is opening to Law firms:
- The Trademark Clearinghouse: their clients will need to participate in Sunrise Periods and "protect" themselves. For this, they will need to understand how to do this and register in the TMCH.
- URS (Uniform Rapid Suspension Procedure): with so many new domain names, expect many infringements too.
- The same applies to other very specific ICANN procedures: complaints to ICANN, Objections, PICS procedure, RRDRP procedure, PDDRP procedure…
- Webinars.
c) Same goes for digital marketing. It will help companies to offer online services in general not only law firms (Jean-François Vanden Eynde);
d) New gTLD consultants: the ICANN new gTLD program's organized mess is an opportunity for consultants to hunt clients for round 2 with updates on procedures, prices, service providers, etc…
e) Entrepreneurs: many applicants from round 1 strongly believe they will sell millions of domain names... but most probably won't go above 50 000. The business model based on 2 to 3% of a population may not find the success expected since most of the Registries think their Registrars are going to do the sales job. Many strings with potential have not been requested in Round 1; niche markets on small TLDs may be a better solution in Round 2 if applicants do the necessary field work upfront. A 50 000 domain names Registry to become a success in the future?
f) Possibility to extend services to a one stop shop for round 2 (Jean-François Vanden Eynde);
g) Possibility to see newcomers building their own services. This will increase competition and help drop pricing in round 2 (Jean-François Vanden Eynde).

3. For ICANN:

a) ICANN has the opportunity to work with global regulatory bodies, including the United States Patent and Trademark Office, to define how ALL public roots will be regulated, not just ICANN. ICANN should work with global governments to establish top level domains as a legal business class so that trademark law can be applied to Top Level Domains. This would get ICANN out of the business of defining trademark protections for the Top Level Domain industry and back INTO the business of approving new registry operators. ICANN should not do both (Mary Iqbal).
b) Earn A LOT of cash;
c) ICANN will hopefully learn from its mistake (Jean-François Vanden Eynde);
d) ICANN's way of working might change with the intervention of brand owners and IP lawyers who will defend their interests (Jean-François Vanden Eynde).

4. For Registrars:

a) More domain names to offer to their clients: every new gTLD launching is an opportunity to contact an existing client and sell him something;
b) Niche Registrars may develop: sports and wine Registries for example;
c) Distinction will also be made between B2B registrars and B2C registrars (Jean-François Vanden Eynde);
d) TMCH could also become a golden egg for registrars (Jean-François Vanden Eynde);
e) Possibility for some of them to go more into consultancy and strategy (Jean-François Vanden Eynde);
f) Registrars might specialize because they might not be able to go for prepayment for all TLDs. We might see some niche registrars (Jean-François Vanden Eynde).

5. For Registrants:

a) An opportunity to develop online identities with precision using more descriptive domain names;
b) By introducing new TLD strings, a wide range of audiences can be reached using the DNS (Domain Name System) to include communities having languages using non latin/roman alphabets. IDNs (Internationalized Domain Names) are one example of being able to provide this expanded reach to the DNS (RJ Glass - AmericaAtLarge.ORG);
c) For Brands and other organizations the possibility is offered to acquire a better (and nicer) domain name to then redirect the old .COM to it (ex: château-latour.vin).
d) Brands are given the opportunity to secure their strings in the Trademark Clearinghouse for future launchings so they can participate in all Sunrise phases and be alert if one intends to register their string as a domain name;
e) Registrants might get some free domains associated with one brand: jef@bmw if I buy a new car with all services associated (Jean-François Vanden Eynde);
f) Benefit from innovation of registries (Jean-François Vanden Eynde).

6. For Domainers (they buy domain names to re-sell them):

a) Domainers are always the first ones informed about new launchings and what is the best and most efficient way to acquire a domain name. With so many new domain names to acquire and so much money to spend, there will be opportunities to acquire generic domain names. Sports new gTLDs should interest domainers: just city names could offer very good opportunities.
b) Domaining offers a serious return on investment for new gTLD applicants who need to earn cash fast. Domainers buy for speculative reasons: the intention is to buy at the cheapest price and sell at the highest.

7. For CyberSquatters (they buy domain names to try to re-sell them to owners with a prior right...or not):

a) Same as usual: they will continue to exist and proliferate as there is no better mechanism in place to block them;
b) A choice of domain name enlarged by the number of new gTLD applications.

To come: THREATS (Part 4)

Written by Jean Guillon, New generic Top-Level Domain specialist

More under: Top-Level Domains

Categories: Net coverage

Thinking Carefully About New gTLD Objections: Legal Rights (4 of 4)

Sat, 2013-03-09 04:48

This last article on the four new gTLD objections will look at the Legal Rights Objection ("LRO"). While other articles in this series have touched on trademark concepts at certain points (see part one, two and three), issues from that area of the law predominate in LRO. Here we review the pertinent LRO-related trademark concepts, with which many readers likely will have some familiarity from working with domains and the UDRP. Still, the theme of the first three articles applies here: Potential objections are more involved and complicated than they may seem, and require careful thought if they are to be made.

Standing:

Analyzing any new gTLD objection always begins with standing — namely, whether the objector has the right to raise a claim in the first place. AGB 3.2.2. The LRO does not have standing requirements nearly as strict as those for community or as wide-open as those for limited public interest objections, but does require an objector to establish its status as a "rightsholder." While there is no explicit designation of the exact "rights" needed for standing, the Guidebook's later section on the objection standards clearly refers to trademark — i.e., a name, brand, term or characteristic that recognizably identifies its individual or institutional owner, including celebrities who have rights of "publicity." See, e.g., Frampton vs. Frampton Enters, Inc., Case No. D2002-0141 (WIPO, Apr. 17, 2002) (peterframpton.com). [Note: The Guidebook also addresses rights of an inter-governmental organization ("IGO"), but this involves a relatively narrow subset of potential objectors, so it will not be directly addressed here.]

Logistics and Cost-Planning:

Trademark owners and those with prior experience in UDRP procedures will see a familiar face with respect to LRO: the World Intellectual Property Organization ("WIPO"). WIPO has a very informative FAQ page which will cover what would-be objectors need to know (along with model objection and response form), and the ICANN Webinar of Mar. 6, 2013 contains additional information. Suffice to say here simply that with LRO both the filing and expert costs are levied on a flat-fee basis (recall that ICC Expert fees are billed hourly) and parties have the option to choose the size of the panel (either one or three experts). Myself, I always try to garner a three member panel whenever that option is available. All documents are (as with the other three objections) submitted in English and with a limitation of 5000 words (or 20 pages, whichever is less, excluding attachments).

Objection Standards:

Once an objector establishes standing under the relatively straightforward standard above, it must then tackle the merits of the objection. What must the objector show to prevail? Practitioners who are familiar with trademark and domain name disputes will recognize that the LRO standard incorporates elements employed in these areas. A LRO panel must determine whether an applied-for string:

  • Takes "unfair" advantage of the distinctive character or reputation of the objector's trademark;
  • "Unjustifiably" impairs the distinctive character or reputation of that mark; or
  • "Otherwise" creates an "impermissible" likelihood of confusion with the mark.

AGB § 3.5.2. Some of these buzzwords suggest both trademark dilution ("distinctive character" and "reputation") as well as infringement ("likelihood of confusion"). However, rather than delve into all the nuances of the multipart tests used by courts when analyzing these concepts — see, e.g., AMF Inc. v. Sleekcraft Boats, 599 F.2d 341, 348 (9th Cir. 1979) — simply consider this: is it sufficiently likely that a reasonable person will become confused into thinking that a term associates a particular string with one company when it really belongs to another? If not, then look at whether the mark at issue is really well-known as a brand and very unique. If the answer is not an (extremely) emphatic "yes" to either one of these questions, then pursuing an LRO is probably just wasted effort and expense.

So where does one look for help on these issues? Since ICANN has provided a number of helpful guidelines for LRO, we of course will go through those first.

Trademark Factors:

Section 3.5.2 of the Guidebook lays out a number of expressly "non-exclusive" criteria for determining whether an applied-for string creates a likelihood of confusion or will injure the distinctive nature or reputation of a mark. None will strike trademark or UDRP professionals as particularly unusual, although simplicity in concept can belie greater complexity in practice.

1. Similarity in Sight, Sound and Meaning

A LRO panel will examine whether the applied-for gTLD is identical or confusingly similar in appearance, sound or meaning to the objector's mark. For this test, consider the obvious:

Regarding sight, do the mark and the string look visually similar? Since TLDs do not involve graphic representations, colors, fonts and the like, the inquiry essentially comes down to spelling.

As to sound, say the mark and string out loud to yourself. Do they sound essentially the same? See Deutsche Telekom AG v. foxQ, Case No. D2004-0102 (WIPO, Mar. 7 2004) (UDRP complaint denied despite some sound similarity between domains t-online.com and d-online.com).

On meaning: Take into account what term(s) make up the mark and the string. Do they typically have only one connotation or several? This can matter a great deal when examining terms that have generic, descriptive or common dictionary meaning. See, e.g., Advertise.com, Inc. v. AOL Advertising, Inc., 616 F.3d 974, 978-979 (9th Cir. 2010)(advertising.com)(copy of court decision available at: http://1.usa.gov/ZyaxQI); see also Hasbro, Inc. v. Clue Computing, Inc. 66 F. Supp. 2d 117, 133 (D. Mass. 1999) (clue.com).

Simple, right? Well, lawyers have come up over the years with complications even to these apparently straightforward inquiries. Among other things:

  • Don't look at two marks together; consumers typically view them separately in the marketplace. Union-Carbide v. Ever-Ready, 531 F.2d 366, 382 (7th Cir. 1975). They also do not recall marks as well as triers of fact who see them continually over days of legal proceedings.
  • Consider the trademark and string each as a whole; do not dissect either into components. While courts occasionally give "dominant" components slightly more weight, they do not do so with more generic or descriptive portions of claimed marks — see, e.g., Gateway 2000, Inc. v. Gateway.Com, Inc. 1997 U.S. Dist. LEXIS 2144 (E.D.N.C. 1997) (no likelihood of confusion between "GATEWAY2000" and gateway.com).
  • For dilution, a claim may cut a wider swath because the goods or services need not directly compete, but this typically requires greater proof of similarity. See Ringling Bros.-Barnum & Bailey Combined Shows Incorporated v. Utah Div. of Travel Dev., 170 F.3d 449 (4th Cir. 1999) (no dilution between non-competitors' "greatest SHOW on earth" and "greatest SNOW on earth" phrases).

2. Objector's Bona Fide Acquisition and Use of Trademark Rights

A LRO panel also will consider whether the objector legitimately acquired or has used the mark at issue. UDRP colleagues often examine the efficacy of the complainant's asserted rights, including for lack of protectability, lack of authorization or fraudulent procurement.

3. Public Sector Recognition

To what extent does the relevant sector of the public recognize the rightsholder's mark? As in trademark litigation, this may require survey evidence.

4. Applicant's Intent in Applying for the gTLD

This fourth element calls to mind the "bad faith" factor in UDRP and cybersquatting cases. It asks whether the applicant knew of the objector's mark at the time of applying for the gTLD, or whether the applicant has a "pattern" of acquiring or operating domains confusingly similar to the marks of others. Of course, this applies only to protectable marks, and not to dictionary or generic terms, where intent to confuse either cannot be inferred or is legally meaningless. See, e.g., Hero, Inc. v. The Heroic Sandwich, Case No. D2008-0779 (WIPO, Aug. 13, 2008) (hero.com).

5. Applicant's Bona Fide Use

This factor allows a panel to evaluate the extent to which the applicant has used (or demonstrably prepared to use) the gTLD corresponding to the objector's mark. While UDRP cases often feature the registration (and little else) of a second-level domain, an applicant for a new gTLD can cite substantial investments in time, resources and money preparing the application and putting backend technology into place. Moreover, using a common word as a domain for its inherent value in attracting internet traffic, even if that term happens to correspond to another's trademark, does not violate the other's rights. Mobile Communication Service Inc. v. WebReg, RN, Case No. D2005-1304 (WIPO, Feb. 24, 2006) (mobilcom.com transfer denied).

6. Applicant's IP Rights

Next, a panel looks at "whether the applicant has marks or other intellectual property rights in the sign corresponding to the gTLD, and, if so, whether such acquisition and use of the sign has been bona fide, and whether the likely use of the gTLD by the applicant is consistent with such acquisition or use." This would pertain to "Dot Brand" TLDs, but not to the many new gTLD applications with generic terms, as these serve no source-identifying function. See Image Online Design v. ICANN, 2013 U.S. Dist. LEXIS 16896, 22-24 (C.D. Cal. 2013) (quoting Advertise.com and finding no protectable interest in plaintiff's alleged .WEB "trademark" — which was also the subject of a prior TLD application) (copy of court decision available at: http://bit.ly/15CWCwV).

7. Applicant Commonly Known by Applied-For TLD

Taking another page from the UDRP playbook, this factor examines whether and to what extent a TLD applicant has been "commonly known by the sign corresponding to the TLD and if so, whether any purported or likely use of the gTLD by the applicant is consistent therewith." This will entail case-by-case analysis since, for example, under the UDRP respondents have become "commonly" known by their domain names simply by having formed a company and done business under that name.

8. Likelihood of Confusion

Likelihood of confusion appears both in traditional trademark and domain name disputes, although not in as much detail in the latter setting. Many of the factors above go into a typical judicial likelihood of confusion analysis. Without repeating myself, I simply suggest keeping practical considerations in mind. Among the most important: evidence of actual confusion serves as one of the strongest indicators of a likelihood of confusion, whether from customer service inquiries or other "real-world" data points, or from consumer surveys conducted specifically for the dispute.

9. Other Considerations

I have noted a number of proverbial "bumps" in the objector's "road" above when discussing the Guidebook's specific LRO criteria. However, other overarching considerations also may be in the back of the mind of a panelist seasoned in trademark and domain name-related matters, and since the LRO factors are explicitly referred to as being "non-exclusive" there would seemingly be no reason not to take them into account.

Fair Use and Free Speech: First, how do free speech-related defenses such as "fair use" or "nominative use" fit into the LRO context? For readers who are not familiar with the concepts, trademark "fair use" typically involves a mark that is capable of describing the goods or services offered under that mark. Although one may own trademark rights in a descriptive term in certain contexts, "such rights will not prevent others from using the word ... in good faith in its descriptive sense, and not as a trademark." Car-Freshner Corp. v. S.C. Johnson & Son, 70 F.3d 267, 269 (2d Cir. 1995). "If any confusion results to the detriment of the markholder, that was a risk entailed in the selection of a mark with descriptive attributes." Id. at 270. Holders of trademark rights in these types of terms would likely face an uphill battle challenging their use in a New gTLD in a generic or descriptive sense.

On the other hand, "nominative" use comes up in situations involving "fair comment" about or criticism of something else. See New Kids on the Block v. New Amer. Pubs., 971 F.2d 302, 308 (9th Cir. 1992). It seems doubtful that an applicant would shell out $185,000 for a new gTLD simply for the narrow purpose of commenting on or referring to something else, making a nominative use defense unlikely to arise.

The Generic Nature of Many TLDs: Similar to the rationale described above involving "fair use" and freedom of speech, would-be objectors should know that, prior to the new gTLD program, courts have held top-level domains as being too generic to even be capable of serving as a trademark in the first place. Cases (in the U.S., at least) uniformly hold that adding a ".com" TLD to an otherwise common word will not confer trademark rights in the combined term. "Because TLDs generally serve no source-indicating function, their addition to an otherwise unregistrable mark typically cannot render it registrable." In Re: Oppedahl & Larson, 373 F.3d 1171, 1174 (Fed. Cir. 2004) (patents.com). See also Image Online, supra, 2013 U.S. Dist. LEXIS 16896 at 22-24 ("the mark ".WEB" used in relation to Internet registry services is generic and cannot enjoy trademark protection"). Accordingly, expect to see LRO filings being mostly limited to just very unique, highly distinctive "dot-brand" gTLDs and not for generic "dictionary" words.

No Per Se Dilution For Domain Names: Even holders of marks that are considered "famous," "well-known" or having a "reputation" may encounter difficulty relying solely upon a dilution claim rather than likelihood of confusion in mounting an LRO challenge. By way of example, courts in the U.S. have steadfastly refused to impose a "per se" (i.e. "blanket") rule for dilution in domain names. "Ownership of a famous mark does not result in automatic entitlement to ownership of the mark as a domain name." Nissan Motor v. Nissan Computer, 2007 U.S. Dist. LEXIS 90487, 45, citing Hasbro, supra, 66 F. Supp. 2d at 133. Trademark-savvy LRO panelists will no doubt take heed of the potential for abuse in dilution claims and instead require the higher likelihood of confusion threshold to be met. See, e.g., Clue.com, supra, at 135, quoting 3 J. Thomas McCarthy, McCarthy on Trademarks and Unfair Competition § 24:114 (4th ed. 1996) ("The dilution doctrine in its 'blurring' mode cannot and should not be carried to the extreme of forbidding the use of every trademark on any and all products and services, however remote from the owner's usage").

Conclusion

While LRO would appear to have a somewhat greater likelihood of success than the other three objection types in situations involving particularly distinctive and very well-known marks, the same does not hold true for the entire new gTLD landscape, which is populated by a number of applications for generic and descriptive strings. In the latter scenario, the hill is every bit as tough to climb. Rightsholders would be wise to look carefully for real trademark protection rather than just descriptive uses of their brands in New gTLDs before embarking on the LRO path.

This wraps up my series on new gTLD objections, and I hope that everyone has found them helpful and informative. As always, please feel free to reach out to me at any time with any questions.

I'll see you all in Beijing!

Written by Don Moody, Domain Name & IP attorney in Los Angeles, co-founder of New gTLD Disputes

More under: Domain Names, ICANN, Internet Governance, Law, Policy & Regulation, Top-Level Domains

Categories: Net coverage

Mishandling the Registrar Contract Negotiations

Fri, 2013-03-08 21:28

By publishing a draft Registrar Accreditation Agreement (RAA) for public comment before it has been agreed on by both parties, has ICANN dealt the bottom-up multi-stakeholder model a blow?

ICANN Staff and the registrars have been negotiating a new version of the RAA for the past 18 months following requests by Law Enforcement Agencies (LEA) such as Interpol for greater consumer protection.

With both ICANN and registrars working hard, by early this year agreement had been reached on 11.5 of the 12 LEA "asks".

A deal looked close.

Then at the last minute, ICANN threw extras at the proposed RAA, including an extraordinary provision for the ICANN Board to be able to force unilateral changes into the RAA at any time.

Imagine signing a contract with someone where that person can change the contract at any time, without your input, and you are bound by those changes. Crazy, right? Even crazier in the ICANN world, built as it is on the premise of bottom-up consensus, not top-down "we'll change your contract when we damn well feel like it" tactics.

Here's one we prepared earlier

Still, disagreement in negotiations is no big deal. Surely all both sides have to do is simply continue talking and try to iron them out, right?

Wrong when one side tries to push its way forward by publishing a draft agreement and portraying it as the result of these negotiations, even though that's clearly not the case and the other side has asked this not to be done.

This is what's happened today, with ICANN putting the current draft RAA out for public comment. "Given the agreement in principle over so many areas, there were two paths forward: continue negotiations to address points that have been raised multiple times by each side, or put the agreement out to the community now for public input on the finalization of the agreement," says ICANN in a statement issued with the draft RAA. "After the long period of negotiations, as well as the import of the 2013 RAA to the New gTLD Program, ICANN feels that it is very important to take the RAA proposal to the community."

At least no-one can accuse ICANN of not saying it like it is!

The registrars have put out their own statement decrying the way ICANN has handled this. "All of the items that have been agreed to over the past 18 months would, by themselves, produce an RAA that is vastly improved over the current 2009 version. Nearly all of the Law Enforcement requests that were endorsed by the GAC have been included, as well as the major items that were requested by the GNSO. That RAA would bring registrant verification. That RAA would bring enhanced compliance tools. Registrars must emphasize that the key differences between that RAA and the one currently proposed by ICANN are not issues raised by Law Enforcement, GAC or the GNSO but by ICANN staff (underlined in the original statement)."

Cart, horse, in that order

It appears staff have been driven to put the cart before the horse by Fadi Chehadé's desire to wrap the RAA issue up.

Chehadé named the RAA as one of his key deliverables when he formally took office late last year. Since then, he has surprised the community by introducing new requirements in the contract new gTLD registries will have to sign. Among them, the obligation to only use registrars that have signed the 2013 RAA. In other words, under Chehadé's instructions, ICANN is attempting to tie down new gTLD operators to a registrar contract that is still being negotiated.

No wonder Chehadé wants these negotiations done sooner rather than later. Registrars feel this "surprise announcement that all new gTLD registries must only use registrars that have signed the 2013 RAA" is nothing more than "a transparent effort by ICANN to arbitrarily link the new gTLD program to the outcome of RAA negotiations." If enacted, they fear the requirement would create separate classes of registrars. "This is unprecedented in the DNS industry," they say. "There can and must be only one meaning of 'ICANN-Accredited'".

Worse than this, registrars feel the attempt by ICANN to give its Board power to unilaterally amend the RAA could affect the multi-stakeholder model as a whole.

"ICANN insisted on including a proposed Revocation (or "blow up") Clause that would have given them the ability to unilaterally terminate all registrar accreditations," registrars explain in their statement. "After major pushback, ICANN staff relented and in its place proposed giving the ICANN Board the ability to unilaterally amend the RAA. This is identical to what ICANN inserted into the proposed new gTLD registry agreement — a clause met with strong opposition not only from the Registry Stakeholder Group but from the broader ICANN community."

So this is the real blow-up clause. "The effect of such a clause in the primary agreements between ICANN and its commercial stakeholders would be devastating to the bottom-up, multi-stakeholder model," the registrars argue. "First, it will effectively mean the end of the GNSO's PDP, as the Board will become the central arena for all controversial issues, not the community. Second, it creates an imbalance of authority in the ICANN model, with no limits on the scope or frequency of unilateral amendments, and no protections for registrars and more important registrants."

Red alert

I founded and ran a registrar for more than a decade. Today, as a consultant to the domain industry, I represent a registrar (NetNames) in the Registrar Stakeholder Group. Clearly, I am biased towards the registrar point of view in this debate, and this is probably the way some will read this article.

But others know I am first and foremost a passionate defender of the multi-stakeholder model.

Through 2 years of chairing the GNSO (up until last October) I always sought to defend that ideal when it was put under pressure.

And since stepping down as Chair and getting my voice back, when the model is attacked I have spoken out to defend it. When Chehadé launched headfirst into the Trademark Clearinghouse discussions, I warned of the dangers of this approach and was impressed when he later recognised he may have been a little too hasty.

With what is happening now on the RAA, isn't it time to sound the alarm bells once again? Chehadé seems to be adopting a "Janus approach" to solving ICANN issues. Publicly, he is engaging and energetic, and I have gone on the record saying how much good I think the new CEO is doing for ICANN's image worldwide.

But in his more direct dealings with ICANN's constituencies, Chehadé seems to think that the end justifies trampling the model.

Sure, ICANN has its problems, and sure, everyone can only welcome a determined leadership approach to solving them, but for the unique governance experiment that is ICANN, this bidirectional approach risks making the cure look worse than the disease.

Written by Stéphane Van Gelder, Chairman, STEPHANE VAN GELDER CONSULTING

More under: Domain Names, ICANN, Internet Governance

Google Bows to Pressure on Closed Generics

Fri, 2013-03-08 20:15

The debate surrounding "closed generics", which has been covered several times in the past, has attracted a lot of attention in recent weeks.

At the centre of the debate were a number of new TLD applications from large companies including Google, Amazon and others.

Google had stated that they planned to establish a number of domain extensions and operate them as "walled gardens". At the ICANN public meeting in Toronto, Google attempted to defend their plans, and until today their position was unchanged.

However, in their submission to the comment period on "closed generics" this evening, it's obvious that they have been forced to reconsider that position in relation to some of their applications, though their overall view remains unchanged:

After careful analysis, Google has identified four of our current single registrant applications that we will revise: .app, .blog, .cloud and .search. These terms have been identified by governments (via Early Warning) and others within the community as being potentially valuable and useful to industry as a whole. We also believe that for each of these terms we can create a strong set of user experiences and expectations without restricting the string to use with Google products.

With this in mind, we intend to work with ICANN, the Government Advisory Committee (GAC), and other members of the relevant communities to amend our applications with new registration policies (and, in some cases, new registry services) to achieve these aims. Details of these plans will be forthcoming in the near future.

How that will translate into a policy and whether or not they will actually be granted the ability to run the domain name registries for these domain extensions remains to be seen, but the quite dramatic change in their position is welcome.

You can read their full submission here.

Written by Michele Neylon, MD of Blacknight Solutions

More under: Top-Level Domains

Time to Take Stock: Twelve Internet and Jurisdiction Trends in Retrospect

Thu, 2013-03-07 21:13

With the growing tension between the cross-border Internet and the patchwork of national jurisdictions, it becomes crucial to keep track of key global trends that drive the debate on appropriate frameworks.

One year ago, the Internet & Jurisdiction Project initiated a global multi-stakeholder dialogue process on these issues. To provide a factual basis for such discussions, it established an Observatory, supported by a network of selected international experts, to detect and categorize relevant cases via an innovative crowd-based filtering process in order to identify high-level patterns.

The following twelve trends are based on an evaluation of the first edition of the Internet & Jurisdiction Observatory case collection that features the 220 most important cases of 2012.

* * *

I. THEMATIC TRENDS

Pacesetter: National copyright enforcement

The cross-border Internet naturally challenges the geographic nature of Intellectual Property Rights. As illustrated by national ISP blockings of torrent libraries, graduated response schemes and proposals for multilateral cooperation treaties, copyright has become a major pacesetter for the enforcement of national jurisdiction over the Internet. Several proposed measures raised significant human rights and privacy concerns, as exemplified by the SOPA/PIPA bills and the Anti-Counterfeiting Trade Agreement (ACTA), which was rejected in the EU's jurisdiction in July 2012.

Cloud-based services: Global platforms versus local privacy laws

Different conceptions of online privacy clash as states and sub-national authorities increasingly try to enforce their laws on cross-border platforms. Local standards can extend globally if the operator of a platform is established within the territory of a given jurisdiction. Thus, the US Federal Trade Commission and the "Sponsored Stories" Facebook settlement in California de facto determine opt-out and consent privacy rules for all international users. At the same time, a growing number of states demands local compliance: In the EU, privacy commissioners examine Google's 2012 Terms of Service changes and Facebook deleted all facial recognition data of EU users in reaction to an audit by the Irish privacy watchdog and investigations by a regional Data Protection Authority in Germany.

Hate Speech: Viral outbursts and digital wildfires

In the absence of appropriate cross-border standards for takedown norms and procedures, viral online outbursts and "digital wildfires" of hate speech across multiple jurisdictions have become a major concern. The Innocence of Muslims video on YouTube, and "doctored images" that caused unrest in Indian regions showed that solutions like entire platform blocks via national ISPs can be disproportionate and do not take the granularity of online content into account.

In Search of Standards: Defamation and libel tourism

Prominent online defamation cases are on the rise, while criteria for liability, publishing locations and adjudicatory jurisdiction remain vague. In Australia, Twitter was directly sued as the publisher of a defamatory tweet that was sent by one of its users. In the UK, a citizen of New Zealand won a Twitter defamation case against an Indian citizen residing in England, and a former British politician took action against 10,000 Twitter users who tweeted or retweeted a false rumor. Moreover, a bill in the Philippines and demands by Swedish authorities indicated the growing trend of criminalizing online defamation.

II. TRANSBOUNDARY IMPACTS OF SOVEREIGNTY

Still Neutral? The DNS as Content Control Panel

There are attempts to leverage the Domain Name System (DNS) layer to enforce national jurisdiction over foreign online content when the DNS operator is located within a state's territory. A US court ordered VeriSign, the manager of .com, to take down the Canadian bodog.com site. The US Immigration and Customs Enforcement (ICE) seized without a court order the .com and .org domains of the Spanish link library Rojadirecta because the domains had been bought through a US registrar, although the site had been declared to operate legally by courts in the Spanish jurisdiction. ICE subsequently released these domains without explanation. This potentially causes transboundary impacts of national sovereign decisions.

Limitless Sovereignty? Jurisdiction over foreign citizens

Extraterritorial extensions of jurisdiction over foreign citizens are rising in the absence of clear competence criteria. In California, a series of similar copyright cases was divided between two judges. They disagreed on having personal jurisdiction over an Australian resident. The actions were filed by a Korean rights holder, which argued that the defendant's use of US-based social media platforms constituted a sufficient connection to the American jurisdiction. Are there limits to the exercise of sovereignty over a shared common infrastructure?

III. FRAMEWORKS AND PROCEDURAL INTERFACES

National Laws vs. Platform Rules: The role of Terms of Service

Terms of Service provisions regarding freedom of expression, defamation or privacy increasingly morph into the law of "digital territories". Tensions arise, as Internet users are both subject to the laws of their jurisdiction and to the rules of the platforms they use. In Brazil, Facebook deleted the account of a topless female rights protestor for infringements of its Terms of Service. Meanwhile in the US, Twitter refused to disclose the identity of Occupy tweeters to authorities since its Terms of Service specify that the company does not own tweets.

Lack of Interoperability: Procedural interfaces and MLATs

Enforcing territorial sovereignty can carve up the Internet. Due process for takedowns, seizures or LEA access to private data emerges as a major concern for all stakeholders, but viable interoperability frameworks to manage the Internet commons do not yet exist. In search of solutions to handle state-platforms interactions, India called for a dispute resolution forum attached to the UN after local riots were triggered by online content. Pakistan claims to be obliged to continue the DNS block of the entire YouTube site for one objectionable video, due to the lack of appropriate procedures in the absence of an MLAT regime with the US.

IV. TECHNOLOGIES AND TOOLS

Data Territoriality: The Location of servers matters

Despite the global availability of most cloud-based platforms, the location of their data centers matters. Thus, US authorities seized the file locker Megaupload via its US-based servers, although the Hong Kong-based platform was operated by a German citizen residing in New Zealand. Equally enforcing national jurisdiction over servers, Ukrainian authorities shut down a platform operated from Mexico. Wikipedia explained that it does not operate servers in the UK because of certain jurisdictional risks due to strict local defamation laws.

Localizing the Internet: Geo-IP filtering and cc-TLD migration

Facing difficulties in simultaneously respecting 192+ national laws, cross-border platforms create "localized experiences" to be in compliance with territorial laws. Twitter developed a tool to block unlawful content in certain jurisdictions through geo-IP filtering and used it for the first time to block a Nazi account in Germany. Google's Blogspot uses the DNS and launched an automatic cc-TLD redirection scheme to prevent cross-border impacts of local compliance on platform users from other jurisdictions.

Cybertravel: The legality of proxies and VPNs

The ability to freely cross jurisdictional borders on the Internet is being challenged as states strive to enforce local laws online. The spread of ISP domain blocks and geo-IP filtering increases the use of VPNs and proxies to circumvent national access limitations. Whereas a New Zealand ISP offers "US Internet" by default, cybertravel technologies are becoming increasingly contested or criminalized as China, Russia and Iran target VPNs. Likewise, The Pirate Bay proxies in the UK and the Netherlands are being shut down.

Notice and Staydown: The rise of automated filters

Courts increasingly demand the use of automated filters on cross-border platforms to ensure that content complies with local jurisdictions, especially in cases where the same or similar infringing content is uploaded again. An Argentinean judge ordered Google to "permanently" remove defamatory pictures of a model. Concerning copyright, views diverge as a German court ordered YouTube to develop a notice-and-staydown mechanism for protected songs, while a French court ruled that upload-filters are unnecessary.

Download the "2012 in Retrospect" Case Collection

Written by Paul Fehlinger, Manager of the Internet & Jurisdiction Project

More under: Internet Governance, Law
