GNSO Registration Abuse Policies Workshop
Tuesday, 3 March 2009
ICANN - Mexico City
>>MARGIE MILAM: Hello, everyone. We are going to get started. We've got about an hour and a half to cover registration abuse issues, and hopefully we can get a lot of input from you guys and perhaps finish the program a little earlier. I know many of you probably want to get out. I'm Margie Milam, and I'm in the policy department at ICANN. And we're here to talk about, today, registration abuse and policies that could be developed to address abuse. And the purpose of this workshop is to get input from the community as to what kind of abuse is out there, what constitutes registration abuse and whether policies can be developed to address registration abuse. And so we'll get started with the agenda. The agenda, we'll talk a little bit about the background of this issue, and then we'll go into a description of what constitutes registration abuse, and we'll have a lively debate over what various parties think registration abuse is. And then we'll go into best practices and current experiences, and you will hear from a number of panelists regarding how they deal with abuse at their organization. And then we will finally close with a discussion about the way forward and what the role for ICANN is. And just some logistics. The microphones are very difficult to use, so if you speak, speak directly into it so that the transcription can be properly recorded. And please feel free to ask questions. This is meant to be an interactive discussion. It's not meant to be a just one-way presentation. And with that, I will introduce Marika from the policy department at ICANN. Okay. We are going to pass a sheet, just to get a list of attendees. It's probably best not to introduce everyone here because it will take some time. And we do want to encourage you to join the working group if you think this is a topic that you think you would be interested in participating. And you will hear more about that today.
>>MARIKA KONINGS: Okay. So I just want to provide you with a very brief introduction and a bit of background on this issue, especially for those of you that may be new to it and just a bit of the history in the GNSO light. So basically we have got a request to develop an issues report on registration abuse, specifically asking to identify what the current provisions are in registry and registrant agreements with relation to abuse. And as well, looking at has this issue been discussed before in ICANN context, and as well looking at what aspects might be in scope of GNSO policy development. So basically we put together a report, trying to look at the different registry agreements and registrant agreements. And we basically found that there's actually no uniform approach by registries and registrars to address abuse. Many of them do have abuse provisions in their agreements, but there doesn't seem to be an accepted definition of what constitutes abuse and no distinction is made between registration abuse and domain name use abuse. There are actually a number of registries that don't have any provisions, but this doesn't necessarily mean that they don't do anything about abuse. It's something that we didn't have the time to address in this issues report. But we did find that it is needed to do further research on this issue because to understand how these abuse provisions are actually implemented, if they actually work, do registries and registrars deem they are effective in helping them address abuse. But we did also find that the request for the issues report didn't raise a specific policy issue. It just asked us to look at what provisions currently exist. And in our view, to do effective policy development, you need to identify a clear issue to make sure that policy development is suitable for that.
So I said before, we couldn't distinguish from the issues report whether more uniformity in provisions is actually necessary to facilitate the technical reliability or operational stability of the Internet is within ICANN's mission. And there are some definition questions as well, like what is registration abuse versus domain name use abuse. So following a review by the council of this report, they decided to create a drafting team to develop a charter for a working group that would review these issues in further detail. And this working group gathered for a couple of meetings, and several members are sitting here around the table and will talk to you further on this issue. But I think the feeling was very clear in the working group that the information we found in the issues report, it was too early to actually start a policy development process. There was more work needed to actually look at what is the issues we're trying to address, what are the problems we have seen, are these issues within ICANN's remit, and if so, what will be the proper way to go forward. Is policy development the right way forward? Contractual changes? Best practices? So basically the group proposed a charter for a working group to come together and look at these issues. In combination with that, the group received as well an invitation from the SSAC, and we'll be talking more about that later on, to collaborate on an issue that the SSAC is currently working on on the reporting of abuse. And they would like to have some collaboration, particularly from GNSO constituencies and especially the working group, to look at this issue and see what can be done in this area. So basically the task of the working group is looking at scope and definition of registration abuse. And again, we'll come back to that in the next session. How can we distinguish this from registration abuse from domain name use abuse, which would only look at the content-related issue.
I said before, additional research is definitely needed and really identifying the concrete policy issues, and making a recommendation to the GNSO council, which if any issues would be suitable for policy development. The recommendation was to have SSAC participation and collaboration, and this workshop is one of the first deliverables of the working group as really a starting point for starting the discussions with the community and get broad input on this issue. And again, as Margie said, we would all invite you to join the working group and be part of this discussion. So again, if you want to join, speak to Margie or me and we will put you on the mailing list.
>>MARGIE MILAM: I am going to talk a little bit about the contractual provisions that are in the registry and registrar agreements, and give you a little bit of background as to whether policy or best practices can be developed under the current contractual framework. Essentially, consensus policies, for those of you that aren't familiar with the contracts, are policies that are binding on registries and registrars, and they are generally based on a very specific set of defined issues. And it's actually in one of the provisions, Section 4.2 of the Registrar Accreditation Agreement, and there's similar provisions in the registry agreements. And these consensus policies are typically developed in accordance with the policy development process. It's interesting to note, though, that the GNSO is free to provide advice on other issues related to gTLDs, but this advice may or may not be enforceable under the current contracts. And so one of the challenges we have as a working group is to understand what kinds of policies or guidelines or best practices might come out of this group. And if so, whether there's a placeholder in the contracts to allow enforcement.
For example, on the Registrar Accreditation Agreement, there's another provision whereby every registrant is required to agree that its registration is subject to suspension, cancellation or transfer under any ICANN-accredited specification or policy, or any registry or registrar procedure. And it specifies in the Registrar Accreditation Agreement that that can be done to correct mistakes or for resolution of disputes concerning the registered name. So this is just one example of some of the contract provisions that we'll probably be looking at in this working group to look at the registry agreements and the registrar agreements, to see whether policy can be developed, and, if so, whether it would be binding on the parties. From the issues report, it was noted that there's no universally accepted definition of what constitutes abuse, and there doesn't seem to be a difference between the registry and registrar policies between a registration abuse and domain name abuse. So one of the debates we're going to have in this working group, and we are going to talk a little bit more today, is how you distinguish between a registration abuse, and purely a domain name use -- a nondomain name use abuse such as a use or content. And that's one of the concerns that we have to deal with, is whether it's within the scope of ICANN mission to deal with some types of disputes, because it may be too broad, like content, for example. In Section 4.2.3 of the Registrar Accreditation Agreement, there's a placeholder that says that consensus policies can be established on resolution of disputes concerning the registration of registered names. And then it actually says, "as opposed to the use of such domain names, including where the policies take into account use of the domain names." So this language is a little unclear as to how it applies.
And one of the things that we'll be talking about is how you distinguish registration of a domain name and use that's related to that as opposed to pure use of a domain name. To delve in a little more detail, we can look at past policy to see how this has been implemented. And the UDRP, for example, is a policy for the resolution of disputes concerning the registration of registered names that takes into account the use of domain names. And it's not viewed as a policy that is for the resolution of disputes concerning the use of registered names. So in other words, the UDRP is a policy that is related to the registration of domain name, but also takes into account use. Other examples might be where a policy might possibly be developed. It relates to information such as false WHOIS or violating trademark rights, or registration of name or -- such as domain tasting. But where we would be talking about something that's purely content based, such as perhaps copyright or defamation, that may be outside the scope of ICANN policy-making. The objective of the working group is to really define what domain name registration abuse is, and to clarify how that's different from abuse that arises solely out of the use of a domain name while it's registered. And this isn't an easy task, and this is what we will be talking about today, is how you make that distinction, because we don't want to have a policy that goes beyond the scope of what's allowable under our rules. And so we need to identify which aspects of domain name registration abuse are within ICANN's mission to address and to see whether they fall into the set of topics on which policies can be established. And so later on today, we'll be talking about the types of abuses that might constitute registration abuse to see whether that's something that the community would like to explore further. And so now we're going to turn to a discussion with Mike Rodenbaugh and Greg Aaron about what constitutes registration abuse. 
>>MIKE RODENBAUGH: Thanks, Margie. So can you go back to your slide that starts with eg, UDRP. I'm sorry, I am Mike Rodenbaugh. I am a GNSO councillor from the business constituency. I am a trademark attorney, and a business attorney. So you know this says that some view this as -- what does it say exactly? Some view it as not a policy for the resolution of disputes concerning the use of registered names. Well, I don't know who those -- well, I do know who some of those people are. They are just wrong. They are not reading the policy, and they are not looking at the thousands of cases that have been decided under the UDRP. And I will walk you through this. Bottom line, the language in the RAA that you cited on the previous slide, it's like so many other provisions of the RAA. Almost nonsensical, and certainly in need of amendment. It's just, to me, fundamental that you cannot have abuse of a domain name until it's been used. There's no way you can tell with certainty at the point of regulation that a domain name registration is going to be abused. It's simply impossible.
>> (off microphone).
>>MIKE RODENBAUGH: Go ahead, Rick. I have got more argument here first.
>>MARGIE MILAM: Give your name, please.
>> My name is Rick Wesson, and there's actually some excellent recent use cases of domain names where they're registered with the express use for malicious and nefarious activities. Very recently.
>>MIKE RODENBAUGH: Conficker, you are talking about?
>> There's also Torpig. There's actually a whole number of domain names --
>>MIKE RODENBAUGH: That's a valid point. Recent cases, we have actually seen malware writers, as I understand it, code into their malware that they are going to register this list of names in the future. So okay, it's pretty clear that those are going to be abused. But until a month ago, I'm not aware that there have ever been situations like that. But you guys are certainly more expert than I. Kristina, go ahead, but I do have more.
>>KRISTINA ROSETTE: Well, I mean -- and I think this is indicative of kind of the work the group has ahead of itself. I actually disagree. I think there are some instances where you can tell from the registration alone. For example, I represent the National Geographic Society. When somebody registers National Geograpphic, with two P's, dot com, they don't need to use it. There's no legitimate use of that name that can be made. And I think your point -- I think your point is very well taken about the UDRP. I think it's absolutely important to note that, I think, those two are almost inextricably intertwined.
>>MIKE RODENBAUGH: I will go through those provisions, but I will point you to the case that eNOM won recently. Philbrick's Sports where a court held totally against what you just said recently. I, obviously, Kristina, agree with you; right? When people register Yahooosports with three O's, I take the same position that you take. But you used another example yesterday of eBayy.com with two Y's, and it's perfectly possible, I suppose, for there to be some sort of organization out there with the initials eBayy with two Y's. They could potentially have a fair use. I think there's been other decisions that have held that you can register names that are identical to a trademark, and so long -- in fact, there are plenty of decisions along these lines, and so long as the content on the site is a fair use -- for gripe sites, for example -- a trademark owner has no claim. So let me just, before we take some more, I do want to read through the exact language of the UDRP which has been incorporated into the RAA, which has been incorporated into every registrant agreement of every gTLD since at least 1999. And so since those have all been renewed by now, it's in every -- it applies to every gTLD registrant, period. So Section 2, (inaudible) Representations.
By applying to register a domain name or by asking us to renew it, you represent and warrant to us that, blah, blah, blah, among other things, Section 2D, you will not knowingly use the domain name in violation of any applicable laws or regulations. Period. Then you go to Section 4A which says, "What are the applicable disputes under this policy?" And so basically you are required to submit to mandatory administrative proceeding arbitration if somebody complains that your domain name has been registered and is being used in bad faith. Wait, there's more. Actually, at least two more sections where use is mentioned. It says evidence of bad faith use, one of the four enumerated circumstances, and there are others, it is not exclusive, but one of them specifically is by using the domain name, you have intentionally attempted to attract for commercial gain Internet users to your Web site by creating a likelihood of confusion, blah, blah, blah. And there is 4C3. One more. That's all I'm going to say. There is actually a defense, as well, based on use, which is 4C3. It's a defense, if you are making a legitimate noncommercial or fair use of the domain name without intent for commercial gain to misleadingly divert consumers or tarnish the trademark. I will leave it at that, and let's hear some more discussion.
>> Hi. Jeff here from eNOM. So one of the points I wanted to bring up was, Kristina, you said your National Geograpphic example, and you said you can't see of any use, but what if I was a huge fan of National Geographic and I registered it and I deleted the name servers and I wanted to protect the domain? Would that be an abuse of registration?
>>KRISTINA ROSETTE: I would say yes.
>>GREG AARON: Thank you, Jeff. Steve.
>>STEVE CROCKER: More specifically, it would seem to me that it would be up to the domain holder of National Geographic to say not for it to be an automatic response from the registrar or from ICANN or some such, but then the case would be very strong, I would think.
>>GREG AARON: I am going to jump in for just a minute. I am Greg Aaron, I am with Afilias. I am the director of account management, which means I run dot info operations. And my other title is director of domain security. So as someone who operates a TLD, I have some experience with registration issues, and then as someone who deals with crime and so forth on the Internet, I have some experience on the other side of the line. So I have these few questions. What does abuse mean? And then what is that line, and is it clearly understood, what's the line between registration issue and a post-registration or use issue? Now, I think we're fortunate that we do have some examples that we can all agree on. And those are policy issues that ICANN has visited in the past. And a couple of examples would be as follows. WHOIS is clearly understood to be within ICANN's scope. We have contractual obligations for people to submit valid WHOIS information, for example. We have also had PDPs on WHOIS data reminder policy, WHOIS marketing restriction policy. We have had two PDPs on grace period issues. One of those was the recent AGP limits policy, which basically was to explore the issue of domain tasting, which was determined to be an unintended use of the add-grace period as it was originally intended. We have an inter-registrar transfer policy. One of the questions is going to be what are other examples out there? And that's something this working group is going to need to work on. I'm going to emphasize that this is not yet a policy development process. I think the word "policy" in our group's title refers to some existing policies.
As we saw in the earlier slides, we have policies that exist in current contracts, for example. So we're going to have to examine these theoretical issues of what these definitions are. And hand in hand, we're going to have to look at some specific examples and have those put on the table so we can understand some of the implications.
>>MARGIE MILAM: Anyone else want to comment? Dave?
>>DAVE PISCITELLO: This is Dave Piscitello, ICANN staff. I'm curious that criminal activity hasn't come up yet. Are we just ignoring the elephant in the room or -- (Laughter).
>>MIKE RODENBAUGH: First of all, I quoted the representation that every registrant makes to that fact. So it has come up briefly. But, yeah, we're getting there with respect to best practices.
>>GREG AARON: Now it's on the table, Dave.
>>MIKE RODENBAUGH: We want to hear from folks in the room, particularly those not on the working group. Feel free to chime in. What is your opinion about where do we draw this line, this very weird fuzzy line in the RAA, I suppose? And how do you reconcile that with the consensus UDRP? Rick?
>>RICK WESSON: I think the discussion around what is malicious is a very interesting conversation. But it's very difficult to do, especially with the international scope that that brings. But I think there are some bright lines that you could identify as malicious activity that may not be criminalized in various jurisdictions but severely impact Internet infrastructure and Internet vulnerability. And I would suggest that we start there.
>>TIM RUIZ: Tim Ruiz with Go Daddy.
I would like to express a concern about or encourage the group to consider is, you know, as you're looking at, you know, what parts of this research, you know, results in things that perhaps you think, you know, policy could address, others that maybe are best addressed by best practices, just keep in mind what we don't want to do is create a policy that ends up being a limiting factor or an excuse that a registrar can use and say, "Well, you know, I'm doing what the policy says." So there's no effort to cooperate or go beyond that. That would be one concern I have, and just encourage you to consider that.
>>MARGIE MILAM: Comments?
>> I had one question. Is the goal for the working group to figure out what the definition of the word "abuse" is? Is that the ultimate goal here?
>>MARIKA KONINGS: No, the object is to look at this question but also recommend to the GNSO council what issues, if any, would be suitable for policy development. This could be a recommendation saying, look, these are a couple issues we've identified that we think are suitable for policy development. These are a couple issues that we've identified that need further work or further research. These are some issues we think need to be done in cooperation with others. So the group is not expected to come up with solutions or concrete policy recommendations but more recommendations which issues should the GNSO council consider for further policy development.
>>MIKE RODENBAUGH: But important note on that. It's that further policy development does not necessarily need to result in mandatory requirements. It could very well end up in recommended best practices.
>>MARGIE MILAM: Fabricio, you have a comment?
>>FABRICIO VAYRA: Speaking of bright lines and talking about the UDRP, one thing that always comes up -- and I don't know if this is a solution or question or a statement. But we run across this issue all the time where we file UDRPs against mass squatters.
By mass squatters, I can give you an example. Recently we filed something about BWI, domains who runs various aliases, who has been party, losing party, related to multiple UDRPs. We prevailed in that UDRP, and within the next day they went out and registered more infringing domain names. One bright line rule that you might want to start thinking about is people who are recidivist actors in this area, maybe they should be cut off or at least forced to come up with a new name. Do something to make it a little more difficult. Because these guys, basically, continue going. And it's something very easy to identify. You could do a search right now on BWI domains and get dozens of lost UDRPs. So maybe to cut those names off.
>>MIKE RODENBAUGH: It's a great suggestion. In fact, it's been adopted in U.K. for Nominet. And you could, basically, have a much easier path, much cheaper path to a decision, much faster path to a decision under their processes. Because of that.
>> In trying to parse through the --
>>MARGIE MILAM: Can you give your name, please?
>> Oh, Philip for the Internet Commerce Association. As we try to figure out what the mission here is, trying to parse the language and thinking about this, clearly it says it's not the role of this working group to look at abuses that arise solely from the use of the name. The key word there is "solely." And the way I read that is that the fact that you registered a name -- of course, no name -- domain name can exist without being registered -- is not sufficient, if you're using it for a bad act that we have to be focusing -- I think the way I read that is that we need to focus on abusive practices in the registration process itself as separate from any subsequent use. The other thought I've had based on the conversation so far in the criminal area, obviously, criminals are people who don't care about breaking laws.
They intentionally break laws, and folks who register domains and use domains for distribution of malware, phishing and other financial frauds, distribution of child porn and other highly objectionable content clearly don't care about the laws. And I think ICANN's role -- ICANN can't be the cop of the Internet. They're not equipped to be a law enforcement agency. Their proper role is probably to make sure that the responsible parties, the contract parties cooperate fully and facilitate cooperation with law enforcement. So at this stage of the discussion we're trying to figure out what the mission here is. Those are some thoughts I wanted to share.
>>MARGIE MILAM: Thank you. Now we're going to turn to best practices. We're going to have a number of speakers talk about their current practices. Start with -- we'll start with James Bladel from Go Daddy.
>>JAMES BLADEL: I'm James Bladel, and I'm with Go Daddy. Speak right into it. I'll have to turn my slides this way. I'm sorry, sir, I didn't catch your name earlier with your question.
>>FABRICIO VAYRA: Fabricio Vayra, Time Warner.
>>JAMES BLADEL: I think you raised an excellent example with respect to a repeat offender. And one of the things that we'll touch on in here with best practices is that, while a policy might shut down that kind of activity in a TLD or with a registrar, the kind of data sharing and data exchange that we're proposing in a best practices might spread through the ecosystem a little bit faster and give that person fewer places to hide. So just a thought here, but we'll touch on that later in that policy. Can we go back one slide, please. So I wanted to touch on four very generic topics that could be said to constitute registrar best practices with regard to abuse. First one is kind of self-evident. Have an abuse team. The second one would be to make sure that you're aggressively and comprehensively collecting relevant data and retaining that. We'll get into some of the specifics there in a moment.
Since a lot of bad actors out there are using toolkits or automated processes to gain entry to an abusive position, we need to make sure that we frustrate those automated attempts. Finally, and most importantly, form relationships with other players in the industry upstream and downstream, both within and outside of ICANN. So establishing an abuse team -- and for those of you on Monday that attended the SSAC meeting, there was a very timely paper released by the SSAC on this detailing how it can be a challenge to sometimes navigate a registrar site to find an abuse point of contact. I think making sure that that's available to anyone who might make -- I'm going to say legitimate use of an abuse contact is important. And it should be staffed 24/7. I know that that's going to sound crazy coming from a large registrar. But there are answering services and paging services that are pretty reasonable, and I think that that's not a tall order. Recruit and train expertise within your abuse team, folks who understand the threat environment and who understand what the different mitigation techniques are. And then develop formal and consistent procedure to identify, investigate, and suspend domains in the registrar's zone. Data collection. This is a very critical element. You want to ensure that you're capturing all relevant records for any domain affecting transactions. And this is something like, you know, can be basic like a customer or contact name. But also, you know, the time, the date, the source IP. All of these things could help to build a case or establish a pattern. And then, of course, maintain all of these in an incident database so you can provide some sort of analytical analysis. And new accounts and registrations could be screened against red flag indicators as bad actors. And this kind of goes to the point that you were raising just a few minutes ago. 
To put speed bumps in the path of folks who are using automated systems to conduct abuse or attacks, we recommend that you monitor and investigate frequent nameserver updates for domains that don't have prior permission. This is the fast flux example. Ensure that you're monitoring or investigating bulk or rapid registration patterns. You know, just a real generic example. If someone changes the password on an account or does a password reset and then 48 seconds later transfers away 100 domains, somebody should be looking at that type of transaction. It may be legitimate, but it's suspicious. And where appropriate -- if you go back one, please -- to deploy CAPTCHA systems in the registration or purchase path to make sure you're dealing with a human on the other side. And, if you have API services and things of that nature, that's great. You probably know those people, and they're under a stricter agreement. But CAPTCHAs can help in this regard. So forming relationships, collaborating, you know, build relationships with registries, registrars, but also ISPs and law enforcement agencies. Monitor and contribute to data sharing. There are various informal and formal data sharing systems out there ranging from mailing lists, which I know we monitor, to some more formal exchange systems or different black lists that are passed around. If you have other areas in your business, whether it's a reseller agreement or hosting product, make sure that your terms of service or your acceptable use policies are aligned with your registration policies. And, you know, participate. ICANN is one good step. But there are others. There's payment card industry. There's APWG and the Registry Internet Safety Group. And this is where you can learn more, collaborate, and even set up more data sharing agreements. So this is just kind of an idea of what some of the -- what a registrar can do unilaterally on its own to help guard against that type of abuse.
>>JEFF NEUMAN: I'll try to go quickly, too. So we can go to the next slide. My name is Jeff Neuman. I'm with NeuStar. And I was going to talk about what we do at a registry level, which, again, just remember at the registry level, we don't have a relationship with the end user or the registrant. So for a registry to take action has got to be significant. Why did we get involved? We got involved in 2006. We were the first gTLD registry to actually get involved in this kind of manner. Essentially, what had happened with the dot biz domain was that we noticed that dot biz itself was put on a number of black lists from ISPs. So legitimate dot biz owners were not able to send e-mail or other people weren't able to receive e-mails from people that had dot biz address. So what we did, essentially, is kind of weighed the pros and cons. There's a lot of registries out there that were kind of saying, well, we don't want to incur liability by just taking a domain registration down. We thought in order to protect our brand and to make sure that our legitimate end users or legitimate registrants could actually use the domain, we decided to actually take some action. You want to go to the next slide. Essentially, the way we define abuse at the registry level, we actually did in 2006 with the renewal of the biz agreement. We have appendix 11, which defines a bunch of restrictions for the dot biz domain. In appendix 11 we added a provision that said using the domain name for -- using the domain name for the submission of unsolicited bulk e-mail, phishing, pharming, or other abusive or fraudulent purposes was a violation of the biz restrictions. We also have a provision in our agreement that a number of registries share, which is that we reserve the right to deny, cancel, place on registry, lock or hold or transfer any registry that we deem necessary in our discretion, one, to protect the integrity and stability of the registry. And then there's two others. 
And then you go to number 4 which is to enforce at its sole discretion any of the restrictions above. It's important to note that our definition of abuse does not include IP infringement, defamation, or any other content or use of a domain name. And that's important because, you know, we're not experts in that field, right? We don't -- I don't know how to -- I'm a trademark attorney, so maybe I could evaluate some cases of infringement. But in general we're not a judge or jury. We're not WIPO. We don't have that experience to make those kinds of determinations. So specifically with respect to things like phishing, pharming, malware, botnets, we go through a process that's outlined on that diagram. I know it's small for people to receive. But, essentially, we receive a complaint or actually in the last two years we have a program where we proactively go out there and look for incidents of phishing, pharming, malware. We conduct our own investigation. We actually have a laboratory in-house where we're able to test out the domains. You know, normally, when you get alerted to a phishing or pharming, you don't want to click on the link because, obviously, you can subject your own computer to a number of evils that are associated with that domain. So we have several computers that are set up basically on its own network so the only thing that gets destroyed are those computers and that little network which we can continually wipe out. So we basically perform an investigation. That also includes things -- James actually was indicating we belong to a number of lists. There's a number of sources out there. We have connections with law enforcement as well. And we analyze the data. And what we do is, if there's issues found, we notify the registrar. We also could notify CERT agencies or law enforcement agencies as well. If you go on to the next slide. So, if we decide to take action, essentially we verify that it's being used for phishing, pharming, et cetera. 
We send a report to the registrar that sponsors that domain name registration. And that report is pretty extensive as to all of or most of our findings. And we basically indicate that to the registrar that we found this domain to be used for phishing, pharming, et cetera. And we give the registrar, essentially, 12 hours to take down either -- take down the domain name. If they don't take down the domain name within 12 hours or they just don't respond, then we will do it for them. So it's essentially an automatic take-down. It's not a deletion of the registration, but it's essentially automatic where we're not going to wait, if the registrar, you know, is just not responding or in some cases we found complicit in the activity, we take the name out of the zone. We found, especially over the last two years or so, that actually most of the registrars -- I'd say a great majority of the registrars actually do do the take-down themselves. Either it's because of the information we provide them or the registrar does its own check. In a good majority of the cases -- and I would estimate -- this is not a hard figure, but somewhere around 90% of the notes that we sent out to registrars are responded to by the registrar in taking the name. It's important to note, especially to a lot of people in the community that have been raising issues about registrant Bill of Rights due process and all that fun stuff, we've taken down thousands of names, tens of thousands if not over a hundred thousand names in dot biz in the past years. And we've never had a lawsuit. In fact, we've never had a complaint, which is pretty good. And I think it's indicative of the fact that we do verify the complaints that we receive. So that's just what we do. >>MARGIE MILAM: Now we're going to turn to Kristina Rosette. >>KRISTINA ROSETTE: I don't have slides. I'll just talk a little bit based on talking with a number of folks in the trademark community. 
I should say that, first off, a lot of the information that I've gotten is from the Internet monitoring enforcement group that we actually run out of our London office that does software, piracy, phishing, pharming, et cetera. This is a huge problem for brand owners, not surprisingly. It's a huge problem for everyone, really in the stream of commerce. As resources become scarcer and scarcer, our team in particular -- and this is true of folks that I've spoken to, that it's becoming more important to them that there be a more uniform mechanism for them to pursue. For the most part, people have to rely really on ad hoc contacts and relationships with ISPs, with registrars, and some cases with registries. And particularly when you're talking about countries that don't necessarily -- to use your term, don't necessarily criminalize certain activity, it's increasingly difficult to get cooperation. And I would say the one point that really came across in talking with people about what would you like to see come out of this working group is that there's really a strong feeling that to the extent it's possible to come up with a policy, or at worst case a best practices that would really create kind of uniformity, central points of contact for a process that is fair. And that really does intend to focus and does focus on the bad actors and not inadvertently sweep in somebody whose site may have a page on it that's gotten affected by malware or botnet or whatever, that that is really, really important to the IP community. >>MARGIE MILAM: Now we're going to turn to Mike Rodenbaugh. >> MIKE RODENBAUGH: We are? A few thoughts on this. Registry contracts there are provisions in all of them, I believe, gTLD registry contracts, except for dot com and dot net. They're assigned contracts. 
That basically incorporate into the registrar/registry agreements and are just fundamentally in the registry agreements that allow the registry and the registrar to take action in response to abuse. I don't know why those are not in the VeriSign contracts, and they are in all the other contracts. Something that we need to figure out, explore, decide whether that matters and, if so, what we can do about it, if anything. So whole notion of best practices -- I mean, these guys should absolutely be commended for developing these best practices and putting them in place. There's no doubt about it. They're good companies and they have good reputations. So they take action in response to bad activity involving their products. But the problem, of course, is that there's plenty of ICANN contracting parties. I'm thinking primarily registrars here, because I know behind the scenes, VeriSign actually does take action in response to abuse. It happens for sure. But they don't have any policy, like Afilias or NeuStar, and they don't have any, really, requirements, apparently, to do that in their contracts. They do it anyway. But you have got a lot of -- you have got plenty of registrars -- too many registrars, put it that way, and there are resellers, more importantly, that don't take any action in response to abuse. That don't even have an abuse contact. So the SSAC has put out a good report on that. So, you know, as Tim Ruiz made the great point, I think, Monday morning in our meeting, best practices are really good so far as they can, but unfortunately, there's people that don't follow them. So my view clearly is we have got to find some subset of these best practices that have been adopted that were recommended by the APWG, that have been adopted by players in the industry and we have to make them mandatory so ICANN functions can take over when they are violated. >>MARGIE MILAM: Any questions? Okay. Fabricio. >>FABRICIO VAYRA: Fabricio from Time Warner. 
Mike, I agree with you, and I commend you guys on the best practices. And think that's amazing. If it was across the board, that would be great. Unfortunately, it's not. And what this turns into being, especially with as much money that's involved in the domain squatting world, these guys kind of go until the registrar doesn't do anything. So it turns into a situation we run into a lot with DMCA sites or copyright sites where we file DMCA. We file DMCA, the site goes down from the host, who complies, and then they just move it to another site, another host. And it just keeps going until you find a site that doesn't comply. And the same thing is happening with registrars, and I am not afraid to name a few. The jokers of the world and name views, and, yeah, it just goes on and on. And we know them. We know them by name. They make it difficult for us. They are suspected of registering their own names, they collude. They do all kinds of stuff. So, unfortunately, unless there is a way to actually force the best practices across your counterparts, we're kind of left with having to ask for policy implementation. >>MARGIE MILAM: You want to respond? >> I understand your point and it makes sense. We obviously do our best to keep our yard clean, but we can't chrome the entire neighborhood. One thing I would just throw out there is the idea that when something goes into policy, you might notice that my slides are pretty generic. We do a lot of things we are not going to put on a slide show in a meeting like this. Because it starts to run into the transparency issue a little bit. Do we want a policy that basically spells out what you should do, what you shouldn't do and lay out a blueprint for future bad actors to develop new abuses. So there is a question of how effective something can be, as well, once it's put out to the community like that. 
So it's just another thought and another angle of looking at -- I think ultimately, we want a policy that's enforceable and practical, and sometimes they become unworkable and unenforceable or unevenly implemented. >>MARGIE MILAM: Fabricio, quick comment. >> And I fully agree with you. I would much rather everybody clean up their own yards. It's much easier for us as brand holders and as companies to deal with when we have a good relationship with the registrar and we know they enforce their policies. When we contact Go Daddy, they go through the steps, when we contact other registrars and put in a false WHOIS, we don't have a problem with going that route. It's much easier -- It's much more malleable, as the industry changes, instead of having a set-in-stone policy to have a, basically, constantly changing clean-up-your-own-yard policy that works. So we would much prefer that. The question, again, is how do we get everybody to play ball and understand that this is a problem that they should be cleaning up their own backyards. >>MARGIE MILAM: Rick. >>RICK WESSON: Rick Wesson again. An observation and a comment. Something that I think would help the group is if you are able to document some statistics about the particular issues that you are calling malicious, and then understanding how those particular issues impact the situation that you are trying to do. I have observed ICANN for many years, and I can tell you that by the time that you develop your policy and that it's accepted, the threat and the issues that we're dealing with will have changed. And so understanding what the issue is today will hopefully influence the development of a policy that is flexible enough to deal with new issues that we haven't even thought of yet. I believe that's most effective when we can actually document how many, in some statistical terms, occur with different kinds or sizes of registrars. Certainly Go Daddy is very responsive, as almost all of the very large registrars. 
And the ones that have the least capability to respond are the ones that have the least number of names, the least number of employees, and potentially speak other languages or are in other time zones than the organizations that are trying to effect change against some particular threat. >>MARGIE MILAM: A question over here, comment. >> My name is Michael Young from Afilias. Just listening to everybody, and thinking a little bit about some of the -- it sounds like everybody is well aligned with the goals and the results that they would like to see out of things, but it's very challenging in many areas, how to effect this, particularly since, as many of you, I know, are lawyers in the room, feel that there are -- this whole discussion area is surrounded by contractual obligations and concerns and gray areas. Perhaps, since we keep talking about best practices over the last 30 minutes, the goal here -- or one of the goals could be really to develop a gold-seal standard that people can choose to comply with, have a criteria by which they have to match to earn that status or ranking so it's a motivational thing. And that allows for flexibility, because this is a moving target. You know, you define ways to prevent or control undesirable behavior, and bad actors shift to another tactic. So a gold-seal type of standard approach might give that kind of flexibility. But it's just a thought for everyone to consider. >>MARGIE MILAM: Fabricio. >>FABRICIO VAYRA: To add to both of these comments, I think it's a great idea. And one way to document who the non-gold seal standard people are is using the WDPRS that's come out, which is basically, as false WHOIS complaints and the like are reported, if they are not actually addressed by the registrar, then they can be called out, put on a list, whatever it is, not accredited under gold seal, so you can identify who the good registrars are and who the bad ones are. 
And then take that further when the compliance office actually goes in, under whatever amendments or not under RAA and things of that nature, you can use that as a report to enforce against what these registrars aren't doing to comply. >>MARGIE MILAM: Mike, you had a comment? >>MIKE RODENBAUGH: I think it's a fine idea, as far as it goes. It allows registrants to pick a safe registrar. Great. But bad guys don't care. They are still going to do what they are going to do. So it just doesn't go anywhere near solving the problem. >>MARGIE MILAM: Fabricio and then Dave. >>FABRICIO VAYRA: I will stop talking eventually, but, Mike, I agree. But one thing it does make easier for us, from brand-owner perspective, is, just like in the WHOIS, the question of who is the registrant and who are we going after, the same applies to registrars. And when it comes to things like lead networks, where brand owners are saying, you know what? Let's go to the root of the problem. Let's sue these guys, let's draw them into court, it helps us identify these people. Not only that, it will consolidate all the bad actors in one place, so it's much easier to target them because these guys over here who have the gold seal standard won't be capitulating to what they do. So all the bad guys will be in one place and it's easier for us to deal with. It's not an absolute fix, but it makes things easier for us. >>MIKE RODENBAUGH: Follow-up on that briefly? So it's -- again, it's fine, but the problem is the bad guys choose the weak links and exploit them. The weak links often are totally benign. They are innocent. They don't even know they are being abused until someone like Rod or Rick or somebody calls them and lets them know. So again, I just don't see the point about that, although, again, I think it's good that at least it raises awareness of the issues amongst the community of people who want to buy domain names. That alone is important. >>MARGIE MILAM: Dave. 
>>DAVE PISCITELLO: One of the things that I learned when I was consulting and providing services to enterprise networks was the value of service level agreements and the value to be able to measure the way -- measure the performance of a provider. And that concept is relatively absent in the ICANN community and in the kinds of contracts that we have. And the thought occurred to me that abuse is an area where we have -- we just have a bazillion terabytes of information that sort of tells us what's going on and who the sponsoring registrar is and how many issued domains are within a particular registrar's portfolio. And we don't use any of that. And it seems that it would be valuable to at least explore using the data that we have to try to get a better picture of where is the problem? It's not necessarily just simply to be punitive, but also to be corrective. Because in networks, when we measured capacity or we looked at systems that were not working well, we didn't just grab the server and throw it out. We looked to see whether it was the load balancer. We looked to see whether it was the firewall or it was the capacity of the switch or something else. We looked at all the parts and said, okay, here is how we fix it. Maybe we fix it by going to a registrar that's struggling and we tell them, "You are just not handling credit cards very well, and if you did this, a lot of this would go away." And I think that as a community, we can probably make a lot of policies and we can specify a lot of best practices, but I also think we can help each other. And there ought to be some way for the community to reach out, just as Go Daddy and the others do with very clear generic ideas about how you improve it. But then follow through and have some organization within the ICANN community that says, okay, we're going to make it our mission to go and clean up this place. 
And I know that sounds very grand and lofty, but it's the way you do it in an awful lot of other businesses and it's very effective. >>MARGIE MILAM: Tim, you are in the queue. >>TIM RUIZ: I'm just curious as to what the -- with registrars being nonresponsive is kind of the way it's been put, is it that they are contactable and nonresponsive or is it the bigger issue that you can't contact anyone? Anyone, I guess. I am just curious if we know. If we don't, that might be a good piece of information to try to gather. >> Rod Rasmussen with Internet Identity. That has changed over time. In the early days of phishing and malware and things like that, it was often very difficult to get ahold of a registrar, even some of the larger ones. These days, it's typically you are going to be able to get ahold of a registrar. You may not be able to get ahold of him during the weekend or overnight, but you can get ahold of him within usually 24 -- a working day, 24-hour period. There are some, however, that remain difficult to get ahold of. There are also resellers involved. When -- the reseller model presents significant challenges for registrars that insist on pushing the issue out to the reseller that is involved. So that is an area we need to look at, I think, as well as the contractual obligations of the registrar vis-a-vis resellers and how they respond to abuse. >>MARGIE MILAM: Jeremy, and then we will go on to the next topic. >> Jeremy Hitchcock from Dynamic Network Services representing SSAC. So the abuse contact was something that was recently discussed in a report SSAC presented last Friday about registrar abuse contacts. And I get the feeling, although I don't think there was any particular data, but I get the feeling that there's no real -- the majority of the issue is that the abuse contacts that are published just simply go to black holes. They are not monitored by the right people. 
And one of the topics that we had discussed in the report was what is the requirement for an abuse desk? Is it something where it's business hours? Is it something where it's 24 by 7? If you look at all the registrars, certainly there are some that are able to do a 24-by-7 abuse desk, but how feasible is that, actually, to happen. >>MARGIE MILAM: We are now going to change the topic to the way forward, what is the role for ICANN. And I am going to turn to some of the representatives from the different constituencies to talk about their perspective on this. We'll start first with James Bladel. >>JAMES BLADEL: Well, you know, I'm actually coming into this workshop and that (off microphone) minded. Certainly there is research to be done and knowledge to be gained. I think that from talking to our abuse team and from participating in some of these groups I know they are having a lot of success with best practices. So I guess I don't want to throw that overboard in a chase for areas that are targeted for policy. Also, I also want to think about areas in this working group where policy may be possible under -- Mike knows I am not a lawyer, but he may have found some language that supports something like that, but then we should probably also take a look at whether it will be effective. There are things that, programmatically, humans are much better at doing as well. So we would want to make sure we would measure that and it's not just another string in a net. That it's actually catching the bad actors. >>MARGIE MILAM: David Maher from the registry constituency. >>DAVID MAHER: Thank you. David Maher, senior vice president of Public Interest Registry, the manager of dot org, and chair of the registries constituency. I agree with James, and I also want to follow up on some of the things that Jeff Neuman said. Dot org recently adopted a point of impact that is roughly comparable to what dot biz is doing. Our back-end technical provider is Afilias. 
And our takedown policy is modeled on the one that has been in effect for dot info for some time. Even though our policy has only been in effect for a short period, it's been very effective. And I believe that in an industry or a field of endeavor as dynamic as the Internet, it's a mistake to try to adopt fixed policies at this time to deal with these malicious practices. I think that -- I understand that all of the registries that are really afflicted with the malware, phishing, botnets and so on have been able to deal with it effectively through best practices. And I would like to see that continue. >>MARGIE MILAM: Kristina Rosette from the IPC. >>KRISTINA ROSETTE: I come at this from a slightly different perspective, I think. From a community, frankly, that has serious concerns about what's going to happen once we have 500 new gTLDs. And particularly if we don't have something -- at a minimum, best practices -- by the time that happens. And I do find the idea of best practices appealing. But I also, frankly, think that we need to have a stick, and the only way we can have a stick is to have a policy. I do think we are going to have to work very carefully to make sure that it's narrowly targeted at registration abuse, however we end up defining that, and that we don't define it in terms of specific types of conduct. Because I forget who over here said it, but, you know, the last thing I think we want to do is give a roadmap to the bad actors as to how to circumvent it. >>MIKE RODENBAUGH: Mike Rodenbaugh, business constituency, and I certainly agree with the last comment there, Kristina, that was made, and with James earlier. So where we are at right now with the new TLD process, right? 
This has been identified as one of the four overarching issues that needs to be resolved, basically, by community consensus, and some way or another before that process is going to move forward, before the application round is going to open, and I am pretty certain that best practices recommendation is not going to get that sort of consensus. We have had best practices. They were put out last summer by the APWG. They were circulated to every registrar, I believe. Some of them have been adopted by some registrars, many registrars have done more. Some registrars, of course, have done nothing. And that's the problem. So I'm with Kristina. We are going to have to have a stick at the end of the day. >>MARGIE MILAM: We have -- Richard, do you want to comment? >> Richard Tindell from Demand Media. I think I disagree with the correlation between new TLDs and an expansion of (off microphone) because I think any domain name that I can get in a new TLD, I can get in existing TLDs. So the premise that there are bad actors that enable to that currently and not get the domain they want doesn't make sense. I can't see that there are people out there who are waiting to be bad actors that are held back by the absence of new TLDs to do that. >>MARGIE MILAM: Mike, you want to respond? >>MIKE RODENBAUGH: Again, what it does is it opens up many more weak links. You are going to have hundreds of new registry operators, for example, all with different policies like we have today. Perhaps we're going to have a whole bunch of new registrars, too. Why not? It certainly would make sense if we got a lot more registries. And they are going to have resellers. A bunch of them are going to have a lot of resellers. You are bringing a lot more weak links into the system for the bad guys to abuse. We are not talking about registrants who want to go and suddenly become abusers. We are talking about the ones already out there. 
And now suddenly a lot of guys have locked down their systems, registries and registrars have done a lot in this area to prevent abuse of their products, but some still haven't and now we are going to open the floodgates to all these other new actors. Many of them will be inexperienced. And so it's just a whole new playground for the bad guys. >>MARGIE MILAM: We'll go to questions in a minute. I want to give Tony Harris from the ISP constituency to talk about what he sees as the role for ICANN and the way forward. >>TONY HARRIS: Well, from the point of view of ISPs, we don't normally perform except as resellers for the registrars. And the customers are known and validated. We don't -- an ISP doesn't normally buy a domain name through a template from somebody he doesn't know. He is providing that customer with other services, such as Web hosting or connectivity and so forth. So he is in a better -- he is actually -- normally an ISP is validating who is buying a domain name. I spent a lot of years on the WHOIS task force -- actually, since 2001, I am probably one of the oldest people involved in that -- and I was always surprised hearing from many people that was justifiable for people to lie on their contact data when they bought a domain name because that way they could protect their privacy. Seemed like a rather perverse argument to me. But anyhow, I think the only element you have to sort of detect and try and block people who constantly and repeatedly abuse domain name is the credit card they apply when they buy one. Because, I mean, anything else, they can say, "My name is John Smith" or Joe Smith or whatever, or John Jones, and change it every time they buy a domain name. But how many credit cards can they get to buy -- to keep buying domain names? 
So basically, I mean, throughout the years, we looked at this so many times, and there is a consideration of the registrar business model, which obviously has no margin to increase cost in validating and controlling with buying the domain names. It's all done automatically. And, actually, if you implement a lot of best practices, as Mike just mentioned, these guys are experts at eluding best practices. So what are you really going to gain at the end of the day? So I think basically, you can rethink a lot of things with domain name registration which would not be popular with the registrars, and I sympathize with them, but the way things are structured right now, I wish you luck on the solutions. >>MARGIE MILAM: And we were going to have Beau Brendler speak from ALAC, but he is not here. I think he was in another session, but he will participate in the working group. And then I want to give Jeremy Hitchcock, from the SSAC, to speak a little bit, and then we will open up the floor for questions. >> Jeremy Hitchcock: I guess as the working group continues, it will be interesting to see how best practices are compared and certainly what the bad actors do with those and what's the conversation behind informing those type of users or those type of registrars. It's going to be an interesting thing, because as -- ISPs certainly have a lot more at stake. There is a much more vetted process that they go through. Certainly registrars have the same type of incentive. They want to get paid. But on the other hand, there is a lot of fraudulent credit cards that are out there, and there's some heuristics that you can use to try to verify whether or not a card is actually legitimate or not, but in the end it's still a pretty rampant problem. And if it's used for abuse in a general sense, then it's probably something more phishing, and only having a ten-hour, five-hour window is perfectly okay for a bad actor. 
Another point that will be interesting as this goes on is defining the different types of abuse, both the legal, unlawful, and actionable. I think that there is -- even today, there was some discussion as far as the -- what are all those buckets and which ones are legal, which ones are actionable. And that's something that will be interesting as this working group thinks about those. Another interesting issue is what are the compliance tools that -- or the enforcement tools that are available right now. Registrars really only have de-accreditation as a stick, and that doesn't seem -- that nuclear type of option doesn't seem like a very useful stick, because you are going to get all sorts of different levels of compliance in this area. If somebody responds within one hour, 24 hours, five days, never. I mean, those are all very different things. And so what's the level of expectation that's expected? Finally, as we think about this, some gTLDs and ccTLDs don't have rampant types of abuse, and so as we think about the gTLDs that are under the RAA, what's going to happen with ccTLDs and their policies if the current gTLD RAAs have their contract requirements clamped down? Are people just going to shift to an environment where it's a little bit easier? And as we move the bar further on the gTLDs, the ccTLDs perhaps are a lot more open. So just an interesting thought as far as what is the weakest link in the chain and thinking about where that is, there will always be bad actors there. And so how do we make it most difficult, I guess. >>MARGIE MILAM: All right. Questions from the floor. I know, Rick, you had a question or a comment. >> Rick Wesson: I think you all are making a business mistake, and it's a common one that we make in ICANN. It's that we are not documenting -- we have no statistics to back up what the assertions are from the different constituencies. Everyone's looking at this from a different angle. 
The angle that they have -- that they perceive the issues around. And there isn't a common framework to discuss what the problems are. You're up against an automated system. Everyone runs automated processes, and you're trying to handle them through manual person-to-person contacts. And you're trying to optimize the person contact function, function of interacting with registrars. I think the mistake that you're making is that you aren't trying to align the problem solution with this recommended best practices. Best practices is something that you're observing that would help because this is a human interaction problem. But what I think that you need to move to is an understanding of the problem in detail. And then work from that detail to create automated systems or systems that can be automated from the human perspective to perform the actions that are going to remediate the problem. So step one, document the actual problem areas. What is it that you're trying to solve? Not just we're trying to create best practices, and we're trying to get everybody to agree to some common set of best practices. You can go and do that, and it won't solve your problem. >>MARGIE MILAM: Kristina, were you in the queue? >>KRISTINA ROSETTE: I was just thinking I think Jeremy made a really good point. And maybe, if we can find out if the CCs are working on anything best practices-wise in this area, it would be a good starting point. >>MARGIE MILAM: Richard Tindell. >> RICHARD TINDELL: Back to new TLDs, because that's my thing. Again, increasing the players of registrars and registries, again, it doesn't seem logical to me that that exacerbates the problem. If there are more -- it seems to me it's the standard that the registrar works to, not the number of registrars. So I think we already said that bad actors will find the lowest common denominator. So, if there's already 10% or the lowest common denominator, I don't know where the bad players are. 
I'm just going to find those guys with registrars out there. That doesn't make sense. With respect to registries, I think competition can solve problems. I think if I introduce a TLD, call it dot secure for now, and I introduce through my registry to compete in the marketplace differentiating capabilities that reduce this sort of activity, I think that's a good thing in the process. I should be looking forward to TLDs that compete and introduce new services that reduce these sorts of activity. >>MARGIE MILAM: Tony, I think you had a comment. >>TONY HARRIS: Richard just said it, so I'll defer. >>MARGIE MILAM: Following up on -- were you following up on Richard Tindell? Then we'll go to Tony, sorry. >> FABRICIO VAYRA: One just quick on the documentation. We, as IPC and COA and many groups in the phishing groups, have actually well-documented abuse and how rampant it is and how it evolves and who performs it. So those studies are already out there. And anyone who wants them can easily get them or write one of us and we'll send it to you. Richard, I guess it's hard for us to -- and to support Mike and Kristina on this -- it's hard for us to argue the negative to say you say -- many proponents say, well, I can't see how that will happen. So, basically, until it happens, we can't really argue against it. So we can't argue in the negative here. I thought what would be enlightening here would be, going back to my BWI domains, for example, they registered SportsIllustratedCNN.com. They can't actually go back and register that because we've got it now. They also registered CNNweather.com. They can't register again because we've got it. Using the dot eco situation, it's conceivable -- and the question you posed was I don't know why new gTLDs would offer new opportunity, I guess, for squatters to expand. 
There's nothing stopping -- Unless we address the overarching issues and the registries agree to go with the resolution of addressing trademark concerns, there's nothing stopping BWI domains from them going into the dot eco domain space and saying CNNweather.eco. Right? So therein lies the issue. I agree the same bad actors will continue to go. But the problem still remains, which is, if we don't address the issue now, we're, basically, going to find out that the problem is there. And then we're going to have to go back, as Marilyn Cade has been saying for a while, and bolt on the resolution, which I don't know will fix things at that point. >>MARGIE MILAM: Jeremy, were you in the queue. No. Paul? >> PAUL STAHURA: I think you're wrong about predicting -- we could kind of look -- we have introduced (off microphone) we can look back in time at the ones we introduced and comparing them to the older ones and see if the newer ones have more bad stuff than the older ones. I contend that the new ones have less bad stuff than, say, com which is older. So I believe that introducing new TLDs does not increase the amount of bad stuff that's happening. Not going to happen, but has already happened. We can go back and show the new TLDs have less bad stuff than com. >> FABRICIO VAYRA: And I would argue that the new TLDs have less bad stuff than com because the new TLDs are less successful. The people who are infringing go to where they can make the most money. So, if dot eco or dot spore or dot whatever you want to call it is actually successful, as the brand or new TLD session was all about, then the infringers, the domainers will go there. It really is a matter of demand and profit. And it really is a matter of just probabilities. So, if -- if the space is marketable, they will go there. The fact that -- and they did try and biz XYZ. We have documentation and a lot of enforcement to show that initially things did go there. 
Once users stopped going there and the TLD itself wasn't as successful as dot com, that's where the infringement stops. It's not a matter that they can't. It's a matter that they won't, because the money is not there. >> PAUL STAHURA: What you're saying is it's not the number of TLDs introduced. It's the success of them. >> FABRICIO VAYRA: What I'm saying is if -- >> PAUL STAHURA: There's a number of registries in the room that might disagree on whether their TLD is successful or not. >> FABRICIO VAYRA: That's fine. >>MARGIE MILAM: I'm going to go back to the queue now. Jeff? >>JEFF NEUMAN: Just as a preliminary statement, I agree with Paul that you really shouldn't judge success. I think that people left our TLDs because we've actually implemented effective procedures to stop abuse. So I think that has been effective and successful. But the point I was making is actually going back to Rick. Because you said, well, these problems are documented. I think there's a couple different problems that I've heard. Are we talking about the problem of phishing or that kind of abuse? Or are we talking about a problem of registrars not being responsive and not having best practices? I think the first one may be documented. But I think the second one is not necessarily. I know you have anecdotes and stories and others do. But I think Rick's point is that we do need to document that to figure out what the problem is as to why we need to, as Mike points out, why we need to use a stick and require certain things. Because, if there are a number of registrars that are implementing these and it's only a small number that aren't, you know, that's a different problem than stopping phishing. Right? >> FABRICIO VAYRA: Actually, no. There's studies on false WHOIS and who complies on registrars. There's studies on infringement generally and squatting. I mean, literally, there's studies on every single one. The reason there are studies is because this argument constantly comes up. 
And the IPC and COA and all the other brand owners have to actually get together and produce those studies. With regard to success in TLDs, I use that only with regard to commerce, which is -- with dot com there's, obviously, a lot more registration and a lot more accessibility and people flock there. So, when you look at where you're going to get the most bang per buck, say in a Google AdWords and paying, it's going to be on a dot com and not on a dot biz. I do agree that a lot of your policies lend to abusers not being there. But that's my only reason for commenting on success. >>JEFF NEUMAN: You have a single focus. Your single focus of abuse is infringement, essentially. False WHOIS, that's kind of related to infringement because you can't find the infringer. But there's a lot of other types of abuse that we've been talking about here that have nothing to do with intellectual property and also need to be addressed by the group. >>MIKE RODENBAUGH: I think it's definitely a good idea to go back and look at what happened with the new TLDs. But I don't think we should spend a lot of time on it. I did recommend it on Monday. I think it can be an okay idea. It can validate points on both sides of the thing. But those were very slow rollouts, highly public rollouts. One at a time, you know, and then five months and then six months and then a year. Now you're talking about introducing potentially like one a day or something. Big difference. >>MARGIE MILAM: Tim? >>TIM RUIZ: I was just going to -- again, it became clear to me too, as Jeff mentioned, that some here have a focus on a single type of abuse. And I realize that, you know, the intellectual property issue is one of the overarching issues that's been brought up. I'm wondering if that -- is that a separate issue perhaps to some extent than solving some of the other issues that this group is going to be looking at? 
In other words, is there a single solution that's going to solve both the concerns the intellectual property community has as well as the other issues that have been raised here? That might be something to think about. But I will say this: What impressed me about tonight is it's, like, 7:00 or just about 7:00. And this is a pretty good turnout. So I think, you know, this is something that the community is concerned about, clearly. And that, you know, you should have a lot of support as far as you go forward trying to find a solution. >>MARGIE MILAM: Richard? Anyone else? Rod? >> ROD: I just wanted to echo that last point there. I'm from the opposite perspective from the intellectual property community. We deal with the other stuff. I think that a one size fits all solution is not what we want to look at at all here. They're totally -- they're completely different types of issues here. So, as we go forward, we need to be thinking about the types of abuse we're trying to address and the right appropriate solutions or recommendations, et cetera, to address those and the scope there. Thanks. >>MARGIE MILAM: We'll do Paul, and then we'll wrap up. >> PAUL STAHURA: Real quick. I just want to say I agree with that last statement. >>GREG AARON: We are coming up on 7:00. As Tim mentioned, this is a large turnout for this time of night. It's been a very long day. So, on behalf of the working group, I'd like to thank you for attending this session. I think, while there's a diversity of opinion, as there always is at ICANN, your comments have also been very thoughtful. As we close, I want to mention that this working group will start its meetings probably within the next two weeks. If you're interested in joining the working group, we'd like to solicit your interest now. And you can approach one of us after the meeting, if you'd like to do that. We'll be putting together a working list, so we can set up a meeting time for our first meetings. 
So -- >>MIKE RODENBAUGH: Just to add on that a little bit. Don't be scared. People get scared about ICANN working groups. But, you know, we're only going to meet on conference calls every other week. You don't even have to attend the conference calls. Just sign up for mail lists and put in input when you want to. Please, we would love to have participation. >>GREG AARON: We'll be following usual ICANN working group processes, including gauging consensus and so forth. So, again, thank you, and have a good evening.