New gTLDs Implementation Consultation Session
ICANN - SYDNEY
24 June 2009
Part 1 - Trademark Protection

>>KURT PRITZ:   Is everybody read it start?  Can we be seated?  Great.
Thank you for coming, everybody.  I'm looking forward to a really
interesting session.

We have two sets of panel discussions that are intended to address a
couple of the so-called overarching issues that apply to the new top-
level domain process, the process by which entities can apply for new
gTLDs, new top-level domains.

And particularly as we move down the path towards implementation,
we've identified two sets of issues that are very important that we
have adequate discussion of those issues and put appropriate safeguards
and measures into the applicant guidebook in order to have a safe,
productive, and helpful launch to the new TLD process.

So I want to thank you in advance for coming, and I want to thank you
in advance for participating in this session, because this session is
all about taking a product that's been developed so far and moving it
along to a point where we can amend the applicant guidebook, amend the
process for applying for a new it will TLD, and with great
particularity and specificity, create solutions to address potential
trademark issues and also issues of potential malicious conduct.

So I have a few words in welcome and then a few words in introduction,
if you know how to parse those two terms.  I'm not sure I do.

But this is the first in a series of live consultations.  And, in
particular, this is the first in a series of three consultations to
attack specifically the issue of trademark protections in the new gTLD
process.  The GNSO policy recommendations are very clear that the
introduction of new top-level domains should not infringe the rights of
others.  And so the -- implementing that noble and necessary policy
goal requires a great deal of discussion, not just for creating sort of
an umbrella idea of solutions, but then developing specific
implementation models.  So that takes a lot of work.

So this is the first of three meetings to discuss these trademark
issues.  There's this one in Sydney we're going to have.  There's going
to be another session in New York on July 13th, and another session in
London on July 15th.  And as I said, it will be -- those sessions will
be targeted specifically at these trademark and malicious conduct
issues.

There'll be another series of events following that also to discuss
these issues and also to do additional outreach to educate regarding
the new gTLD program and other areas of ICANN work, IDNs, our policy
work will be discussed there.  And those sessions will be in Abu Dhabi
and Hong Kong a little later in July and August.

You should also know we're developing other materials, other venues,
webinars, and the like.

How to participate, you can see, there's plenty of information on the
ICANN Web site if you go to any of the pages on new gTLDs or the front
page, you'll find your way to a way to participate in these events. 
Wide degree of formats, wide degree of participation, remote
participation wherever possible.

Note that the cutoff date for preregistrations for the London and New
York conferences is July 10th.

So this is the agenda.  We're going to keep it somewhat flexible. 
These issues are complex.  We want to drive to solutions in the
trademark issues.  If we overrun a little bit, I think that might be
okay.  But I'm going to leave it to Bruce, who's moderating the
discussion, to do that.

So there's two sessions.  Trademark issues is first.

These -- you see up at the panel -- are members of the Implementation
Recommendation Team and a couple others.

As you know, the Implementation Recommendation Team was formed at the
direction of the board through a resolution in Mexico City to develop
in very short order solutions for the applicant guidebook to potential
trademark issues that may arise through the introduction of new top-
level domains.

I am talking way too fast, aren't I?

So the IRT did significant, important, and just amazing work, prolific
work, to deliver in a timely manner preliminary and final reports for
our consideration here.  And so that's what they're here to discuss. 
Depending on how you parse them, five or seven specific
recommendations, however you want to read the report.

The reports are published for public comment.  And now they are
presented here with the goal of reaching an implementation model for
the guidebook.

And so the panelists are going to present their findings and the
reasoning behind their recommendations, and then we're going to ask you
to come to the microphone and comment on those.

And the idea is that, you know, the IRT brought a broad range of
experiences to the table, as you'll here.  Members outside their group
and with their own specific experiences.  But they are sure that they
haven't covered the field.  And what we want to hear here is new
thoughts why these solutions are good or how they might be changed in
order to form a final implementation.

So what do we want to get out of this?  

What we want to get out of this is look at the transcript and notes
taken here and say, there are some issues we haven't thought about in
this implementation or in this development.  So we can now sit down and
refine the models and then present them again for public comment in
what's going to be the third version of the applicant guidebook.

So how are we going to do that?

Well, first I want to introduce -- you know, I don't believe I get to
introduce people like this.  But again I get to introduce a panel of
very esteemed people.  Bruce Tonkin, from the ICANN board and Melbourne
I.T. is moderating the discussion.

And the members of the Implementation Recommendation Team, Russell,
David, Mary, Jon, and Jeff, owe them some thanks for the time that has
been spent.  I tell everybody they worked half time on this, and it was
half time of 16-hour days.

And they're joined by Eun-Joo, who you all know, too, from WIPO.  And
so I want to introduce our panelists.

And then a final comment on how I'd like to see this run, anyway. 
We're going to take questions after this.  We'd like substantive
questions, you know, questions about the solution or recommendations
about the solution proposed and not so much about the process of how we
got there.

I know there's been some public comment about the formation of the IRT
and the selection of the team.  So there's time -- if you have comments
about that, they're sure welcome.  Because we want to hear all of that.
And that's why we're having the public forum tomorrow, among other
reasons.  But we really want to target this session at honing the
solutions for the guidebook.

So we're going to try a rule, and, hopefully, Bruce will back me up on
this when he's taking questions.  But if you could start all your
comments or questions with, you know, "I support this solution in the
recommendation because," or, you know, "I support this recommendation
in the recommendation, but I would amend it to do this, because," or,
"I oppose this solution."  So identify the solution you're talking
about, whether you're for it or against it and why or how you'd like to
see it change.

And I'll tell that you when we read through the transcripts, it's not
always clear whether somebody's for something or against something. 
You might be surprised to know.

So I'd ask you try to support that rule.  And it could be kind of fun,
too.

I'm going to turn the discussion over to Bruce.  And while he gets up,
maybe you guys, it's all right if you want to walk in front and disturb
for just a second.  There's lots of seats over there, so you're not
stuck standing in the corner.  Because I have attended a few sessions
from that corner, too, and it's kind of difficult.

So, Bruce, do you want to come down here or just take it --

>>BRUCE TONKIN:   I'll take it from here, make it easy.

Just while I'm talking, if you can just queue the presentation from
WIPO.

Okay.  Just a couple of introductory remarks about the process so far.

Where we are in the new gTLD process is, the GNSO developed a policy
for the introduction of new gTLDs.  That policy was approved by the
ICANN board some time ago.

Since then, the staff have been working through implementation details
and have been getting public comments on those implementation details. 
One of the -- and there's been sort of four, I guess, overarching areas
where there's been extensive comment.  And one of those has especially
focused around issues that if we have more top-level names, some of the
problems we have with the existing top-level names and some of the
methods we have to deal with those problems start hitting scaling
concerns.  And so the scaling and cost to manage problems could
potentially become higher.  And so the board has identified that as one
of the areas that needs some more work and asked a team of people with
experience in the -- one particular area around sort of trademark
protection to come up with some proposals and then bring those
proposals back to the ICANN community for their, you know, feedback
and, obviously, extensive review.

In this particular session, we're not going to try and go through
every detail of those proposals.  They have been presented, this is
probably almost the tenth time they have been presented, I imagine,
since Saturday.  So they will be generally framing the topic, but we
want to use most of the time here for getting feedback.  And the slide
decks will be available online.  And, of course, the IRT report itself
is online.  So by and large, we're assuming that those that are going
to speak for or against have actually read those documents.  If you
have questions, that's perfectly acceptable as well.  And the panel
will do the best to answer those.

So just to comment a little bit on some of the trends in the current
top-level domains.  And this could be gTLDs and ccTLDs for that matter.
We'll just cut across to Eun-Joo Min, who's the head of the legal
development section of WIPO, just to make a few introductory remarks
about some of the trends that WIPO has seen.  And, again, we're just
trying to not cover the details of all these slides, because they are
online, but just to sort of pick a few highlights, if you could, Eun-
Joo.

>>EUN-JOO MIN:   Thank you, Bruce.

The World Intellectual Property Organization, WIPO, has noted on a
number of occasions that the envisaged expansion of the domain name
system envisaged by ICANN represents a watershed moment in the
development of the DNS, that it presents opportunities for businesses,
for individuals, for different purposes, but at the same time, it also
poses legal and practical challenges.  And also it is a development
that is of genuine concern to trademark owners, and at the same time,
to Internet users.

I think it is useful to recall at this stage that trademark protection
is not only about protecting brand owners, but it is also about
ensuring an orderly marketplace.  It's also about ensuring consumer
protection.  And it is also about protecting and ensuring the public
trust in the domain name system.

By way of illustration from the experience of the WIPO arbitration and
mediation center as an ICANN-accredited UDRP service provider, I would
like to share with you some of what we are seeing.

Number one, in the current DNS context, there is rampant trademark
abuse.  Cybersquatting is, in fact, rising, you can see from this
graph.  And this chart illustrates that no sector of industry is spared
from cybersquatting.  It affects all industry sectors.  And you'll see
the part circled in red.  It is, in particular, the pharmaceutical --
not in particular -- the pharmaceutical manufacturers represent some
10% of the UDRP complainants in WIPO cases.  So they have been
consistently subject to trademark abuse through cybersquatting.

Then is it only about protecting the trademark owners?

It may be useful to look at what some of the WIPO UDRP panelists have
said.  These are citations from published UDRP decisions.  And just the
last slide, you'll see is a case that involved the trademark term
Cialis, and the domain names, the two domain names that incorporated
the trademark term Cialis.  The Web sites were being used for online
sale of counterfeited goods.

We're talking about the trademark owner, but also the people that get
onto the Web site, believe they're purchasing a genuine Cialis product,
when in fact they are confused and potentially buying products that may
be harmful to their health.

So you'll see that in the underlined part, that is potentially harmful
to consumers' health, is a public health issue.  It's not only about
trademark owners.

I think this is a very important aspect to remember.  And this is only
-- and I've taken only one sector, the pharmaceutical sector.  And
there are many other examples.

So are these -- did I just select some isolated cases?

So staying within the pharmaceutical sector, I thought I would choose
a well-known -- rather well-known trademark, not in the legal sense,
but -- not necessarily in the legal sense -- Tamiflu.  We're all
talking about influenza A.  WIPO has a publicly available search
facility.  You can type in a term, and it will give you all the cases
that contain that term.  So I typed in Tamiflu, and it gave me 72
cases.  So this is just your random sampling.  And this is just a tip
of the iceberg.

So I would like to use -- I'll probably stop here.  But I think it is
really to get the message across that we're not only talking about
brand owners.

>>BRUCE TONKIN:   Eun-Joo.  If we can just queue the next presentation.

So I'll hand across to start with David Taylor, who's a partner in
Lovells, who will give an introduction of the IRT team and one of the
first recommendations from the IRT, which is the I.T -- I.P.
clearinghouse.

>>DAVID TAYLOR:   Thanks very much, Bruce.  And thank you, everybody,
for being here to listen to some of our findings and recommendations
and thoughts.

So I'm queuing these, I think.

What we want to do briefly today -- and all these slides are online --
is cover the experiences of right owners, what our mission was, and how
we went about doing it.  And then run through the recommendations.  And
after each one, we'll be opening it up for comment so we can get
everyone's input and feedback.

On the experience of right owners, well, Eun-Joo -- I'm sorry.  On the
experience of right owners, Eun-Joo has already given us some
information there.  The only thing I point you to here is the last
comment, which I think is quite telling, from Francis Gurry of WIPO on
the 16th of March, with a concern that the sale and broad expansion of
new TLDs, in the open market, if not properly managed, which is what
we're trying to do here, will provide abundant opportunities for
cybersquatters to seize old ground in new domains.

As for the experience of right owners, again, we've got to deal with
things like registrar failure, termination, and compliance problems. 
All these issues are being discussed this week.

Also the confusion of consumers, again, as Eun-Joo mentioned there, I
think that's very telling that even on the Tamiflu, with 72 cases, on
filing fees, that's over $72,000 of filing fees to get those domain
names back, which are clearly infringing and things which really
shouldn't be in the DNS whatsoever.

But it's not just rights owners which we're talking about.  It is
consumers and consumer protection.  And what I think everybody in the
room would agree is we're looking for transparency and accountability
and a safe new gTLD space for all.  We're hoping that some of our
proposals do help registry operators to put in place appropriate rights
protection mechanisms and prevent the bad actors.  That's all we're
keen on, is sorting out the bad actors.

With registrars as well, by putting in place standardization process,
we remove uncertainty and then hence some of the risk.  And, of course,
ICANN itself is being sensitive to calls from governments and some very
vocal calls from business and consumer groups.

So on to the IRT itself.

As I think everyone in the room knows, and further to a board request,
the intellectual property constituency formed the team to be comprised
of an internationally diverse group.  And our aim was to develop and
propose solutions to the overarching issue of trademark protection in
connection with the new gTLDs.

The team itself here in this slide, 15 team members from nine
jurisdictions.  At this point, (Speaking French), but I'll stick with
English, luckily.

The IRT timeline, I'm not going to run through that, because, again, I
think most people have heard what we've done and what we're aiming to
do.

How we went about doing things.  Well, over this eight-week period
which we had to consider all of the comments from DAG 1 and DAG 2,
which was the basis of our consultation and our work, we did exchange
thousands of e-mails, and we had weekly two-hour telephone conference
calls from various parts around the world.  Our two face-to-face
meetings, which we held each of two days.  An interesting full-day
consultation where we invited many parties who are interested in the
DNS and rights protection mechanisms to come forward and take on board
their views, all very valued.  And we put together our draft proposal
and then the final proposal.

How did we go about doing this?  Well, we prepared a checklist on the
very first day, within a couple of hours, trying to figure out what we
should be considering in each case.  And these are the ten points
listed.  Basically, what are the harms that are being addressed by the
solution?  Critically, will the solution scale?  And there are doubts
that the current solutions in place for the 21 gTLDs won't scale.

Do they accommodate territorial variations in trademark rights?

Do they confirm -- conform -- typo -- to the extent of actual legal
rights?  We didn't want to invent new legal rights.

How would they work in the light of Internationalized Domain Names? 
Critically, to what extent could the solutions be gamed and abused?

Was it the least burdensome solution in each case?

Are they technologically feasible?

How will solution affect consumers and competition?

And then at the end of the day, what are the costs and who's going to
pay for them?

So every solution and every problem which we looked at, these were the
points which we were considering.

So the problems themselves -- this is where we start.  The first one,
cost and administrative burden to rights owners of reacting to a
sunrise and other rights protection mechanisms.  Each time we have a
new sunrise, whether it's a dot EU, a dot Asia, the rights protection
mechanism is significantly different.  And that's quite complex to have
to understand and ensure that not only trademark owners, but applicants
and registrars understand how to get through that.

If we're coming up to 500 new registries, we could have the trademark
data being validated 500 times.  So this is potentially a significant
issue.

I'm going to hand over now to the solution which we thought about on
this one, the I.P. clearinghouse, and Mary is going to cover this.

>> Excuse me, before do you that since we're going to be asking
questions on different aspects of the report, can I ask a quell
regarding the premises that have been presented?

>>BRUCE TONKIN:   So on the -- yeah, go ahead, Kathy.

So just for the purpose of recording, just state your name to make it
easier for the scribes.

>>KATHRYN KLEIMAN:   Thank you.  Of course.  And I appreciate it.  My
question goes to the WIPO panelist.

My name is Kathryn Kleiman.  I'm a cofounder of the noncommercial
users' constituency.  I was also one of the drafters of the UDRP, where
we dealt with many of these same issues ten years ago.

Okay.  Here's my question.  I keep seeing the statistic about the rise
in cybersquatting.  There is a small rise in the number of cases that
have been filed, UDRP cases filed before WIPO.  Apparently in other
dispute resolution providers, like Czechoslovakia, the number of UDRP
actions is down.

>>BRUCE TONKIN:   Slow your speech down a little.

>>KATHRYN KLEIMAN:   Me, slow down?  Come on, everybody here.

>>BRUCE TONKIN:   Just to sort of -- a little slower and sort of pick
out the key points for the scribes.

>>KATHRYN KLEIMAN:   Okay.  How do you know that the rise in UDRP
actions is a rise in cybersquatting instead of a rise in trademark
owners seeking more protection from the UDRP than it was originally
drafted for?

And, yeah, how do you know that --  And also, isn't the number of UDRP
cases filed with WIPO actually going down proportionate to the number
of domain name registrations?

Thank you.

>>BRUCE TONKIN:   Would you like to respond to that, Eun-Joo?

>>EUN-JOO MIN:   Sure.

I think it's quite interesting the different data that are being used
and the reference to the fact that the Czech arbitration's court
caseload is going down, when, if I'm not mistaken, the Czech
arbitration court was accredited or -- as a UDRP service provider in
January 2009.  Maybe somebody could help me with the specific dates.

There's a person from the Czech court basically lining up.

So I'm not sure that -- what that --  We have six months of the Czech
arbitration court providing UDRP service.  I'm not sure what kind of
data you're referring to.

That clarification.

Number two, what we're seeing is, there are more UDRP cases.  That's --
 And we're -- this is -- we're not giving any comprehensive study
comparing number of domain name registrations and number of UDRP cases.
We're trying to just illustrate the types of problems and why it's a
matter of concern for -- not only for trademark owners, but for all of
us.

>>BRUCE TONKIN:   So I think, basically, what Kathy is saying is --
you've presented absolute numbers which are facts, but also, it would
be equally interesting to use a percentage of total number of domain
names to give perspective as well as just another piece of factual
information.

>>DAVID TAYLOR:   Just to pick up on that point as well, because I
think it is a very interesting point.  And the other question we need
to ask ourselves is, is the UDRP an effective deterent.  It may be a
good deterent which is preventing these number of cases coming. 
However you look at, it based on the domain name registrations of 190
million around the world, there's a very few that go to UDRP.  And
that, I think, comes into play of we want things which are a deterrent.
Because if there's a deterrent, we don't have these issues or we
minimize them.

>>BRUCE TONKIN:   Certainly a lot of cases from my discussions with
trademark holders can be dealt with in cooperation. 

>>BRUCE TONKIN:   Certainly in a lot of cases, from my discussions
with trademark holders, can be dealt with in cooperation with the
registrants.  They don't always need to go as far as a dispute.

Elliot.

>>ELLIOT NOSS:   Yeah, and just to, I think, put a correction onto
that previous point, my understanding -- sorry, Elliot Noss, Tucows.

My sung that total UDRP cases, cases filed under the UDRP, had
actually declined year over year on an absolute basis, and that it was
the percentage, that WIPO's market share, in fact, had gone up and the
total cases under WIPO.

So before I go on to my second point, I will let you respond to that,
but again, I believe the data is total cases filed across all providers
in the UDRP has gone down on an absolute basis.

>>DAVID TAYLOR:   I don't think -- I've put in that slide just to
illustrate, one, a part of the problem.  But not all cybersquatter
cases -- not all cybersquatter domain names go to UDRP, as David Taylor
was correctly mentioning.  

The UDRP, according to data that was published by MarkMonitor, if you
pick the 30 top brand owners and look at the numbers involved, it's
450,000 domain names.  450,000 domain names to file UDRP proceedings
against --

>>ELLIOT NOSS:   I think that's great, and I don't mean to interrupt,
but I think you have used that piece of data and the IRT has used that
specific piece of data as a strong piece of evidence about the problem
we're trying to solve here.  And I'm pointing out I believe the data
is, again, total UDRP cases have gone down on an absolute basis, and I
think the record should reflect that.

>>J. SCOTT EVANS:   Elliot, as a large brand owner I will cut this off.

The UDRP only deals with a very small numbers of gTLDs.  We have
ccTLDs that we file in, there are other dispute mechanisms that we file
in, and based on having to file one of these a day, it's gone up, at
least for my mark.

Now, I don't know about their data.

>>ELLIOT NOSS:   If we're into anecdotal evidence -- and again, the
point is with respect to your presentation, you have both presented a
piece of data that I would suggest is not getting the true picture.

So I put that out.

The second point is, again, to go to the anecdotal, what we have seen,
and love to do a study on this and I am wondering if WIPO is concerned
about this, is a significant increase in the use of the UDRP as an
alternative domain acquisition procedure for rights owners and other
trademark holders.

It is very simply a way to take an approach to go after a domain name
at a cost of $5,000 that might cost 50- or $100,000 to go and acquire
if it was available at all.

And I have come this week, I have spoken to the people from the IRT
all week, we are going to speak on a couple of points.  I have found it
to be a very good open and productive discussion.

So I think we need to balance this discussion by recognizing that
there are good actors and bad actors on both sides of this issue.

And I think it's very important going forward, if this is going to be
credible, that organizations like WIPO take people, from my
perspective, abusing the system that you are providing for the purposes
that it's not intended.

Thank you.

[ Applause ]

>>FABRICIO VAYRA:   Can I?  Not to belabor the point.  And this is for
Fabricio Vayra and Time Warner.

Elliot, we have had several conversations, and I appreciate your
comments, but the UDRP is also used, again, to flush out bad actors,
and as you have pointed this out several times, one example would be
where Time Warner had gone after Sports Illustrated domain names, and --
just wait -- and they were used for male enhancement drug sales in
Canada.

When we sent the C&D letters, the registrant originally agreed to
transfer the domain names.  Once the transfer started to go through,
the registrant dropped off and stopped talking to us, so we had to file
a UDRP.

Who responded was Tucows to tell us that they had actually taken
control of the names upon expiration.

The reason they did so was because they were attractive names that
were picking up a lot of traffic.

>>ELLIOT NOSS:   Yep.

>>FABRICIO VAYRA:   And could we just go ahead and drop the UDRP and
we'll hand you the names.

>>ELLIOT NOSS:   Yep.  And did we return them to you?

>>FABRICIO VAYRA:  Yeah.  That's like saying after we caught you
robbing the bank, did hand me give back the money.

>>ELLIOT NOSS:   No, it's not because the alternative for you would
have been for those names to drop into the expiry string where instead
of dealing with a good actor like us who recognizes trademark rights,
who you would have been dealing with --

>>FABRICIO VAYRA:   Elliot -- Elliot -- Kathy, hold on.  The point is
this.  Not only did you take the names when you took them, you switched
them and deposited them with Google.  So you didn't just take the names.

>>ELLIOT NOSS:   When you say switched them and deposited them with
Google, what does that mean?

>>BRUCE TONKIN:   Hang on, guys. Let's shut this down.  If you want to
talk about a particular case and work on how to improve the
relationship between the two companies --

>>FABRICIO VAYRA:   I agree.

My point is just this.  I agree there are good and bad actors on both
sides but we should be careful when we throw rocks and live in glass
houses.

>>ELLIOT NOSS:   You know what?  No.  That's a cheap shot taken in a
specific situation, so I am going to respond to it.

When an expiry stream flows through and names are taken that are
trademarks in what is an automated process, what a good actor does is
as soon as being notified of them is return them, which is what we did.
Your alternative would have been to have those names go into the drop
and then be dealing with some registrant in some deep corner of the
world that you would never have been able to get a response from.

And at the end of the day, the issue is not whether there should be a
UDRP or whether there are lots of cases of cybersquatting.  That's not
what we are talking about.  Everybody in this room acknowledges that.

What needs to be part of this dialogue, if we are all going to work
together to run a clean game for good actors, is to also acknowledge
that there is abuse of the process.

[ Applause ].

>>BRUCE TONKIN:   So the summary of that discussion is twofold.

One is that getting data is to important to inform.  And the data can
be absolute in one area, and you are saying data across the market so
it's available, so we can ask the staff to actually confirm those
statistics that Elliot's claim, the total number of UDRP cases as a
whole.  And we can certainly determine that as a percentage of domain
name registrants and just have that factual information on the table.

It doesn't change the fact that there are abuses happening and there
is an absolute number of those.

The second issue Elliot is raising there is what are the current
processes being abused and able to be abused.  And that's one of the
criteria that the team has been trying to use here, is saying any new
process that's put in place, as Elliot points out, needs to protect
against both sides that may try to abuse any new process that's put in
place, and the feedback the team is looking for is how are they going
to abuse it.  If people can come to the mic and say, "This is how I
would abuse it if I was a bad actor," that's useful point of
information as well because then people can respond to that and say,
okay, how do we stop that abuse happening.

So there's no point in having an argument about whether abuse happens
or not.  Of course it does, on both sides.  What's more important is to
identify where is the area where these proposals can be abused and
preferably propose solutions to those.  Because that's moving the issue
forward.

So next speaker.

>>ZBYNEK LOEBL:  Zbynek Loebl from Czech Arbitration Court.

In the beginning I would like to say that we support the results of
the IRT team.  We think that it's work in the right forward-looking
direction.

And we look forward to construction discussion on the individual
proposals which David mentioned.

And just to clarify, ICANN board approved our pilot related to
electronic UDRP on the 21st of May, and actually we are now receiving
new cases, only online cases.  So we are functional only few weeks now.
And we are getting cases.

Okay.

>>BRUCE TONKIN:   Okay.  Thank you.

Next, Mr. Foody.

>>PAUL FOODY:   Thanks.  Paul Foody.  And are you talking about
specific cases of abuse?  I mentioned last time in Mexico that I
registered yesplease.com back in 2000, or something like that.

A guy approached me, tried to buy the domain.  I refused to sell it to
him.  He came back six months later and said, right, I have now
registered this trademark in these various locations.  You are going to
sell it to me, and he used some technical legal term.  I said no, I am
not going to sell it.  I ended up at WIPO.

Now, the point is, you guys, I heard your presentation the other day. 
I won that case because I had an unregistered trademark.  Okay?

Now, fortunately it might be an unregistered trademark, but the great
thing about the dot com registry, which was created at a time when the
trademark classifications had no classification for the Internet, and
at a time when the Internet had no classification for generic terms,
something which the Internet guys have innovatively used to their
advantage, now we're being punished.

I heard your presentation on the IRT, and so far as I heard, I have
heard nothing about the guys with the unregistered trademarks.  And it
should be that easy to find out whether or not a dot com was registered
before some legal shark decides to spend money getting the trademark.

>>BRUCE TONKIN:   Okay.

Thank you.

>>PAUL FOODY:   So my question is, I guess, what are you going to do
about unregistered trademarks?

>>BRUCE TONKIN:   Let's address that question a little bit later and
take it on notice, because there's several methods of solutioning there
to talk about.  And then they can also talk about things like IRT,
about different types of marks that don't necessarily have to be
registered trademarks.

>>PAUL FOODY:   On the good actor/bad actor thing, in the last week I
have registered icannnick.com, "nick" meaning to steal, defraud, and
icannnix, where nix means to prevent, to put a spoke in the wheel.

Once ICANN has e-mailed every dot com and every domain name owner and
given them notice of your intention to release these 100 or 10,000 new
gTLDs or whatever it ends up being, I will happily transfer those to
ICANN.

>>BRUCE TONKIN:   Thank you.  Just hold the questions on this
particular topic, but we can come back to it later.

So far we have had a bit of presentation with the statistics, some
presenters came back with their own statistics, so we now know there's
a range of statistics out there.  But we do want to focus this session
on actually getting tangible feedback from people, whether they are for
or against specific proposals.

So I would like to start with the first proposal.  And perhaps in
addressing that proposal, I could -- one of the panelists could respond
to the question from Mr. Foody about how unregistered marks would be
potentially protected in that mechanism.

>>MARY WONG:   Thank you, Bruce.

So you are stuck with me for the next few slides, which are somewhat
dense.  Hopefully I'll be helpful rather than a hindrance in going
through them.

You remember that David spoke briefly about the problems that the IRT
was trying to address.

The first problem was the cost and administrative burden to trademark
owners, particularly in the proliferation of the new generic space.

In trying to come up with the few things that I will speak to you
about, the IRT also tried to keep in mind that we had to design a
solution in line with the points on the checklist that David also
mentioned.  And I will try and take on board a couple of the questions
that Mr. Foody and others have asked as I go through the I.P.
clearinghouse and some of the other solutions.

So with respect to problem one, we had proposed an I.P. clearinghouse.
And let me just backtrack one slide, to give you an idea that as I talk
about the I.P. clearinghouse, which as many of you in this room have
heard, is a database or, in effect, an information repository, I wanted
you to look at this slide because when we speak of the Globally
Protected Marks List which is a different solution, one thing to note
is the I.P. clearinghouse will include and support data that relates
not just to the Globally Protected Marks List, which is the GPML, but
other also other forms of marks that do not qualify for the GPML.  So
in effect it really will be, if it works, a large-scale repository of
data relating to all kinds of rights that support new gTLD registries.

So when we talk about database, and I have mentioned that it will be a
large information repository, that is a central, single entity, what
will happen is that all new gTLD registries, potentially also
registrars, will interact with this registry in a push-pull manner to
extract and to provide information relating to the GPML that I have
mentioned briefly and two other services that can be provided by the
I.P. clearinghouse, including the URS, which one of my colleagues will
speak to you about.

Some of the principal features are summarized on the rest of this
slide.  I would like to highlight in particular a couple of them.

First is that the data is not just to be submitted once by trademark
owners but it is data that has to be validated annually.  And in this
respect, the burden will largely be on trademark owners to provide and
to update accurate information.

There have been questions asked as to, well, who owns that kind of
data and what will happen to it.  The short answer is the trademark
owners are always the owners of whatever data they provide.  Nobody
else's but their own.

What use is made of it?  Only the sole and specific uses for which the
I.P. clearinghouse is set up.  And to that end, a license -- this is
our recommendation -- will be granted by the trademark owners to ICANN
who will, in turn, grant a sublicense for those limited purposes to the
I.P. clearinghouse.

Another feature that we thought important to highlight to everyone is
that this I.P. clearinghouse, it's not going to be run by ICANN.  It is
not going to be run by any entity in a contractual relationship with
ICANN.

Instead, we've recommended that by an open, competitive tender process
that the setting up and the running of the I.P. clearinghouse be done
by an entirely separate outsourced entity to which equal access will be
required to be provided by all the other entities that need to interact
with it.

This slide pretty much speaks for itself, and we have made several
presentations to different constituencies already.  So I don't propose
to repeat the information on here except to emphasize that the features
we would like to see include scalability.

And to that end, with respect to the question on the types of rights,
for everyone who has read the report, you will notice that we have
specifically focused on registered trademark rights for a number of
reasons.  And I will get to those when we talk about the GPML. 
However, in the recommendation, the IRT has also said that the IP
clearinghouse should be capable of supporting not just all kinds of
data not just relating to registrations but relating to all kinds of
rights that may or may not be relevant in the future.

And of course the cost should not be prohibitive, because one of the
things -- one of the benefits about having a centralized repository is
that it is a one-stop shop, and so there ought to be incentives in
place for trademark owners to want to use the I.P. clearinghouse.

So that's the umbrella framework, if you like, in the first
recommendation.

And within the IP clearinghouse, we have data that sits relating to
trademark rights.

So one of the things that then comes up is well, are there different
kinds of trademarks that are going to be protected?  Are there some
trademarks that are going to be, in words that we have been asked,
worthy of more protection than others?

And in this respect, this is usually where controversy or discussion
over the GPML takes place.  I would like to emphasize that in proposing
the GPML, the IRT team -- or I am getting mixed on my acronyms now. 
The IRT are not proposing a well-known marks list or a famous marks
list in the way that those terms are understood by trademark lawyers.

Instead, the criterion that we have proposed be adopted for this GPML
are numerical and purely objective, and I will get to our thinking on
those in a second.

But that was an important point to emphasize.

A second important introductory point is that one reason, a large
reason why the GPML was the subject of the discussion and ultimately a
recommendation by the IRT, is that of all the comments received in
relation to the DAG and new gTLDs, this was perhaps the singlemost --
certainly one of the most common requests that were received and that
were heard repeatedly.

And it wasn't a request for a GPML.  It was a request either for a
reserved names list or some kind of white list in some formulations
that would have removed particular names outside of the gTLD space for
an indefinite period.

The IRT felt that while we looked at those suggestions and considered
the merit behind them, that such a list would be neither reasonable nor
fair.  And we hope that the GPML goes some way towards assuaging the
protection concerns without going that far.

And to that end, we have emphasized also, in the report that, the
legibility requirements for the GPML are to be very high and therefore
very strict.  At this point, I would like to address some comments that
have been made with respect to the different criterion or allegedly
different criterion adopted in the draft report we sent out in April,
and the final report in May.

There were figures draft report that were suggested by the IRT as an
illustration of the strict thresholds that we had in mind.

At that time, we had not engaged in any data collection.

As comments came in and as suggestions for places where we could look
for data came in, the IRT requested ICANN staff to assist our work by
going out and collecting those data and presenting them to the IRT in
an aggregated manner.

Certainly, I think speaking for every member of the IRT, we don't wish
to know whose brands or trademarks are on that list.  I don't want to
know where Russ's company is or anybody else's.

By the time we had to send out the final report, we had not yet
received the data, so it's important to emphasize that do not take the
lack of numbers.

But by the time we had to send out the final report, we had not yet
received the data, so it's important to emphasize that do not take the
lack of numbers in the final IRT report on this score to indicate that
the IRT has backed off on its recommendation that the threshold
requirements be high.

Apparently I have to hurry a little bit.

So let me just go on to the next slide after mentioning that the --
some people have raised questions about the November 1st, 2008 date. 
That was a date taken from the DAG.  And if you've read the IRT report,
you have noticed that we contemplate that as registrations go on, as
new application rounds are launched, that certain criteria requirements
as well as these dates may well have to be revised.

The other thing, the last thing I'll mention about the GPML, is that
it operates at two levels.  So if anyone's mark makes it past the
strict criterion on the GPML, they will have for that mark a top-level
protection and a second-level protection.

And for the top level -- let me just cover the differences.  At the
top level, what is analyzed when a new gTLD is applied for is either an
identical match with the actual mark on the GPML, or confusing
similarity.  And with this respect, the language and the text that
we've suggested for confusing similarity pretty much comes from DAG,
too.

One important point to emphasize is that, unlike other proposals or
earlier solutions, if, after this evaluation, the applied-for gTLD is
an identical match or is found to be confusingly similar to the actual
mark on the GPML, there is a reconsideration process, and the IRT
firmly believes, it's in the report, that all applicants who fail the
initial evaluation should have a chance at reconsideration.

At the second level, the main difference is this, that the match
between the mark, the actual mark on the GPML and what is being applied
for at the second level is limited only to an identical match.  At that
point, a dispute resolution process can be initiated that includes an
appeal, and if the applicant can show that he or she has legitimate
rights or interests in that domain name, and that can include generic
uses, for example, or permissible product descriptions, that will go
through the registrations process.

I do not have time to speak much about I.P. claims or sunrise.  So I
will just note that the I.P. claims service is a service that notifies
both potential applicants as well as trademark owners who have put
their data in the I.P. clearinghouse that either, on the one hand there
is a narc the I.P. clearing us that identical matches what you're
applying for, and, on the other hand, where the owners of the marks are
concerned that something has been applied for that matches your mark,
if the applicant then chooses after notification to proceed with his or
her registration, he will be asked to make some representations and
warranties with regard to his legitimate use of the mark and accuracy
of information provided and so forth.

>>BRUCE TONKIN:   Okay.  Thank you, Eun-Joo.

I want to clarify some terminology.  You mentioned DAG and DAG 2.  In
Australian English, I'd often be referred to as a DAG, and Chris
Disspain is probably a DAG 2.

[ Laughter ]

>>BRUCE TONKIN:   But in ICANN English, "DAG" refers to the draft
applicant guidebook.

At this point, I'll just allow the -- Eun-Joo just to briefly respond
from a WIPO perspective, perhaps if she could clarify whether or not
she supports the I.P. claim -- not the I.P. -- the I.P. clearinghouse
and GPML list or whether she supports it with changes or whether she
doesn't support it at all.  But if you could provide perhaps a brief
comment.

And while she's doing that, perhaps those that wish to comment to like
to approach the microphone, and we will commence the questions.

>>EUN-JOO MIN:   Thank you, Bruce.

I would just like to reiterate that the WIPO slides have been posted
on ICANN's Web site.  WIPO has also submitted written comments in the
form of a letter, comments to the draft IRT report and also to the
final IRT report.  And that is available both on WIPO's Web site and
also ICANN's Web site.

So today, I'll limit my comments or my reactions to the core -- to the
gist of WIPO's comments to the IRT recommendations.

In connection with the I.P. clearinghouse, in light of the central and
the ubiquitous role that is currently envisaged for such a
clearinghouse, we believe that there should be a very close oversight
by ICANN and adequate safeguards should also be put into place.  

It's unclear to us today what would be the different roles for the
clearinghouse.  But because of these reasons of -- in a different
session, I think it was described as a benign monopoly, if a monopoly
is granted, there should be safeguards, and the roles should also be
limited.  And one way of doing it may be differentiating the --
granting the roles to different entities, for example, data collection
and storage could be granted to one entity, and data validation could
be granted to a different entity, and I.P. claims to a third entity.

So those are some comments.

One overarching comment would be, one of the questions that IRT -- I
think IRT had ten or so questions to judge the relevance or the
implementability of these recommendations, and one was, who will pay.

And it's unclear who will pay for the I.P. clearinghouse.  But we
would recommend that the fees of the clearinghouse should not be
entirely on the trademark owners, but that it should be shared by all
relevant actors in the DNS.

>>BRUCE TONKIN:   Okay.  So I'll just alternate between the queues.

So I'll start with Jordyn Buchanan on this queue, and then I'll jump
across to Amadeu.

So starting with Jordyn.

>>JORDYN BUCHANAN:   Thanks, Bruce.

I am, in fact, Jordyn Buchanan, and I will clarify.  I'm asking
questions only on behalf of myself.

So the last question posed was -- actually relates to the question I
was going to ask, which is what the funding model for the clearinghouse
might look like.  I ask this largely because I was looking at the
wonderful slide about all the features it should have, and these
include, it should be very reliable, it should be available 24/7, it
should be fast.  And then later, I noticed that we want to actually
tell registrants, apparently at the time they're registering, that
there might be a claim on the name.  So that means that it has to be at
least as fast and reliable as the registry infrastructure that already
exists, which makes it a fairly robust system, I think.

Otherwise, this would be the weak link and would be, you know, make it
so when people tried to register, it would be -- they would have a less
reliable experience than they have today.  Presumably, we don't want
that.

So when I heard that, I thought, wow, that sounds expensive.

And then I looked further down and said, oh, but it should be cheap.

So I'm somewhat baffled -- I mean, I guess what it says it should be
cheap with regard to mark holders.  But I'm baffled as to how to
disentangle the tension between those two concepts.

Has any thought been given to where money for this is going to come
from?

>>BRUCE TONKIN:   Who would like to try to answer that question?  Jeff.

>>JEFF NEUMAN:   I was hoping it would be Google.  But -- that's a joke.

You know, look, we did give some thought to the funding question.

But, you know, with the short amount of time that we did have, we
obviously didn't come to any conclusions.  You know, but some of the
thoughts of the group were that through this competitive process, we
would assume that someone bidding on this for a -- to operate this
clearinghouse would suggest some funding models.  So we didn't want to
necessarily dictate what that funding model would be.

But we did envision that it would be shared, that the trademark owners
would, in essence, be paying fees to -- to the clearinghouse to have
their marks validated.  But, you know, also, there were ideas thrown
about the group about ICANN funding some of this, as we know, its
budget has grown.

So there were ideas thrown about.  There was not a consensus of the
group to actually put this into the report.  But -- and that was also
balanced with the fact that funding models could be proposed either by
comments like this or by the bidders that bid on this opportunity.

>>J. SCOTT EVANS:   And, Jordyn, the I.P. claims service is not for
every registration ever registered in a TLD.  It's merely during the
startup process, so it's not a real time.  It's just an alternative to
sunrise.  

So when you go out and you open your registry and you do some
prelaunch mechanisms, that's one of them.  It's not a real-time
service.  It would only work during the prelaunch mechanism, which I
don't believe has ever been real time, has it?  It's always been take
in all the information and do things ahead of time, and then they
launch afterwards; correct?

>>JORDYN BUCHANAN:   If you had a mark that wasn't registered,
subsequently, someone could go and register and (t) and they wouldn't
get any warning that this was taken?

>>J. SCOTT EVANS:   Right.

>>JORDYN BUCHANAN:   One more question?

>>BRUCE TONKIN:   You can ask one more, then to the back of the queue.

>>JORDYN BUCHANAN:   I think I only have two, so --

My second question is --  So it relates to the thresholds for the
GPML, the elusive and disappearing or whatever they are thresholds for
qualification.

I'm curious, since I did -- since apparently the -- there was this
first stab at numbers and subsequently it was decided that there wasn't
enough data, I was wondering --  Was there thoughts within the group as
to whether we had to take the numbers out because they were too high or
too low?  Or was it just purely that we have no -- we made numbers up
and we have no ideas -- idea what they mean and we're going to wait for
data?  And I'll ask my follow-up so you can answer them both at the
same time.

Which is, have we -- have we subsequently gotten any data from ICANN? 
I'm specifically curious as to how many marks would have qualified
under the original criteria that were laid out in the draft report.

>>MARY WONG:   I'll let my fellow team members jump in to supplement
what I'm about to say.

I'll first answer the second question of your second question.  The
answer is, from the IRT's perspective, we don't know.  We haven't yet
received the data.  So perhaps that's a question to be directed to
ICANN staff.

On the first question, like I said, my belief, anyway -- and I think a
lot of the members, when we put those numbers out there in the draft
report, it was an indication that it had to be really, really high.  I
don't think we made it up.  I think we've got a sense of a number of
countries of the world, bearing in mind that in both versions of the
report, that we emphasized that there have to be registrations across
all five ICANN geographic regions.

So I don't know if that answers your question sufficiently.  But that
was the thought behind it.

And we haven't yet received the data.

>>JORDYN BUCHANAN:   Thank you.

>>BRUCE TONKIN:   Okay.  Amadeu.

>>AMADEU ABRIL I ABRIL:   Okay.  Thanks.  Amadeu Abril i Abril, CORE,
Internet Council of Registrars.

Three very short comments.

The first one is very simple, is a language question.

The IRT insists in the document and every presenter like Mary here,
that the I.P. clearinghouse provider shouldn't have any contract with
ICANN.  I think he they mean any other or prior contract with ICANN. 
Because I hope there will be a contract, if nothing else, for what they
do with the data and what they do with the data you are collecting.

Putting that aside, the two real comments.

First, on the type of rights that should be there.  I really don't see
how there is any excuse for also putting designations of origin and
quality into that category with registered trademarks.  This is not
about what is the international value of the different types of things
of national origin according to international law.  It's the fact that
they do exist and in different national regimes, and they should have
at this level of preventing abusive registration the same level of
protection.  Because they have less mechanism frameworks, because we
are only thinking about trademarks, and precisely, it's not a
trademark, so, by legal definition, it doesn't have this tool.

The third question is, I think it was David Taylor, I recognize the
voice, but I didn't see the voice, sorry, who said that the most
important thing is aligning the incentives to prevent abuses.  And we
completely agree.

We think that the IRT has unwittingly inserted an incentive for more
conflicts than needed.  And this is one of the consequences of the
globally protected trademark list, where it says that at the top-level
domain, it means that any identical registration would fail.  And then
they can appeal or challenge or ask for reconsideration or something
like that.

This is putting the thing in the wrong perspective.  Why not at least
allowing that this applicant, like we do with geographic designations,
goes to the trademark and negotiates a letter of no rejection.  I will
give you a historical example that some people at the table also know
from the other side.  

It's dot cat and cat for Caterpillar.  

If you simply say because everybody is thinking about the big, open
TLDs, that you want your trademark being protected against using that
as a TLD, the only rationale (inaudible) trademark owner or company
says, "Indeed, I want this." 

And then when you see the type of TLD that dot cat is, well, I don't
think that there is a conflict.  

And this was negotiated not through the trademark lawyers, beforehand
in 2004.  And there was no problem.  

Afterwards, there have been some accidents, not the fault of
Caterpillar at all, but because of the wrong incentives.  

So here is not the same that beforehand you can go to the company and
explain what you are trying to do and have no objection as being
killed, being shown as a guilty person, "Do you want to release this
guilty person?"  And the company that's a defend in the challenge will
do what is only the logical thing to do, defend themselves.  And the
simplest thing, say, no.  Why?  Wasting money.  Just writing what they
are doing, these guys.

So I think that it's a little bit overkill and the protection should
at least allow for negotiations between the parties and not automatic
killing, automatically killing the application.

Thanks.

>>BRUCE TONKIN:   Amadeu, I think we can -- I think the I.T. team can
take that on as a suggestion.

The first part of your question, though, I think was asking, was there
sufficient rights.  What was the -- what was his question number two?

>>JEFF NEUMAN:   So on that question, this may be just a
miscommunication in the report.  I don't believe we meant to say that
the clearinghouse had to collect all of these elements.  I think it was
more as a tool, that if there's a registry in the future that wants to
have some distinction and give some sort of preference to those marks
based on designation of origin, that the clearinghouse could be a
repository for that information.  It's not --  We weren't suggesting
necessarily that that element was used in every single TLD it launched.
It was really to help future registries to have one source to go to if
they choose to give a preference for that type of mark.

But it wasn't any kind of mandatory that had to be there.

And --

>>BRUCE TONKIN:   So an example there probably, Jeff, would be on the
type of TLD, so a TLD that's like a dot food, something like those
designations of origins are probably more relevant to, you know, a TLD
that's related to sport or something.  So it's probably going to vary
on the TLD; is that right?

>>JEFF NEUMAN:   It could be.  There are other types of things.  For
example, you know, if -- well, dot Berlin is being proposed.  If they
wanted to give a preference towards trademarks in Germany, they can do
that, and the clearinghouse would be able to collect that information
and validate that information as a tool, as a one-stop shop,
essentially registries to be able to validate that information.

And I forgot what the second question was, but I remember I was going
to address it.

>>MARY WONG:   With regard to --  Yeah, Jeff, you can jump in anytime.

'Cause now I've forgotten the question, too.  It's terrible.

>>BRUCE TONKIN:   That shows that rather than asking three questions
at once, it's better to ask one question, then pause, and then we can
respond to it.

>>MARY WONG:   And with that sentence, Bruce, you've reawakened my
memory.

I think, to go to the second question, with respect to the finding of
confusing similarity and the challenge and so forth, one response would
be that that really is exactly why the globally protected marks list
has to be something that's truly globally protected, so that really is
only very few marks where a potential top-level applicant will find
himself or herself in a position of potential conflict.

Even in those limited circumstances, there would still be an
evaluation.  And I'm just talking about initial evaluation, not the
reconsideration, of either an identical match or confusing similarity,
which I would argue then lessens even those few numbers to even further.

>>BRUCE TONKIN:   Okay.  Kathy.

>>KATHRYN KLEIMAN:   Kathy Kleiman, NCUC again.

I'm going to take up Bruce's original question that we do kind of one
topic at a time.  So I'm going to do the I.P. clearinghouse and then
you'll get me back to talk about the globally protected marks list.

Two-part question.  And I will ask it together, because I don't -- I
think it's okay.

First is --

>>BRUCE TONKIN:   Just remember to slow down.

>>KATHRYN KLEIMAN:   That is so hard.

Regarding the I.P. clearinghouse, aren't we recreating the wheel? 
Aren't there watch services now existing and information all over the
world in various languages doing exactly the job of notifying large
trademark owners that their mark is being registered as domain names
and where to go to find those domain names?

Second, there seems to have been some modification of the I.P.
clearinghouse at the table.  But let me go back to the text.  Maybe I'm
misunderstanding.

That we're going to have an I.P. clearinghouse that is kind of a
dumping ground for undefined intellectual property rights, including
registered rights and unregistered rights -- I'm not sure what an
unregistered right is -- trademarks in use and not necessarily yet in
use, and that will include every noun I know in the English language,
every noun I know is registered, at least in the U.S. Patent and
Trademark Office, every noun I've ever looked up is a registered mark. 
That includes Tide, Cheer, Sun, Panther, and by the way, there are
three registrations for Jesus.

Based on what you've said here, even if it's just sunrise, that the
I.P. clearinghouse, the claims service -- let me see if I understand
this -- will notify new gTLD applicant and trademark owners that a
current validated right exists for the identical term being applied for
at the second level, regardless of what category of goods and services
that identical term is in.

So let me see if I understand.  I go to register a basic noun or name
or last name, and some new top-level domain, even if it's kind of a
noncommercial intent, and I'm going to get some kind of flag, some kind
of flag that says, "You are using a word that's registered in English,
French, Spanish somewhere in the world for some category of goods and
services, and you should just know that and waive all your rights, you
know, click here if you want to go forward knowing that someone
somewhere has some rights, something, may be completely unread, click
here to go forward."  Aren't we going to be turning a lot of people
away, a lot of people using basic dictionary terms, aren't we going to
be turning a lot of them away and chilling their use of domain names,
because maybe they'll just say, Hu, maybe I shouldn't register, maybe
I'm walking into a problem.

>>BRUCE TONKIN:   Kathy, to clarify sort of the last bit, want to make
sure the language is correct, they're clicking through -- maybe the
I.T. group can clarify for me, too -- are they actually waiving their
rights or just accepting that they have been notified of the rights? 
Because I think they're different things.  I want to clarify perhaps
from the team.

>>KATHRYN KLEIMAN:   Even now when I register a domain name, I agree
that I'm not violating anyone's rights.  I mean, that's part of the
registrar agreement.

>>BRUCE TONKIN:   You're not waiving your rights, though.

>>KATHRYN KLEIMAN:   That I'm not violating someone else's rights. 
But here, we've got something with much more detail.

Thank you.

>>JEFF NEUMAN:   So, Kathy, it's interesting.  I remember having the
same conversation back with you in 2000.  It's like déjà vu.  But the
reality is, dot biz did it.  I don't think it chilled anyone from
getting any generic marks at all during that.  So it's a good argument.
It didn't really pan out back in 2000.  I don't think it'll pan out
this time.  But I'm happy to listen.  It's just my opinion.  I don't
think it was chilled.

But, essentially, that's right, you'll get notified.  This is, again,
prelaunch.  You get -- the idea was -- and, again, this is a minimum
that's proposed.  You can propose doing a sunrise instead of all this. 
But if you choose to do an I.P. claim service, you would get notified
when you apply that you are attempting to register a mark that's on the
GPML -- I'm sorry, this is I.P. claims -- that someone has registered
that remark and you get a notice of those rights.  And you're free to
ignore, you're free to proceed with the registration.  It asks to you
make a representation that to your knowledge, you are not infringing
the rights of another.  The same thing that you would normally have in
your domain name registration agreement.  So I'm not sure that that
would really have the effect that you're saying about chilling.

But I guess, you know, you can have that -- that opinion.

With the unregistered marks, I mean, you read a passage.  And I think
it's a fair comment.  Maybe we didn't necessarily word it correctly. 
But the intent was to allow this database to get as much information as
the registry needs for implementing its rights protection mechanism. 
So if it wants to recognize unregistered marks, not that it has to, but
if it wants to, it could then use the clearinghouse.

So and remember, it's just a database.  It's nothing more than that,
than a repository of information.

And in respect with the question of the watch service, isn't this --
aren't there watch services out there already?  To my knowledge, and I -
- I'd be glad to hear about it, to my knowledge, there is no watch
service that I know of that actually validates and verifies that you
have the rights you're claiming to have before getting the results.

We used -- we did in the draft have a section on watch reports.  We
took that out because of the comments that we received, just like the
ones you mentioned, that there are other watch services out there.  And
we did not mean to intend or we did not intend to mean that it would
replace the existing services out there.  So that's comments that we
heard and addressed by taking that actually out of the draft report.

>>MARY WONG:   Can I just do a brief follow-up to Jeff's points.

First of all, I guess the law professor in me has to say, when you
abbreviate your presentation, you do leave out words like existing
contractual relationship from the earlier question.

But also that there is a critical distinction between making a
representation and warranty that you will not violate someone else's
legal rights, which all good actors will not do and will not want to do.

And waiving your rights, including rights to go to court and so forth,
which -- and these rights and warranties are actually listed in the IRT
report itself.  And I don't believe that we go anywhere near a waiver
on that.

Then, secondly, with respect to the use question that you posed
earlier, our intent, at least as I read it, is that there are a lot of
marks all over the world that are registered on different bases.  And
many are registered on an intent to use bases.  If they are registered
trademarks and they fulfill the criterion, then that ought to qualify
them for inclusion as trademarks if they satisfy the national
registration criterion and they are marks of national effect and so on
and so forth according to the rest of the criterion.  That may or may
not be the case in other countries.  If you do not have a right to
register based on an intent to use in your country, that does not make
you a trademark rights holder in the eyes of the I.P. clearinghouse.

>>KATHRYN KLEIMAN:   Just a quick response.  Thank you to Jeff and the
idea that this is just a database.  I think we're creating a monster
that could easily be misused far beyond anything we're anticipating. 
Thank you.

>>JEFF NEUMAN:   Just to respond to that, if you can suggest comments
as to how we don't create that monster, we'd love to hear it.  ICANN
would love to hear it.  Because I share your view that if we are
creating a monster, we should devalue it and make sure that it doesn't -
- that it doesn't do anything beyond what we intend it to do.

>>BRUCE TONKIN:   Thank you.  If you can state your name for the
describe and --

>> Greg Chynoweth with Dynamic Network Services.

I guess my question related to the bounding of trademark law by free
speech law.  And I was interested in hearing, in your discussion of the
protections for trademark owners, whether or not you considered or had
any testimony or had discussions of how this could be used or could
chill potential free speech in the context of the GPML.

So I guess the question is, what -- how much did you consider, if at
all, and how did you consider, if you did, the role of free speech in
the implications of the suggestions, the recommendations that you're
making?

>>MARY WONG:   So just very quickly, we considered, read, and
discussed all the public comments that we received in response to the
draft report when we met face to face for the second time to prepare
the final report.

We also looked at the comments that were received in response to the
draft applicant guidebook, no longer called DAG, either version 1 or 2.
And during the face-to-face meetings, we had meetings and discussions
and presentations from representatives of different types of
organizations, constituencies watching out for consumer interests as
well as other interests.

So my personal belief is that we took all of that on board, we
considered it, and we put forward a set of recommendations after a good
deal of debate amongst all the members, not all of whom agreed on every
point when we started out what we hope is a fair and balanced set of
recommendations.

>>KRISTINA ROSETTE:   Can I supplement that slightly?  

I think it's important to keep in mind that we very much did encompass
freedom of expression concerns when we were talking about how do we
ensure that potential applicants that may have a right or a legitimate
interest in using this term have the opportunity to do so.

And I think, frankly, the best example of that is that the GPML is not
a reserved list, period.  Lots of trademark owners wanted it to be. 
And we intentionally designed it so that it's not, so that there are
opportunities both at the top and the second level for someone who may
have a right or a legitimate interest in using the term that
corresponds, whether it's in a free speech or some other right or
legitimate use that's protected under their respective national law,
that we've carved that out.

So we very much were cognizant of that.

Whether we have an actual phrase, free speech, in the report, I don't
think so.  But it was very much part of our concern that we were trying
to accommodate when we were doing our balancing.

>>BRUCE TONKIN:   Okay.  Richard.

>> Richard Tindal from eNOM.  We support the I.P. clearinghouse.  We
think it's a very sensible, practical RPM that's going to save
trademark holders a lot of money.  As a couple of folks have mentioned,
it is not setting policy in any respect.  It is a database.  And so the
registries get to choose how they apply the data in that database.  Not
to say I think that potentially it couldn't be misused in some way. 
But I think that point was also taken, there are protections that can
be put in place for that.  So we think it's a great RPM.  We think
perhaps that if ICANN didn't mandate it, that the marketplace would
probably produce one, because it's an efficiency measure.  It stops
trademark holders having to go to individual registries and do this
thing over and over and over.  It just makes sense to us.  So....

The I.P. claims service we think is also a strong RPM, both the I.P.
claims and its sister RPM, the sunrise.  You choose one or the other is
what the report says.

So it's worked before, as Jeff noted.  We operated it, and it worked
well.  It's only during the launch phase of a registry.  It doesn't
happen all the time.  So important everyone understands that, that this
is not something that would happen in perpetuity in the registry, but,
rather, just during the first month or two months.

So again we think that the I.P. clearinghouse is a strong RPM and we
support it.

We oppose the GPML, the globally protected marks list, for a number of
reasons.  The first reason is, we think it's going to be hugely
complex, controversial, and politicized to actually come up with what
this list is.  The criteria by which you get included on the list is
subjective.  And as such, it's inherently going to be politicized in
our view.  We don't know how we're going to decide what is that
threshold number?  Who's going to decide and on what criteria are we
going to decide who's on the list and who isn't?  And we can see all
sorts arguments and disputes from folks about who and who shouldn't be
on it.  We can see political globalization in the sense that there will
be folks from less-developed countries who have strong marks there and
want to be on the list but don't meet the criteria.  And so we're going
to see lobbying, in our view, from some countries that, look, you need
to lower the threshold from our country versus what happens in western
countries.  So we just think there's going to be a lot of trouble
producing lists.  It's always very hard to produce lists unless you
have very clear-cut criteria, we think.

But if the benefits of that list sort of were sufficient, maybe it's
worth going through all that, all that hassle that I just talked about.

But we don't think it is.  We don't think it is.  We don't think the
list really adds much value at all.

At the top level, we think that the list adds no additional value to
what the draft applicant guidebook already provided.  As we look at
what the GPML would do for you at the top level versus what the draft
applicant guidebook legal objection process would do for you, we really
don't see any difference.

At the second level, the list really doesn't add much value, in our
opinion.

Being on the list doesn't give you any preference in sunrise.  And so
if you've got a trademark and you're in a sunrise situation, you're
going to get access to that name anyway.  So, in our view, at the
second level, there's kind of marginal benefit from being on the list. 
It's an exact match.  You get one domain name.  If you want Microsoft,
you get Microsoft.  That's it, in that particular TLD, which you would
have access to during the sunrise as well.

So, in summary, we think that the list -- that the costs of the list
are going to significantly outweigh the benefits.  And we would
recommend that that particular RPM be dropped.

>>DAVID TAYLOR:   I could just reply briefly on that, Rich.  And I
think we absolutely appreciate the comments and it's good to hear the
thoughtful ones.  And the GPML does pose problems.  And I think every
trademark owner who's on it would love it and every trademark owner who
isn't on it will hate it.  So we're saying put the bar high.  We're not
going to please that many trademark owners around the world, in any
event.

>>BRUCE TONKIN:   Okay.  On that mike, yeah.

>> (saying name) from -- working for dot Asia registry, but speaking
on my own behalf.

Just like to echo what Richard and probably many of you in the
community will consider.

Just like to echo what Richard and many of you in the community would
consider, I would like to touch a little bit on the IDN -- I mean on
the issues on that, coming from the Chinese, Japanese, and the Korean --
I mean, speaking, the community.

We are launching this new gTLD and also the fast-track ccTLD.  The
programs really eager to see if the plan is being implemented, how this
incorporate the dealing with the -- I mean, at the minimum level, the
Chinese, Japanese, and the Korean's languages, especially when we are
talking about for those who are most here in this room are owning brand
names in their local language.

In our languages, I'm seeing probably an easier way to -- for them to
do that, but for brands and for trademarks coming from Chinese,
Japanese, and Korean, how they will like to work with and to meet the
criterias that you set for.

And I think that's one issues that could be addressed in the upcoming
works.

I mean, obviously, there's other works.  For example, in registry, in
the registrar dealing with the variants, the top level, and also on the
second level.  I think that would also create some of the issues here.

So my second comment.  And my final comment will be to echo what Jeff
and, I mean, the previous person just said.  Instead of creating one
centralized database or services for the GPML, maybe there's an
alternative way of doing that is by dividing the service into different
languages.

I mean, probably this has been raised in your discussion, but just
like to offer, I mean, the alternative view on that.

Thank you.

>>BRUCE TONKIN:   Thank you.

I might jump across to this mic here, if that gentleman would like to
speak.

>> Is that on?  (Saying name).  I am speaking in my own personal
capacity in some respects.

One of the things that the IRT mentions is the thick WHOIS model.  And
you seem to harp back to the current status quo within ICANN for the
gTLDs.

However, considering the number of new concepts that you are
introducing to the process with these clearinghouses and GPMLs and
everything else, in my opinion I think your views on the thick WHOIS is
a bit narrow.

While you seem to think it's acceptable to introduce a GPML which
basically creates a tiered trademark holder type scenario whereby a
small trademark holder doesn't get to be on the list and a few big
brands do, which is pretty controversial in some respects, at the time
you seem think to think, okay, the status quo with regards to WHOIS and
what is and isn't displayed in WHOIS should be maintained, while
ignoring the fact that ICANN has given dot tel the opportunity to grant
private individuals the opportunity to opt out of WHOIS display.

So I would just like to go on the record saying I think it's a bit
narrow-minded of you.

>>BRUCE TONKIN:   Okay.  Thank you.

In the middle.

>>GUAN YUANYUAN:   Good afternoon, everyone.  I come from CONAC. 
China Organizational Name Administration Center.  And in my opinion, to
protect I.P. right I think is quite valuable.

Now I still have some curious about this final report.

For the GPML, how does the strict criteria of requirements which GPML
should satisfy get a global consensus?  How to get a global consensus?

Because, you know, as far as we know, different countries have a
different jurisdiction, especially different trademark laws.

So according to the different trademark laws, what kinds of trademark
should be protected is different.

So according to the spirit of laws, which is justice?  If that means
that every country with can provide their list of trademark according
to their national trademark laws, isn't it more fair and reasonable?

Thank you.

>>MARY WONG:   I will just say, and I know that people probably
disagree with the IRT on this point, that in crafting the GPML, we have
tried to come up with what we think is the probably the most objective
criteria.

So to the point about different national laws and different
jurisdictions, the fact is that we have a couple of very basic
requirements, and one is that you have a trademark registration of
national effect.

So that will be validated by the I.P. clearinghouse, but there will be
no question as to, well, if it's a trademark from country X, that's
going to be more suspect than if it was a trademark from country Y.

It's a question of adding it all up.  If you have the requested number
of national registrations and they cut across all five global ICANN
geographic regions, that's the criterion.

So in my personal view, I think the criterion actually do not run into
the sorts of problems which, in other ways for other criterion, might
well encounter, as you've pointed out.

>>BRUCE TONKIN:   Okay.  Philip.

>>PHILIP ARGY:  Thanks, Bruce.  Philip Argy from ArgyStar.com.

We are coming up to the tenth anniversary of the UDRP and some 30,000
or more cases have been heard.  And I would like to focus attention
back on the checklist here and, in particular, the first bullet point. 
What are the harms that are being addressed by the solution?  And
really a subquestion of that is how are those harms currently being
addressed?  And how is the way that they are currently being addressed
so inadequate that it needs a new solution of the sophistication and
complexity of the kind being proposed?

Because it seems to mean if you come right back to the comment that
was quoted from Francis, what we really have is simply a new
opportunity or a new domain, to use the pun, for all ground to be
reclaimed.

Cybersquatting is the problem, and every new TLD that's created simply
creates a new opportunity for a fresh round of permutations of
trademarks to be embodied in a TLD.

So it seems to me you have got 30,000 UDRP cases.  There would be, I
would suggest, none of the prospective entrants in the GPML that have
not already been the subject of a finding in a UDRP case that they have
trademark rights.

So you have sort of got a de facto GPML in the body of UDRP cases
already.

And the other thing you have got to recognize is that UDRP panelists
aren't totally stupid.  At least those from credible providers aren't
totally stupid.  They know what reverse domain name hijacking looks
like.  They know who the goodies and baddies are, to the extent to
which you can test evidence, and we accept that we can't test it
exhaustively.  But the alternative to no UDRP is litigation, so you
have still got a vastly superior solution to litigation.  And it's fair
to the trademark owners to say, "Here we go again."  We are not going
to rerun every case we have already run.

So why can't the starting point simply be that before you can
register, and not just in a sunrise period, before you can register any
new TLD, you check whether the underlying mark, if you like, or the
domain is the subject of an existing UDRP decision.  And if it is, the
default is that you run the dispute in a UDRP proceeding before
registration.  Not force it to happen afterwards, after some potential
harm is done.

So that may be a bit unacceptable to the panel who put a huge amount
of intellectual effort into devising a new scheme, but it seems to me
the harm is the cybersquatting.  All we're doing is creating with new
TLDs a new opportunity to do what's been done before.  So simply say
where it's been done before, simply say the default is know that's
effectively, if you like, a black list, and you have to make good your
right to register before you are allowed to go out and do it and
indulge in the harm that's already effectively been the subject of a
panel decision.

So that's just a thought that might be an alternative approach. 
There's always a danger that people are so wedded what they have come
up with that something somewhat more facile isn't as attractive, but I
do put it for people's consideration.

>>DAVID TAYLOR:   I am going to start off and say thanks, Philip.  As
a WIPO panelist myself, I am not entirely stupid, I think.  But then I
am a panelist with many different providers, so there you go.  It
depends how you look at it.

I was just going to say when we considered this and you look at the
list and how to be on it, we did consider quite a few different ways of
doing it.  Should it be based on trademark rights, should be it based
on number of domain name registrations in ccTLDs, should be it based on
number of filings before WIPO or CAC or whatever.

So there are a large amount of sort of different areas which we
covered.  And I think that's an interesting point.

I don't know whether we could be looking at a UDRP-type decision prior
to filing for a domain name registration.  I think there would be quite
a few people probably who wouldn't like that idea.  But it's an idea to
consider, without doubt.

>> (speaking off mic).

>>BRUCE TONKIN:   Thank you.  In the middle.

>> Hi, my name is David K. from Electronic Frontiers, Australia.  I
have two questions, one about the I.P. clearinghouse and one about the
GPML.  I will start with the I.P. clearinghouse question.

I sort of thought about this and why it was that I sort of found the
I.P. clearinghouse problematic.  Keeping an open mind and essentially
saying, well, if a whole bunch of trademark people got together and
said more or less at our expense for trademark holders we are going to
create this database and offer it to ICANN and registrars as something
that can be used to help the process and stuff, we sort of going that's
a really potentially useful thing and thank you, and why is it then
that the I.P. clearinghouse is kind of not sitting well with me.

And I think it's basically we seem to be creating -- it seems to be
ICANN creating, for a start.  And then -- well, not quite mandating but
very strongly encouraging a one-fits-all solution when there are
existing rights services in the area, and for many TLDs, it is not
going to be appropriate.

You know, for an IDN TLD, it may not be appropriate to be talking
about global names.  But a lot of TLD spaces -- we want people to use
them in a variety of ways.  So things like dot tel where there is
already a whole different set of case law covering that specific TLD
and things like that -- we are hoping there will be other gTLDs that
are used for innovative purposes rather than just putting an extra word
on the end of a whole bunch of other dictionary words.

So that's basically my criticism.  You have got a one-size-fits-all
solution that ICANN sort of is creating and mandating -- well, not
mandating but strongly encouraging.  Merely mandating for use in
certain circumstances.

And like for a lot of TLDs, I'm like, okay, sure, that would be
useful.  But it does seem like, you know, there's going to be a lot of
situations it is going to be inappropriate.  And then why are we
committing to this one mechanism?

>>BRUCE TONKIN:   Any comments?

No?

Alexander.

>>ALEXANDER SCHUBERT:   Yes, Alexander Schubert, CEO of dotGAY LLC.

Before I ask my question, I would like to ask you a question.  Maybe I
didn't write it right.

If you are at the GPML list, if you manage to get there, are you
automatically entitled to the respective domain name?

>>JEFF NEUMAN:   No.

>>MARY WONG:   No.

>>ALEXANDER SCHUBERT:   So for like Apple, for example, would surely
manage to get there.  What do they do then?  They are on those lists
with Apple?

>>MARY WONG:   And they are on the list.

[ Laughter ]

>>MARY WONG:   No, I'm serious.  The list does not create additional
entitlements, rights, or privileges.  It does exactly what the report
says, which is that if somebody applies for -- using the Apple example -
- dot apple, that gets matched against Apple on the GPML, again
assuming Apple is going to be on the GPML.  This may be a great
example.  As you said, we have been talking about it all week.  It
brings up an identical match.

But two things could happen.  If it is generic apple growers from
whatever region that want to use dot apple, that may or may not lead to
a finding of confusing similarity, because if you are using it as an
apple grower you can show you have a right of legitimate interest, even
a common law right in some instances to use that name, then there is
nothing that Apple Computers or Apple Records, for that matter, can
stop you from getting that top-level domain.

Secondly, and going back to the  "no" that you heard from a few of us,
where sunrise is concerned, because there were some questions outside
of this room about sunrise, being on the GPML does not entitle
whichever the mark owner is to priority or any other benefit under
sunrise.

If generic apple growers go in through sunrise and they have a right
of legitimate interest, they will get dot apple and not Apple Records
or apple computers.

>>JEFF NEUMAN:   Are you asking just an implementation question?  How,
if you are on that list, how you actually get the name?  Or to prevent -
- In other words, is your question if you apply for the name at the
second level but the registry blocks you, how do you actually get that
name if you are that owner?  Is that your question?

>>ALEXANDER SCHUBERT:   No.  The background being simply that domain
name speculators are extremely innovative, and if the threshold or the
barrier is not high enough -- I know you intend to make it very high,
but if it is somehow possible by buying together trademarks, I mean
those generic words are trademarked everywhere.  Like trademark hotel. 
You find it almost everywhere in the world.  If you are able to buy
enough trademarks hotel, could that lead to a situation that is not
intended GPML lists -- no.

>>BRUCE TONKIN:   So you had another question?

>> This is my GPML question.  Okay.  You said at the start that, you
know, you are not intending to grant any additional rights.  And it
sort of strikes me that, I mean, the whole point of the GPML is to
grant the people on that list additional rights within the ICANN
administrative system.

I mean, they may not be legal rights to that trademark, but the whole
point is to create this new class of people and then give them sort of
some special administrative rights over -- surely.  Isn't that -- isn't
that the whole point that you are granting these people some special
administrative position?

>>JEFF NEUMAN:   I think there's a difference between giving someone
an administrative right as opposed to a legal right.  And the point is
we are not giving anyone a legal right.

>> And that is what I just kind of wanted to say.

So surely -- yeah.  It was actually just to pin down the panel on that
point.  You are not granting people additional trademark legal rights,
but you are granting them administrative rights which surely are going
to empower them and having a chilling effect and so forth and all of
that.

>>KRISTINA ROSETTE:   I would actually respond to that that at the top
level, the entities that own marks that are on the GPML will merely be
given the same opportunity that ICANN in DAG 1 and 2 is reserving for
itself and its contracted parties, the registries.  Because in the
current initial evaluation, string confusion will be done against
existing TLDs and reserved names.  So we are simply adding on to that.

So to the extent that folks have an objection to that idea, it should
be across the board.

>> Okay.  And I also kind of -- I mean, it seems to me like you have
got a very big hammer for not really -- I'm not really convinced the
problem is real at the TLD level in that this isn't $6 cybersquatting. 
These are people who have to front up $185,000.

So if you want to front up $185,000 minimum just to get in the game in
order to get a domain name that other mechanisms, besides this, are
almost sure to take away from you in swift order if it's truly -- you
know, if you suddenly pop up, especially if you are using a coined and
fanciful trademark, your chances are actually holding on to that are
nil.  It's not even going to cost lawyers $185,000 to take it away from
you if it's that obvious, why is there this huge hammer to hit a
nonproblem?

>>DAVID TAYLOR:  Yeah, I completely agree with that.  In our report we
say the problem and issues are at the second level and not at the top
level, because there are not that many cybersquatters with 185,000 out
there to just go and do this and lose it.

>> The gTLD issue is not that big a deal.

>>J. SCOTT EVANS:   I want to say one thing about that.  The problem
is that if you do object, you have to continue to object.

Once you have proven you have rights, unless I pony up the $185,000
and make the initial investment to run my own TLD, it just goes back in
the pool and it becomes whack-a-mole.  Even on the top level.

So I have to go again and again and again and again to everybody who
comes forward.

ICANN hasn't done a process that says once you win one objection, that
name goes out of the list of marks that will be -- and strings that can
be used because somebody has already shown a right.  And you don't have
to register it for 180 -- it's just out of the pool.  What I am
concerned about is it may not cost me $185,000 every time, but it
becomes, when you put it on top of the second level, and I am having to
do it every time again because there's no preferential treatment and
there's no prejudicial effect, it's just whack-a-mole.

>> So maybe the ones that have already been successfully defended,
basically, rather than --

>>BRUCE TONKIN:   What I want to doctors wasn't to get onto the next
topic shortly so I will take one more question from the mic on the far
right and then one more on the mic in the middle because I know the
gentleman in the black coat hasn't spoken.  Then we are going to go on
to the next topic, which is URS.  I know Paul is there but I think
Richard said (inaudible).

[ Laughter ]

>>BRUCE TONKIN:   So if you could come across at that mic.

>> My name is Rebecca McKinnon.  I am cofounder of Global Voices
Online, which is an international citizen media community, and I have a
very practical question regarding languages and cost.

So with the clearinghouse, how many languages is this going to need to
be in?  And how is this going to have to -- I mean, I know that you are
expecting your subcontractor to figure out a business model, but to
what extent are you expecting that they are going to be able to
accommodate dealing with a truly global Internet on which many of the
registrars and so on are working with IDN gTLDs and are going to have --
are going to need to be dealt with in many different languages.

So I am wondering the extent to which that has been examined, just how
multi-national is staffing this entire enterprise is going to have to
have.  And what kind of cost this entails.

And then secondly, the issue is if this is going to turn into a very
expensive enterprise, the whole question of who is paying for it, and I
know again you haven't figured out the business model and that the
subcontractor would be doing this, but there would be a concern amongst
people from the developing world operating IDN gTLD in Urdu and Farsi
and operators who don't have a lot of money, in terms of whether or not
this cost is going to be passed on to the people running the IDN gTLDs.
And if that's the case, might that amount to, inadvertently perhaps,
but amount to a regressive tax on non-English or non-Roman language,
Roman character language speaking people and be something of a damper
on the entire purpose of IDN gTLDs and trying to make the Internet as
linguistically diverse as quickly as possible?

>>BRUCE TONKIN:   Okay.  Did someone want to respond to that?  Perhaps
Mary?

>>JEFF NEUMAN:   I think you have raised a lot of really good
questions there, a lot of good points and things that we have only been
together for eight weeks to do this work.

So those are obviously implementation questions that need to be
figured out.

I would add that the intention was for this clearinghouse to be to be
able to collect all these things in multiple languages and to be able
to be used for IDN registries.

The second thing was the intent was not to pass on the cost to the
registry that was operating a TLD for the reasons you mentioned, or at
least partially because of what you mentioned was that we did not want
to hamper competition in the registry space, and we didn't want to pass
those burdens on to the registry so that we could have new and
innovative registries from all around the world come forward.

So the intent is not to pass the cost on to the registry.  But all of
your other questions are excellent.  I don't have any answers for you,
but I think they are good ones that the scribe has taken down.

>>BRUCE TONKIN:   In the middle.

>> I am David from Australia.

>>BRUCE TONKIN:   Speak into the mic.

>> Hi.  I am David B. from Electronic Frontiers Australia.  Basically
I was just asking in regards to the clearinghouse.

I'm kind of concerned about the expansion of existing national
trademark enforcement to be basically greater, more greatly expanded
into an international right that trademark holders don't currently
have.  And basically this seems to be open to a lot of abuse, not only
for existing trademark holders but for cybersquatters who are basically
one of the reasons we're trying to do this.

I can think of lack of convenience trademark registrations to get
around the trademark holder rules and basically helping cybersquatters
get to second-level domains.

But, yeah, basically, are we really giving a lot more rights and
opportunities to people who wouldn't already have them?

>>MARY WONG:   Just very briefly, we recognize that with many of these
mechanisms, there's always the problem of gaming and people trying get
around the system, and in each of them we have tried to design it in
such a way that it would minimize those problems.

With respect to the clearinghouse, one response would be that is
exactly that validation function, that you submit your data as a
trademark owner to the I.P. clearinghouse, that that gets validated
with whichever national trademark registry you got your trademark
registration from.

So that would be one way to minimize that problem.

>>J. SCOTT EVANS:   Yeah, I think we just need to be really clear to
understand that this has all been done before.  Dot EU did it, dot Asia
has done it.  All these databases and things have been used previously.

We just heard from people who were actually involved in the launch of
these to tell you, they have all been used before.

What we are saying is, rather than having to go to registry A, B, C,
and do everything 500 times, you just do it once.  And the 500
registries all feed into that.

But all your concerns, it's -- all these mechanisms have been used
over the last ten years.  They are all taking in this information. 
They have all validated this information.  They have all been used in
prelaunch mechanisms, but it's always been different.

And when you talk to a paralegal in my office who says, "I can't
remember if you are supposed to staple this stuff or you are not and
which one goes out and when is it supposed to be?  Can it go by Fed
Ex?"  They get so confused and it gets very expensive.

So we are saying let's just do it once and then all the registries can
choose, of the information that is in that clearinghouse, what they are
going to offer protection for, what they are not going to offer
protection for.  But they just have to knock on one door to get that
conversation, and the trademark office -- I mean the trademark owner
only has to send out one packet of information to one place.

It's just an efficiency mechanism.  It's not creating anything that's
not been done before.

Now, the GPML part it have is different and new, and that is different
and new.

But the clearinghouse model, it's out there, it's been used, it's been
successful.  And all we're saying is let's aggregate that into one
central location.

>>BRUCE TONKIN:   Okay.  So just to -- I just want to close off this
particular discussion and move on to the next topic.

But just before I do that, so we have had two --

I know, I will get back to you in a second, Paul.

We have heard a broad proposal around establishing an I.P.
clearinghouse, essentially a database of various rights that can be
used by registries.  And secondly, we have heard about a subset of that
which is to create a Globally Protected Marks List.

I just want to get a very rough straw poll based on what you have
heard -- so you have heard the panel, you have heard people asking
questions, just raise your hands if broadly you would support the
creation of an I.P. clearinghouse.

Okay.  Now, put up your hand if you do not think an I.P. clearinghouse
should be created.

Okay.  So it's a smaller number.

Now, the second question is, who would support, secondarily, the
creation of a Globally Protected Marks List?  Okay.

And how many would be against the creation of Globally Protected Marks
List?

So that gives you a sense that that issue has probably got less -- in
fact, probably more against than for.  But the previous probably had
more for. But it's useful to get a straw poll and it helps for the
panel to get a sense of where the room is at.

Obviously this is a sample that is somewhat skewed by people that can
afford to travel to ICANN meetings.

Or by too many Australians is the other option.

[ Laughter ]

>>BRUCE TONKIN:   I want to move on to the next topic.  We are going
to close this session down in total at 4:00, but I did want to note
there was a lot of thought around globally protected marks so I will
let that run through.

We will jump onto the second topic which is the universal -- URS, and
then Paul can be first in the queue to comment on that and he can ask
combined questions.  I'm sure he will innovate here.  It's going to
game the system, yeah.

What I am interested to see is Paul actually monopolize all three
queues.  He hasn't worked that out yet.

[ Laughter ].

>>BRUCE TONKIN:   I want a brief summary.  Again, most people have
heard the URS system described in earlier presentations.  So try to
summarize the main details and we'll get into a discussion on it.

>>DAVID TAYLOR:   The second problem, one which we would certainly
agree, I think everyone in the room, that cybersquatting continues,
whether it's going up or down, we can debate.  Consumers are being
mislead, and the UDRP courts do take time and do take money up.

We just put for example here of cases, CNNPORN.com.  For instance,
there, CNN were not too happy with that sort of domain name being
registered.  Another example there, facebook.ie.  But we're going to
have a lot of new TLDs coming along there where Facebook were faced
with a competitor who literally just had the same social networking
site up there.  Again, I don't think that's the right way of going
about things.  Nobody here would like that to happen to their brand.

Pokemonl.com.  It's a typo.  This was brought to attention with a ten-
year-old girl, and her mother brought it to the attention of a certain
lawyer, and then that went through.  That went to a pornography site. 
We don't like that.  And prada-baby.net.  All of these are WIPO cases. 
That was a child pornography site.  

So those are the sort of things which are around there.  And,
obviously, there are issues.  And this is an attempt at addressing that.

>>RUSSELL PANGBORN:   As we've been hearing, what we are really after
here is going after the bad actor cybersquatters.  To address this, the
IRT has proposed this Uniform Rapid Suspension system, the purpose of
which is to cost-effectively and timely give trademark owners a means
for protecting their brands online, but also to promote consumer
protection on the Internet.  And the intent is to go after these clear-
cut cases of trademark abuse.

It is not for the more fringe scenarios where there may be some
alternative generic meaning to a trademark or, in some jurisdictions, a
free speech or other fair use scenario.  Those are not what this is
intended for.

So how does this work.

The -- ICANN would select a neutral dispute resolution provider.  The
IRT has not made any recommendation as to who that should be.  I want
to be clear about that.  But it would involve a complaint, a notice to
the registrant, an answer, an evaluation of the case, and then,
ultimately, a decision, and then means for appeal.

The complaint, tying back to the I.P. clearinghouse, can be lodged in
one of two ways.  If you are participating in the I.P. clearinghouse,
you can utilize the clearinghouse to effectively bring in your data to
the complaint electronically and then submit the ecomplaint.

Alternatively, you can do it as just a straight form, fill it out and
do it.  So you're not obligated to be participating in the I.P.
clearinghouse to take advantage of this process.

The complaint, once it's lodged with the third-party service provider,
will immediately be -- the third-party service provider will notify the
registry operate.  And at that point, the Web site will immediately be
frozen.  And by "frozen," we're not meaning taking it down.  We're
talking about it cannot be transferred.  The content on the Web site
would remain.

Thereafter, once the Web site is frozen, the dispute service provider
would then turn around and immediately notify the domain holder of the
complaint.  And this would be done within 24 hours through e-mail and
then followed up with certified mail and then a third time by e-mail to
give the best possible chances to ensure notification to the domain
holder.

Once the domain holder receives the complaint, he or she then has 14
days to answer it.

The complaint will, of course, set forth the claims of infringement,
will have the accurate WHOIS information, and will also show snapshots
of the Web site and the actual infringing activity.

So then the registrant would have the ability to respond to that. 
Once the answer is submitted, then a final evaluation is made by a
qualified legal expert to be chosen by the dispute resolution provider.
And then, ultimately, the decision is rendered.  It's important to note
that once that decision is rendered, if in fact the complaint is
successful, the site will remain frozen.  The content will come down. 
And instead it will redirect to a standard URS process page.

It's important to note that there is no transfer of the domain name
happening.  This is not a scenario that we are looking to replace the
existing UDRP.  We are solely looking for the removal of the abusive
content.

Next slide, please.  A few things that are important to note.

We are striving to strike a balance here and avoid abuses to the
system.  So we've built into this process a means by which aggressive
trademark holders attempting to abuse the system can get shut out.  So
if an examiner reviews the complaint and it appears in the decision
that the examiner has decided that there has been an abuse of the
system three times, that particular complainant will be locked out of
the system for a period of one year.  Again, this is intended to be a
faster, inexpensive, and more effective fast option for these clear
cases of abuse.  And, again, in the case of appeal, we've built in that
if a complainant wins and somebody does appeal, the Web site goes back
up during that appeal process.  So with that, I know you have many
questions.

You were lined up before we even started.  So let's start responding
to questions.

>> What happened to Paul --

>>ELLIOT NOSS:   I'm in front of Paul.  He wasn't standing up.

>> I'd like to point out that Tucows jumped the queue.

[ Laughter ]

>>BRUCE TONKIN:   Actually, you can go first, Paul.

>> Paul Stahura:  I don't have a comment.

>>JEFF NEUMAN:   But do you support it?

>> Paul Stahura:  The URS?  Yes, I support it, with modifications.

Can I read mine?  It's really quick.

>>BRUCE TONKIN:  We'll come back to you later, Paul.

>> Sorry, Paul.

>>PHILIP CORWIN:   Philip Corwin, counsel to the Internet Commerce
Association, representing domain investors and developers and the
companies that serve them.

We strongly oppose the URSP.  And I will continue to refer to it as
the "URSP."  We believe it's a major new policy. 

And I want to focus on the statement made a minute ago and the
sentence on page 25 of the final report, statement -- the sentence
reading, "The URS is intended to supplement and not replace the UDRP."

We believe that sentence is completely erroneous.  And our evidence
for that is the April 3rd letter sent by the World Intellectual
Property Organization to ICANN in which WIPO stated -- WIPO proposed an
expedited suspension mechanism which was nearly identical to the
recommended URS and stated that their analysis of 400 UDRP cases -- and
I quote, show that an ESM limited solely to identical matches would
quote -- would capture, quote, a significant majority of UDRP disputed
domain names.

Now, if an identical match expedited procedure captures a significant
majority, wouldn't it be reasonable to assume that an expedited
procedure which extends to confusingly similar names, particularly when
there's no limitation on how many degrees of separation from the
original trademark that name might be, and given that the costs of
bringing a URS are substantially lower to the complainant and that
there is no cost to acquiring a name if successful, would capture the
vast, vast majority of UDRP cases and would, in fact, be the new UDRP
at all new gTLDs?

>>BRUCE TONKIN:   Go ahead.

>>EUN-JOO MIN:   Thank you.

Some clarifications are in order, I think.

The WIPO arbitration and mediation center did, indeed, publish a
letter that is sent to ICANN with a discussion draft of an expedited
suspension mechanism.  So I think it's a question of terminology.

But I think it is clear from -- if you read that draft that WIPO
shares the IRT's view for the need of a rights protection mechanism
that would complement the UDRP.  It would not -- it would not displace
the UDRP.  It would not replace the UDRP.  But it would narrowly
complement the UDRP.

And there are some certain common features with the URS, but there are
also some significant divergences.

And I will take this opportunity to provide some comments to the IRT
recommendation for the URS.

First, the final IRT report represents a shift from the draft IRT
report in that it requires a full examination by a panelist also in
cases of default.

And we believe that while we have to be fully mindful of the rights of
legitimate domain name registrants, with adequate safeguards put into
place, it would be more efficient to have a mechanism that simply
filters out these default cases, but, again, without a full examination
by a panelist.

I think it is really important to emphasize that we are proposing that
model instead of a full examination model of in case of default, but
that there be a process for a domain name registrant that did not
respond within the time period to put up a claim and assert legitimate
interests.  And if those legitimate interests are proven, to retrieve
that domain name.

And if -- just by way of illustration, in UDRP -- in WIPO's UDRP
cases, at least, there is some -- a default rate of some 70 to 75%. 
And if we adopt this model, it could be a very efficient way of
filtering out those cases.

A second difference would be that the proposal made by WIPO
recommended that the domain name that is suspended be put on some sort
of a reserve list so that it cannot be registered immediately
thereafter.  The IRT is recommending that the domain name be suspended
for the duration of the life of that domain name registration.

So how will that play out in practice?  It will probably mean that the
domain name will be suspended for a few months, maximum.  And then it
will go back to the pool of available domain names.  It will be subject
to cybersquatting again.  And therefore, for the trademark owners,
we're recommending these mechanisms to address and remedy rampant
trademark abuse.  And providing a remedy of such limited effectiveness
would translate, forcing trademark owners into engaging repeated serial
URS proceedings in lieu of defensive registrations.

So those are the primary differences.

>>PHILIP CORWIN:   Well, I admire your attempt to distance yourself
from your April 3rd letter, but I don't believe you've responded to my
question.

We do not believe the differences are significant enough to draw a
different conclusion.  But also referring to that April 3rd letter, in
that same letter, WIPO questioned whether an expedited suspension
provider could ever decide a confusingly similar claim on an expedited
basis.

Is WIPO now changing that position and supporting the IRT and stating
that this can be done on an expedited basis?

>>EUN-JOO MIN:   Phil, some clarifications.

The WIPO April 3 letter did not provide for one model.  That is why we
called it a discussion draft.  We provided for different options, and
we tried to illustrate what would be the advantages and the
disadvantages.

And you mentioned that -- you were referring as us saying that if the
disputed domain names are identical, if we limit the category of
disputed domain names to identical, that WIPO said it would cover the
vast majority.

It is not at all the case.

If you read our letter, what it says is, the category of disputed
domain names that include identical, but also that domain names that
incorporate the trademark in its entirety, if you add those two
categories, it would cover the vast majority.

>>JEFF NEUMAN:   So if I can just jump in.  Phil, I understand your
disagreement with WIPO --

>>PHILIP CORWIN:   We'll get into this in detail in our comment
letter, which will be find.  But --

>>JEFF NEUMAN:   Just stick to our agenda.

>>PHILIP CORWIN:   I will conclude by stating that we believe that the
URSP would be the new UDRP at new gTLDs, that it is basically UDRP
reform undertaken from only one side of the question, without taking
into account registrants' problems with the current UDRP, and that
further, it is a major policy change and should go through the normal
ICANN policy process and not simply be adopted without further
development.

Thank you.

[ Applause ]

>>BRUCE TONKIN:   That mike on the right.

>>PATRICK VANDE WALLE:  Thank you.  I'm Patrick Vande Walle from ALAC,
speaking in a personal capacity right now. Just wanted to ask a few
questions regarding the URS, and especially its implementation. 
Because you mentioned that suspended domain will be redirected to a
standard Web page hosted by the third-party provider.  That's fine for
the Web.  But I'd like to remind you that there are 65,534 other ports
allowed by the TCP/IP protocol.  So I'm wondering, are you going to
deal with this?  Because -- and especially, are you going to deal with
incoming e-mail for the suspended domain?  Because it's a crucial
privacy issue, and because it could lead to interception of e-mail, et
cetera.

The other question is that --

>>JEFF NEUMAN:   Can we take it one at a time, just so we remember it?

Sorry, because I'm pretty slow, I guess.

On that question, look, I think you're asking a technical question
when you got a response from an I.P. attorney.  So when he said it's
taking it down or diverting Web site, I understand the question you're
asking.  The real answer is that the name servers will be redirected to
the name servers of the service provider who will display that page.

So all of those applications will be shut down.

So when they say --  We're kind of talking past each other.  But when
they say the content comes down, what they mean in technical terms is
that the name servers will be redirected to the name servers of the
service provider.  So all of those, however many thousand applications,
will be -- will be shut down, including e-mail.

>>BRUCE TONKIN:   So, technically, so I'll just jump on it if we're
going to play technical games, what we're talking about, you're
redelegating the name.  Right.  That other provider could actually
intercept e-mail if it's set up MX records and things.  So you do need
some controls on where it gets redelegated to and what that other
party's allowed to do.

>>PATRICK VANDE WALLE: That was one of my points, indeed.

I noticed with some relief that you will be sending out the
notifications through certified mail with a 14-day period for response.
But I would like to remind you also that certified mail takes time to
be delivered, and especially my personal experience is that certified
mail between the U.S. and Europe usually already takes five business
days to be delivered.

So either you use FedEx or a similar system if you want to be sure
that the notice gets on time, or -- because you cannot just trust e-
mail.  Currently, we -- 97% of the e-mail we receive is spam,
especially if you're going to send out a notification in English to a
part of the world where English is not the main language, be sure that
it will be immediately directed to the spam folder, and you will get no
reply.

Furthermore, 14 days, while -- I can figure out that someone who is
doing a business can be expected to read his e-mail on a daily basis
and be able to act on the e-mail when it is delivered.

But if you send me an e-mail notification mid-August and I'm on
vacation, sorry, but my domain name will be suspended but me even
knowing it.

So especially for these individual domain name registrants, there
should be a possibility to extend this delay.  Because 14 days is just
unworkable.

Thank you.

>>JEFF NEUMAN:   Well, I was just going to just jump in.  I think it's
a valid point.  I think that's something the group considered.

It's also, actually, one of the reasons why the IRT actually differed
with WIPO in the sense of why we do require an evaluation in the case
of a default, because of that scenario.

So, you know, that builds in an extra protection so that even if you
do not respond, at least the panelist has made a decision based on the
evidence in front of it, whereas -- so that differs from WIPO's
suggestion why we didn't actually adopt that.

>>RUSSELL PANGBORN:   And even if you are on vacation to Tahiti for
five months, if it's in the course of the registry of your domain,
we've built into it that you can do a default answer, the Web site goes
back up, and then you go through the process.  So we did consider that.

>>BRUCE TONKIN:   Elliot.

>>ELLIOT NOSS:   Thank you.  Elliot Noss, Tucows.

We again have had the opportunity, or at least myself and some of the
panelists, to discuss some of the comments I'm going to make now with
respect to the URS.

You know, I would like to see a cleaner name space.  A cleaner name
space is good for all good actors.  And a cleaner name space is bad, if
done right, for only the bad actors, again, on both sides of the issue.

I have four modifications to the URS that I will propose and will
submit in comments.

First, that there be a separation between the business processes and
the adjudication process in dealing with the URS.  The vast majority of
the actions that need to be taken in the URS -- and there are a series
of complex actions that are communications between parties speaking
back and forth between systems -- are -- should be effected separately
from adjudication.  Adjudication is a very narrow part of this.

And second point, to have a competitive service provider process.  I
should have put that out first.  Competitive process.  And a separation
of the business processes from the adjudication process, such that
complainants would have the ability to select the supplier of their
choice, who would provide those business processes, and there would be
the assigning of an adjudicator, as opposed to the current UDRP system,
which allows the complainants to shop for adjudicators.

The last part with respect to adjudication, because I really think
that if we are going to extend rights, that we, in the URS, have to
have a system that has fundamental fairness at its core.  And the one
thing on top of the random assignation of adjudicators that I would
call for here is for an adjudicator to qualify for the post, they
could, indeed, be a panelist in the existing UDRP, but they would then
forgo the ability to appear before the panel, such that practitioners
would have a choice.  They could be on either side as complainants or
respondents.  They could either be panelists in the process, or they
could choose to be advocates in the process.

The UDRP is the only system of administrative law that I know -- or
administrative process that I know where that fundamental principle of
administrative fairness isn't present.  And I would not like to see
that principle extended into the URS.

Thank you.

That was four.  I'll split them out for you.

And then I have a comment of Paul's that I'd like to read.

[ Laughter ]

>>BRUCE TONKIN:   Paul.

>>PAUL FOODY:   Thank you, Bruce.

The child pornography thing I think we all agree is absolutely
disgusting.  It's something that a single person in this room wouldn't
have any argument about.

Okay.  But what we've got to remember is that -- was it two weeks ago
David Letterman cracked a joke about Sarah Palin's daughter, she was
14, and he made a joke about her getting done by A-Rod or something. 
The point is, everyone in the audience laughed.  They thought it was
funny, because they believed that this was the 17- or 18-year-old girl
who got pregnant during the election.  The point is, the problem is
child pornography.  But that is the tip of the iceberg.  It's
pornography on the Internet.

And when ICANN allow these new domains to be released and somebody
comes up with the amazingly innovative idea of saying, right, we're not
going to have pornography on our registry, everybody, such as myself,
with kids, are going to say that's it, I'm going to close off access to
dot com.  Okay?  And the guys with the new registries are going to
cream it.

Given that, if ICANN does not, as a matter of urgency, introduce a dot
XXX with the opportunity for everyone with a dot com address to get a
dot XXX, should they wish it, then if there is a massive increase in
the amount of child pornography, criminal activity, you name it,
following the release of these new registries, or even up to it, ICANN
can consider themselves complicit in the very worst of that sort of
filth.

Now, talking about complicity, at the same time as we're talking about
cybersquatters, we've got in the room here Jon from Network Solutions. 
If I go to Network Solutions and I do a search for a domain, what will
happen is it will say, you can either register this one or register --
you know, if you can't, it will give me a list of domains with the --
with a particular string that I have searched for, saying, "You can
register all of these."  And, Jeff, I'm sorry to tell you that dot biz
and dot info seem pretty high up on the list of domains that show up.

So when we talk about complicity and cybersquatting, let's recognize,
we can get rid of those sort of programs tomorrow.  Why are they on
there in the first place if cybersquatting is the issue that it is? 
Innocent people are going to Web registration sites, and they are
registering sites in good faith because their registrar has given them
a list of domains that they are able to register.  And the fact that --
and it's not just Network Solutions.  I'm not picking on Network
Solutions deliberately.  It's just that that was the last one that I
was at.

And the second point is, I have a hosting program with Network
Solutions, and I had a problem whereby my password had changed.  So I
phoned up Network Solutions and said, "Look, I'm having an issue with
my password.  Could you please tell me if someone has had access to my
account?  Has it been changed?"

The response was, "You're going to need a subpoena."

Now, you know, surely, any Web hosting service worth their salt, given
the sort of ecrime that we're experiencing, surely it should be quite a
simple thing for the domain -- for the host to e-mail or send some sort
of notification every time anyone tries to get access to any hosting
service.

>>BRUCE TONKIN:   Okay.  Well, thanks.  So a lot of suggestions there.
And I think some of them relate to what the IRT is doing.  Many others
are potentially for policy development.  So the GNSO has a process
where some of those suggestions can be taken into account and put
forward as potential new areas of policy.  Because most of those things
will require, essentially, changes in the rules.  But all of this is
being transcribed.  So all of that information is there.

So thank you for that.

>>PAUL FOODY:   One other thing.  What I -- if I -- should I decide to
go to Seoul, given what I have said and given the amount of money that
people have made out of pornography on the Internet in the past, I'm
going to make sure my bags are checked going to Seoul and back. 
Because I've heard what sort of things come from the Far East.  So....

>>BRUCE TONKIN:   I think we'll pretend we didn't hear that.

>>Ed (saying name) from Electronic Frontiers.  I'd like to thank Paul
for his comments and also the panel for their balanced and unemotive
choice of example of domains to show.  

Luckily, thanks to the Australian Communications Minister, we here at
Electronic Frontiers are used to being accused of being the pornography
lobby on a weekly basis.

My questions are about if the URS is just there as a Band-Aid on the --
 You are supposed to supplement the UDRP, I guess it seems like this is
sort of a Band-Aid solution that helps out, you know, large trademark
owners with a big cybersquatting program.  It doesn't really help
anyone else much except indirectly.

And the -- and certainly -- I mean, I'm not really sure -- I don't
want to support the proposal, but I'd really rather see much more
effort going into reforming the UDRP much more rather than Band-Aiding
it with this one solution.

I guess that's my question, the URS, if it really is designed to
supplement the UDRP, why isn't it more a sort of feeder into the UDRP
process?  Like the -- the UDRP should -- the adjudication process
should not actually be going, in a lot of -- in a lot of cases, the
adjudication process looks like it should not be saying either we find
in favor of either.  If it is really supposed to deal with only these
cases where it's absolutely open and shut and trivial, surely the
result of the adjudication in many cases should simply be, this is not
trivial.  It needs to go to the UDRP.  It should feed directly into the
UDRP process.

And, surely, if all you -- all you should be able to do in order to
defend against a URS order is say, no, I think this is a real domain. 
I want to go to the UDRP.  And then we can concentrate on fixing the
UDRP.  But --

>>RUSSELL PANGBORN:   I appreciate your comments, to the comment this
is only a tool for the big brand owners.  It's actually a tool for any
trademark holder.

>> Yeah, okay.  Appreciate it.

>>RUSSELL PANGBORN:   It's not limited.  And for that reason, the
faster and more cost effective aspects of it would be beneficial to all
trademark holders.

>> It's true.  But it's primarily people having the UDRP often enough
that it's a really big issue for them.  It's -- people that have to do -
- that don't have to do UDRP one time a year it's not helping as much.

I take your point.  I take your point.

But that's my general comment, is just shouldn't it just be far more
integrated into the UDRP process?

>>RUSSELL PANGBORN:   Appreciate that comment.  And as Bruce noted,
this is being scribed.  So that comment will be in the record now. 
Thank you.

>>BRUCE TONKIN:   Thank you.  Philip.

>> Philip Argy from Argystar.com.  I won't repeat what I said earlier
in relation to the I.P. clearinghouse or the GPML, but I do want to
supplement those remarks specifically in regard to the URS.

In my view, it's misconceived.

And I think it's unfair on both trademark owners and registrants,
because it's closing the door after the horse has bolted.

Implicit in this concept is that the registration was a mistake.  And
it seems to me a successful URS application is really a finding that
the registration shouldn't have gone through, and a dismissed URS is
that it shouldn't have been interfered with.

But isn't the better balance of the respective rights, rather than let
a registrant get their Web site up and running and invest in it only to
lose it summarily in this fashion, is to delay their registration so
this can be thrashed out and not let them proceed to registration where
you have this threshold demonstration of rights in an existing mark.

And as I said earlier, we have already been the subject of a UDRP
finding that you have rights in your mark.  Shouldn't the default be
that registration is put on hold until a UDRP hearing has been
conducted, and yours worst outcome is that the applicant has the
registration delayed by perhaps, I don't know, four to six weeks, worst
case.

But that's a small price to pay compared to the risk of having them
invest in their Web site up and running and having the trademark owner
having to reagitate whether they have rights, which they have already
demonstrated, in time.

So it seems to me here is yet another additional process being
proposed when the ill, the harm that's being addressed, could be
addressed in a different way, more efficiently and, indeed, more fairly
in my view.

>>BRUCE TONKIN:   So, Philip, you seem to be confusing a process for
registration versus use of the name.

So there is nothing I think wrong with someone holding a domain name
and they can use it for all sorts of different things.  And this is a
dispute process.  So basically what it is saying in URS -- because bear
in mind the name does not get given to the other party as a result of
this process.

So you may have a name that is, let's say, an exact match to a
trademark term, and there is a dispute, and so that dispute is saying
you are violating the rights of a trademark in a particular
classification.  Let's say it's a domain name that relates to the
computing industry and they have computers on the Web site.  There's
nothing wrong with them having apples and oranges on the Web site;
right?

So the domain name itself is not the infringement.  It's the use.

And a domain name can be suspended based on inappropriate use.  But
you have the opportunity to come back and say, whoops, I didn't
understand that you had the trademark in that area, and you can change
the content on your Web site and the domain name can come back up.

The name never gets given to somebody.

So just be careful that you seem to be equating something that is a
process for choosing whether somebody gets a name or not, whereas this
process is related to what is the use of the domain name, is that
infringing a right, and there is a dispute process, and this is
effectively a fast dispute process.  But the name never gets given to
the other part.

>>PHILIP ARGY:   But what I am saying is this process as proposed is
tantamount to a finding that the name shouldn't have been registered
for that applicant for that proposed use.

>>RUSS PANGBORN:   No, he is saying it's based on the use on the site
that makes it so.

>>PHILIP ARGY:   But once you get into that qualitative consideration
you need a full-fledged UDRP.

By abbreviating in this fashion, you are not doing justice to either
party.

My view would be this should be reserved for those cases where you
have got identical -- or marks already the subject of a finding of
rights, the same permutation, whether it be identical or confusingly
similar, where a finding has already been made, and nip it in the bud
by preventing it going to registration.

So what I am saying is you should be devising a mechanism where things
don't proceed to registration where there is a possibility that they
will fall into this.

I think it's unfair.  I understand what you say, that it might be the
use rather than the fact of registration.  But it seems to me you can
predict those with some degree of assurance.  If the permutation
proposed under the new TLD is the same permutation that's been the
subject of an adverse finding under an existing UDRP, why not nip it in
the bud and say you have to go through the process before you make it
to registration.  That's my proposition.

>>RUSS PANGBORN:   Thank you.

>>BRUCE TONKIN:   In the middle, thanks.

>> Danny Yee from EFA.

You used terms like "slam dunk" and "clear-cut," but it seems to me
that's a bit like I know it when I see it.  And until you have a body
of precedent for URS, it's not clear how it's going to work.  Even in
your four examples that are supposed to be so clear-cut, I don't see
that cnnporn.com, for example, a porn site that didn't pretend to be
CNN, I don't see that would necessarily with a trademark infringement
or would necessarily lose a UDRP case.  So you need to give much
clearer instructions to a URS that ICANN empowers than just we want you
to block all the stuff that's made obvious, because that's not an
operational algorithm.

>>BRUCE TONKIN:   Okay.  Thank you.

Jordyn.

>>JORDYN BUCHANAN:   I am going to make two quick comments echoing
what people have said before and then I have two hopefully quick
clarifying questions.

The quick comments, I agree wholeheartedly.  This seems exactly --
it's impossible for me to conceive of this as not being a policy.

The UDRP is the uniform domain name resolution policy, and this, from
the perspective of both rights holders and registrants, has much of the
same effect.  It is not identical, but covers a lot of the same ground.
And to conceive this could be an implementation detail I find to be --
would be a shocking misuse of the notion of what implementation is
versus policy.

None of this mechanism or these rights exist today, and we're creating
them out of whole cloth.  

To the extent you believe this is a really good idea and we get good
consensus around it in this process, you have this fabulous set of
recommendations, a big long document, it should be an awfully fast
policy development process.  And so make that happen, and then it will
apply to other TLDs as well, including dot com which will make it a lot
more useful, I suspect.

So I would very much support this going through the policy development
process rather than being simply back doored into new gTLD applications.

>>BRUCE TONKIN:   Jordyn, did you have any comments -- that's a
comment about process.

>>JORDYN BUCHANAN:   Yes, I do.

>>BRUCE TONKIN:   What we understand is are you for the actual concept
of URS or against?  And if you are for, are there things you want to
see changed?

>>JORDYN BUCHANAN:   So I'm not sure.  So I have some questions, in
just a moment I am going to ask.

The other thing that I would like to echo is the notion that having
this feed -- having this much more tightly aligned to the UDRP seems
very useful, and having sort of an early notice and takedown process
that would feed into the UDRP seems like a better model than having
these two sort of independent structures that don't really interact. 
And that way we can gain from what the UDRP already does or doesn't do
for us.

So my questions are, I think it was said, and this is just a pure
question of clarification, I think it was noted that the -- whoever has
the sites, the current registrant that is 14 days from the receipt of
the complaint to respond to it.  But it's 14 days from the
transmission.  Is that correct?

>>RUSS PANGBORN:   Yes, the 14 days starts from the first e-mail, but
there are follow-up notices by certified mail and follow-up e-mail.

>>JORDYN BUCHANAN:   14 days from sending, not receiving.

>>RUSS PANGBORN:   Yes.

>>JORDYN BUCHANAN: Great.  And the other thing I am curious about, so
you said if rights holders misuse this system, they are going to get
banned from using it for a little while.  What is -- is misuse defined
anywhere?  How do we know if someone is misusing it?

>>RUSS PANGBORN:   We are looking for the language right now to see if
it's in here.  Hold on one second.

>>BRUCE TONKIN:   They will respond to that question once they have
looked up the answer.  So we will jump to Kathy and then we will come
back to that, Jordyn.

Kathy.

>>KATHRYN KLEIMAN:   Since the mic was cut off on the GPML, I am going
to make a quick statement about that or I won't have done my duty, and
then go on to URS.

The comment was noncommercial users constituency strongly opposes the
GPML.  We believe it's a masked extension of legal rights as they
exist.  There has never been a string for.

[ Speaking too quickly ]

Than what it's actually registered in.  And had that even with the
appeals process, the idea is that if you register a $6 noncommercial
second-level domain and then get the right to arm wrestle a multi-
national corporation as the cost of preserving that domain name,
everybody is just going to go away.

It is a massive extension of existing rights.

Okay.

That said.  Moving on to the URS, I really wish there had been some
registrant attorneys on the IRT team because I think you might have
seen this a little differently.

What it's like to have to respond to a complaint.

It's bad enough having to respond to it under the UDRP.  I often get
called in in the last few days of a notice period.  And the person,
first they have to get the notice, then they have to go to their local
attorney, or their uncle up the street who says I have no clue what's
going on, and then they have to go off and find somebody who actually
knows something about Internet law.

And that's under the existing UDRP.  No one is going to have the
chance to respond in a reasonable manner with 14 days.

You, as the trademark owners' attorneys, will have all the time in the
world and all the legal staff to prepare, and you get to pick your
timing on when you submit it.  So the middle of December, the middle of
August, when people are away, when they can't respond.

You get to game the system.  You get to pick it.  And then 14 days to
respond.  Not 14 business days, 14 days.  It's going to lead to massive
default or very inadequate responses, even by people who have a
reasonable response.

>>BRUCE TONKIN:   So, Kathy --

>>KATHRYN KLEIMAN:   Completely unfair.

>>BRUCE TONKIN:   Let's take one of them at a time, so let the panel
respond.  So your concern there is a trademark owner has time to
prepare a -- it's called a URS complaint, but the respondent doesn't
have enough time to prepare a full case in response?  Is that your
position?

>>KATHRYN KLEIMAN:   Right.  That the UDRP was at least somewhat fair,
not particularly fair but somewhat fair, and we are cutting that
dramatically.

>>BRUCE TONKIN:   Can we have a response?  Because I'm not sure they
have to come back with a complete case, do they?

>>RUSS PANGBORN:   No.  There were sample form complaints and sample
answers that would be used to expedite for both parties.  And then to
your point about you wish there was some registrants as a part of the
IRT, every one of the brand owners has large portfolios and at least we
have had to respond in the past to complaints.

So there was.

>>KATHRYN KLEIMAN:   Can you tell me a little bit more about this fast
response?  I agree with Phil Corwin that this is going to replace the
UDRP.

>>RUSS PANGBORN:   The intent is not to replace the UDRP, because the
UDRP, often when people are using it, it's because they are seeking to
own the domain.  That is not what is part of the process here.  This is
fast relief for the obvious cases, again.

>>KATHRYN KLEIMAN:   That's what the UDRP was created for ten years
ago.  That's exactly.

>>RUSS PANGBORN:   But built into it, the transfer of ownership, which
is specifically what we are not doing.

>>BRUCE TONKIN:   So the name stays with the registrant the whole
time, Kathy.  That's the key to --

>>KATHRYN KLEIMAN:   Whether they use it or not.

>>BRUCE TONKIN:   But you can use it again as long as it doesn't
infringe but I still retain the name.

>>RUSS PANGBORN:   And the form of the answer is in appendix D to the
report.

>>BRUCE TONKIN: Do you have an answer for Jordyn's previous question?

>>RUSS PANGBORN:   Yes, we did look and there is not a definition of
what would be abusive.  So any comments you have on what it should be
would be appreciated.  Thank you.

>>JORDYN BUCHANAN:   It seems like whether or not this is -- the
balance is tilted too far in favor of complainants is very much
centered around what the threshold is for determining whether it's a
clear-cut case as well as whether -- what abuse looks like.  Because if
you -- if you get hammered down relatively quickly for abusing it, I
would expect you to have a much lower incidence than if you had a large
amount of latitude.

>>BRUCE TONKIN:   And that's probably going to depend on experience
once something like that starts.

The fellow behind you, Jordyn, is next.

>> Hi, David B. from Electronic Frontiers Australia again.

Basically coming back to some of the example domains that we used,
quite emotive.  No one really likes child abuse in the slightest.  I
think it's really important that ICANN isn't and shouldn't be a
criminal law enforcement body.

And I don't really think that's part of what it's set up to do at all.
And I don't think -- I'm just wondering, is it really -- especially
given the URS and things like this, is it turning into a civil law
enforcement body and should we even be doing that?

>>BRUCE TONKIN:   I think we'll let -- I'm not sure I fully understand
the question but we will get an answer back to you later on but you are
welcome to come and talk to the people afterwards.  They are not able
to process the question right now.

>>EUN-JOO MIN:   I think it would be, in that context, it would be
useful to recall why the UDRP came into place.

These, the URS as proposed, the UDRP as well, they are intended to be
alternative dispute resolution procedures that would complement
existing national legal procedures.

In the context of the Internet, it becomes very difficult to use these
civil law enforcement measures that you are alluding to.

If the enforcement is happening in a very far-away jurisdiction, then
it becomes extremely costly, both for big trademark owners, SMEs,
individual registrants, and that is why we are recommending these
administrative mechanisms be incorporated to complement the civil law
enforcement measures.  And therefore it would be really up to the user
to determine which path to follow.

I think it is extremely important to recall that in IRT's report, the
recommendation for the URS and also the WIPO's discussion draft on the
expedited suspension mechanism, it was made very, very clear that the
court option would always remain available.

>>RICHARD TINDAL:   Richard Tindal from eNOM.

Go ahead, yeah.

So we think that the URS is conceptually sound.  We think the
principle makes sense, but we do believe that it will be abused as it's
currently established, in a variety of ways.

And so we have proposed in our comments a couple of ideas that we have
to reduce that sort of abuse.  One is to make it more expensive to use.
Another is to sort of reduce or to lower the threshold under which you
can be deemed to be an abusive claimant.  I think you have got three
strikes and you are out.

So we have proposed a lowering of that threshold.

We don't know if there are other ways to reduce the abuse potential,
but we know there is abuse potential.  Something like this will be
abused.

On the other hand, we think that it makes sense.  It's conceptually
sound.  It's clear infringement cases, it's actual use, it's all the
things that we ask to see, and we do appreciate you incorporated a lot
of those ideas from the first draft to the final draft of the report.

So we don't know what the solution is yet, but we think the problem
with this is it will be abused.  But we don't think we should throw it
out for that reason.  We think we should find ways to stop that abuse.

If you do have a straw poll at the end, those for and against, we are
raising our hand for neither of those at the moment, but we would raise
our hand for the category we would like to proceed with this if there
are some additional caveats and changes to it.

>>BRUCE TONKIN:   Thank you, Richard.  One more in the middle, and
then we just want to get on to the next topic.

>> Hi, my name is Victoria B., I am from Baker and Mackenzie and I
just have a question in relation to the URS criteria that will be
considered during the evaluation process.

One of the criteria or the issues to be considered by the Examiner
will be whether the domain name has been registered and used in bad
faith.

For example, in Australia, under the UDRP for the Australian domain
names, this requirement is "or."  Used or registered in bad faith or
used in bad faith.

And I just wanted to know if you had thought about using "and"
specifically, or if you have thought this is a better threshold than
"or."  Because there will be cases where you cannot prove both, that
the domain name may have been registered in good faith but then later
on used in bad faith.

>>BRUCE TONKIN:   I think the intention, as I understood it from the
panel, is not to create new criteria.  So it is using the same criteria
as UDRP.  That in itself, picking up Jordyn's comment, is subject to
great debate in the UDRP context, but I think the panel wanted to make
changes to something like that.  But they are welcome to --

>> But the UDRP, in terms of the dot com domain names or the.com dot
AU domain names, for example?

>>BRUCE TONKIN:   They are different.  So we are talking about the
rules for gTLDs, and then specifically new gTLDs.  So dot com dot AU is
considered a ccTLD.  So the UDRP rules that they are using are the UDRP
rules for gTLDs.  So com, net, biz, info, et cetera.

So those are the rules, if you like, for the dispute process.

>> And in that case, perhaps page 35 needs to be revised, because it's
a bit confusing.  It says a finding on whether the domain name was
registered or used in bad faith.  So it's inconsistent with the
previous criteria that was in question.

>>RUSS PANGBORN:   Okay.  Thank you for the comment.

>>BRUCE TONKIN:   Okay.  I just want to go on to the next topic. 
Before I do that, you have heard a general description about the
Uniform Rapid Suspension.  You have heard a number of comments, some in
favor, some with questions.  I will come back to you.

So just to give the panel a sense of interest, if you like, in the
audience, how many people generally support the concept of the Uniform
Rapid Suspension as it has been presented?

Okay.  How many people are against the Uniform Rapid Suspension?

Okay.  Probably slightly more against than for.

Okay.

The next topic I wanted to cover was the topic of post-delegation
dispute mechanism.  So this is where a registry operator is granted a
new top-level domain, but subsequently violates their contract in some
way, and is there some dispute mechanism that ICANN can use to deal
with that situation.  So I will let Jeff Neuman give a very sort of
short summary that and then open that up for questions and comments.

>>DAVID TAYLOR: And just to introduce this, the actual problem itself -
- and I will go straight to the example.  This is aimed at where you
have a dot apple, which the apple growers association set it up and
says in its charter it is only going to be allowing apples, et cetera,
in there, and a few years later starts putting in software, iPhones,
iPods and that becomes an issue for Apple who may have been quite happy
to let dot apple set up in a completely different area.

So Jeff.

>>JEFF NEUMAN:   I am going to try to cut to the chase.  It's based on
a proposal that ICANN received from WIPO back earlier this year.  But
essentially, it's really sought to limit the possibility of systemic
abuses by bad actor registry operators.  And it's where a third party
can submit a claim first to ICANN alleging one of the disputes I will
mention in a second.  And if ICANN -- it imposes an obligation on ICANN
to investigate it and if the matter is left unresolved, then the third
party, the ISP owner, can bring an action under this post delegation
dispute process.

Really, the three applicable disputes, as Bruce was kind of alluding
to, is really when a registry operator either acts inconsistently with
its representations and warranties in its application -- for example,
the example that David gave with dot apple, or if it acts
inconsistently with the rights protection mechanisms in its contract.

So for example, if the URS is adopted and the registry operator does
not follow through with its obligations under that policy.

And the third one, which is probably the most meat to it, is where the
registry acts in a manner of operation or use of the TLD and exhibits a
bad-faith intent to profit off of essentially systemic cybersquatting.

If that can be shown, then there's penalties that are provided in the
contract which are recommended by this group, and also there are just a
really briefly, there's a penalty in there if they find that the system
or the dispute process is being abused.  It's all in much more detail
in the report.  And I just think it's more valuable to take questions,
if there are any.

>>BRUCE TONKIN:   Any questions on the post-delegation -- did you have
one on the post delegation or --

>> No.

>>BRUCE TONKIN:   Well, I'll come back to the previous topic, if
there's no more questions on this one.  So I'll come back.

Richard, did you have a question on this?

>>RICHARD TINDAL:   Yes.  So we think this is another one where the
costs of setting it all up really outweigh the benefits and the
likelihood that we're going to see this sort of thing happen.

We don't believe there's going to be -- we don't know.  We think it's
extremely unlikely that there are going to be entities that go to all
the lengths to get a TLD like dot apple and then to engage in that sort
of activity.  It's -- a registry is a very large and immobile target. 
A lot of money's invested in it.  And it seems to us though possible
that this could happen, that it is very unlikely.

And so -- and we think there's other remedies in law and under
contract with ICANN to (inaudible).

So we're in the really in favor of this particular mechanism.  We
think there's going to be a lot of work around it.  

At the detailed level, it puts some provisions in there that in fact
sort of take the control of the contractual relationship out of the
hands of the two contracted parties, to some extent.  So we don't like
that, either.

If we're going to put something like this in, we think it would be
much better to have -- to leave it in the hands of ICANN to enforce
ICANN's contracts rather than have some third -- third party involved
in that.

>>BRUCE TONKIN:   Yeah, go ahead.

>>EUN-JOO MIN:   Thank you, Bruce.

As Jeff mentioned, the genesis of this IRT proposal is in fact a
recommendation that WIPO made for a trademark-based post delegation
diffusion procedure, because we felt -- and we made this proposal as
soon as we learned that ICANN was considering implementing a
predelegation abuse diffusion procedure.  Because our experience is at
least the or the more harmful abuse occurs once there is (inaudible). 
And the predelegation procedure would not cover that.  And that
explains why we feel there is a need for a post delegation procedure.

To the two specific comments that were made by Paul, -- by Richard,
sorry, first, we believe in the preventive effect of this procedure. 
And therefore, if there are no cases, even better.  We believe in
designing a dispute resolution -- a well-designed dispute resolution
procedure may guide relevant actors into responsible behavior.  And if
that -- if it can have that effect, I think it would already be
categorized as a successful -- as a successful procedure.

>>BRUCE TONKIN:   Okay.

Philip.

>>PHILIP SHEPPARD:   Thank you, it's Philip from AIM, the European
brand association.

In fact, I think we probably just got from WIPO something that we
support.  I think it's important to look at where we are in the history
of domain name expansion.  And we are at an important juncture.  We've
moved from a series of rather small test beds to an unknown expansion
of domain names.  And I think that caution dictates that putting in
place now preventative measures for potential bad actors is entirely
the right thing to do.  And therefore this measure, which, if you're a
good-faith actor will have no effect whatsoever, seems to be right. 
And I get a little bit concerned when people say, hey, there are other
ways of dealing with it, particularly when they talk about let's leave
it up to ICANN to enforce the contracts.  Because ICANN's history of
enforcing its contracts has not been good.

>>BRUCE TONKIN:   Jordyn.

>>JORDYN BUCHANAN:   I agree entirely with Philip that ICANN's history
of enforcing its contracts has not been good.

And I would further note that, you know, I've called for a long time
for policy work to be done to give ICANN a tool of graduated sanctions.
So I strongly support the notion of graduated sanctions.  I think so it
would be really helpful.  I have no idea whatsoever why it would only --
would it should only apply to one particular type of contractual abuse.
There's all sorts of things that we see ICANN contracted parties to
that are abusive.  And we ought to create a sanctions model that can be
applied across the board.

To that extent, once again, I think this is -- it's great.  I think
whatever work we do here could be really useful input.  I think it
would be really useful to feed into a policy development process that
could also apply to all the existing contracted parties, because that
would presumably have a much broader and more useful effect.

>>JEFF NEUMAN:   I'll quickly address that.  Actually, the graduated
sanctions wasn't only supposed to apply to this situation.  It was in
this document.  But what we recommended was that ICANN should, in its
contracts, have these graduated sanctions.  But it was silent as to
when those sanctions could be exercised.

>>JORDYN BUCHANAN:   Fair enough.  And I think that's great.  I also
think it would be great if it applied to all the people who already had
contracts with ICANN.  Once again, following this through the policy
development process would allow that to take effect.

>>BRUCE TONKIN:   Tom, last question on this topic.

>> Bruce, just to address that, Jordyn, actually, the ICANN board
approved a registrar accreditation agreement form at its last meeting,
and many of us signed it today, that includes a graduated sanctions
program for registrars.

>>EUN-JOO MIN:   And just on that point as well and related point,
WIPO is also recommending a similar procedure for registrars as well. 
So not only for registries, but also registrars.

>>BRUCE TONKIN:   Okay.  Tom.

>> Tom Barrett from Encirca.  It strikes me that a far more likely
scenario is going to be abuse by a registry at the second level, not at
the first level, in widespread registration of trademark names.

Now, certainly you could handle that on a case-by-case basis.  But I'm
wondering if you considered that scenario and why it's not included
here.

>>JEFF NEUMAN:   Actually, that is -- that's the third ground there. 
That is for systemic cybersquatting that occurs on the second level.

But one point I do want to make that I didn't make in the quick
description was that it is not to punish registries that act in good
faith and it does not impose an obligation for registries to actually
monitor the registrations in its space.  In other words, if it's a
registry like a generic domain, let's make up dot Web, and they never
hold themselves out to ever do any kind of monitoring.  This does not
impose on the registry operator an obligation to do any monitoring. 
It's got to be systemic cybersquatting where there is a bad-faith
intent to profit by the registry itself.

>>BRUCE TONKIN:   Okay.

Is it on this topic, Paul, or -- Richard?

>> Paul, Paul.

[ Laughter ]

>>RICHARD TINDAL:   One more strike and you're out.  Just to build on
the previous.

So the problem here I think that I'm hearing is that you think ICANN
is not going to enforce its contract and someone else has to do it for
them.  So I think this is going to be a pretty slippery slope here. 
There's all sorts of things that contracted parties have to do for
ICANN.  And I am concerned at the idea that we're going to start to see
all sorts of provisions where all sorts of third parties can inject
themselves into agreements between ICANN and contracted parties and
force third-party, you know, adjudications of issues.

To me, that's a concern.  That trend is a concern.

If the problem is that the contracts aren't being enforced, let's do
something in ICANN to get contracts enforced.  Let's not hand things to
third parties.

>>PETER DENGATE THRUSH:   Can I have a quick response as chairman of
the board to this canard about enforcement of contracts.  This is one
of these things that if it keeps getting said, starts to be believed.

I think there's been problems in some areas.  But the usual response
at this stage is to say if you have evidence of a breach of contract,
let us have it and we'll act on that.  And we ask that and get nothing
back.  So let's just get the facts sorted.

Since I became chairman, there's been an enormous increase in the
compliance effort.  There's a huge number of staff who have been hired,
and registrars and others are being deaccredited and struck off.  

So there is no interest in having contracts that are not enforced. 
Let me assure you about that.  

If you've got evidence of breach of contract, send it to the board,
send it to the staff.  And if you don't get satisfaction, send it to
me.  Thanks.

>>BRUCE TONKIN:   Thanks, Peter.

Eun-Joo.

>>EUN-JOO MIN:   Yes.

And I also would like to echo what Peter said.  This is not only about
contractual compliance enforcement failure, but it is more about
putting in a place -- putting into place a procedure through which
ICANN can more effectively enforce its contracts.

I think it is a heavy burden, arguably, it's a heavy burden to put on
ICANN staff to make a determination whether there is trademark abuse or
not abuse, whether registries manner of operation of the TLD is causing
or materially contributing to trademark abuse.  And for those rather
technical questions, of course, related to contractual conditions, it
may be more efficient to ask a neutral panelist who has expertise in
the field to make that determination and make a recommendation to ICANN
for its consideration.

>>BRUCE TONKIN:  Khaled.

>>KHALED FATTAL:   Yes, thank you, Bruce.

Khaled Fattal speaking in personal capacities and other capacities as
well.

I am pleased to see this debate taking place.  And I call it debate
because, as you can see, there are many who are in favor and many that
have doubt.

From an IDN point of view, I would like the panelists and those -- the
experts who are actually putting -- giving their input, is addressing
the issue purely from a trademark or from a dispute resolution is very
valid.  But when you start touching on the issue of IDNs, I ask you to
actually go and sit in the other chair.  Go and sit from the other part
of the -- of the point of view, and then see how it needs to function
from their perspective.

When we consider that many of the -- the next one, two, three billion
Internet users that are going to come into this place, and then this is
the community that's going to enable it, we need to see how we can
advance the -- what do you call it? -- the speed by action, but at the
same time be fair to them.  At least this has gone quite a long way
from the days when Louis Touton was at ICANN, and at times when I was
running a dispute resolution in India, and an application for setting
up an arbitration center in India, where he felt there was no market. 
He just believed there was no market.  But this is at least a step
forward.

On a last note, I would like to address the ICANN staff and the ICANN
board that I think it's about time we take a much stronger and much
firmer position on using this mike as an opportunity for speaking, but
at the same time, it needs to come with a sense of responsibility on
how we address and talk about other cultures.  And I think you all know
what I'm talking about.  I'm not going to rephrase.  It's all in the
transcripts.

I recommend that a much firmer position gets taken on those who
actually abuse this and are put onto probation, because this is not the
first time.  A previous incident happened in Mexico City addressing a
board member who is of the feminine gender which was totally up
acceptable.

So I think if the community believes this is the right thing to do, if
we start doing it from our house, we have a far better chance of making
it look better from the outside.

Thank you.

>>BRUCE TONKIN:   Thank you, Khaled.

[ Applause ]

>>BRUCE TONKIN:   So just -- again, just in fairness on the other
issues, I don't know how well briefed people are on this particular
topic, but if you have actually read the document and formed an opinion
on the post delegation dispute mechanism, I will just call again for a
straw poll.  Those who believe we need a post-delegation dispute
mechanism, please raise their hands.

Okay.  And those who believe we should not have the post-delegation
dispute mechanism.

Okay.  Not quite sure exactly how to add all those up but there's
certainly not an overwhelming majority either way.

Okay, now I just want to, just in closing the session, I wanted to
come back to two people who I did cut off.  One is Paul Stahura, if he
wants to make his comment quickly, and the other is Jean Christophe,
and then we will close this session down.  But there are a couple of
other topics:  thick WHOIS and I guess the algorithm that is used.

So if you have comments on those, please submit them through the
public comment mechanism, and please feel free to ask the panelists any
questions on that after the session.

>>PAUL STAHURA:   Thank you for coming back to me.  It's Paul Stahura
with eNOM.

Two points regarding the GPML.  I'll try to make them quick. Point
one, regarding getting extra legal rights to trademark holders.  I
think the GPML takes rights away, but not from trademarks holders; from
the rest of us.

I have the right to open a shoe store and name it apple.shoe without
checking in with third parties to use that name for shoes.

GPML takes that away from me if apple is on the list.  I have to check
in first in order to use apple dot shoe.

Point two, regarding the bar height of the GPML, I want to point out
if it's high, as a panelist said the IRT wants it to be -- and I don't
know your name.  I'm sorry you were the one who said it should be high.

>>DAVID TAYLOR:   David.

>>PAUL STAHURA:   Then thereby few marks on the list if the bar is
high, say there are 100 marks, and it's an exact match mechanism so we
will be developing this entire GPML system for very few strings from a
handful of giant corporations.

Large corporations, because there is a correlation between big
companies and companies that have their marks in a large number of
countries.

I think the cost of the proposed GPML system outweigh the benefits
that this very small group of large companies will receive, especially
considering the introduction of the many other new RPMs proposed.

Thanks.

[ Applause ]

>>DAVID TAYLOR:   I was going to say thanks Richard, but -- I was
playing there.

I would like to say that's an absolutely valid comment and we on the
IRT team, we are not wedded to things, these are not things we
personally want to see go through.  These are up for discussion.  And
we are the first to be aware they are not perfect and not fully
complete but we want to make it a step in the right direction so all
new gTLDs can flourish.  And I certainly encourage that last e-mail
which you had received to go in there at the bottom with the comments
because we are looking forward to reading all the comments on the IRT
report, which are informed comments from people who read the reports
because that's all we are after.

>>BRUCE TONKIN:   Jean.

>>JEAN CHRISTOPHE VIGNE:  Jean Christophe Vigne from EuroDNS, vice
chair of the registrant constituency, acting here in my personal
capacity.  

The question was about URS.  It's a bit too soon to say right now if
(inaudible) does support URS, but I do believe it's a step in the right
direction to at least detail cybersquatting, and cybersquatting just
for the sake of it, if you will.

However, I have a slight implementation issue that may require,
Brandon said earlier, a PDP issued.

In your suggestion for implementation you said, and correct me if I am
wrong, that while the domain name was frozen, the standard URS process
page was put up instead -- in lieu of the proper page.

The problem I have here is to do that you need the registrar to change
the settings of the domain name in question.  That actually right now
belongs to a registrant, whether he is acting in good or bad faith or
not.  You are actually acting registrar.  To take action on a domain
name without any proper mandates.

Because while the RAA that we just signed this morning talks about
UDRP and grants us the power and, indeed, protects us from advanced
action from registrants if we do execute a UDRP decision, nothing right
now in our agreement allows us to do so and protects us from
registrants saying why did you change the page to which my domain name
was attached.

I think this is a major flaw and why the URS, as I said, is a step in
the right direction.  I am really interested in knowing how you will
proceed on that key point which is do you change the page without the
(inaudible) content.  That's all.

>>JEFF NEUMAN:   I think we answered this question earlier.  I don't
know if you were in the room or not.

>>JEAN CHRISTOPHE VIGNE:  Sorry.

>>JEFF NEUMAN:   That's okay.

What the proposal is, at the first stage when a URS is filed, the name
is what we call frozen.  It's not really locked, as people use that
term, because it's actually a mixture of a couple different statuses.

It's all by contract.  You, I'm sure, have in your contract with your
registrants, either directly or through your resellers, the ability to
suspend, terminate, all sorts of wonderful things, disable domain names
pending all sorts of -- for different reasons.

But the problem is when a UDRP comes in, you lock the name.

We're asking for the same type thing.  When a URS comes in, you freeze
the name which is just a couple of additional statuses.  And then if
the name is found to violate or a URS comes out in favor of the third
party, at that point it is the name servers, and this can be done at
the registry levels, it's a redelegation of the name, the name servers
are changed so it points to the service provider.

>>JEAN CHRISTOPHE VIGNE:  I am not questioning the technicality of
doing it.  What I am saying is, okay, just saying it's done at the
registry level.  Then maybe it should be a PDP for the registries.

If you want a registrar to do that, the example you quote, Jeff, are
based on the agreement, the current agreement we have with ICANN which
tells us how to help and enforce a UDRP.

>>JEFF NEUMAN:   Sure.

>>JEAN CHRISTOPHE VIGNE:  We have nothing of the sort right now.

>>JEFF NEUMAN: But you will.  There will be a new TLD agreement. 
There will be an agreement between ICANN and the registry and there
will be an agreement between the registry and registrars and those will
all be set through contract.

So you are right, that will exist, but it doesn't exist now for
existing TLDs.

>>JEAN CHRISTOPHE VIGNE:  So to be clear, modifying or proposing
modifying the agreement just based on the recommendation without a PDP.

>>JEFF NEUMAN:   I would think for any of these rights protection
mechanisms, they all constitute modifications of the base agreement
that exists.

>>JEAN CHRISTOPHE VIGNE:  Thanks.

>>BRUCE TONKIN:   Okay.  I'd like to draw this session to a close and
thank everyone for staying back a bit longer to give as many people as
possible a chance to speak on the topic.

The next session will start in 15 minutes, and the session is called
malicious conduct.  I just want to be clear.  That's not an invitation
to conduct --

>>PETER DENGATE THRUSH:   Bruce, I wonder if I could take this
opportunity to thank the members of the IRT that are in the room. 
Speaking on behalf of the board, we knew this was going to be a big
task.  I don't think we realized quite how hard it was, and we are
really grateful that you put in this effort.  

That's not to say we agree with what you have done and this is not an
endorsement of the outcome.  This is a thanks for the effort, because
this process is all about self-regulation, getting solutions from
inside the community so we can be trusted.

And this debate, and I wasn't here for it earlier, and I understand we
may have to look at the transcript, you know, make sure we do this
properly, but if we can't do these things ourselves with contributions
and debate, then the model is dangerously flawed.

So thank you for a huge contribution to that.  We are really grateful.

[ Applause ]



Part 2

Malicious Behavior



>>GREG RATTRAY:   If we could get everybody in their seats, I'd like
to get started.

Good afternoon, everybody.  I think we're going to start into this. 
My name is Greg Rattray.  I'm on the ICANN staff and the moderator for
the panel for the second of the two overarching issues that is going to
be addressed this afternoon, the potential for malicious conduct
arising from malicious conduct from the implementation of new gTLDs.

In a sense, it's significantly different than the approach taken on
the last panel where we had the Implementation Recommendation Team have
a proposal that was concretely on the table.

With this panel, we've got a set of experts.  They're going to talk
about their perspectives on the potential to malicious conduct as well
as the types of things that can be done to, you know, remediate that
potential.

I'm going to introduce each of them as we go along.

In two of the cases, they represent organizations that have submitted
comments on the process specific to the issue of malicious conduct. 
And they will be the first two speakers this afternoon.

We to see the malicious conduct issue as focusing specifically on the
potential for criminal conduct arising from the implementation of new
gTLDs.  We are trying, as Kurt initiated the session this afternoon, to
draw some distinctions between the different overarching issues.

So part of the challenge is, there are aspects of combating certain
sorts of trademark protection issues and malicious conduct issues that
begin to intersect in certain ways when it comes to implementation. 
But we really want to try to have this be a different dialogue than the
one that was just had about the IRT recommendations and really focus
on, again, the potential for malicious conduct at the criminal level
and what might be done to remediate that.

And I'll try to be the gatekeeper when we get into discussion.

Again, we're going to do begin with five panelists.  I'm going to try
to keep the panelists to an eight-minute time frame in order to allow
for significant discussion at the end.  And I'll introduce each of them
in turn.

The first is Rod Rasmussen, who's the president and CTO of Internet
Identity, the co-chair of the Anti-Phishing Working Group's Internet
Policy Committee and been the lead on their working group examining the
issues on this specific topic, and the power behind the draft support
that they've submitted that is up on the Web site related to this issue.

So, Rod, with that, over to you.

>>ROD RASMUSSEN:   Thank you, Greg.  We really appreciate the
opportunity to be here and to present this draft version of our
progress so far in identifying issues in this topic area.

So I'm just going to -- we're limited on time, so I'm going to go
quickly through this.

I wanted to give those who don't know who the Anti-Phishing Working
Group is a little bit of background on who we are.  We have over 3,000
members from 1700 organizations around the world.  It's a screened
membership, not everybody can join it.  We try and keep criminals out,
for instance.  And we -- but we do have a wide representation,
including many members of the audience here.  I see many of you are
also APWG members.  So we have members of the ICANN community who are
well represented.  But a very good selection of folks from everything
from academia to law enforcement, and all the industries in between.

These are the roles we definitely -- we play as part of our -- kind of
our mantra of going after and stopping abuse online, particularly
around malicious criminal use of phishing.  Obviously, it's in the
name.  And malware and things like that.

But we keep statistics that are kind of the industry standard as far
as what's going on in the situation.

We do a lot of policy advising, at least in bringing surfacing issues
like we're doing today.  And we have semiannual meetings where we get
together and bring out what the latest trends, et cetera are, and
support a lot of research.

So the Internet Policy Committee is a subset of the APWG.  We have
over 90 members.  It's represented -- it's got a good cross section of
our membership.  And we're the folks within the APWG who kind of take
on the work of what is going on on the Internet in various projects. 
I've presented on some of those at some of the other constituency
meetings over the last several years.

But what we really want to make sure is that antiphishing and crime is
considered in Internet policy frame- -- venues like this, and that we
can help support that with research, et cetera.

So with that background, I wanted to talk about -- oh, I'm sorry.  I
was flipping through on my machine here without having the slides up
here.

So there's that.  Okay.  So let's talk about this draft report we've
got out so far.

So this is in response to requests from our own organization and ICANN
to give some opinions and some thoughts and some background as to what
potential for abuse would be, malicious conduct would be with the new
TLDs.  We are definitely, as Greg was mentioning, we are definitely not
touching the trademark issue here.  We're keeping that out of what
we're doing here.

In red here, we still have a little bit of work to do on consensus
here within our own organization.  But we have this preliminary draft
which we agreed we could put up together here, with the caveat that
we're still working on that.

The draft that's been posted both on the ICANN site and on the APWG
Web site is a draft paper.  And its only issues, we have a continuing
process we're going to go through and come up with some recommendations.

We actually have a set of recommendations that are -- have been
floating through the group.  We basically have to bring those together,
hash those out as far as how we -- what they would be and whether
they'd be policy, best practices, or what have you, and then get that
back to the community here.

So I have a couple -- a couple of different thoughts here.  We have,
you know -- we could have potential policy things like, you know,
requirement of a thick WHOIS.  That seems to be a popular one.  Not
just with us.

Or we may have a lot of best practices suggestions.  I think we have a
lot of those.

But the other thing, too, the purpose of this paper is not just to say
these are the policies or these are the best practices you should do,
but to bring awareness to a lot of the issues.  Because we're standing
up potentially hundreds of new TLDs here and with lots of new operators
out there.  So we want to make sure that some of these security issues
that we've learned about over the last five or six years as criminals
have engaged in higher and higher levels of activity are also known to
the new registries and their operations as they stand them up.

I think that's really important for us to be doing this as part of
what we're doing here.

So we've subdivided this into really three categories of issues, and
we're looking at issues that are really inherent to the actual
attributes of actually the names themselves or the business models
surrounding them as new models are created and new TLDs are created.

We look at issues of scale.  If we're going to bring in dozens,
hundreds, thousands, whatever the number is, of new TLDs, that's --
that's different than when we've seen in the past where we've brought
in two or three at a time.  So what does that entail?

And then there's a lot of outstanding issues that we've been going
back and forth on over the years.  And we're bringing some of those to
the attention now for a couple reasons.  One to make sure they're
considered as part of the process, and, two, there's been a lot of
interest by new registry operators in how they can create a very secure
TLD, a well-trusted TLD, so that people use it and they get wide
acceptance of it across the Internet.

So we want to be able to address those issues as well, because there
are people asking about it.

And I'm just going to talk about -- do some highlights here in the
last couple of minutes here I have.

So some of the attribute issues, probably -- we will do some rank
ordering of these as priorities as part of our process.  But I think
that probably our number one concern is going to be who gets to own and
run a registry.

And, basically, I don't care who it is, as long as it's not a criminal
organization.  But how do we keep criminal organizations from running
registries?  We had a registrar that was very likely involved with
Russian organized crime.  So we want to try and keep that kind of a
situation from occurring within the -- within a registry, which could
be even more powerful.

And, you know, taking a look at various aspects of TLDs, could they
potentially break things, do they provide -- let's say you have a
highly secure TLD, in theory, financial services or some sort of a
backend system type of TLD.  Is there a higher standard that needs to
be set as part of that?  Because they will be targeted for abuse.  And
just looking at something even as benign as a dot city name, picked dot
Seattle because -- or dot Tacoma, because that's where I'm from,
because I don't think anybody's looking for that one, at least I
haven't gotten my application yet.  But just knowing that somebody's on
a dot Tacoma gives you a lot of information that you can use in a
targeted attack against them.  Those kind of attributes are kind of
important.

And then, you know, what kind of antiabuse policies do they have? 
We've seen this over and over again.  The bad guys will go after the
weakest link, and they will continue to abuse that registry or the
registrar that has problems with dealing with abuse issues, preventing
them from using their -- and abusing their systems until they can
change their policies.

So can we learn from that and move that forward?

Another issue that we're looking at is if in potential business
models, do registrants have different kinds of rights and
responsibilities than they would in other TLD that we already have? 
And if so, does that mean it makes it harder to mitigate something when
a bad guy gets ahold of a registration?  So those are all concerns we
have.

The scaling issues, we are looking at, you know, again, capabilities. 
How can you deal -- if you have lots of new registries coming in,
there's lots of different scaling issues here.

And adding a lot of complexity to any system creates places where
things can break.

As we also are looking at how we get access as first responders,
security companies, brands, et cetera, to the data, we're going to
have, you know, potentially hundreds of new sources, that may incur
some costs for those kinds of organizations.  So that's, you know, a
consideration we want to bring up.

Then the long-standing issues.  The first one is a very popular one
around here.  We brought it up in the paper.  Not to say we're
requiring changes to WHOIS.  We just want to make sure that WHOIS is
part of the system.  Oh, sorry.  Thank you.

That was a little precursor there.

So WHOIS, we're just bringing it up and saying it's important.  And I -
- our standing that it's not on the table really to change it, but just
to emphasize that this is important, why it's important.

And then various other things that have been out there, DNSSEC,
policies around prevention and mitigation of malicious domain names
that have been tried and trued in other registries, can we take some of
those and either push them across as policy or best practices.

So there's a whole plethora of different issues that we've brought up
in our paper.  We can certainly spend some time talking about various
ones that people have.  There is the APWG's Web site.  And that's the
correct one.  I had it AGWG earlier.  And that's my contact
information.  We're going to continue moving forward on this process
and hopefully get something out here in the next several weeks that
will include policy recommendations and best practices, make
recommendations, and the other things that people are looking for.

>>GREG RATTRAY:   Thank you, Rod.

As you well know, we think this is a very important part of the input
to us on this process.

Next up, we have Greg Aaron, the director at Afilias, he oversees the
operations of the dot info TLD and is responsible for creating programs
designed to address phishing, malware, botnets, and other malicious
behaviors.  He is also the secretary of the Registry Internet Safety
Group, an association of organizations interested in fighting online
identity theft, and the RISG did submit input.

And, Greg, over to you.

>>GREG AARON:   Thank you for having me, Greg.

RISG is basically a group of organizations that decided to start
getting together about a year ago, because we're interested in dealing
with problems like phishing and malware.

We're registry-focused, but we also have members who are security
firms, registrars, and from law enforcement, because each of those
types of entities has a role to play.  And we want to be able to share
ideas.

So what I'm going to present to you are some consensus statements that
are up on the ICANNWiki, provided by the companies who are listed. 
That said, some of the members have varying opinions about new TLD
issues and may be posting their own comments.

So, what's our approach?

What we learned when we started getting together and talking about
these idea is that we have very different problems to solve as
registries.  Each of us was facing different types of malicious uses
and to varying degrees.  So what we decided was that we need to create
some best practice that we can all adapt and choose from to deal with
the problems effectively that we're facing.

Some of the issues and some of the things that contribute to these
differences are that registries are of different sizes, they have
different business plans, they're trying to reach different sets of
registrants, they choose their registrars differently, and therefore
they have different sales channels and so forth.

We also have been talking a lot about how different abuse problems
need different responses.  The way you deal with phishing is very
different than the way you may deal with a case of malware, for example.

All of these registries that we're talking about also have to meet
varying restrictions and requirements.  The ccTLDs, for example, often
receive guidance or restriction from their national governments.

The ICANN-regulated TLDs have contracts that they need to abide by and
consensus policies.

And what we're also finding is that registries and registrars can
often choose very different but equally effective ways of dealing with
a particular problem.  So we're interested in bottom-line
effectiveness, absolutely.  But people have different ways of getting
there.

So, in general, we're finding that very specific policies or very
specific implementations are not applied very effectively or very well
across differing TLDs.  Rather, we need some choice to deal with our
own situations.

Okay.

Basically, we're finding that also no one party or one type of entity
is going to be able to solve these problems.  In fact, ecrime is not a
solvable problem.  More, it's a matter of management.  And
collaboration and data sharing and education are extremely important
and very effective.

We all believe that ICANN is a really useful place for people to come
together and discuss these issues and so forth.

A few years ago, that's how I got involved in these issues.  It was at
ICANN and talking with people here.

And, finally, our approach is what's going to happen with the new TLDs
is in a lot of ways unknowable.  But I do want to present some ideas
and some trends that we have seen in the past that might be applicable
to the future.

So ICANN asked just four questions.  And the first question was
basically if a TLD grows, gets more domain names in it, or if new TLDs
come into existence, has that resulted in an increase in problems? 
Malicious use of domains.

What we can say with certainty is that, as a TLD grows and becomes
more popular, you do start to see a rise in these issues.  But this is
probably a natural thing to happen.

For example, as a TLD grows, you are going to have more and more
people building Web sites in it.  And of course that's what we all
want.  We want a TLD to grow, to be popular, for people to put up
content.

But that also means that if there are more Web sites, that means there
are more Web sites to get compromised and hacked into, and that means
phishing may start to occur.

There may be injections and compromises that lead to malware residing
on those sites.

So on one hand, growth in a TLD is wonderful to have, but it comes
with certain attendant problems.  And that may be inevitable.

We have also seen that criminals definitely migrate from TLD to TLD
over time.  For example, some of these big phishing gangs will go after
a TLD or registrar, they will get names, and then they will get chased
out and they will go somewhere else.  And then they will get chased out
and go somewhere else.  That happens in the existing TLDs right now. 
So we can assume that criminals will eventually start to register names
in new TLDs.

The second question was, I mean, what measures are needed to deal with
some of these problems and what are the challenges.

The registries and registrars in our group identified some of the
challenges.  Some of those are legal.  You have varying privacy laws
and government regulations and controls.  There are certainly risks
with suspending domain names and stopping them from resolving, and none
of us like to see false positives.

Sometimes these behaviors are very difficult -- these real problems
are very difficult to identify and then document to a level where
you're comfortable saying to a registrar or someone that here is a real
problem and here is why.  We have been able to document this and this
is why we need to deal with it.

There are technical challenges, including gathering data, sharing it,
formatting it.  And of course there are problems with registrant data,
which might be dispersed, that means through thin WHOIS, for example,
or just plain inaccurate.  We are all familiar with those problems.

And finally, there are costs associated with it.  Security work is no
fun.  Nobody likes do it, really.  And it's a cost center.

Third question is, as things evolve, what new processes do we need?

Well, the cooperation actually is already global.  We have a lot of
people sharing information and doing good things together.  We need to
do more of that.  There needs to be more cooperation between interested
parties.

One thing we need to think about is what is ICANN's role.

ICANN is a technical coordination body at the very highest level.  It
is interested in the security and stability of the DNS.  In other
words, the Domain Name System at its highest level.

That's very different than all the things that go on in the Domain
Name System.  In other words, the uses and abuses that are taking place
every day.  So we have to think about that because it has profound
policy and operational implications.

The group certainly suggests that ICANN take steps to become aware of
some of these problems that may escalate to significant threats to the
DNS itself and then work on ways to cooperate and help mitigate or
prevent those problems.  That's very important.

And the fourth question, what measures can be employed by ICANN.  And
we did come up with two recommendations that we would like to share.

The first is that in the new gTLD application process, we do recommend
that applicants specifically state what they intend to do as far as
abuse policies and handling.  We would like to see that.

And tell us what they are going to do.  And we suggested those be in
line with some general practices that a lot of organizations already
do, and APWG and RSG are working on best practices that can be used.

We suggested applications that fail to include provisions for abuse
handling or abuse policies should be referred to the extended
evaluation process.  Those applications should basically get a closer
look.

The other thing we recommend is that the ICANN compliance staff needs
to be ready for the new TLD round.  They have a really central role in
responding to WHOIS complaints.  WHOIS is the way that responders
figure out whether there may be a problem and who to contact.  And we
think that they should be reviewing regularly all registrars'
compliance with WHOIS.  Port 43 and web-based WHOIS, in accordance with
the existing agreements and other existing policies.

So that's it, and thank you for your time.

>>GREG RATTRAY:   Thank you, Greg.

Next up we have Leigh Williams.  Leigh is the former chief risk
officer of Fidelity Investments and a former senior fellow at Harvard's
Kennedy School.  He is now the president of BITS, a technology policy
consortium of 100 of the largest financial institutions in the United
States.  He is here today speaking for four associations that ICANN has
asked Leigh to review of connections among finance security in the gTLD
expansion.  

So, Leigh, over to you.

>>LEIGH WILLIAMS:   Thank you, Greg.  And thank all of you for the
time and interest you have in security.  I guess I shouldn't assume you
are all interested in security.  There were some straw polls in the
panel before this one.  Would all of those in favor of security, raise
your hands.  All those opposed?  That was pretty good.  Can somebody
take note of who the opposed might have been?

I actually do genuinely want to thank all of you for working security
issues, for working the interest of the registrants.  I come
representing one slice of the registrants, the financial services
industry.  This is critically important to our industry, not just gTLD
expansion but all of the things that ICANN does on security and on
stability, many of the things that you do every day matter a great deal
to all of us.

Now, I thought I'd take maybe two minutes on each of four topics to
kick off our part of the discussion.

One is to talk about this review that Greg mentioned and our plans for
conducting or facilitating that review.

The second is an issue that we think is critical to us, and that is
the selection of participants in the gTLD process.

The third is configuration of those registries, the security
requirements of the registries that those participants manage or that
they work in.  And then finally, there's one open question that I think
deserves a little bit more work that we're happy to contribute to, but
that we will certainly need some help with.

So first, this review.  The financial services industry, as I said,
cares a great deal about this.  We have come to ICANN and said this
matters to us.  We would like to do anything that we can to help.

Greg mentioned that some of my colleagues here on the panel had
submitted comments on the guidebook.  We submitted a couple round of
comments.  I checked my notes earlier and I think we may have given
more comment letters to ICANN in the last six months than we did to the
U.S. Federal Reserve, which in our book makes it pretty high on the
priority list.

So we made that offer, said we were happy to pitch in.  ICANN very
graciously accepted that invitation and said if would you like to
facilitate some of these discussions, if you would like to garner some
input from industry and from all of the people who have a stake in this
process, and then offer back to us some insights on what you think of
security, we would be happy to commission that work.  So we would be
happy to do that.

The first stage in getting that done is to work here and in the coming
consultations, the ones that are scheduled in July in New York and
London and Hong Kong, to try to bring together some people from the
financial services industry, but also other people who have a stake in
this.

So we're happy to take input from anybody who cares about highly
secure and perhaps even high-risk domain ranges.

Ultimately, if we get that input in August, in July what we're hoping
is to synthesize it in August and feed it into the process of what
might ultimately be the next guidebook issuance, which I assume comes
in September in advance of the October meetings in Seoul.

So there's the review.  That's the way that we're thinking about
cobbling some of these ideas together.

Now, there are two issues that we know will have to be dealt with in
the course of that review.  The first one is how we select all of the
participants in this process of financial gTLDs.  And I say all
participants, because for us it's not just who is awarded the registry.
It's not just the registry operator, but it's at least as important to
us, ultimately, who the registrars are who work with that registry and
who the registrants are.

We have a financial services ecosystem that has financial institutions
of every shape and size, large, small, U.S., non-U.S., every country,
every continent.  Every product set, so some are banks, insurer,
securities firms, card companies, payments processers, lots of
different pieces of that whole puzzle and one thing we need to make
sure is that ultimately, domain names that claim to be financial and
that claim to represent that ecosystem or maybe community, if you will,
ultimately really do represent the legitimate interest of financial
customers.

I said community.  I was a little reluctant to throw that word in
because I think it is extremely important for us ultimately to decide
what the financial community, not just the ecosystem, is.  But that's
also going to be very difficult.  We have all those product sets, we
have all these geographies.  We have some boundaries between those who
are regulated by their financial regulators in their home or host
countries and those that are not.  And we'll have to see how each one
fits into that category.

But that's one of the first decisions that we'll all ultimately have
to make together, is who is eligible to be a registry and who they
ultimately will work with all the way downstream as an eligible
registrar and registrant.

Now, I don't know what all the eligibility issues are, but some of the
ones that have been thrown on the table are the way that we think about
proof of good standing, how we manage endorsements, how we manage
objections, whether we do background checks and criminal background
checks or financial background checks.  All the pieces that are
mentioned in the current guidebook I think will be important and it
might turn out that we uncover some others as well.  

So there's one issue, is who the participants are and how they are
selected.

The second issue that is at least as important is how those registries
ultimately are operated.  The security requirements and configurations
in those registries.

I don't want to prejudge what the answers are for all of those, and
many of the questions I think have already been raised by Rod and Greg.

Some of the things that people have mentioned as potential
requirements for what might be elevated requirements for high-risk or
high-security domain names are levels of encryption and authentication,
certificate management.  They might be browser configuration.  We might
not require just DNSSEC but there might be some specific requirements
about key management within DNSSEC.

I don't know what all those configurations are, and even if I had my
own opinion or my institutions had an opinion, I'm not sure that would
necessarily be the right answer up front.

But over these consultations, ultimately I think we will all have to
decide what the right level of security is in operating all of those
registries.  And then we will have to figure out how, actually, to
employ it across all of those registries and domains.

So that's the third question.  I said I had one open question that we
were trying to sort out, and that's the one that we get to is how
ultimately do we take those conclusions that we all reach together
about what the right participants are and what the right security
requirements are and then actually promulgate them through the whole
process.

Now, there are a lot of different possibilities.  One is they could
just go in the guidebook and they could be applicable to everyone.  So
if we come up with some ideas that we think are important for security,
they could apply not just to financial domains but to every domain.

Now, that's probably not the best answer.  Our hypothesis is we
probably need a higher level of security than you would set as a floor
across the entire domain space.

So the kind of diversity that Greg talked about, it probably requires
us to set some requirements for financial TLDs that are a little bit
higher, and we'll have to figure that out.

So that's the second possibility, is we put it in the guidebook, and
in the guidebook we somehow differentiate between what is applicable
across the universe and what is applicable to some category.  And I
don't know whether you call that category high risk or high security or
you just call it financial, but in some elevated category, we have some
elevated requirements.

We think that's probably going to be the right answer.  Our hypothesis
going into this discussion is that that might be the best way to do all
of this.

And then there is a third possibility which frankly I think is of some
concern to us, and that is that we don't put any of this in the
guidebook that we just set it aside.  That we do all this work together
to figure out what the right requirements are but then we push it off
to the side until the applications start flowing in, and that then we
rely on the community to look at those applications.  And through the
comment's endorsements and objections, to sift through who, in their
applications or in the contracts that they are offering, actually are
meeting those security standards and who is falling short.

Now, that strikes those of us in the industry, I think, as being a
very dispersed, very resource intensive, maybe even a dangerous process
because we have an awful lot of applications flowing in.

If we can set the rules up front in the guidebook or wherever it is
appropriate for ICANN, we think that makes a lot more sense than
looking at all of these applications after the fact.

So we're sifting through all of that.  The bottom line is we very much
look forward to working with as many of you as want to participate in
this process to really answer three questions.  One is the selection of
financial TLD participants.  The second is the security requirements
for the registries in which they all operate.  And then finally, the
best way to apply the best mechanism, ultimately, for applying all of
those rules to the process.

Thanks.

>>GREG RATTRAY:   Thank you, Leigh.

Next we have Raja Azrina.  She has over 14 years of experience in
Internet working and information security.  Her primary role has been
the establishment and operation of the Malaysian CERT, my CERT, since
1997 until late 2008.  She also is the former chief technical officer
of Cybersecurity Malaysia and its chief information security officer
and served on several national and international working groups.

Azrina, it's yours.

>>AZRINA OTHMAN:   Thank you for the introduction, and I am very
overwhelmed with the session.

I followed through the few sessions since yesterday, and I find it
very interactive, and I expect a very interactive session this
afternoon.

So basically, my views for today would be mainly on the challenges and
covering some areas of recommendations or possible solutions when
dealing with malicious activities, DNS related.

From the views and from the eyes of, I would say, the CERTs, Computer
Emergency Response Teams, and I know there are representatives of CERTs
in the audience today, and I do believe after many, many years of
working in the CERT, they would concur with me that we have a major
problem with DNS being under attack right now with a lot of response
requiring participation, cooperation from registrars and registries.

So the first thing I would like to cover would be on the threats.  And
here I believe that you have heard several.  What I have on this list
is just the tip of the iceberg but I would like to highlight the major
problems we have been facing among the CERTs, among the response teams.
Mainly the following, the first one would be the domain purchase,
purely mainly targeting criminal activities, for the purpose of
criminal activities.  And here we can see the purchase of the domain
using trademarks that's basically registered in that particular country
but the purchase of the domain is made from registrars that are
residing in other countries.

So the problem is the validation, verification is not properly in
place, and as such, that that purchase has been approved.

Now, secondly would be the issue of WHOIS data.  Now, for the CERTs,
the main, prime source of information in identifying the source of
attack or the source of malicious activity would be a WHOIS lookup;
okay?

So the WHOIS data is very important for us.  Of course, there are
other means.  We do trace route, we do other means of tracing, but of
course the WHOIS data is very, very important.

Now, unfortunately, the WHOIS data can be completely bogus.  It could
be falsified.  It could be anything under the sun.  And this creates a
lot of problem with this.

And thirdly would be the unauthorized modification of the NS reports. 
Now, based on experience, there are registrars that actually allow
access to the system for the applicant or the owner of the domain to
request for changes, and in which changes would be automatically
implemented or executed without proper authentication process.

So this is a challenge in which there were several cases involving
such incidents.  And it is very embarrassing for the victims.

Fourthly would be the domain squatting, and I think that's helpful
covered this afternoon, the previous session, so I won't go into those
details.

Finally would be the malicious DNS Fast Flux.  And there are plenty
types.  I mean, there are two major types of Fast Flux.  And the ones
that , for example, the single flux, I would like to explain, is that
it involves manipulating the error reports while the double or double
flux would be involving the manipulation of the NS reports.  And it is
getting deeper into the system and making it more difficult to be dealt
with.

So the challenges, I would say one of the major challenges, the first
one would be the fact that based on the several -- well, many cases
that I have gone through, is that it keeps repeating on the same
providers or the same registrars or resellers.  And it could be that
they are attracting bad actors, which I believe this has been raised in
several sessions.

And secondly would be a particular service is used over and over,
despite the fact that they are showing some initiatives to actually
stop the activity.

Now, these two facts, actually, has been cited with facts from APWG
survey, so it's not purely just based on our experience, but also
supported with facts.

Thirdly, the CERTs and other brand of phish fighters depend on the
WHOIS, as I state just now.  And that the owner of the domain names and
I.P. address information has been falsified.  And as such, it actually
delays response.  It delays action to be taken, and it creates a long-
winded process for us to actually get to the bottom of, to identify
whether it is a deliberate act or it is an accident.

And fourthly would be the cross-border issue.  Now, I have had
firsthand information in dealing with cross-border in which people are
actually -- when there is an incident, the first thing they trace is
actually the I.P. address, not quite the domain name.

I don't know why most victims actually look at it that way, but
perhaps because from I.P. address, you can locate the location, the
physical location of the machine.

What happens is they would trace it to a physical host which runs the
I.P. address and take down the site.  The problem is the domain is
still up, so another site, another I.P. address, would be up in 24
hours, and the incident I would like to recall would be the one taken
down in Malaysia was brought up in Amsterdam in 24 hours.

Now, this is before Fast Flux came about.  Of course, with Fast Flux
it can never be down.

There will always be another site being up.

And when I was advising this case, I advised the party involved, which
was from the Middle East, to basically do the removal of the request
for request for the removal of the domain.  And removal of the domain,
from the experience, I could say that it can involve months for a
request to be taken up seriously by the registrar, or it can take up to
the least I've seen was a week for the domain to be removed.  And this
is where subpoena being issued from the country where the registrar is
being located.

So that is a large effort to be taken for the removal of the domain.

Now, there is also some initiatives done by registrars to flag on bank
names that are being requested or applied.  Now, this is an issue in
which will it be scalable.  And secondly, not all banks' domain names
have the word "bank" in the domain.  So you can miss a lot of banks by
just basing on the term "bank."

Finally would be the domain dispute resolution process, the UDRP,
which I find is just too long a process, and where damage has already
been incurred.  So it's damage control, it's too late, and it's -- it
may work for cybersquatting, but for criminal cases, it is just too
long.

So I believe that one approach would be it's important to have
measurable mechanisms in which some methods, some mechanisms needs to
be in place for us to measure solutions.

If we put in controls, security controls, or it can be in the form of
policy or technology, we need to ensure is it scalable.

For example, domain lockdown where alerts go out to registrants.

In case of Conficker, it was just too much.  Too many domain names was
involved -- too many I.P. addresses was involved, and too many domains
were involved.  And it was just too much to be taken up by the
registrars on a reactive mode.

Secondly would be is the security integrated into the business
process?  In the first place, if we are just focusing on the reaction
but not on the preventive measures, then we are not solving the case
because we will be firefighting all the time.

So when we cut red tapes, we put things online to make process faster,
to make application go faster, are we basically lessening or losing on
the controls on the security requirements?

And thirdly would be can the online process be abused, is something
that needs to be audited.  Banking, online banking system are
rigorously being tested and audited before being launched, but is the
same process being applied for registrars when they are issuing a new
online application process?

Finally, does voluntary best practice work?  I mean, there are a lot
of guidelines in place.  They are very good, and they are very good if
they are applied, implemented and complied with.  But the problem is
that how do you measure?  How many of them -- how many of the entities
are actually complying to this best practice?

And how do you measure the responsiveness of these registrars or
registries or implicated parties?

The way forward, I will say there are a few.  Perhaps the first thing
I would like to focus is if you want to improve the information
handling, we must ensure the input validation is there.  Like in
programming, when you do a program, you want to ensure that what you
put in are good data, then you get good data out.

But the problem is if you put garbage in and you get garbage out, then
you repeat a process of cleaning up or trying to get to the bottom of
things.

And secondly would be the recording of the owner of subdomain, which
often is not practiced; okay?  Although it is a requirement, but it is
not quite a good -- it is not practiced.

Finally, my final slide, would be the proactive scanning and
detection, and proactive action needs to be put in place.

Then responsive action would be to reduce the time taken for takedowns
of domains.  It's largely discussed in the sessions.

And finally flagging or acting upon a customer registering for
malicious domains can also lead to further investigations.  So rather
than just acting on a report, purely suspending them, perhaps an
investigation can be initiated to further weed out further bad actors.

So basically, that would be my final slide.

Thank you.

>>GREG RATTRAY:   Thank you, Azrina.

Next we have Beau Brendler who is here representing the ALAC, and Beau
has said he will explain some of the others that have contributed to
his research and perspective.

So, Beau, over to you.

>>BEAU BRENDLER:   Yeah, thank you.  On my title slide there is just
the names of some of the merry band of investigator folks that help us
out at that at-large.  (saying names) as we call them, or I call them --
mostly, they contributed to the last slide.

>>GREG RATTRAY:   Beau, we're still waiting on your slides.

>>BEAU BRENDLER:   Oh, sorry.

Me being the last panelist standing in the way of the gala.  Everybody
wants to start getting their drink on, and we're waiting for my slide
here.

>>LEIGH WILLIAMS:   I thought this was the gala.

>>BEAU BRENDLER:   There we are.  There we are, actually.  So,
actually, that's not that exciting, this slide.  So we'll go past it.

I'm going to try to be in a consumer's shoes here.

I don't know how many of you have tried to go on a diet, but there's a
really effective diet drug called phentermine, very effective in weight
loss, whereas a lot of other drugs aren't.  So perhaps I'm a consumer
and I've heard of that.  And I go online and try to type in the URL of
this particular drug that I've heard.  

So I realize this is kind of a setup here.  But which of these is a
legitimate seller of weight loss medication?

Anybody care to hazard a guess?  Somebody said, "None."  That's good. 
Okay.

The first is short amphetamine.  So selling it is illegal.  But if you
picked number two, that's at least the correct spelling.  The first one
actually is a little bit -- it's actually a little bit cleverer than
the other two at the bottom, because the one with a Phentremine with a
t-r-e in the middle is the correct trade name for a variation of
phentermine.  The two at the bottom, who knows what you're actually
going to get if you order from them. 

The actual site there, if you go there, you'll find a lot of chat and
a lot of information, and then you'll find links to illegal pharmacies
where you can buy the amphetamine.  

So all of those are, I think, blind registered or private proxy
registered.

Which of these is a consumer advocate?  

I don't know how many of you have heard of acai berry, the wonderful
berry or fruit that is supposed to help you lose weight and clean out
your colon and all that.  

There have been a lot of criminal prosecutions in the United States of
manufacturers of acai berry products because they really don't stand up
to what they say they do.

So of these, can anybody guess what the consumer advocate is?  

Theacaiberryreview.com, the acaiberrywatch.com, one of my favorites,
the colonreviewboard.com.  I imagine a bunch of people in white
uniforms in a room sort of like clawing through organs, "This colon has
a cheese burger in it from 1983.  We're going to give it a B minus."  

And then, you know, there's webmdacaireview.com. 

So which of these is a consumer advocate or at least giving
information to consumers that might be useful?  

Might anybody guess Webmdacaireview.com?  You would be wrong, because
that's a site that has been blind registered I think at Go Daddy and
goes to a page where somebody talks about how their acai berry product
is better than everybody else's.  And all the rest of them, of course,
are actually not consumer advocates.  They are in the style of a lot of
marketing pages that you see nowadays that simply try to say, we're an
expert, we're a consumer organization, and, you know, our product is
better than this other guy's product.

I don't know if loan modification's a big issue in Australia.  But in
the United States, there's a lot of criminal activity going on in the
selling of loan modification services.  In fact, it's kind of
interesting.  The same people who brought us the subprime mortgage
crisis have gone into business making a lot of money counseling
consumers how to reengineer their loans when in fact you can do that
for free and not pay anybody to do that.  But there also have been some
efforts by the Obama administration to help people out.  

Does anybody care to guess which one of these actually has government
backing, in other words, there's real information from a government
organization to trying to help to have help you out?  The Federal Loan
Modification Bureau, governmentloanmodificationprogram.com.  That's --
if anybody guessed makinghomeaffordable.gov, how did you guess?  That's
the one.  Why did you guess that?  Because it's got a dot gov.  That's
how consumers think.

Or perhaps how they don't think.

So I'll be brief on this slide, because we want to get through this
and get to discussion.  What's the lesson here?  Victimized consumers
don't care about trademarks.  Nobody whose bank account has been
cleaned out by a phishing scam says I'm really mad that Chase's
trademark rights have been abused.

I think in the discussion that we've had, at least within the at-large
and over time in the IRT and all this going on, I think we have to get
past the point that this is all a trademark issue.  Because it goes
beyond that.

So my last slide here, which I'll go through quickly, if you look very
closely there, you can see Abbey Bank is a pretty big British financial
institution.  And our little group of investigators went through and
found this group of sites blind registered at Pipni in the Czech
Republic.  And in the course of trying to find what they were, all of a
sudden, they disappeared, and then appeared in 24 hours at Spirit
Domains.  So you'll see there are all kinds of things trying to trick
somebody into thinking they're Abbey Bank; right?  Abbey-Bank-PLC.com,
Abbeybankfinancelondon.  The one I wanted to call your attention to
specifically and make a point about is the relatively ridiculous one
with spaces above and below it at the bottom,
antiterrorismmonetarycrimesdivision.org.  That's probably not a
trademark; right?  But we need to be as equally concerned, I think, in
this community about sites like that that seek to deceive and mislead
consumers into thinking they're getting advice or getting help when, in
fact, they're getting ripped off or directed to a site that downloads
malware onto their machine or some other kind of situation like that. 
So in the course of sitting down and talking just with the panel at the
beginning, I know that there was some discussion about wanting to have
people present results or ideas for results on these panels or what to
do about this kind of stuff.

And that's a huge question.  I mean, there's a whole bunch of
different things.  But I think the issue we really have to pay
attention to the most is really WHOIS.  Of all of the issues, I know
that's been debated in the ICANN arena for ten years or more and people
are really burned out about it and tired about it.  But if there were
any one that some of the people who have been doing this investigating,
for instance, are the most concerned about, that would be it.  And
certainly no one in the at large proposes that WHOIS evolves to, you
know, some sort of system whereby people who want to criticize their
governments or whatever wind up getting tracked down and killed.  No
one wants that, of course.

But we also don't necessarily want to be in a situation where we're
advocating for completely anonymity in doing business.  Because I think
the examples we have seen over and over again this week and in ICANN
meetings before in an atmosphere that allows complete anonymity in
doing business leads to the kind of things that we heard about so
eloquently in the previous presentation.

>>GREG RATTRAY:   Thank you, Beau.  And that concludes presentations. 
I have about 25 after 5:00.  The panel is open until 6:00.  So this is
the point at which we'd like to take questions to the panelists.

So if you have a question, please come to one of the mikes located in
the aisles.

>> Quick highlight for Leigh.  Something I have been astonished to
learn is the reach of an organization called the Australian Securities
and Investment Commission here in Australia, which is the peer of the
Securities and Exchange Commission in the States and the Securities
Commission in Canada.

It has programs that, through statutory authority, regulate the
ability of sites to offer financial advice.  

Now, we're all familiar with the fact that people who give financial
planning advice to individuals have to be licensed.  But they've
actually gotten themselves into the game of telling Web sites what they
can and can't say if they're outside of the financial domain.  So it's
interesting to see that at least one national regulator is active out
in --- clearly in a space that would seem to fall outside the goalpost
you drew for elevated security or elevated interest around.  And that
might be an area to look both at their activity and whether that's a
good idea or bad.

>>LEIGH WILLIAMS:   If you think about those two questions, one is --

>> Mike.

>>LEIGH WILLIAMS:   If you think about those two questions that I
posed -- sorry, where did you go?  There you are.

The first is who the right participants are.  And it's absolutely true
that in Australia and in most countries, financial regulators have some
rules about who can and can't say that they are a financial
institution.  They may have to have a charter for some activities and
not a charter for others.  And that's true in the offline world.  It's
not true everywhere for the online world.  So today somebody could
register a dot bank or could have "bank" in the name, as Azrina
mentioned, in some countries and draw attention and in other countries
not draw attention.

One of the things that we'll have to work through in this whole
consultation is how we define who we think is a legitimate registry or
registrant in that space.  And that has to be based not just on our own
beliefs, but on the way customers think about it, as beau said, and the
way regulators think about it, as you said.

>>MIKE RODENBAUGH:   I'm Mike Rodenbaugh, an officer of the business
constituency and represented on the GNSO Council but speaking
personally.

Greg, you mentioned in the RISG slides that an argument that you have
a risk of liability, that registries and registrars have a risk of
liability in the event of false positive takedowns.  And I've heard
that argument expressed to me by board members, which indicates that
it's a -- possibly having some resonance.  And that really bothers me,
because I think it's a red herring really designed to scare people. 
Because I've been doing this work as an attorney for 14 years, and I'm
really not aware of any instances where a contract party has been held
liable for that sort of thing.  So the question is a fairly simple one.
Are you aware of any legal opinion or precedent that supports that
argument?

>>GREG AARON:   Yes.  I've spoken with a registrar recently, and I'm
not -- I shouldn't discuss who it is.

But as you know, we live in a litigious society.  As an attorney, you
know this.

And you also know that people don't necessarily have or need good
reasons in order to sue each other.

>>MIKE RODENBAUGH:   That's right.

>>GREG AARON:   When one gets sued, one spends a great deal of time
and effort and may incur, you know, PR damage and other things dealing
with that before it's dismissed in court, for example.

So there are risks.  Irregardless of whether there are precedents and
hold harmless clauses and those kinds of things, I think.

>>MIKE RODENBAUGH:   That's right.  There is indemnification all
throughout the chain.  Registrants essentially waive claims for that
sort of takedown in their agreements with registrars, and that goes all
the way up the chain to ICANN.

So -- I'll leave it at that.  We don't need to argue.

>> Greg (saying name).  I've got -- I did read your slides there.  And
one of them, you made a very clear definition of what you believe
ICANN's role is in terms of the stability of the DNS system itself.

Now, if I take that through, is that a challenge in there that's --
you're leaving on the table?  And the reason I ask that, because I'll
be the broken record again.

I have a botnet hosted on a Fast Flux domain.  The DNS is registered
in a country -- I won't tell you which one, but there's one in my mind -
- where they simply (inaudible).  I have no response from them
whatsoever.  The only thing that's going to get this botnet off my back
is the deregistering that domain.

Now, if you're suggesting in your argument there that ICANN has no
responsibility in that case, now, it doesn't matter if it's a ccTLD or
a G -- I don't want to get that way.

But what I'm saying is, where do I go and where does the population of
the Internet go if the registrars say, "Well, it's not my problem.  I
don't have to deal with this"?

I'll read you something, if you know Ross Anderson's work, this is the
economics of security.  It's almost like a little thing here.  Listen: 
In general, if the party who is in a position to protect a system is
not the party who will suffer as a result of a security failure, then
we will encounter problems."

Well, I'm encountering those problems.

Registrars, registries in other countries have no reason to care if
that domain is being used to hammer third parties around the world.

Where do we go?  What do we do?

>>GREG AARON:   Criminals put us all in very difficult situations. 
They make -- you know, they have no rules.  And they create problems
for all of us.

What we've said here is there's got to be a policy discussion about
what ICANN is able to do on a policy side versus the other things it
could do to encourage people to act responsibly.

We don't make our phone companies responsible for what people do with
their phones, for example.

>> (inaudible).

>>GREG AARON:   Well, there's a common carrier issue.

We don't make federal express responsible for everything that is in a
package, although they're also a responsible company and they may have
some ways of dealing with, you know, bad things being shipped.

There are no easy solutions to some of these cases.  That's all I can
say.

>>LEIGH WILLIAMS:   Because some of those solutions are so difficult,
because those kinds of takedowns are so difficult, we're arguing that
at least in the financial space, we need to have a very high bar for
who comes in in the first place so that we don't have to do quite as
much cleanup, as much mopup after the fact.

>>BEAU BRENDLER:   That's great for the financial space.  You can
afford it.  But for consumers whose primary direction into Web sites is
not a dot bank or a dot trust, but a dot com or dot info or something
like that, that's -- that's a -- I mean, congratulations, that's
terrific.  But....

>>LEIGH WILLIAMS:   You're absolutely right.  We do need to solve it
for everybody, not just for one slice.

>>ROD RASMUSSEN:   I'd like to make an observation here, or two.  On
this issue.

It's the overarching issue which we've been dealing with and
discussing ad nauseam for the last several years.

I think that this broader community actually, has seen a lot of
progress in doing things to address the issue.  A lot of the contracted
parties in the ICANN space have taken on and added abuse policies
directly to deal with these issues so that they can act responsibly and
remove these people from the Internet.

So there is -- there is, I think, a fair amount of movement here.

The other observation I'd like to make is that I -- there isn't a --
ICANN isn't the arbiter of all of this stuff.  The consumers, the
corporations are, we're all connected.  We have seen over and over
again if there is bad behavior within a specific name space that large
chunks of the Internet quit routing that name space when that happens. 
So there are measures that happen that are undesirable.  I think, from
an ICANN perspective is that we all want to interoperate.  But if
there's so much abuse within one particular TLD, name space, I.P.
space, what have you, there are people, technologies, et cetera, that
are out there blocking that.

So that is the downside. Everybody talks about government regulation
coming in, too.  That's another issue.  But the reality is the
marketplace often dictates how these things get dealt with.  And then
do you see registries/registrars responding to that, because it's the
market force pushing them.

>>GREG RATTRAY:   Wendy, we'll have a question from that queue, which
is longer, and then over to the center.

>>WENDY SELTZER:   Thanks.  Wendy Seltzer.

I want to thank the panel for giving us a balanced view of the problem
and the nuance of dealing with the problem of ecrime while also dealing
with the rights of various parties not to be prejudged as criminals
because their activity looks suspicious or looks like something that
hasn't been seen before.  And so I just wanted express my concern at
Mike Rodenbaugh's statement that registrants have no rights or
registrants immunize and indemnify everybody in the chain above them,
and that we shouldn't be thinking of the contracts as quite that loose
with regard to the end user registrant, and we shouldn't be thinking
that the solution to crime is to make the end users' hold on a stable
location for online activity even more tenuous.

>>GREG RATTRAY:   I don't think there's --  That was a statement by
Wendy and I think not a question.  So unless anybody has a thought, I'm
going to turn it over to the center aisle.

>>PHILIP ARGY:  Thank you.  Philip Argy from ArgyStar.com, also from
the eCommerce Committee of the Law Council of Australia.

Parking for one moment the issue of the anonymous right to free
speech, because that is important, but I think it needs special
attention in the arena of privacy shields and proxy servers that are
being addressed elsewhere, I'm really concerned that when you talk to
law enforcement agencies, the thing they most say they would like is a -
- an identity verification mechanism so that they can immediately know
who is doing what's going on.

And I'm wondering from the panel whether the time has come to not
require registries, registrars, and possibly even all the way down to
registrants to have digital certificates with an independent high level
of identity assurance behind them so that you can at least stop some of
the spoofing and various other things that are going on and substituted
DNS records and all kinds of things.

Has the time come when that is, first of all, technically feasible? 
Do people think?  And has the time come to just say that's the price we
have to pay to eliminate a lot of the inappropriate criminal conduct
that's going on?  And as I say, recognizing that there's a space there
we need to protect where anonymous or at least not easily detected
identity is catered for, but where law enforcement agencies have the
ability to find out who's really behind particular entities?

>>LEIGH WILLIAMS:   I'll leave it to my fellow panelists whether it
makes sense across the entire domain space.  But that is certainly
something we could consider for any elevated risk or elevated domain
ranges.  And that could be not just certificate issuance, but
management and monitoring of the certificates.  It could be other kinds
of authentication requirements.  It could facilitate the trading of
secure e-mail in and out of that domain, this would be a huge help to
us.

So at least in the space that we have some responsibility for, I think
we would be likely to support it.  It's on the list of things that
we're thinking about now.

>>GREG RATTRAY:   Other panelists' comments?

>> Danny Yee from Electronic Frontiers Australia.

I can respond to both.  

I hardly think it's feasible to expect the DNS to distinguish medical
fraud from accurate medical information.  That's a bit like asking it
to solve world poverty or something like that.

The other thing was malicious action by governments.  And as some of
you may know about the stories coming out of Australia about our
government's plans to interfere with the sensible workings of the
Internet, that's one of the things we're concerned about.

How much of a problem is it or how much of a distraction is it for all
of the people fighting, say, phishing, that they have to deal with
people concerned about malicious governments as well?  Obviously, it's
not within ICANN's remit or antiphishing groups to tackle governments. 
But is it a problem that different governments have different goals and
put pressures on you to comply with different, say, rules for content?

>>ROD RASMUSSEN:   I'll take a stab at part of that, I think.

The -- how can I say this?  There is some evidence that there may be
state actors behind some of the kinds of attacks that we're seeing,
which obviously makes it far more difficult to deal with them.  I think
I'll leave it at that from that perspective.

From the regulatory perspective, every country has different
requirements, procedures, laws, et cetera in dealing with mitigation of
various content on the Internet.  Some of it -- some things aren't even
illegal in some countries.  So it makes it -- it does present
challenges.

We are seeing a coalescing of regulatory treatment of this through the
Council of Europe's -- I don't remember the name of it -- Cybercrime
Convention.  Thank you.  And many countries around the world have
signed on to that.  And that is an extremely helpful instrument in this
regard.

I don't remember if Australia has signed up yet for that.  If I
remember, they were one of the ones that was kind of holding out.  But
I don't know if they have yet or not.

But that has provided some very good tools, I think, for law
enforcement and the people who are dealing with this in the
infrastructure to be able to basically normalize how they do things.

>>GREG RATTRAY:   In the center.

>> My question's for Leigh.  And forgive me -- it's late in the day --
if I'm not really totally coherent in making this question.  But I
wanted to go back to what you were saying before --

>>LEIGH WILLIAMS:   I'll give you an answer as coherent as the
question.  Forgive me.

[ Laughter ]

>> I want to go back to the comments you were making about a financial
registry and the issues regarding it and whether or not it needed some
modifications into the applicant guide or something like that.

Through the last couple of ICANN meetings or whatever, it seems in
some corners I'm being told that the -- you know, the market sector --
the market model is capable of doing that, that if someone creates a
dot bank registry and it's insufficient for you, then someone can
create dot finance, dot money or whatever, until something comes along
that's good enough, or perhaps the institutions that you're working
with could create a coop on their own and go to ICANN, which may, you
know, push the definition of what constitutes a community application
into something they may not have anticipated.

I just want to get a little bit more of an idea of what you're
thinking of in terms of the kind of extra protections, the kind of
extra things that you would put into the application -- into -- well,
sorry -- what you thought might go into the guidebook that perhaps
could be solved simply by a registry coming up with doing the right
thing in the first place.

>>LEIGH WILLIAMS:   I heard someone in the GAC yesterday say that
there were a couple of cases in which she had some questions about the
solution that had been proposed, and she felt obliged to have something
to put in its place, but she didn't have it.

Well, I'm, to some extent, in that same position.  I do have some
concerns.  I'm not sure that we know what the right ultimate answer is.

One of the things that I think we're worried about is that if, say,
dot bank were awarded and it didn't satisfy the requirements for the
largest, most responsible, or smallest, most responsible institutions,
for that matter, it might still satisfy the requirements for some bad
actors.  And it wouldn't draw the most -- the most security-conscious
institutions.  But it might draw some marginal institutions.  And if it
didn't draw them, it might draw some bad actors that are just payments
providers or that pretend to be payments providers or pretend to be
banks that don't satisfy the regulatory requirements for actually being
banks.

So one of our worries is that we could have a whole list of lots of
domains that are awarded that appear to be financial and that consumers
could easily be confused by but didn't satisfy any financial
requirements.

>> But then wouldn't it be true that if all the real institutions went
into dot finance and dot bank had the reputation of where the shady
guys were?

>>LEIGH WILLIAMS:  My impression is that consumers are not so engaged
that they will see where the herd goes and follow them all the time. 
The reason phishing works is because the level of awareness among
consumers isn't perfect.  And that they find their ways to the wrong
site in today's environment.

If we give them some hints that are incorrect about what's secure and
what's not, they may follow some of the wrong hints.

So we would do everything that we could in the guidebook or anywhere
else to try to lay out some very strict standards for what could pose
as a financial services TLD, and the way that those ultimately would be
awarded only to those who ultimately provide service to financial
institutions or to financial services providers, however that should
ultimately be defined.

>>GREG RATTRAY:   To the panel's right.

>>JORDYN BUCHANAN:   Hello, I am Jordyn Buchanan.

It strikes me in listening to a lot of this conversation, actually,
that instead of looking at new TLDs as a terrifying threat, that there
actually seems like there's a singular opportunity for market-based
solutions to the sets of problems you are talking about.

If I gather correctly from looking at Beau's presentation, for
example, when we saw the example of the dot gov site, consumers are
capable of making qualitative distinctions between TLDs when they
exist.  To a large extent today, there aren't qualitative distinctions
between TLDs.  The registration policies in most of them are
essentially identical.

But as consumers become exposed to places where there are qualitative
distinctions between TLD policy, it seems like ultimately consumers
have the capability to recognize that, combined with Rod's point that
if there are places that essentially become homes to bad actors, they
are all in one place; right?  That's easy.  If you have the evil dot
bank and all the bad participants are there, then that's great.  Your
ISPs will just start to filter those guys out and the dot finance or
good bank or whatever it is that actually has reasonably high standards
can be a point at which we can educate consumers and encourage them
unless you go to dot good bank, you know, you are not going to a real
bank.

So it seems like the creation of dot safe or some set of good TLDs
that have exceptionally high security practices, where you have 100%
guaranteed WHOIS, and then if we educate consumers to start to take
advantage of these opportunities, it seems like that's a real
opportunity to vastly improve our security and our ability to defend
against these sorts of attacks as opposed to being worried that there
might be the creation of bad ones that could have bad practices.

Similarly, I could imagine someone could create like dot anon that was
truly anonymous, and people could make decisions how to interact with
it.  ISPs might ban it or people might say I don't know who anyone in
there is, I am very skeptical about what I hear about it, but at least
it's there and it's an opportunity for people to participate in
meaningful speech.

>>LEIGH WILLIAMS:  For financial services, I think there is a good
chance there will be great opportunities here.  I also think also are
some risks.  So our strategy is to steer as many consumers, as many
companies, towards the opportunities and away from the risks as
possible.

>>BEAU BRENDLER:   Just to respond to the part about consumer
education.  I think it's certainly reasonable, but it's very difficult
to do.  That doesn't mean to say we shouldn't do it, but, you know, I
think it will be difficult to get consumers past the original mind set
of the dot gov, dot mil, dot edu.  Those are the ones that have stuck
and remain stuck in the consciousness.

So new gTLDs, great.  But whatever the mechanism is to begin to help
consumers figure out that dot trusty bank is better than dot bank at
some point, that's going to take some work.  It doesn't mean to say we
shouldn't do it, but....

>>LEIGH WILLIAMS:   And I would hate to see some trial and error in
the meantime.  It's a lot to bet while people sort out what's good and
what's not.  And a lot of people could go through a lot of hurt in the
meantime.

>>ROD RASMUSSEN:   I think I would like to point out that a lot of
people in the APWG are the technology vendors that make these kind of
decisions in their products about what to promote and what to perhaps
say is dodgy.

So they are paying great attention to this process.  And for those
TLDs that do get introduced that have high levels -- high standards
that do work with the security providers, they will probably get a
little green bar somewhere on the browser, and those who don't may get
a yellow or a red bar.  So some of this will be solved by technology
because you will be self-identifying.

>>GREG RATTRAY:   I think we ever to the left next.

>>ROBERT LOWE:  My name is Robert Lowe from AusCERT, and I have a
quick question for Greg from Afilias.

Firstly, I think it is very encouraging to see a registry take such
proactive role in the security space.  And I think you mentioned also
that security was a cost center.  I don't know who has that view.  But
have you found -- or since you have taken this role, it looks like from
the APWG statistics, it is making an impact.  Do you think there is a
business case there for other registries and registrars to adopt?

>>GREG AARON:   Thank you for your question.  You are referring to
some studies that Rod and I have been doing over the last year, I think.

>>ROBERT LOWE:  I am specifically referring to the second half of 2008
statistics.  That report showed that the dot info demain had a quicker
takedown of phishing sites.

>>GREG AARON:   Yeah, we have had fewer incidences, and what we have
had, we have been able to get down much more quickly by working with
our registrars and so forth.

I mean, we made a decision to do some of these things because we
wanted our namespace to be trusted.

We want people to feel like these names are a good place to be and we
want a good reputation in our industry.

So that was a decision we took, and we had to work out some policies
and procedures for how to do that safely.

And it does seem like it's working out pretty well.  I'm very pleased.

There are costs associated with it, there are certain risks.

We have to put personnel to work on these things.  We write some code
to create tools to do these kinds of things.  We have to acquire data
in some cases.

But we have made a decision as a business that we want to do this. 
And we are seeing some benefits, so it's encouraging.  And Rod has seen
some other examples of success stories.

So now what we are trying do show other registries some of the things
that work.  And it's encouraging.

>>ROBERT LOWE:  What's been the response from those other registries?

>>GREG AARON:   I was talking with a large ccTLD just before I came to
this conference, actually, and we were exchanging some ideas, because
they are not -- they have had some good -- some good things happen, but
they are not entirely satisfied with where they are.  And they are
considering some policy changes that may help their situation further.

So that was a great conversation because we're exchanging and learning
from each other, and there are going to be some concrete results coming
out of it, I think.

>>ROBERT LOWE:  Thanks.

>>GREG RATTRAY:   Over to the right of the panel.

>>AMADEU ABRIL i ABRIL:   Is this the right?

>>GREG RATTRAY:   Yes.

>>AMADEU ABRIL i ABRIL:   Okay.  I thought it was on the left.

I am Amadeu Abril i Abril, CORE Internet council of registrars.

First of all, to thank ICANN and the panelists for making this
presentation in the room.

We are still less people than when we talk about trademarks. 
Trademarks!  Nobody is coming yet.  But normally this works very well. 

Security is probably still not that attractive, but at least it is not
discussion in the margins and the corridors like we have seen for some
years now.  It is at the central stage in a big room for important
things.

The next thing, as Jordyn would say, the new TLDs is an opportunity
for learning, improving, teaching, and preaching for good solutions.

But probably not to solve all problems in the world.

For instance, we have been hearing here sometimes, even at this
session, claims that ICANN registries, registrars should solve anything
that relates to any inconvenient or, even more, illegal problem just by
shutting the domain down, blocking it, freezing it, whatever.

Now, when in the European Union context we ask these questions to the
law enforcement agencies or governments, the standard answer we get is
if you see something illegal, come to us, as being police slash courts
slash public procurement, something like that.  You file a complaint
and we will tell you what to do.  But be very careful about you decided
what is legal or illegal.  In some cases it is very clear.  In some
others, you should leave that to the judicial branch to decide to tell
you.

Which means that the providers are not completely free in all
circumstances to do whatever they want.

In the example -- The last example they gave me was, well, if somebody
enters your home to -- a thief breaks into your home, you are not
completely free to just handcuff him, lock him into a closet, put him
on hold, so to speak, while the police arrive.

There are limitations to that.  You can do certain things.  You cannot
do all things all the time.  So be careful, because perhaps you will
just be crossing the line of the good intentions into the bad criminal
acts without noticing.

There's lots of things that can be done through contracts, codes of
conducts, cooperation, learning, and careful drafting of contracts with
new gTLDs and new registrars.  This is why I think it's very important
to have codes of conduct, best practices -- not just best practices,
but kits that we can offer to the new registries saying just do this. 
Don't spend lots of time trying to reinvent the wheel.  You are not a
specialist in security.  If you do this, you will probably be okay with
the minimum things you can do.  And rapid suspension being one of them.

Now, when I was the CEO of dot cat and we were improved, we introduced
the rapid suspension mechanism for lots of things:  noncompliance with
rules of the registry, I.P. regulations, and any other things from Spam
to security, et cetera.

When somebody claims there is an IPv election and come to claim that --
come to request a name being put on hold, the standard answer is you
should guarantee that your claims are true that this party, our
customer, effectively has no right.  And then you should indemnify us
in case that's later proven that this was false, that you made the
mistake; all right?

And we never have a problem.

So, Mike, if you are so sure that there are so many -- so few cases in
which this will be a real issue, and I completely agree with you, it
will be very rare, but if one of these occurs to a very small registry,
it could go just belly up for a long time, why don't we agree that
collectively the Anti-Phishing Working Group can find very cheap
insurance for these cases, all of them together, just to guarantee that
registries and registrars could do that without needing legal expenses
in researching what are the legal regimes, the legal consequences, the
legal cost in doing all this.

Lets simplify things for both parties.

>>MIKE RODENBAUGH:   May I respond to that since it was directed to
me?  It will only take a moment.

>>GREG RATTRAY:   All right, Mike.  A moment, and then the panel.  We
are approaching the end and we have now three people come up to the
mic.  So quickly, please.

>>MIKE RODENBAUGH:   I would say it's really up to businesses to have
that insurance.  I think it's actually required in the ICANN contracts,
for one thing.  If not, it certainly is a good best practice to have a
comprehensive general liability policy that would cover you for that
kind of risk which is incredibly rare.

Also, incredibly easy to fix if there is a false positive.  You simply
learn about it and turn it back on.  Damage is cut off pretty quickly.

>>GREG RATTRAY:   Okay.  In the center.

>>PAUL STAHURA:   Paul Stahura, that's my name and a question for
Leigh, I think, regarding the dot bank kind of TLD, new TLD.  Dot bank
or dot good bank or dot trust or dot security, and these kind of things
that have this implied meaning of security and banking and financial. 
Are you suggesting that there would be a higher bar in the DAG for
those technically?  And to implement extra security measures?  Is that
what you are saying?

>>LEIGH WILLIAMS:   That is one possibility.  And it might be that we
argue for high security and we all collectively decide that that
security applies across the domain space.

But if the appropriate level of security and, therefore, in some case
cost or inconvenience for the entire domain space doesn't satisfy
expectations of consumers or regulators for finance, then yes, we might
have to have a differential.

>>PAUL STAHURA:   And it's because the name, the string is -- means
security or stability.

So if we had something like dot really crappy, then would that have a
lower bar?

>>LEIGH WILLIAMS:   Well, some of it is the perception and some of it
is the reality of financial transactions flowing consistently, and
sometimes very high-risk transactions flowing in great volumes across
these domains or in these --

>>PAUL STAHURA:   So we have to link the meaning to the bar level. 
Somebody would have to make a judgment, this means something really
secure so we need to have a high bar for that one.  This one might not
mean something secure so maybe it's a lower bar or the current bar in
the DAG.

>>LEIGH WILLIAMS:   Well, I have heard it proposed two ways.  One is
finance, anything which is financial requires a higher elevation.  I
have also heard people say let's not carve out finance but let's just
try to establish a definition for high risk or high security.  And one
of the possibilities is anything that claims to have or implies that it
has high security or is of higher risk.

>>PAUL STAHURA:   Okay.  I got it.

Thank you.

>> Hi, my name is Andrew K.  I have a quick rebuttal to the gentleman
who was asking a question a moment ago.

If you figure out where to get cheap insurance, I'm sure everybody in
the medical and professional services industry would love to hear it,
and I'm sure you could set up a great site for it and a really clear
domain name.

>>GREG RATTRAY:   Looks like you may have the last word.  Let's keep
it crisp.

>> I will be.  Coming back to my earlier comment -- and Greg, I do
apologize, what I was getting at is registrars who do nothing is the
concern.

The registrars who respond and even give an act back is something we
can work with.

What I was also going to add to that, and following on from the
discussion here, in the ISP business, the copyright holders have a very
interesting setup whereby if I am the -- and I know it's not quite the
same but I just want to throw it out there, is that there is this idea
of safe harbor.

It means that if I as an ISP am notified by a copyright agent that a
customer of mine is infringing copyright, if I act within a certain
time frame and a certain period, I am actually not liable for
prosecution for that action.

Now, there's two issues with the safe harbor that are quite good. 
"A," it gets a response because if you don't respond you become liable
for the actions.

>> No, not true.

>> No, not true?

>> Well, my lawyers are going to tell me something different because
we have been doing it wrong for a while.  But I am just saying there
might be different ways to -- maybe a safe harbor or something that the
registrars can act in good faith without necessarily worrying about
liability, and maybe something that can be considered.

>>GREG AARON:   I feel where you are coming from, because I have
called registrars that I needed action from and got nothing.  And it's
a very frustrating situation.

The issue of covering people who need to take action is a really
interesting one.  And I am wondering if it's going to continue to come
newspaper the ICANN context.

Even if there were registrars -- Even if registrars, for example, felt
completely covered and completely safe, that wouldn't probably solve
the problem because a lot of registrars are small or inaccessible or
just don't pay attention anyway.

So there's -- There might be some ways to make things better.  They
won't probably solve all the problems.  But take your point.

>>LEIGH WILLIAMS:   Marilyn, do you have something?

>>MARILYN CADE:   I just have a question.  Could you explain just
quickly, if you are a registrar, how it is you are inaccessible? 
Because I thought your business was reaching people.

>>GREG AARON:   I can't speak as a registrar because I'm not one, but
we have a lot of registrars at ICANN, and a lot of them -- and we have
some that are very large and open 24 hours with 24-hour staffs and we
have some that are small.

>>GREG RATTRAY:   All right.  I think that wraps it up.

If there's no more questions, I first want to thank everybody in the
audience for their participation.  This is a stage in a process. 
Certainly in this area we are going to have to develop specific
recommendations for the applicant guidebook and we will continue the
dialogue about those recommendations and how to implement this.  And I
would like to ask the audience to thank the panelists for their efforts
this afternoon.

[ Applause ]

>>GREG RATTRAY:   With that, everybody please have a good evening.