As a result of the submission to ICANN of over 1,900 applications for new top-level domains (TLDs) in 2012, concerns have been raised about the adequacy of safeguards to protect consumers against harm such as confusion, malicious conduct and criminal activity in the soon-to-be vastly expanded Internet domain landscape. On April 11, 2013, ICANN’s Governmental Advisory Committee (GAC) issued Safeguards Advice in its “Beijing Communiqué,” outlining: (1) six proposed safeguards for all new TLDs, (2) five additional measures specific to TLDs pertaining to sensitive and regulated areas (e.g., children, education), and (3) three additional safeguards for regulated sector TLDs (e.g., financial, gambling, professional services, environmental, health and fitness, corporate identifiers, and charity).
On June 25, 2013, the ICANN Board of Directors New gTLD Program Committee (NGPC) convened and adopted the proposal for implementation of the six safeguards recommended for all new TLDs. ICANN’s adoption of the six safeguards will impose more stringent rules on security and Whois data checks. These safeguards will require applicants to incur additional oversight, cost, and investigative responsibilities within their registries. Registrants of second-level domains in new TLDs also will have to contend with additional oversight responsibilities.
On July 2, NGPC tackled ICANN staff proposals on the additional eight “sensitive/regulated sector” safeguards. NGPC has decided to place on hold all applications for TLDs identified by the GAC, many of which are highly sought after, pending further dialogue at the July 14-18 ICANN Meeting in Durban, South Africa.
NGPC’s response creates uncertainty about how these TLDs will be treated. Even so, new gTLD applicants and other entities operating in sensitive/regulated market sectors – particularly those in the pharmaceutical, biotechnology, insurance, financial services, media and entertainment industries – should prepare for the likelihood that some or all of the eight proposed safeguards will be adopted, in whole or in part, and for the effect of the six newly adopted safeguards.
The Six Adopted Safeguards Applicable to All New TLDs
The six safeguards applicable to all new TLDs pertain to Whois verification and checks, mitigation of abusive activity, security checks, complaints, and consequences for domains with false Whois information or which are used in breach of applicable law, including:
- Mitigating Abusive Activities. ICANN will amend the new gTLD Registry Agreement – its contract with the registry operators – to include a mandatory Public Interest Commitment Specification (PIC Spec). The PIC Spec will obligate registry operators and registrars contractually to prohibit registrants “from distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law and providing (consistent with applicable law and any related procedures) consequences for such activities including domain name suspension.”
The mandatory PIC Spec will also obligate registry operators to “periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats, such as pharming, phishing, malware and botnets.” Additionally, they must “maintain statistical reports on the number of security threats identified and the actions taken as a result of the periodic security checks” and “maintain these reports for the term of the [Registry] Agreement unless a shorter period is required by law or approved by ICANN” and provide the reports to ICANN when requested.
- Security checks. ICANN will establish a framework for registries to implement the required security checks, either by convening a task force or through a policy development process. This means that registry operators likely will not know the full extent of the cost implications of these new measures before executing their contracts with ICANN.
- Whois verifications and checks. ICANN, instead of registry operators, will implement Whois checks at least twice a year; however, registry operators will be responsible for punishing, such as by suspending the domains, registrants who provide false Whois information or violate the requirement that the domain name should not be used in breach of applicable law.
Additional Safeguards Applicable to Regulated Market Sectors
The NGPC decided that additional clarity on the scope and intent of the eight additional sensitive/regulated sector safeguards is required before any can be adopted. NGPC considered an array of problems, including those voiced in public comments by the ICANN Community, that the GAC’s Category 1 Advice is “untimely, ill-conceived, overbroad and too vague to implement,” and creates questions as to fairness and predictable treatment of TLDs. By way of example, the GAC’s Beijing Communiqué includes a non-exhaustive list of affected TLDs, a significant number of which relate to regulated market sectors, including 45 financial TLDs, e.g., .cash, .brokers, .finance, .fund, .bank, .pay, .credit, .market, and .mutualfunds. The scope of the proposed requirement is problematic given that compliance with these safeguards will fall to both registry operators and, to an extent, the many entities that will register second-level domains within these regulated sector TLDs.
For operators of regulated sector TLDs and their registrants, the extra safeguards could require the following:
Registries to include in their acceptable use policies a requirement that registrants comply with all applicable laws, including, e.g., those related to privacy, data collection, consumer protection, fair lending, debt collection, and data and financial disclosures.
- NGPC expressed no concerns with this safeguard, as all registrants are required to comply with applicable laws;
Registrants to implement appropriate security measures for the collection and maintenance of health and financial information.
- NGPC deemed this safeguard to be too vague and thus impossible to implement and noted that registry operators are not the appropriate entities to carry out this safeguard;
Registries to establish working relationships with relevant regulatory bodies.
- NGPC identified contractual enforcement concerns with this safeguard and a potential unwillingness on the part of regulatory or industry self-regulatory bodies to collaborate with registries;
Registrants to notify the registry of their single point of contact for notice of complaints or reports of registration abuse and provide contact details of relevant regulatory bodies in their main place of business.
- NGPC expressed concern over how registrants would determine which regulatory bodies might be relevant, noted registries already have a point of contact, and that in the case of unrestricted TLDs, implementation of this safeguard should be through registrars and the Registrar Accreditation Agreement;
Registries to verify and validate registrant authorizations, licenses or credentials before domain registration and consult with relevant national supervisory authorities in this endeavor when needed, and conduct post-registration checks on registrants to validate and ensure registrants are compliant with laws/regulations and licensing requirements and generally conducting their activities in the interest of consumers.
- NGPC expressed concern that implementation of these safeguards could change the nature of some open TLDs into restricted TLDs, and potentially discriminate against users in nations whose governments either lack bodies/databases to verify such information or have different regulatory regimes.
Potential Implications of the Additional Safeguards
Adoption of even some, if not all, of these sensitive/regulated sector safeguards will impose unanticipated obligations on registries and registrants. For instance, registries may be required to more proactively police their TLDs and enforce their acceptable use policies to ensure compliance with applicable laws. These oversight and enforcement roles are ones that traditionally have belonged to law enforcement, legislators, regulatory bodies, and/or adjudicative forums such as courts, but the requirement that registry operators comply with all applicable laws may shift to registries some of these responsibilities.
Further, regulated sector registries may find the need to strengthen their acceptable use policies and alter their business plans to ensure compliance with these requirements. They may also see the need to amend their TLD registration policies if they do not reflect the safeguard requirements. This, in turn, could mean that new gTLD applicants will want and/or need to amend previously submitted PIC Specs for their TLDs – all of which could contribute to further delays in delegation of the TLDs to the Domain Name System.
For entities planning to register domains in these sensitive/regulated sector TLDs in an attempt to promote or just defensively protect their brands and services, adoption and implementation of the safeguards will likely produce greater record keeping and financial disclosure obligations as well as oversight by non-industry regulators, require the development of new or enhanced security measures to safeguard consumers’ information (i.e., health and financial), and create obligations to registries with whom they have no direct contractual relationship. The validation and verification requirements could also result in a more involved TLD registration process.
Conclusion and Next Steps
Though the fate of these eight additional sensitive/regulated sector safeguards is unclear, more oversight and compliance for registries and registrants is inevitable. As such, they will need to begin to prepare for adherence to these or similar obligations and consider allocating more resources to staffing compliance personnel and counsel.