As has been well publicized, the Internet Corporation for Assigned Names and Numbers (ICANN) is in the final stages of approving nearly 2,000 new generic top-level domains (gTLDs) for launch. Intellectual property owners and computer security experts have expressed concern that the forthcoming gTLDs may become havens for intellectual property infringers, malware purveyors, counterfeiters and others engaging in infringing or abusive conduct. To address these concerns, the New gTLD Program Committee (NGPC), the entity empowered by ICANN to make strategic and financial decisions regarding the new gTLDs, has recently adopted several “safeguards” that are designed to reduce the potential for infringing and abusive use of the new gTLDs. Although the effectiveness of these measures remains to be seen, they are a step in the right direction for protecting IP owners’ rights within the soon-to-be-launched gTLDs.
The NGPC has been working to finalize the agreement that registries of the new gTLDs will be required to sign with ICANN. This agreement is named the New gTLD Registry Agreement (NGRA). The NGPC requested input on a draft of the NGRA from ICANN’s Governmental Advisory Committee (GAC). GAC’s role is to provide advice to ICANN on issues of public policy and the interaction between ICANN’s activities or policies and national laws or international agreements.
On April 11, 2013, through a document known as the “Beijing Communique,” GAC made a number of recommended changes to the draft NGRA. Among GAC’s recommendations were that six “safeguards” be added to protect intellectual property owners and reduce the potential for fraudulent and abusive use of the new gTLDs.
On June 23, 2013, NGPC announced that it was adopting all six safeguards but with changes to the terms and implementation methodologies. On July 2, 2013, NGPC approved the final draft of the NGRA, which incorporated some of these safeguards. The more important safeguards the NGPC has adopted from the perspective of copyright and trademark owners are discussed below.
WHOIS Verification and Checks
Domain names have long been used to engage in a variety of unlawful conduct, including piracy, cybersquatting, phishing, pharming, the distribution of malware and the operation of abusive botnets. Many individuals engaged in such conduct provide false or incomplete WHOIS information to their registrars in an effort to cover their tracks. Since 2003, all domain name registrars have been obligated to require that their registrants provide accurate and complete WHOIS information, with the penalty being that the registrar can suspend or delete the domain name if accurate and complete information is not provided within 15 days of request.
The current system has proven to have little effect in preventing the registration of domain names with false WHOIS information because registrars are not obligated to police their registration records. Policing the system is thus left to intellectual property owners and companies subjected to security attacks. Many registrars are cooperative in requesting updated information from their registrants upon request from IP owners and others, but not all registrars carry through with suspension or deletion of a domain name if the registrant does not timely provide accurate WHOIS information.
To help address these issues, NGPC has passed a resolution that will require ICANN to verify the accuracy of WHOIS data provided for registrations in the new gTLDs. Under this resolution, ICANN will be obligated to perform a sampling at least twice a year “of WHOIS data across registries in an effort to identify potentially inaccurate records.” ICANN will do so using a software tool it is developing and that is reportedly near completion.
ICANN is supplementing these requirements with changes to the Registrar Accreditation Agreement (RAA) that all registrars will be obligated to sign to register names in the new gTLDs. The new “2013 RAA” includes a section called the “WHOIS Accuracy Program Specification” that requires registrars to perform certain validation checks of contact information provided in a domain name registration. These checks include validating the presence of data in all fields and validating that telephone numbers and street addresses are in the proper format for the applicable country or territory. More importantly, however, the Specification requires that registrars (a) “[v]alidate that all postal address fields are consistent across fields (for example: street exists in city, city exists in state/province, city matches postal code) where such information is technically and commercially feasible for the applicable country or territory”; and (b) verify that either the email address or telephone number in the application are correct by contacting the registrant through either the email address or telephone number and “requiring an affirmative response through a tool-based authentication method such as providing a unique code that must be returned in a manner designated by the Registrar.” With regard to the latter, if the registrant does not properly validate the telephone number or address, the registrar is obligated to either manually verify the information or suspend the domain name until the information is verified.
How effective the new safeguard and 2013 RAA Specification will be is unclear. There is no indication of how ICANN’s WHOIS verification tool works or how effective it will be at identifying false or inaccurate WHOIS data. It is also unclear whether the tool will have any impact with regard to domain names registered through privacy services. The WHOIS information for such domain names is the contact information of the privacy service. The WHOIS information may thus look correct to ICANN’s software, even though false contact information may have been provided by the registrant to the privacy service.
The NGPC’s resolution also provides no direction as to what ICANN must do with the inaccurate WHOIS data it collects. Presumably, ICANN will provide this information to registrars, who will then act on the information. However, there is no requirement that ICANN do so, and no penalty if registrars fail to act on the information. Nevertheless, if the information ICANN collects is reported to registrars, registrars may be more proactive in acting on the information and suspending domain name registrations with false or incomplete WHOIS information than registrars are at present with regard to reports of false WHOIS information reported by trademark owners and others. The combination of the new NGPC-approved safeguard and the changes incorporated in the 2013 RAA are thus positive steps for trademark and copyright owners.
Contractual Agreement by Registrants Not to Engage in Abusive Activity
A second safeguard adopted by the NGPC, and incorporated into the recently approved NGRA, requires registries of new gTLDs to include in their contracts with registrars a provision that obligates those registrars to include in their contracts with registrants a prohibition against “distributing malware, abusively operating botnets, phishing, piracy, trademark and copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law….” The safeguard adopted also requires the registries to require their registrars to specify consequences for any registrant engaging in the above activities, “including suspension of the domain name.”
Although a beneficial addition to the registry agreement, the safeguard may prove to be of only limited benefit to copyright and trademark owners. Registrars and registries are not obligated to police domain names for infringements by their registrants, and registrars are not obligated to take action if a registrant is engaged in such conduct (such as deletion or suspension of the domain name).
Nevertheless, there may be a few benefits to trademark and copyright owners from this safeguard:
- The safeguard may cause registrars to adopt stronger policies regarding the consequences for use of a domain name to engage in trademark or copyright infringement, and the safeguard may make registrars more willing to suspend or delete domain names if such conduct is brought to their attention.
- The registrant’s agreement to this new contractual provision could be cited as evidence that a domain name registrant’s infringing or abusive activity was knowing and willful in support of a claim for punitive damages and/or attorneys’ fees against the registrant.
- The provision may serve to deter individuals from registering domain names for infringing or abusive purposes (although we do not harbor much hope this will prove to be true).
Checks for Security Threats
The third safeguard adopted by the NGPC, and also incorporated into the new gTLD registration agreement, requires registries to “periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets.” Because this obligation to scan domain names for abusive behavior does not cover infringing activity, counterfeiting or piracy, it may be of less benefit to trademark and copyright owners. Still, domain names that infringe trademark rights or traffic in pirated copyright material may lure in Internet users confused about the nature of the website and harm those users with malware or other abusive activity. If this safeguard is effective, it could serve to protect trademark owners from damage to the reputation and goodwill of their marks.
Unfortunately, at this time the safeguard adopted by the NGPC only requires registries to maintain reports on the number of security threats identified and to provide the reports to ICANN upon request. According to the NGPC, the details of how registries will implement these security checks and what the consequences will be for domain names found to be harboring security threats were purposefully left undefined so that the NGPC could solicit comments and debate on these matters. The NGPC’s hope is that “this will permit Registry Operators to enter into agreements as soon as possible, while allowing for a careful and fulsome consideration by the community on the implementation details.” While this strategy may prove successful, IP owners are currently left uncertain as to whether this safeguard will provide any protection for them.
Several New gTLDs Put on Hold
In addition to considering the safeguards discussed, the NGPC also considered additional safeguards that GAC has recommended for a subset of new gTLDs that are “linked to regulated or professional sectors.” GAC has expressed concern about the “implied trust” consumers will place in these particular new gTLDs, and recommended additional safeguards to ensure registrants of these new gTLDs comply with any applicable legal or regulatory frameworks applicable to those “regulated or professional sectors.” Among the new gTLDs identified by GAC in its non-exhaustive list are <.poker> and <.casino>, due to their connection to the gambling industry; <.healthcare> and <.medical> due to their connection to the health care industry; and <.game>, <.data> and <.media>, due to their possible implication of intellectual property laws.
The NGPC expressed concern that these additional proposed safeguards were “untimely, ill-conceived, overbroad, and too vague to implement,” and resolved to initiate discussions with GAC to clarify the scope of the proposed safeguards. In the interim, the NGPC resolved that the gTLDs identified in GAC’s proposal would be placed on hold pending the resolution of its discussions with GAC.
A full list of the domain names identified by GAC as being linked to regulated or professional sectors can be found here, at pages 9 and 10. Though the additional safeguards recommended by GAC could have a significant effect on both registries and IP rightsholders, of immediate interest is the fact that a large number of the new gTLDs will not be available as soon as anticipated.