ICANN is MIA on .XYZ by Philip Corwin, Internet Commerce Association

Internet Commerce Association logoThe .XYZ opt-out domain registration situation has been a major focus of domain industry press reports since the registry’s recent launch. But it raises more than questions about how to properly rank the “success” of new registries and whether unsavory practices are involved.

The more critical inquires that should be made are whether ICANN is effectively and affirmatively enforcing registrar and registry contractual agreements; whether it conducts sufficient background checks on new gTLD registry applicants – and, most important, whether involuntary “registrants” are being subjected to potential trademark infringement liability without affirmative intent or consent.


By now anyone who’s part of the domain investment or broader ICANN community is aware of the curious saga of the recently launched .XYZ registry. Soon after its young CEO boldly stated, “We hope to reach 1 million .XYZ registrations in the first year and 5 million registrations in the first three years.”, the registry launched with a remarkable total of nearly 18,000 registrations on its first day, a total that has quickly grown to more than 100,000.

But it was soon noted that “the zone files showed that over 70% of all .XYZ registrations had been made at NetworkSolutions, an expensive registrar that has a less than 5% share of most new gTLD registrations.” (The NetSol percentage of .XYZ registrations has reportedly since climbed to more than 85%.) Then it was further discovered that the surprisingly large number of registrations was not the result of affirmative registration decisions made by individuals responding to a compelling marketing or incentive campaign, but to a NetSol decision to give away “free domains”, most  matching domain names  already owned by its customers, if they did not “opt out” of the involuntary domain registration in response to an e-mail.  That revelation prompted one of the two organizations tracking new gTLDs to delete all NetSol-supplied free .XYZ names from its gTLD rankings, dropping .XYZ from its number one position to “number 14 on the list of most registered new gTLD’s with just under 15,000 registrations”. Yet some individuals are still attempting to resell .XYZ domains for substantial monetary gains to uninformed individuals by touting its NetSol-inflated gross registration numbers.

These events gave rise to the question of whether the .XYZ registry had made arrangements with NetSol to embark on this promotion and thereby turbocharge its initial registration numbers. But in a published interview, its CEO Daniel Negari  stated:

Each Registrar (or store) then makes its own decision on the retail price it wants to charge for the different domain names (products) it offers.

We have over 200 registrars from all around the word in all languages offering .xyz domain names. I do not know the details of every promotion or marketing campaign that they are doing every day.

Here is what I do know:

Regardless of whether a registrar charges $100, $5, or gives the domains away for free, I get paid the ENTIRE wholesale price, which is the same price that every registrar pays.

Yet there remains no explanation for why NetSol embarked on this aggressive campaign for this one new gTLD registry.

Regardless of whether the registry had any active part in encouraging NetSol’s actions, it continues to proclaim that “.xyz became the first new domain extension to cross the 100,000 registration mark”. But among professional domain investorsthe damage to the registry’s reputation has been done and is likely permanent. As one respected industry observer recently observed:

With NetSol you have a registrar that is three times more expensive than other registrars making themselves an even less attractive option by telling customers we will decide what domains are put in your account instead of you!

…With .XYZ you have a registry that has proclaimed themselves the next .com but instead are proving themselves not to be an alternate .com but an alternate reality based on fictional numbers of real registrants. Instead of becoming the next .com they are in danger of becoming the next .tk – the ccTLD for the obscure Pacific Ocean territory of Tokelau that gives away its domains for free.

Is deception really the business plan a registry expects to succeed with? While declaring oneself the winner based on a blatantly stuffed ballot box still happens in places like Syria it is generally regarded as poor form in the rest of the world (and is certainly not a good calling card for any business).

Of course new gTLD skeptics are loving this, saying that it proves the new extensions are already on the ropes, having so little of value to sell that they have to resort to giving the product away (and not just giving it away, but forcing it upon people who never asked for it) and then trumpeting inflated numbers. As you would expect registries that are doing it the right way hate that they are being unfairly painted with the same brush. I’ve seen key executives from at least three other new gTLD registries publicly post their dismayover how this is tarnishing the entire new GTLD program.So far the discussion within the domain industry has mostly been about what arrangement if any existed between NetSol and .XYZ and how to dissect new gTLD registration numbers to meaningfully decide which ones are successful – should it be based on gross registrations, registry revenues, or websites that have been actively developed?

But that misses two other big issues.

What about the rights and potential legal liability of the registrants who have been involuntarily signed up for these “free” .XYZ domains?

And, presuming that someone at ICANN monitors the domain industry press that has been feverishly reporting this story, why hasn’t it stepped forward to announce that, for the protection of registrants and the integrity of the new gTLD program, it is investigating to see whether either party is in violation of its contract with ICANN.?

After all, ICANN’s CEO proclaimed last year that registrants were its number one concern.

Given continued community misgivings about the effectiveness of ICANN’s contractual compliance enforcement efforts, as well as the intense scrutiny it is undergoing in conjunction with stakeholder consideration of the IANA functions transition and accompanying enhanced accountability mechanisms, you’d think the organization would welcome a chance to demonstrate that it doesn’t need a third party monitor to tell it that it should look into this type of situation and take appropriate action.

For starters, NetSol may be creating potential trademark infringement liability for these involuntary registrants. As has been reported, “Clear-cut cases of cybersquatting seem to be among those .xyz domain names that Network Solutions has registered to its customers without their explicit request…They’re all registered via NetSol’s Whois privacy service, which lists the registrant’s “real” name in the Whois record, but substitutes mailing address, email and phone number with NetSol-operated proxies.”

One website cited in that article is www.disneytime.xyz . That parked website features a Network Solutions corporate name and logo in the upper right hand corner along with an “under construction” notice, and has links to entertainment-related topics such as “Top Ten Music Artist” and “Pop Hits Music”. Clicking on any of those links brings one to yet more pages with pay-per-click (PPC) ad links. Overall, the parked page appears to be under NetSol’s control and presumably they choose the PPC link labels and receive any income derived from the ads. (Ironically, there is also a link on the bottom of the page labeled “Trademark Free Zone” – clicking on that takes one to http://imptestrm.com/ which has links to such topics as “Cheapest Insurance” and “Lose Weight”.) It would be interesting to get the opinion of the Disney Corporation regarding the propriety and legality of an ICANN-accredited registrar involuntarily registering this domain on behalf of a customer who failed to opt-out — and then populating it with music-related ad links.

“Registrants” shouldn’t be involuntarily exposed to the potential of receiving a cease-and-desist letter, much less being the target of UDRP or URS arbitration or even a trademark infringement lawsuit. As for the trademark owners, they may not have effective recourse to a UDRP or URS arbitration action. One element that must be proven by a complainant is “bad faith registration”, and bad faith involves affirmative intent – and there’s not much intent involved with a failure to click on an opt-out link in an e-mail that may not even have been read. (But there is a plausible argument that NetSol might be considered the actual registrant for dispute resolution purposes, since it chose the domain name and completed the registration absent any clear direction from its customer.) There’s also the legal twist that, where NetSol matched the registered .XYX domain to one the customer already had in an incumbent registry, the existing customer agreement with a registrant in such legacy gTLDs does not include consent to be subject to the Trademark Clearinghouse (TMCH) and Uniform Rapid Suspension (URS).

And that raises another critical question: If any of these opt-out registrations of infringing domains triggered a Trademark Claims Notice to the involuntary registrant, did any of them ever see it and have a second opportunity to opt-out at that point? After all, as described above, the registrant’s real name was listed in the WHOIS record, but not their e-mail address; instead, the listed address was for NetSol’s proxy service. Did NetSol receive any Claims Notices and go ahead and register the domain anyway without passing that Notice along to the “registrant”?

There’s also the matter of whether involuntary registrations are in compliance with the 2013 Registrar Accreditation Agreement (RAA) entered into by all those selling new gTLDs. Section .7.7 states, “Registrar shall require all Registered Name Holders to enter into an electronic or paper registration agreement with Registrar”. An opt-out procedure arguably fails to satisfy that requirement. NetSol reportedly tried to get around that by including, as a less than conspicuous footnote in its e-mail, this statement, Please note that your use of this .XYZ domain name and/or your refusal to decline the domain shall indicate acceptance of the domain into your account, your continued acceptance of our Service Agreement located online at http://www.networksolutions.com/legal/static-service-agreement.jsp, and its application to the domain.” But it’s not clear that any court would view that as satisfying the RAA’s contractual requirement.

The RAA also contains an addendum titled “ADDITIONAL REGISTRAR OPERATION SPECIFICATION” that includes a statement of “Registrants’ Benefits and Responsibilities”. One of those rights is, “You shall not be subject to false advertising or deceptive practices by your Registrar or though (sic) any proxy or privacy services made available by your Registrar. This includes deceptive notices, hidden fees, and any practices that are illegal under the consumer protection law of your residence.”

Is an opt-out registration a deceptive practice and notice, or illegal under any national law, and thereby in violation of that registrant right? It could well be. Further, if a registrant involuntarily received a free .XYZ domain, and had previously opted for automatic renewals of its domains held by NetSol, would reregistration a year hence at a hefty fee be an unfair and deceptive trade practice? Those are questions that the Federal Trade Commission (never a fan of the new gTLD program) or other national consumer protection agencies, as well as states’ attorney general, might want to investigate, especially if ICANN doesn’t move quickly.

Overall, this situation appears to raise the most significant questions about the effectiveness of the RAA and ICANN’s compliance enforcement since the Registerfly fiasco of early 2007. It is not of the same character, since that situation involved a registrar stealing customer domains and funds, but it is still quite disturbing. Back in 2007 then-ICANN CEO Paul Twomey declared, “What has happened to registrants with RegisterFly.com has made it clear there must be comprehensive review of the registrar accreditation process and the content of the RAA. This is going to be a key debate at our Lisbon meeting scheduled for 26–30 March 2007. There must be clear decisions made on changes. As a community we cannot put this off…Registrants suffer most from weaknesses in the RAA and I want to make sure that ICANN’s accreditation process and our agreement gives us the ability to respond more strongly and flexibly in the future.”

While the 2013 RAA is substantially stronger on paper than the one in use seven years ago, in the end it is only as strong as ICANN’s compliance enforcement makes it.

As for the .XYZ registry , if it did have some arrangement with NetSol to undertake this involuntary registration program, and if it involved any consideration not offered to other registrars, that would raise the question of whether it is in violation of its Registry Agreement, as Section 2.9 of that contract requires non-discriminatory access for all registrars.

There’s also an open question regarding the efficacy of the ICANN background check for new gTLD registries and their top executives. The CEO of .XYZ, along with his company Cyber2media, were the lead defendants in a Lanham Act lawsuit filed by Facebook on July 22, 2011, months before the new gTLD application window opened in January 2012. That complaint alleged four separate violations of the Lanham Act as well as two other civil counts. Further, the scheme that defendants were alleged to be engaged in was far more sophisticated than the one described above for disneytime.xyz. According to the lawsuit, rather than landing on pages that were clearly parked, consumers who mistakenly typed in typographic variations of Facebook were redirected to websites that mimicked Facebook’s design and used its distinctive marks and logos. They were then invited to take part in social media “surveys” and thereby have a (fictional) chance to win a MacBook, iPad, or iPhone — in exchange for divulging proprietary personal information including their phone number and e-mail address.

Of course allegations are not proof of guilt, and this lawsuit appears to have been dismissed against those two defendants within days after the .XYZ application was submitted to ICANN. But, if only to inform ICANN of potential background check alterations for the next round of the gTLD program, it would be useful to know whether this very relevant litigation was revealed in that application – and, if not, whether the background screeners conducted a simple web search that should have brought up information about the lawsuit – and in either event what further investigation was undertaken and resolved.

Summing up, there’s a lot more at stake in this situation than which registry has the most registrations.

There are significant contract compliance and consumer protection issues, compounded by possible involuntary trademark infringement. Thousands of registrants are directly affected, and all registrants are potentially at risk. Can it really be permissible for any ICANN-accredited registrar to involuntarily assign new gTLD domains to existing customers on an opt-out basis, given the substantial potential legal liability that accompanies domain registrant status? If that is permitted then we could see hundreds of thousands or even millions of involuntary domain registrations occur over the coming months as hundreds of new gTLDs become available to the general public. Aside from the risks to “registrants”, such a development could substantially erode the public perception and reputation of the entire new gTLD program – and of ICANN.

It should be as simple as ABC for ICANN to realize it needs to step up to the plate and take responsibility for initiating   a full inquiry and report on what has transpired in the initial .XYZ registration phase. The answers are important for registrants, for registrars who don’t engage in opt-out registration practices, and for the other operators of new gTLD registries who are busy trying to create value that attracts willing registrants.

It’s also of immense consequence for ICANN’s own reputation as a critical time in its history. As the community is beginning to deliberate on enhanced accountability measures to accompany the IANA functions transition, it would be exceedingly useful for ICANN to demonstrate that it can act of its own volition and investigate suspicious situations involving contracted parties — and hold them duly accountable if transgressions are found.

This article by Philip Corwin from the Internet Commerce Association was sourced with permission from: