2017-04-28T14:29:00-08:00
The internet has changed and evolved ever since its ancestors first came to life in the late 1960s. Some technology fades away and is forgotten; other aspects continue but are overlaid, like geological sediments, so that they are no longer visible but are still present under the surface.
The Domain Name System — both the technology of DNS and the deployed naming hierarchy we all use — is among those aspects of the internet that, although they feel solid and immutable, are slowly changing underneath our feet.
Act I: In Which DNS Fades to Translucent Grey
Internet Domain Names had a good twenty-year run from the early days of the World Wide Web (1995) through 2015. Some people made a lot of money through domain name speculation. Others made money by wallpapering Google Ad Sense advertisements over vacuous websites. And a busload of attorneys made a good living chasing down shysters trying to make a buck off of the trademarks of others. And through its perceived control of domain name policy, ICANN grew into an ever-bloating, money-absorbing bureaucracy worthy of Jonathan Swift.
But things are changing. The days of domain names as the center of internet policy and internet governance are ending. Domain name speculation will slowly become a quaint shadow of its former self.
What is driving these changes?
It is not that the Domain Name System (DNS) is becoming less important as a technical way of mapping structured names into various forms of records, most often records containing IP addresses. Nor is the Domain Name System used less than heretofore. Nor are the knights of intellectual property becoming any less enthusiastic about challenging every domain name that they feel does not pay adequate homage to the trademarks they are protecting. And national governments continue to believe that domain names are the holy grail of levers they can use to impose their views of right and proper behavior onto the internet. All of that remains.
And it will remain. What is happening to DNS is more subtle: Domain names are slowly becoming invisible.
For many years internet users could not avoid domain names. DNS names were highly visible. And domain names were everywhere. DNS names were part of e-mail addresses, DNS names were prominent parts of World Wide Web URLs, and DNS names that were based on words formed a rough, but useful, taxonomy of web content.
But the sea-level of internet technology is slowly rising. We now live in a world of web search engines. We now have personalized lists of "contacts". We now use a profusion of "apps". And we now spend much of our online lives inside walled gardens and social networks (such as Facebook, Twitter, or various games).
Even in places where users formerly uttered or typed email addresses (containing domain names) or web addresses, we now enter keystrokes or words that are used by user interface code to search for the thing we want and make suggestions. For example, when I send an e-mail, I usually don't need to type more than two or three characters of the name of the desired recipient; for every keystroke the software goes to my contact list, does a search, and shows me the possible outcomes. Similarly, on web browsers the old "address bar" has become a place for the user to send search targets to a web search company. In both of these examples the user no longer really deals with domain names (even though in both of these examples there are domain names — sometimes visible, sometimes hidden — underneath the search results).
In the world of apps, games, and walled gardens there may not even be a way for a user to utter a domain name. And if a user does mention a domain name it is frequently in the form of a shortened URL that has no resemblance to the actual domain name of the target resource. You can confirm this by asking yourself: "When was the last time I used a domain name while using Facebook or Twitter, or when playing my favorite game?"
Few of us have ever used a domain name when giving an order to an Amazon Echo [...]
2017-04-28T10:51:00-08:00
Words (and by extension their constituent letters) are as free to utter and use as is the air sustaining life. No one owns them. There is no toll fee to be paid to dictionary makers who curate them. There are, however, two carve-outs from this public domain, namely words and letters businesses use as designations of origin for their marketplace presence, protected by trademark law; and words and letters arranged expressively by authors, protected by copyright law. The rights accruing to persons under these carve-outs — trademark more ancient than copyright (circa 1610) — have their roots in statutory and common law.
Another carve-out of more recent origin has emerged based on contract rather than legislation relating to the registration of domain names. The first to register words and letters as domain names essentially owns and controls them for the duration of their registrations, which could be unending with renewals.
It will be recalled that when the Internet Corporation for Assigned Names and Numbers (ICANN) implemented the Uniform Domain Name Dispute Resolution Policy (UDRP) at the end of 1999, there were approximately 7 million domain names. Today there are over 340 million domain names; 142.7 million of which are country code domains, approximately 127 million are in the dot com space and New TLDs account for approximately 26 million. The precise current counts can be found on the Verisign website; counts from 1998 to 2009 can be found at http://www.zooknic.com/Domains/counts.html.
The question is, who is acquiring all of these domain names and for what purpose? There are two principal groups of registrants of domain names, namely commercial businesses (including mark owners) and domain name investors. Businesses acquire domain names to create or maintain a presence on the Internet corresponding to their presence in the actual marketplace. In the main, they register the domain names they need.
In contrast, domain investors (as distinguished from cybersquatters) from the nascent years and thereafter steadily expanding their business models have been active in vacuuming up every word in general and specialized dictionaries as well as registering strings of arbitrary characters that could also be acronyms. What they have done and the reason for doing it (and continue doing particularly in the dot com space) is summarized in Steve Forbes' 2007 press release (an age ago, but no less relevant), namely that the Internet had created a new market analogous to the market in real property: "Internet traffic and domains [he said] are the prime real estate of the 21st century. This market has matured, and individuals, brands, investors and organizations who do not grasp their importance or value are missing out on numerous levels." This means (as investors see it) that domain names are not just addresses in cyberspace; they are "prime" properties.
As the numbers of registered domain names held by domain investors have increased, the free pool of available words for new and emerging businesses has decreased. Put another way, there has been a steady diminution of the public domain of words and letters for use in the dot com space that corresponds in reverse to the increase in the number of registered domain names.
This is not just anecdotal exaggeration. The situation I'm describing for the dot com space is made explicit in Verisign v. XYZ.com, 15-2526, pg. 9 (4th Cir. February 8, 2017). The evidence in that case indicated that "99% of all registrar searches today result in a 'domain taken' page." The Court noted further that "Verisign's own data shows that out of approximately two billion requests it receives each month to register a .com name, fewer than three million — less than one percent — actually are registered."
The mass acquisition of domain names (again, I'm referring in particular to the dot com space) has resulted in commodifying words and letters (in essence locking them up) for the purpose of holding or using them for profit; in essence transfor[...]
2017-04-27T12:28:01-08:00
Despite the launch of more than 1,200 new gTLDs, .com remains far and away the most popular top-level domain involved in domain name disputes.
In 2016, .com domain names represented 66.82 percent of all gTLD disputes at the World Intellectual Property Organization (WIPO), the only domain name dispute provider that publishes real-time statistics. And, as of this writing, the rate is even higher so far in 2017, with .com domain names accounting for 69.78 percent of all disputes.
Not surprisingly, the overall trend since the launch of the new gTLDs shows .com appearing in a smaller percentage of cases under the Uniform Domain Name Dispute Resolution Policy (UDRP). For example, in 2012, when the new gTLD applications were unveiled, .com domain names represented 74.84 percent of all gTLD disputes at WIPO.
Of course, some new gTLDs are appearing in UDRP cases, with 13 new gTLDs represented in 10 or more UDRP cases at WIPO in 2016: .xyz, .top, .club, .online, .vip, .store, .website, .cloud, .site, .space, .shop, .lol, .date.
But, the discrepancy between .com disputes and others is tremendous (as the chart above shows): WIPO saw 3,120 .com domain names in dispute proceedings last year, but the most-commonly disputed new gTLD — .xyz — appeared only 321 times.
As I've written before, the large number of new gTLDs probably contributed to a record number of UDRP disputes in 2016. But it's clear that new gTLDs are accounting for relatively few disputes.
Trying to understand why new gTLDs don't appear in more UDRP proceedings is pure speculation, though a couple of explanations seem reasonable:
New gTLD registrations account for a small percentage of all domain names. While there were 329.3 million total domain name registrations (with .com accounting for 126.9 million of those) as of the end of 2016, there are currently fewer than 29 million new gTLD registrations.
Therefore, there is simply a relatively small number of gTLD registrations that could be subject to a dispute.
Trademark owners care more about .com domain name registrations and how they are being used. While new gTLDs are bothersome to many trademark owners, their limited appeal makes them less important to dispute.
Written by Doug Isenberg, Attorney & Founder of The GigaLaw Firm
More under: Cybersquatting, Domain Names, Top-Level Domains [...]
2017-04-27T10:10:00-08:00
One thing was clear from a recent presentation by the new leaders of the SF-Bay Internet Society (ISOC) Chapter Working Groups: inclusion and collaboration will be the key to these groups' success.
As Dr. Brandie Nonnecke, the Internet Governance Working Group (WG) Chair said, "We haven't yet cracked the code on what 'multistakeholder' means." But that won't stop her and Dr. Jaclyn Kerr, the Data Protection, Privacy, and Security WG Chair, from trying. At a recent Chapter Event held on April 10th, 2017, these two innovative leaders laid out an ambitious plan to bridge silos and foster open dialogue in order to work towards the Internet Society's mission that the Internet is for Everyone.
Focus Areas
These newly-launched Working Groups will focus on the interest areas of the SF Bay Area Chapter members, as determined by their responses to a recent survey. There are three in total: Internet Governance; Data Protection, Privacy & Security; and Internet of Things (IoT), Internet Technologies & Access.
Internet Governance
For the Internet Governance Working Group, Chair Brandie Nonnecke laid out a plan that includes supporting interdisciplinary research, publishing position papers and policy briefs, organizing workshops, symposia, and activities, and supporting a fellowship programme. The goal is to educate and engage stakeholders not traditionally involved in Internet governance. Brandie is well-suited to achieve this goal: she is a PhD whose research focuses on multistakeholderism in internet governance and information and communication technology (ICT) policymaking at the Center of Information Technology Research in the Interest of Society (CITRIS) and the Banatao Institute, UC Berkeley. The WG group is now accepting members; help drive the agenda by applying to join the WG.
Data, Privacy, Security
For the Data Protection, Privacy, and Security Working Group, Chair Jaclyn Kerr discussed the urgency of this issue: due to government surveillance and data breaches, there are serious threats to our online security and privacy. Even at the top level of government, there have been security breaches. Jaclyn discussed working in collaboration with the other WGs and fostering discussion between those involved in tech, civil society, civil liberties, security and academia. Jaclyn is a Postdoctoral Research Fellow at the Center for Global Security Research (CGSR), Lawrence Livermore National Laboratory, where her research focuses on cybersecurity and information security strategy, Internet governance, and the Internet policies of non-democratic regimes. Apply to join this WG.
IoT
And last but not least, in the IoT, Internet Technologies & Access Working Group, the focus will be on the IoT ecosystem, issues around access, critical Internet infrastructure, innovation and open standards. As more and more devices connect to the Internet, we need to ensure that security concerns, critical resources like IPv4 and IPv6 address space, and technology standards are addressed. Mischa Spiegelmock, who unfortunately could not attend the Chapter Event due to travel, chairs this WG. Mischa is a software engineer who currently leads an engineering team at MVS Technical Group Inc., and specializes in information security, database-driven applications, systems programming, UNIX and C. To get involved, apply to join this working group.
Opening Doors
So many decisions about Internet governance, security, and infrastructure happen behind closed doors. The more technical the topic is, the more difficult it is for everyday citizens to get involved, which is a vulnerability for all of us. These Working Groups, the SF-Bay Area Chapter and the Internet Society exist to change that.
"The Internet touches every part of our lives and everyone should be equipped with enough knowledge to enable them to have a say in how it is run," says SF-Bay Area Chapter President and Chair, Susannah Gray. "The SF-Bay Area Chapter provides a neutral platform[...]
2017-04-27T06:20:00-08:00
In March, I posted a call to action to those of us in the community who have the inclination to fight against a movement to redact information critical to anti-abuse research. Today, I felt compelled to react to some of the discussions on the ICANN discussion list dedicated to the issue of WHOIS reform:
Sorry, not sorry: I work every working hour of the day to protect literally hundreds of millions of users from privacy violating spam, phish, malware, and support scams. Should access to WHOIS data be redacted in any way beyond what it is at present, my work will be made impossible.
I spend 90% of my day in WHOIS data, the other 10% sculpting the data in a manner to provide reason and proof to hosting providers and registrars to take action against real-life criminals on their networks.
I also prepare cases for law enforcement to act upon. Contrary to popular belief in some quarters, LE cannot possibly begin to know about the stuff I (and my many, many colleagues) see until we tell them. That's how it works. Any of the big botnet and crime ring take-downs and arrests you've ever seen have involved a public-private collaboration between individuals, researchers such as myself, and law enforcement.
So, I'd like to issue congratulations to all those who want to redact. You will, without a single iota of uncertainty, expose many more people to real — not potential or hypothetical — privacy issues of a far more serious nature than you could possibly imagine, all in the badly mangled, misguided, and muddleheaded notion of what privacy actually is in the real world. 'Cut off your nose to spite your face' has never been more apt.
I hope you tell your Mom, family and your friends what you are trying to do here, while I spend my time trying to protect them from real evil: Revenge porn. Identity Theft. Plain old theft. Stalking. Photographic representation of the rape of children. Trolling, leading to the destruction of people's lives.
Emptied bank accounts. Tell them you don't want me to be able to do my job, and that you are trying to make it impossible, because you think access to the data that has been public and without challenge under the world's privacy laws for twenty years is better off limited to the point of uselessness, sacrificed on some misshapen altar of privacy.
If I sound angry at what you are attempting to do, then I've hit my mark. I am furious. The security sector is furious. We are terrified that you may have any degree of success in this regard, because you apparently don't know, or don't care what the actual results will be.
Placating with 'gated access' means there will be some among my peers and colleagues, far more talented and effective than I, who simply cannot gain access, and the resulting mess will be on your head, and at risk of overstating my case, the blood on your hands.
So again, congratulations. Mother's Day is coming up. Be sure to make mention of this in the card you send.
Now, if you'll excuse me, I'll go back to diving in the data lake of WHOIS, trying to keep spam and far worse evil off've your network. K bye tnx.
Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
http://cauce.org
Twitter: @cauce
Written by Neil Schwartzman, Executive Director, The Coalition Against Unsolicited Commercial Email - CAUCE
More under: Cyberattack, Cybercrime, DDoS, DNS, Security, Spam, Whois [...]
2017-04-26T07:32:00-08:00
As an admin, app security should be a top priority - but SaaS apps represent a difficult challenge in that regard. How can you protect your business from their risks, while enjoying all their rewards?
Within the average enterprise, there are 508 unique cloud applications in use. That number's overwhelming enough on its own without considering that 88% of those applications aren't enterprise ready, or the fact that one in five cloud applications has data sharing as a core functionality. Allowing your employees to use these apps freely is like installing a screen door on the side of a boat - sure, it might not sink your organization, but it's still a huge risk.
Of course, the challenge is that where SaaS apps are concerned, you as an administrator have very little control. People are going to rely on the functionality these apps offer in an effort to get their jobs done. That's inevitable. The only thing you can control is whether or not your data is protected as they do so.
At its core, that's tied to whether or not your users look upon you as a productivity enabler or just another obstruction. Let's talk about how you can be the former.
Talk To Your Users
If your users are employing third-party, consumer-grade SaaS apps in the workplace, then it's blindingly clear that they've some productivity need your business's standard tools aren't meeting for them. You have to find out what that need is - determine the functionality your users require in order to effectively do their jobs. I guarantee that for every single unsecure app your users employ, there's an enterprise-ready alternative just waiting to be implemented. And it's up to you to find them. But that's only the tip of the iceberg.
Improve Your Authentication Process
There's a simple term I'd like you to familiarize yourself with: Single Sign On.
Your end goal here is to make your entire SaaS application suite part of one platform, in a sense - to allow your users to access every single application they need to get their job done while only requiring them to authenticate once. On the surface, that may sound like a huge security breach waiting to happen. Improperly implemented, it most assuredly is. But here's the thing - single sign on can actually be incredibly secure if you make use of multi-factor authentication.
Consider the following authentication process, which makes use of several 'security barricades,' but nevertheless remains secure:
An employee wishes to access their business's SharePoint repository via smartphone.
When they attempt to access the system, it immediately recognizes the device they're using - it's been registered as 'trusted.'
Said employee is then prompted for their fingerprint. They use the fingerprint scanner on their smartphone.
Finally, they're prompted to enter a four-digit PIN or username/password.
Once they've done all this, they can access not only the SharePoint repository, but every other SaaS app employed by their organization until the authentication period expires (something which can be controlled by IT).
That's actually a pretty barebones process - you can make things even more complex by introducing features such as access time and access location into the mix. But from the employee's perspective, it's pretty seamless. They simply log in, swipe their fingerprint, enter their PIN, and they're done. Better yet, the multiple checks and balances ensure that if someone does try to crack your system, they need to not only possess the employee's physical device (which can easily be reported as lost or stolen), but also their fingerprint and their login info. Sure beats using RSA Tokens and Smartcard Readers, doesn't it?
Rethink Your Protocols
According to Search Cloud Computing, insecure access protocols are one of the most significant security risks facing SaaS applications in enterprise. With that in mind...what are you doing to protect your remote employees? Are yo[...]
2017-04-25T06:05:00-08:00
The Domain Name Association (DNA) recently commissioned Web Traffic Advisors, with supporting analysis from Kevin Rowe of Rowe Digital, to do an independent study, Hidden Advantages of Relevant Domain Names, to answer the following question: Can domain name extensions, especially meaningful or relevant domain name extensions (e.g. .Club, .Online, .Rocks, .Today), have the same opportunity as traditional or more generic ones (e.g. traditional .Biz, .Com, .Info, .Org)?
The answer is yes! Companies that want to compete for visibility in search engines — either organically or through paid search — are discovering that they can do so with keyword-rich domain name extensions. Utilizing relevant domain name extensions that map more directly (on both the left and the right side of the dot) to frequently searched descriptive terms can fast-track search rankings.
To view the full infographic and report summary, visit here.
The top takeaway is that keyword-relevant domain name extensions stand on equal ground when it comes to organic search performance. Plus, relevant domain name extensions required fewer inbound links to rank in the top page search spots than their traditional and more generic .Com and related counterparts based on the case studies and keywords examined.
This finding is a pretty big reveal from a search engine optimization (SEO) perspective because there have been years of speculation and even research around the idea that having the keyword in the URL itself is helpful. While there has always been a lot of evidence that points to that conclusion, it has been a bit of a leap to confirm that a keyword-relevant domain name extension would also be of value in search rankings.
Many marketers have favored sticking with a traditional domain with a keyword to the left of the dot such as healthinsurance.com, over a domain name extension like health.insurance with keywords on both sides of the dot.
However, the study confirms that keyword-relevant domain name extensions are doing very well without having to create the same amount of inbound links generated by keyword-rich web pages, content and social media. So, how is it possible that relevant new domain name extensions can rank so well for high-volume keyword searches and also have visibility for related modified terms? Here's why: Good rankings can be achieved by domains with relevant extensions with lower "Domain Authority," which is a scoring system developed by several technology firms serving the industry that is used to measure the relative number and quality of links pointed to a website's domain name from pages on other websites. Relevant domain extensions in the study had a low Domain Authority, an average of 4, yet they ranked with near equal results to more established domains with much higher Domain Authority. As a result, unique, relevant domain name extensions rank frequently on top pages of the search results alongside .Coms, which have a Domain Authority average of 33, according to Rowe Digital Research. This means that relevant domain names have the opportunity to rank well in categories with less overall Domain Authority and inbound links than traditional extensions vying for those top page spots. Collectively, the research examined four case studies that form a sample set spanning across different industries, including business-to-business, retail, sports and entertainment. Each competes for very high-volume keywords being targeted by marketers and bid on by search professionals for paid search. For example, Seo.Agency, one of the four case studies (see figure below) is unique because the domain name extension itself is made up of very competitive keywords. According to the research, Seo.Agency has been able to establish a strong relevance for that term and maintain their rankings on the top three search pages with just 30 qualified keywords, attra[...]
2017-04-24T09:20:01-08:00
This week I'm going to Washington to argue against regulating Internet access as if it were phone service. Twenty years ago I was there for the same reason. My concern now as it was then is that such regulation will damage the economy and reduce opportunity by stifling innovation and protecting the current dominant players from the startups which would otherwise threaten them.
At that time the proponents of Internet regulation were mostly regional monopoly telephone companies, who were regulated themselves (and very comfortable living in a regulated environment). The then small Internet industry (including me) argued that startups were not monopolies and could not afford the batteries of lobbyists and regulatory compliance lawyers needed to survive in a regulated world. "Imagine," we said, "if each new Internet app had to be approved by some commission or another".
Fortunately, Federal Communications Commission (FCC) Chair Reed Hundt, a Democrat appointed by Bill Clinton, and a majority of commissioners agreed with us. The Commission policy on Internet regulation became one of forbearance.
The monopolists were right to worry. The Internet was disruptive. If they had won, there would be no such thing as Skype or Vonage; calls to China would still be $3.00 a minute; and 800 numbers might still be more important than websites for shopping. Google, Netflix, Facebook, and Amazon wouldn't be the companies they are today.
Hundt's successor William Kennard, also appointed by Clinton, listened carefully to all arguments and continued the policy of benign forbearance. Innovation flourished.
When Bush was elected, Internet folk were afraid that his FCC appointees would be more responsive to telco lobbying. We could no longer argue that the Internet was a fledgling industry but could and did argue the public benefits of innovation and rapidly evolving business models.
Michael Powell, Bush's first appointee as FCC Chair, and the Commission debated and then issued the "Pulver Order" declaring that Voice over IP was not a telecommunications service. That meant in practice that the FCC, whose mandate only extends to telephony services, would have no reason to regulate the Internet.
The FCC did NOT regulate the Internet from then until now. However, in the waning days of the Obama administration, the FCC promulgated a regulation saying that Internet access is a telecommunications service (regardless of whether voice over IP is involved). Therefore the FCC has the right to regulate Internet access as it used to regulate monopoly phone service. Big reversal.
Those who now want regulation are Google, Facebook, and other major Internet players. They are good marketers so this regulation is called "Net Neutrality". Who could be against a neutral Internet where all bits are equal? Ironically it is the telcos and cable companies (ISPs) who are on the other side and against reregulation; they are the ones who will be regulated.
There are four major things wrong with the "Net Neutrality" regulations as promulgated (they are not yet in effect):
All users of the Internet, as well as the economy itself, will suffer if regulation is used to throttle innovation — that's as true now as it ever was.
This regulation protects the powerhouse incumbents — Google, Facebook et al — from effective and needed competition. It protects them on one side from rich ISPs (why?) and on the other side from would-be new providers of Internet access (think mesh networks, access from drones, whatever) who won't be able to satisfy the regulations made for the technologies they are obsoleting.
There is probably no legal justification for the FCC regulating the Internet. FCC has jurisdiction over basic telecommunications service. They said the Internet isn't such a service for years; just saying it is all of a sudden a basic telecommunications service do[...]
2017-04-23T08:43:00-08:00
This report was co-authored by ZHAOHAN LI and LIU YUE.
On April 20, 2017, an 8-person delegation led by Göran Marby, President & CEO of ICANN, visited China Academy of Information and Communication Technology (CAICT). Madam Liu Duo, President of CAICT, met with Mr. Göran Marby and the delegation. After the meeting, Mr. Marby attended the Chinese Internet Community Seminar held jointly by CAICT and ICANN Beijing Engagement Center. It was Mr. Marby's first visit to China after being appointed as the President and CEO of ICANN, and also the first time for him to attend the Chinese Internet Community Seminar and exchange opinions with Chinese Internet Community members face to face.
[Photo: Göran Marby, President & CEO of ICANN, attending the Chinese Internet Community Seminar held jointly by CAICT and ICANN Beijing Engagement Center]
At the seminar, Mr. Hu Jianbo, Director of Industry and Planning Research Institute of CAICT, gave an opening speech on behalf of Madam Liu Duo to welcome Mr. Marby for his visit and participation in community activities. His speech reviewed the achievements made since the signing of the cooperation memorandum between CAICT and ICANN three years ago and noted that CAICT would be determined to play its role, to enhance its cooperation with ICANN and other parties, and to support and promote the development of the community.
Mr. Marby made a speech to express his gratitude for CAICT's efforts in promoting communication between ICANN and the Chinese Internet Community. He pointed out that ICANN attached importance to its cooperation with China and he himself was very pleased to join the community activity and was willing to hear the voice of the China Internet Community and learn from Chinese experience. He wished that ICANN enhance communication and cooperation with CAICT and the Chinese Internet Community.
During the interaction session, Mr.
Marby and his team exchanged ideas with more than 40 delegates from government agencies, domain name registries and registrars, industry organizations, research institutes, and universities in the fields of Chinese translation service improvement and enhancement, ICANN's position and roles, end user rights protection, community participation, domain name service support, capability building, ICANN official website improvement, ICANN's support for academic participation and research, and cooperation on domain name dispute resolution.
Mr. Marby highly praised the success of the China Internet Community Seminar and expressed his willingness to strengthen communication and interaction with the China community members for in-depth cooperation and long-term development.
Side note: After Göran Marby took office, China Internet Community immediately and voluntarily conducted a 3-day PDP to give Mr. Marby a Chinese name which is 马跃然. The "official" interpretation from ICANN language services provided that 马跃然 means a handsome horse is galloping happily on a beautiful grassland. It has been the most efficient PDP ICANN ever had and shows the Chinese philosophy and wisdom as well as the commitment from China community members to ICANN processes.
Written by Zhaohan LI
More under: ICANN [...]
Classified ad site craigslist is famously protective of its contents. While they are happy for search engines like Google to index the listings, they really, really do not like third parties to scrape and republish their content in other forms. In 2013 craigslist sued a company called 3taps which had created an API for craigslist data. They also sued real estate site Padmapper, which showed craigslist and other apartment listings on a map, something craigslist didn't do at the time. After extensive legal wrangling, 3taps eventually gave up and in 2015 paid craigslist $1 million and shut down. Craigslist donated the money to the EFF which was a little odd since the EFF had generally supported 3taps.
One of 3taps' other customers was another real estate site Radpad, which kept showing craigslist listings after 3taps shut down.
Radpad has since gone bankrupt, and last week the court accepted and the bankruptcy administrator did not contest an impressive settlement with craigslist.
It lists all of the bad stuff that craigslist alleged that Radpad did, including copyright infringement of about 130 craigslist listings, scraping 80,000 people's contact information from craigslist, and sending them 400,000 e-mail messages through craigslist's system in violation of CAN SPAM. (The particular violations alleged were fake return addresses and fake subject lines to make it appear that the messages were from a live person.) A detailed injunction forbids Radpad to do any of the things craigslist objected to.
The interesting piece is the damages: $60.5 million, of which $40 million is CAN-SPAM damages for the 400,000 messages at $100 each. I think that's the largest CAN-SPAM judgment ever.
It's worth noting that Radpad initially denied all of craigslist's allegations, but stopped defending the case when they went bankrupt. The bankruptcy administrator was not a target of the suit. They just added the judgment to the pile of claims against Radpad that are unlikely ever to be paid.
The judgment does allow craigslist to keep pursuing the people who did the scraping, so it's possible we haven't yet heard the last of this case.
Written by John Levine, Author, Consultant & Speaker
2017-04-21T16:54:01-08:00California was recently reminded that rain can be very dangerous. In February, the nation's tallest dam, the Oroville dam in northern California, became so overloaded with rain that over 100,000 people had to evacuate their homes. Many of them ended up at the fairgrounds, a common place for rural communities to gather in times of disaster. Many rural fairgrounds remain unconnected to broadband Internet services, which can make a dangerous situation worse. Especially during critical times, the public must be able to access resources and communicate with their loved ones through the Internet. Now imagine: What if fairgrounds did have high-speed Internet access? It could be an untapped place for opportunity, acting as a job and economic generator for rural communities and serving as a connection to a 21st-century Internet-based economy. Making this shift and bridging the rural-urban divide in this way is just one projected benefit from the Internet for All Now Act (AB 1665). A Legislative Solution Even though the California Legislature pledged to help connect 98% of Californians to the Internet by 2017, the state has not been successful in rural communities. According to the 2016 Survey on Broadband Adoption in California, 16% of Californians lack access and 14% connect only through smartphones, which means that a staggering 30% lack home broadband and a computing device. Cost is reported as the biggest deterrent to access. See a map of each district's broadband access in California: many rural areas remain underserved or unserved with broadband access. These maps find further evidence that, as the California Public Utilities Commission (CPUC) reported in April 2017, only 47% of rural households have access to reliable broadband service. In 2008, the California Public Utilities Commission (CPUC) and Legislature established the California Advanced Services Fund (CASF) to correct this digital divide. 
It provided grants and loans for the deployment of broadband infrastructure in unserved and underserved areas, as well as grants to public housing and regional associations to advance broadband deployment, access, and adoption. Funded through cent increases to the public's phone bills, the fund supported 58 projects over the last nine years. However, this is the only source of government support for broadband, and the CASF is out of money, with 6 pending projects and more in the pipeline. The Legislature is the only entity that can replenish the CASF, which is why the Internet for All Now Act is so critical. Otherwise, we will continue having a digital divide that reinforces economic insecurity amongst rural, disabled, and low-income communities. Nuts and bolts of the bill Proposed legislation, AB 1665 or the Internet For All Now Act, would expand the capacity of the government to bridge this divide. The SF-Bay Area Chapter supports this legislation's multi-faceted strategy, which would: Fund infrastructure projects that provide broadband access to no less than 98% of California households by December 31, 2023. Establish a new Broadband Adoption Account to assist low-income Californian households in getting online. Require the CPUC to biennially report on CASF to the Legislature. Require the CPUC to identify priority unserved and underserved areas and delineate the priority areas in the biennial reports. Require the CPUC to consult regional consortia, stakeholders, and consumers regarding priority areas and cost-effective strategies to achieve the broadband access goal through public workshops conducted at least annually. To learn more about the legislation, visit InternetForAllNow.org. What You Can Do If you're a California resident, contact your legislator today and tell them you support AB 1665. A sample script: "Hi, I'm a resident [...]
2017-04-20T13:43:01-08:00In The Limits of Filtering, Evan Engstrom and Nick Feamster argue eloquently that the costs of a "takedown-staydown" system to defend against copyright infringement would be prohibitive for online service providers (OSPs) and therefore deprive OSPs of otherwise interested investors. I agree that Engstrom and Feamster raise some valid points, particularly including that content recognition technologies are not perfect (he cites a 1-2% error rate on the specific technology he had tested) and may have costs to the OSP. However, we must also remember that the current DMCA regime imposes significant costs on content creators, particularly on small or individual artists who cannot afford the time or resources to engage in the endless whack-a-mole of notice and takedown. Moreover, the law fails to strike a reasonable balance between the legitimate needs of platforms to innovate and the needs of content creators to protect their works. The Current Notice-and-Takedown Regime As Engstrom and Feamster note, the DMCA today grants an OSP a safe harbor with regard to the storage or indexing of or linking to copyright-infringing material if they have no actual or constructive knowledge that the material is infringing, and if, once advised of the fact of infringement, they act expeditiously to remove or disable access to the infringing material. In other words, "takedown" is a remedy under law available to OSPs who wish to allow their users to share material with others online. This provision has been problematic for rights holders because identical, or substantially identical, material can simply be uploaded again after each "takedown". This creates an asymmetric, burdensome cat-and-mouse game between a holder of copyright and hundreds or thousands of deliberate infringers of that copyright, since content, once "taken" down, does not "stay" down. 
Most troublingly, this creates a massive imbalance between the interests of online service providers and the interests of small or individual artists. The difference between "takedown" and "staydown" turns on the definition of "actual or constructive knowledge" in that a service provider is presumed by courts to be unaware of the infringement status of materials until after they receive a complaint from a rights holder. This presumption is rendered invalid by today's availability of commercially reasonable technology and tools which are capable of accurately comparing and matching many types of digitized artworks — for example, older material which a service provider has taken down as a result of a complaint by a rights holder, and newer, substantially identical material which is in the process of being uploaded. Such content recognition technologies are not perfect (as noted, the Echoprint technology tested by Prof. Feamster at Princeton found an error rate of 1-2%), but the question is whether they are effective. To my mind, an effectiveness rate of 98-99% (the converse of Prof. Feamster's error rate) is clearly effective and certainly a vast improvement over today's flailing notice and takedown regime. Simple procedures can be readily adopted to address the relatively small number of false positives — such as a system by which uploaders can dispute the validity of a particular block (much as the DMCA currently provides for counter-notices). Engstrom and Feamster also point out that most piracy websites are overseas and therefore assert that amending the DMCA to implement takedown-staydown would be pointless. I believe that the United States of America should set an example for rights protection that we want the rest of the world to follow. Also, while the site's operator may be overseas, the content itself may often be found hosted on U.S. servers. There's no question th[...]
2017-04-20T13:18:00-08:00While the most common results of a UDRP proceeding are either transfer of a disputed domain name to a complainant or denial (that is, allowing the respondent to retain it), there is another possible outcome: cancellation. I'm always surprised to see a UDRP decision in which a domain name is cancelled. True, many trademark owners don't really want to obtain control of a disputed domain name (and, instead, they simply want to get it taken away from a cybersquatter). Plus, maintaining a domain name incurs an ongoing expense as the result of renewal fees, and many trademark owners already have large (and, therefore, costly) domain name portfolios. But, the cancellation remedy means that a UDRP victory may be short-lived because cancelled domain names become available for registration by anyone, including another (or even the same) cybersquatter. A trademark owner that files a UDRP complaint incurs real expense (through filing fees and legal fees) — payments that rightly could be seen as an investment. Allowing a domain name to be cancelled instead of transferred seems like a wasted investment. Here's one way of looking at the math: The least amount of money that a trademark owner could expend on a UDRP complaint is about $500 — if it files at the Czech Arbitration Court (the least expensive UDRP service provider) and prepares the complaint itself, without outside counsel. (In reality, most UDRP complaints incur total expenses of thousands of dollars.) A popular registrar such as GoDaddy charges about $15 per year to renew a .com domain name. Therefore, a trademark owner could maintain a transferred domain name for more than 30 years for less than the cost of filing the cheapest possible UDRP complaint. Under this scenario, why would a trademark owner risk having a domain name fall into the hands of another cybersquatter if it could keep the domain name for itself and avoid having to file a second UDRP complaint? 
The risk is real, as domain names cancelled in UDRP proceedings don't necessarily remain cancelled for long. For example, although the pharmaceutical company Sanofi won a UDRP complaint last year for 21 domain names, 20 were quickly re-registered (by multiple registrants) after they were cancelled and are being used in connection with websites that most trademark owners would consider problematic. True, not many trademark owners request the cancellation remedy. At WIPO (the most popular UDRP service provider), only 1.69% of all cases have resulted in cancellations. But, the number of cancellations is on the rise, reaching 2.16% in 2015 and 2.09% in 2016. What explains this (slight) increase in cancellations? One reason could be the arrival of cybersquatting in the "new" gTLDs. For example, some recent UDRP decisions that resulted in cancellations involved the top-level domains .support, .xin, .engineer, .istanbul, .host, .accountant and .bid. Perhaps the prevailing trademark owners felt that these domain names would not be attractive to other cybersquatters after they were cancelled. Whatever the reason, trademark owners should think long and hard about whether to request the cancellation, rather than transfer, of a disputed domain name in a UDRP proceeding. It would seem that a domain name worth pursuing is worth keeping. Written by Doug Isenberg, Attorney & Founder of The GigaLaw Firm
2017-04-20T11:47:00-08:00We recently wrote in response to how LegitScript is painting inaccuracies about the Canadian International Pharmacy Association ("CIPA"). With our members' 100% perfect safety record selling life-saving medications to millions of Americans for over 15 years, we are proud to participate in a regulated industry. We are also confident in the affordable solution we provide for consumers struggling with outrageous medication prices in the U.S. Given this affordable solution to predatory pricing, it is evident that LegitScript's dissemination of inaccuracies is part of a broader pattern of actions that closely parallel those of the U.S. pharmaceutical sector to extend an outmoded and dysfunctional pricing system to cyberspace. This includes misrepresenting CIPA's role in the Healthy Domains Initiative ("HDI") and operation of the .Pharmacy gTLD in a manner that is not only contrary to the Internet Corporation for Assigned Names and Numbers' ("ICANN's") Bylaws and mission statement, but elevates the protection of profits over consumer interests. (See an earlier piece here on CircleID by Jeremy Malcolm, Senior Global Policy Analyst, Electronic Frontier Foundation and Mitch Stoltz, Senior Staff Attorney, Electronic Frontier Foundation.) The Truth About HDI For the record, CIPA advised the Domain Name Association ("DNA") after it invited non-member input in 2016 that we would be happy to participate in HDI and to contribute to its online pharmacy initiative. Like many other non-members, we were ultimately disappointed to learn that DNA unveiled the HDI without asking for our input. To date, we have taken no position regarding the HDI's Rogue Pharmacy Abuse Report Proposal (the "Proposal") because the information released by DNA has failed to provide sufficient details regarding the actual operation of its envisioned system for verifying the legitimacy of online pharmacies. 
We remain ready to work with DNA to refine the Proposal in a manner that both protects and benefits consumers seeking safe, authentic, and affordable medications via the Internet. In fact, CIPA recognizes the mischief of what are truly "rogue" online pharmacies, which prompted us to track misuse of our respected Certification trademark. For many years, we have worked directly with the Canadian Anti-Fraud Centre, a collaboration of the Ontario Provincial Police and the Royal Canadian Mounted Police, in order to take down those websites using our Certification trademark without authorization. In addition, we aggressively monitor use of our Certification trademark and pursue legal action against its unauthorized use. Contrary to LegitScript's view that we do not like private companies developing and implementing reasonable policies that remove the incentive for governments to regulate, we actually support and enforce self-regulation, and voluntarily coordinate with law enforcement to protect consumers. .Pharmacy – Misuse of a Global Internet Resource CIPA and the Electronic Frontier Foundation ("EFF"), an internationally recognized digital rights group based in San Francisco, are jointly concerned about private interests promulgating standards for key Internet intermediaries that are designed to serve their own financial interests. LegitScript's ongoing efforts to tarnish the reputation of CIPA and its members appear similar to the broad pattern of actions by U.S. pharmaceutical interests to suppress competition under a false narrative of consumer protection. The most blatant example of this is the operation of the .Pharmacy gTLD by the National Association of Boards of Pharmacy ("NABP"), the trade association primarily promoting the interests of U.S. retail d[...]
The Registration Operations Workshop (ROW) was conceived as an informal industry conference that would provide a forum for discussion of the technical aspects of registration operations in the domain name system.
The 6th ROW will be held in Madrid, on Friday May 12th 2017 in the afternoon, immediately after the GDD Industry Summit and prior to ICANN DNS Symposium and OARC 26, using the same venue as all above-mentioned events: Hotel NH Collection Madrid Eurobuilding, Madrid, Spain. A whole set of topics and speakers are confirmed. Here is the current list:
The speakers are from CentralNic, CloudFlare, ICANN, IIT-CNR/Registro.it, Verisign and Viagénie. The attendance is free but registration is required. The ROW Series workshops are sponsored by Verisign and ICANN.
Written by Marc Blanchet, Internet Network Engineer and Consultant
2017-04-18T10:52:00-08:00There are no gatekeepers to prevent registrants from acquiring domain names incorporating marks that potentially violate third-party rights. Anyone anywhere can acquire domain names composed of words and letters in languages not its own through a registrar whose registration agreement is in the language of the registrant. For example, a Chinese registrant of a domain name incorporating a Norwegian mark as in
2017-04-18T09:47:01-08:00The president of LegitScript recently authored an inaccurate and misleading critique of the Canadian International Pharmacy Association (CIPA) that was clearly intended to smear our reputation with a broad brush dipped in inaccuracies and scare tactics. This response paints the true picture of who we are and the benefits CIPA Members offer U.S. consumers. CIPA Members Have A 100% Perfect Safety Record Since its founding in 2002, the members of CIPA have maintained a 100% perfect safety record. Yes, you read that correctly — a 100% perfect safety record. Serving millions of Americans. For 15 years. So, given our perfect safety record for well over a decade, we rhetorically ask: "where is the problem, LegitScript?!" CIPA customers can obtain a personal supply of pharmaceuticals and maintenance medications made by the leading brand-name manufacturers, at prices 50% – 80% less than U.S. pharmacies. (Ahhh...there's the problem: Our prices allow profit for the manufacturer, but don't gouge the consumer to the point of absurdity, as in the U.S.!) Top prescription drugs purchased through CIPA members include: daily medications prescribed to prevent blood clots after a heart attack; to reduce cholesterol; to treat depression; and for the treatment of diabetes. CIPA members do not sell controlled substances, narcotics or pseudoephedrine products. Any issues or concerns raised about the sale of controlled substances to customers in the U.S. — such as Google's non-prosecution settlement a few years ago — do not pertain to CIPA and do not involve any of our members, despite LegitScript's best efforts to suggest otherwise. In addition to dispensing medications from licenced pharmacies in Canada, CIPA members have relationships with regulated international pharmacies and inspected fulfillment centers that directly deliver medications to patients. 
A look at the FAQ section on our website shows that — despite what LegitScript says — CIPA members are fully transparent about the international component of their businesses. In short, customers are clearly informed where their medication comes from — on the CIPA website, and during ordering and with follow-up communication from the CIPA member. (A former CIPA member wasn't transparent — cause for expulsion from our organization. But he's actually been gone for a decade, and we've had zero contact with him in 10 years.) Our 100% safety record is the result of the stringent standards observed by all CIPA members to ensure patient safety, including: Requiring a valid prescription before dispensing medications; Obtaining demographic and medical information from the patient and maintaining a health profile with medication history to avoid adverse drug interactions; Having a licensed pharmacist on staff to supervise dispensing of medications and to be available for consultation upon patient request; and Maintaining procedures to ensure patient privacy and confidentiality of personal records and contact information. LegitScript's False and Misleading Accusations There are many unlicensed and illegitimate "rogue" pharmacies on the Internet, yet despite CIPA's strict safety procedures and 100% perfect safety record, LegitScript is trying to falsely paint us into the "rogues" corner of the web. It is readily apparent that LegitScript does not like how CIPA and the Electronic Frontier Foundation ("EFF") are collectively shining a spotlight on the U.S. pharmaceutical industry's coordinated campaign to eliminate threats to their predatory pricing model. This is what appears to have motivated LegitScrip[...]
2017-04-18T08:58:00-08:00Do consumers still get confused when they see a URL without a .com (or other traditional extension)? Probably — but I don't think anyone really knows the answer to that from a global perspective. What I do know, however, is that it's important for those of us in the new TLD industry to help our brand customers ensure that we're providing audiences with the best possible chance to identify new domains as legitimate web addresses. One question that frequently arises in our conversations with .brands is about just how to represent .brand URLs to maximize audience understanding, recall, and action when used in advertising or promotional material. The short answer is that there are a number of ways to represent .brand domains, each with its own advantages and challenges — and the best fit is based upon the media in which it will be displayed and the action you want your audience to take. So let's have a look at a few of the options that we've seen to date and see if we can uncover what the best option is for you. * * * www Traditionally, use of the 'www' was seen as the preferred method to ensure that the audience identified the text as a domain name. Many will also recall the http:// also being used interchangeably in days gone by. As browsers have improved over time, the requirement for users to type the 'www' and/or the 'http://' has been eliminated and thus, many advertisers simply use the simplified domain in their creative these days. When it comes to advertising new .brand URLs however, many have reverted back to the use of the 'www' to help train audiences that this is, in fact, a legitimate web address. This avoids confusion in situations where 'dots' are used as creative devices rather than functional elements of a domain name. For example, Neustar has opted to include the 'www' wherever possible when using its .brand. 
The plus side
- Helps the address to look like a domain name and conveys immediately that this is a web address and works well in spoken form
- Globally acknowledged standard

The down side
- Can extend the length of the web address, potentially making it less appealing for visual or text-based ads
- Not required in browsers any longer, so potentially seen as outdated by some audience segments

* * *

http://

As discussed above, using 'http://' is a slightly more outdated version of the 'www' option but does establish well-understood URL elements to illustrate that despite the unfamiliar extension, this is a real domain name.

The plus side
- Looks like a domain name and conveys immediately that this is a web address

The down side
- Looks overly technical and not as attractive in written form and clunky when spoken aloud
- Again, not required in browsers any longer, but potentially seen as outdated a little more than the 'www'.

* * *

Domain only labels
2017-04-18T02:08:00-08:00In the afternoon of March 29, the CAICT held the ICANN 58 China Internet Community Readout Session in the CAICT together with the ICANN Beijing Engagement Center. Mr. Li Xiangning, Deputy Director General of Information and Communication Administration under the Ministry of Industry and Information Technology (MIIT), attended the event and gave a speech at the meeting. Over 60 representatives from related governmental agencies including the Office of the Central Leading Group for Cyberspace Affairs, the Ministry of Foreign Affairs and Beijing Communications Administration, domain name registries and registrars, industrial organizations, institutes and universities participated in the seminar. The attendants introduced the developments of the ICANN 58 Copenhagen Meeting held from March 10 to 16 and further discussed the ICANN affairs and hot topics at the meeting. At the meeting, Li Xiangning, Deputy Director General of Information and Communication Administration, gave a speech, which fully affirmed the important role of the community exchange and cooperation platform set up by the CAICT and the ICANN Beijing Engagement Center in enhancing common understanding and promoting cooperation of the China Internet community, and presented his opinions over ICANN jurisdiction issue and the open registration of country name and country code in second-level domains. Li said that the MIIT would always support the development of the China Internet community and regard it as an important approach to implement the Internet power strategy so as to further strengthen China's discourse about international affairs and the rule-making processes. 
Jia-Rong LOW, Vice President of ICANN and General Manager of the Asia-Pacific Operations, introduced several important topics on the ICANN Copenhagen meeting, expressed his appreciation to the growth of the China Internet community, and fully affirmed the contribution by Song Zheng, Director of the ICANN Beijing Engagement Center to ICANN affairs and the China Internet community. And he also announced that Song would leave his position and Zhang Jianchuan, Senior Researcher of KNET, would take over his position. The attendants expressed their appreciations for Song's efforts in the last three years and extended their congratulations to Zhang Jianchuan on his new role. Guo Feng, Vice Chair of the Governmental Advisory Committee (GAC) and Researcher of the CAICT, introduced the general conditions of ICANN 58 Copenhagen and the progress of GAC's key topics. Attendants, such as Shen Zhi and Chu Nan from CNNIC, Liu Limei from CONAC, Professor Kan Kaili from Beijing University of Posts and Telecommunications, Cai Xiongshan from Tencent Research Institute, Wang Wei and Zhang Jianchuan from KNET, Pam Little from Alibaba Cloud, Wu Yangyi from ".商标" Domain Name Registry, Tan Yaling from Teleinfo, introduced the progresses of topics including ICANN, APNIC and APLTD related to the meeting and shared their experience on the ICANN 58. The seminar was moderated by Liu Yue of CAICT. The attendants discussed the issues such as ICANN jurisdiction and the compliant operations of domain name practitioners and unanimously considered that the China Internet community should further strengthen communication and coordination, enhance the quality of participants and the voluntariness, further their concerns about the progress of the second phase of the ICANN accountability, and voluntarily participate in the domain name rule making process so as to promote the development of China's Internet domain name industry and strengthen the [...]
2017-04-17T06:49:00-08:00M3AAWG is a trade association that brings together ISPs, hosting providers, bulk mailers, and a lot of infrastructure vendors to discuss messaging abuse, malware, and mobile abuse. (Those comprise the M3.) One of the things they do is publish best practice documents for network and mail operators, including two recently published, one on Password Recommendations for Account Providers, and another on Password Managers Usage Recommendations. Since I'm one of M3's senior technical advisers, I helped write them, but I think they're pretty good anyway. Rather than just regurgitate the usual unworkable advice (make each password 14 different random characters, change them every week, and never write them down) we tried to look at the real threats on the current Internet and offer advice that makes sense today. The password advice does recommend strong passwords or pass phrases, but then mostly talks about operational issues: do encrypt channels where passwords are sent via HTTPS or the like, do use multiple factors where possible, do use federated authentication to minimize the number of passwords people have to use, do make users change default passwords before using a new account, and don't do hard account lockouts after password failures (an easy way to harass your enemies.) While it does say to make it easy for users to change passwords when they want, it doesn't recommend required password changes, since that is counterproductive--people use a pattern like password1, password2, password3, write them down, or most likely both. The whole document is 8 pages long, so it's worth downloading to read the whole thing. The password recommendations also encourage people to use password managers, the topic of the second document. A good password manager makes good password discipline much easier, since it can remember different totally random passwords for every account, and won't forget them. 
Many of them can keep the list of passwords in sync between a laptop and phones and tablets, a boon for those of us with aging memories. This paper is only three pages, short enough to download and print out and send around to people who don't understand why they're a good idea. There are lots more best practice documents on the M3AAWG web site. I'll blog about some of the others in the future. Written by John Levine, Author, Consultant & Speaker